Howto delete "Directory Groups " on ILOs via powershell

Hi,

iLO does not provide any API for listing the directory groups or deleting same.

But they do provide disabling the directory groups which you can try on the directory groups you want to delete.

Disabling directory groups can be achieved using set-hpilodirectory cmdlet with -LDAPDirectoryAuthentication parameter value as "Disable". Refer the cmdlet help  examples which clearly shows how to disable the directory group.

Cmdlet snippet is pasted below.

Set-HPiLODirectory -Server $Server -LDAPDirectoryAuthentication @("Disable","Use_HP_Extended_Schema") -LocalUserAccount @("Y","N")

Thanks,

Gokul

HPE PowerShell Team

Like you I am trying to clean up an existing iLO Environment. I wanted to add the current three AD Security Groups we are using; an Admin Level, an Operator level, and a Read-Only level. Here's is what I did to Delete Existing AD Security Groups from the iLO configuration:

Set-HPiLOSchemalessDirectory -Server $HOSTNAME -USERNAME $user -Password $pwd -DisableCertificateAuthentication -Group1Name $Admin -Group1Priv $Admin_Priv -Group1SID $Admin_SID -Group2Name $Opt -Group2Priv $Opt_Priv -Group2SID $Opt_SID -Group3Name $RO -Group3Priv $RO_Priv -Group3SID $RO_SID -Group4Name "" -Group5Name "" -Group6Name ""

After setting the values for the variables above for the new groups I'd also listed slots #4, #5, and #6. If you use just the "-Group#Name" and use empty "" it will remove any existing data in the number provide slot.

the following:

Set-HPiLOSchemalessDirectory -Server $HOSTNAME -USERNAME $user -Password $pwd -DisableCertificateAuthentication -Group2Name ""

Will remove the existing Group in the #2 slot, then move the existing #3 Group into the #2 Slot, the #4 Group would move into the #3 slot, ETC.

Hope this makes sense....

Hi,

If you are asking for confirmation then the commands you are trying will work as desired.

Anything else you want to know apart from the previous post confirmation let me know.

Thanks,

Gokul

HPE PowerShell Team

With the latest HP iLO commandlets, this command is not longer available and the replacement (Set-HPEiLODirectoryGroup) does not accept null entries e.g.

Set-HPEiLODirectoryGroup -GroupName 'GrouptoRemove' -NewGroupName "" 

...will not work

Is there a replacement Powershell command to remove directory groups from the user administration section?

Hi,

Unfortunately there is no RIBCL support from iLO4 for deletion of diretory groups and that is the reason for not allowing empty tags in Set-HPEiLODirectoryGroup cmdlet. You have to use iLO GUI only to delete the groups.

Thanks,

Gokul

Any news on this with the newest Module relaeses.

There is now a cmdlet "Remove-hpeiloDirectoryGroup" existing which with it should be possible to remove ILO AD Groups.

However when i try to remove one of the configured AD Groups, i get a message that my privileges are insufficient, even though im logged in as ILO Administrator.

Verbose Information:

VERBOSE: Performing the operation "Remove-HPEiLODirectoryGroup" on target "servername".
VERBOSE: Executing the cmdlets with 1 task serially.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: GetRedfishExistingDirGroup - Getting directory settings data by Redfish interface.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Validating Cmdlet supportability.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Checking for iLOGeneration, Model and Firmware for Cmdlet Supportability.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Validating parameter supportability.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Getting JSON url for ODataType AccountService.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Getting OdataId for OdataType AccountService.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Getting url value from resource instance.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: JSON url is /redfish/v1/AccountService/
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: JSON URL with query is- /redfish/v1/AccountService/
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Sending Redfish request.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Processing JSON response.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Response Type is HPE.iLO.Response.Redfish.DirectorySettingInfo
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: Processing complex JSON response.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net]: GetRemoteRoleMapping - Getting existing iLO directory users
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Validating Cmdlet supportability.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Checking for iLOGeneration, Model and Firmware for Cmdlet Supportability.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Validating parameter supportability.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Getting url value from resource instance.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Getting url value from resource instance.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Creating Redfish request.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Retrieving URL's from parameter mapper.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Forming JSON payload for corresponding URL.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Creating Redfish request.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Sending Redfish request to PATCH/POST/DELETE the JSON payload.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Processing JSON response.
VERBOSE: [Remove-HPEiLODirectoryGroup][gusmcv71-rib.geberit.net][Redfish]: Redfish response message: InsufficientPrivilege

Tried it with an AD-User as well as a local admin.

Regards,
Nico