Howto delete "Directory Groups " on ILOs via powershell

 
kuehnela
Occasional Collector

Hello community,

I have activated LDAP authentication on 150 iLOs in our company in addition to the local "admin users". LDAP is activated by "Set-HPiLODirectory" and is OK.

Set-HPiLODirectory -DisableCertificateAuthentication -LDAPDirectoryAuthentication Use_Directory_Default_Schema -LocalUserAccount Yes -Username $ILOUSER -Password $ILOPASSWORD -Server $ILOIP -ServerAddress XXX.local -ServerPort 636 -UserContext1 "CN=YYY,OU=AAA,OU=SSS,DC=GGG,DC=local" 

After this I added an AD group with the permissions we need: login for AD users within the AD group "CN=..." works.

Set-HPiLOSchemalessDirectory -DisableCertificateAuthentication -Username $ILOUSER -Password $ILOPASSWORD -Server $ILOIP -GroupAccount 'Enable' -Group1Name "CN=XXX,OU=YYY,DC=ZZZ,DC=local" -Group1Priv "1,2,3,4,5,6" #1 - admin, 2 - settings, 3 - power, 4 - media, 5 - remote console, 6 - login

Now I have the problem that there are 2 Directory Groups (Administrators and Authenticated Users) I have to delete. The 2 groups are on all iLOs by default...

I cannot find a cmdlet to list and delete the Directory Groups via PowerShell, and I will not log in to all 150 iLOs and delete them manually :-(

So my question: is there a cmdlet to do this, or do you have a workaround to do this?

thx for support

GokulKS
HPE Pro

Re: Howto delete "Directory Groups " on ILOs via powershell

Hi,

iLO does not provide any API for listing the directory groups or deleting same.

But it does provide a way to disable the directory groups, which you can try on the directory groups you want to delete.

Disabling directory groups can be achieved using the Set-HPiLODirectory cmdlet with the -LDAPDirectoryAuthentication parameter value set to "Disable". Refer to the cmdlet help examples, which clearly show how to disable the directory group.

Cmdlet snippet is pasted below.

Set-HPiLODirectory -Server $Server -LDAPDirectoryAuthentication @("Disable","Use_HP_Extended_Schema") -LocalUserAccount @("Y","N")

Thanks,

Gokul

HPE PowerShell Team


I am a HPE Employee


K9OL
New Member

Re: Howto delete "Directory Groups " on ILOs via powershell

Like you, I am trying to clean up an existing iLO environment. I wanted to add the current three AD security groups we are using: an Admin level, an Operator level, and a Read-Only level. Here is what I did to delete existing AD security groups from the iLO configuration:

Set-HPiLOSchemalessDirectory -Server $HOSTNAME -USERNAME $user -Password $pwd -DisableCertificateAuthentication -Group1Name $Admin -Group1Priv $Admin_Priv -Group1SID $Admin_SID -Group2Name $Opt -Group2Priv $Opt_Priv -Group2SID $Opt_SID -Group3Name $RO -Group3Priv $RO_Priv -Group3SID $RO_SID -Group4Name "" -Group5Name "" -Group6Name ""

After setting the values for the variables above for the new groups, I'd also listed slots #4, #5, and #6. If you use just the "-Group#Name" with an empty "", it will remove any existing data in the slot number provided.

The following:

Set-HPiLOSchemalessDirectory -Server $HOSTNAME -USERNAME $user -Password $pwd -DisableCertificateAuthentication -Group2Name ""

will remove the existing group in the #2 slot, then move the existing #3 group into the #2 slot, the #4 group would move into the #3 slot, etc.

 

Hope this makes sense....

GokulKS
HPE Pro

Re: Howto delete "Directory Groups " on ILOs via powershell

Hi,

If you are asking for confirmation then the commands you are trying will work as desired.

If there is anything else you want to know apart from confirmation of the previous post, let me know.

Thanks,

Gokul

HPE PowerShell Team


I am a HPE Employee


Sceptico
New Member

Re: Howto delete "Directory Groups " on ILOs via powershell

With the latest HP iLO cmdlets, this command is no longer available and the replacement (Set-HPEiLODirectoryGroup) does not accept null entries, e.g.

Set-HPEiLODirectoryGroup -GroupName 'GrouptoRemove' -NewGroupName "" 

...will not work

Is there a replacement PowerShell command to remove directory groups from the user administration section?

GokulKS
HPE Pro

Re: Howto delete "Directory Groups " on ILOs via powershell

Hi,

Unfortunately, there is no RIBCL support from iLO4 for deletion of directory groups, and that is the reason for not allowing empty tags in the Set-HPEiLODirectoryGroup cmdlet. You have to use the iLO GUI only to delete the groups.

Thanks,

Gokul

I am a HPE Employee

ITO-INS
New Member

Re: Howto delete "Directory Groups " on ILOs via powershell

Any news on this with the newest module releases?

There is now a cmdlet, "Remove-HPEiLODirectoryGroup", with which it should be possible to remove iLO AD groups.

However, when I try to remove one of the configured AD groups, I get a message that my privileges are insufficient, even though I'm logged in as iLO Administrator.

Verbose Information:

VERBOSE: Performing the operation "Remove-HPEiLODirectoryGroup" on target "servername".
VERBOSE: Executing the cmdlets with 1 task serially.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: GetRedfishExistingDirGroup - Getting directory settings data by Redfish interface.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Validating Cmdlet supportability.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Checking for iLOGeneration, Model and Firmware for Cmdlet Supportability.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Validating parameter supportability.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Getting JSON url for ODataType AccountService.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Getting OdataId for OdataType AccountService.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Getting url value from resource instance.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: JSON url is /redfish/v1/AccountService/
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: JSON URL with query is- /redfish/v1/AccountService/
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Sending Redfish request.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Processing JSON response.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Response Type is HPE.iLO.Response.Redfish.DirectorySettingInfo
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Processing complex JSON response.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: GetRemoteRoleMapping - Getting existing iLO directory users
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Validating Cmdlet supportability.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Checking for iLOGeneration, Model and Firmware for Cmdlet Supportability.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Validating parameter supportability.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Getting url value from resource instance.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Getting url value from resource instance.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Creating Redfish request.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Retrieving URL's from parameter mapper.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Forming JSON payload for corresponding URL.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Creating Redfish request.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Sending Redfish request to PATCH/POST/DELETE the JSON payload.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Processing JSON response.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Redfish response message: InsufficientPrivilege

Tried it with an AD-User as well as a local admin.


Regards,
Nico
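
A read-only check for the cleanup discussed in this thread, as an added example that is not from any poster or from HPE: it parses the JSON of `/redfish/v1/AccountService/` (the resource named in the verbose log above) and flags the two default groups plus any group that is not on an approved list. The `LDAP.RemoteRoleMapping` layout follows the DMTF Redfish schema and is assumed to match the iLO firmware in use; the function name, sample JSON, role ids and host name are constructed.

```powershell
# Added example: read-only audit of Redfish AccountService JSON for directory groups.
# Assumption: groups are listed under LDAP.RemoteRoleMapping[].RemoteGroup (DMTF schema).
function Get-DirectoryGroupFinding {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $AccountServiceJson,
        [string[]] $ApprovedGroups = @(),
        # The two default groups named in the thread.
        [string[]] $DefaultGroups  = @('Administrators', 'Authenticated Users')
    )
    $service = $AccountServiceJson | ConvertFrom-Json
    foreach ($mapping in @($service.LDAP.RemoteRoleMapping)) {
        if (-not $mapping.RemoteGroup) { continue }   # skip empty or missing entries
        # Tolerate an optional ":<SID>" suffix after the group name (assumption).
        $name = ($mapping.RemoteGroup -split ':S-1-', 2)[0].Trim()
        if     ($DefaultGroups  -contains    $name) { $finding = 'DefaultGroupPresent' }
        elseif ($ApprovedGroups -notcontains $name) { $finding = 'NotOnApprovedList' }
        else                                        { $finding = 'Approved' }
        [pscustomobject]@{
            Server    = $Server
            Group     = $name
            LocalRole = $mapping.LocalRole
            Finding   = $finding
        }
    }
}

# Constructed sample response (not captured from a real iLO).
$sampleJson = @'
{
  "@odata.id": "/redfish/v1/AccountService/",
  "LDAP": {
    "RemoteRoleMapping": [
      { "LocalRole": "dirgroup-0001", "RemoteGroup": "Administrators" },
      { "LocalRole": "dirgroup-0002", "RemoteGroup": "Authenticated Users:S-1-5-11" },
      { "LocalRole": "dirgroup-0003", "RemoteGroup": "CN=XXX,OU=YYY,DC=ZZZ,DC=local" }
    ]
  }
}
'@

# 'ilo-01.example.test' is a placeholder host name.
$findings = Get-DirectoryGroupFinding -Server 'ilo-01.example.test' `
    -AccountServiceJson $sampleJson `
    -ApprovedGroups 'CN=XXX,OU=YYY,DC=ZZZ,DC=local'

# Show only the entries that still need cleanup.
$findings | Where-Object { $_.Finding -ne 'Approved' } | Format-Table -AutoSize
```

Run per iLO and concatenate the results to get a fleet-wide list of hosts where the default groups still grant directory logins.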