Batch Request for Deleting Managed Attributes?

We have a custom workflow that creates new groups in Active Directory, and while testing this workflow, we created quite a few test groups. We’d like to implement a process for cleaning them up. Since they are being run through the Entitlement Update workflow, they show up in the Provisioning Transaction table, so I thought I might be able to schedule a Provisioning Transaction report, and use the resulting CSV (with slight tweaks) in a Batch Request to delete those Managed Attributes (and their associated AD groups). But when I looked at the docs for Batch Requests, DeleteManagedAttribute or DeleteEntitlement are not available as operation types. Is there, by any chance, an undocumented feature that would allow me to do this? :slight_smile: (And yes, I did actually try it, and got an “Invalid Operation” error).

And yes, I know I could write a rule, run it from a task, (or probably a half dozen other ways) etc., but I’m trying to do the simplest thing that could possibly work, and also avoid doing any (more) custom development work. TIA for any suggestions you might have.

As you have the CSV with the details of the ManagedAttributes to be deleted, you can utilise the IIQ Console to delete the ManagedAttributes.

  1. Create a txt file with the list of ManagedAttributes IDs

         delete ManagedAttribute <ID1>
         delete ManagedAttribute <ID2>
         .
         .
         delete ManagedAttribute <IDn>

  2. Utilise the Source command of the IIQ Console to delete the ManagedAttributes

         source

The proper thing to do here would be to delete the AD groups in AD then run a Group Aggregation with Detect Deleted Groups enabled. If you have the DNs of the AD groups you created, you should be able to construct a provisioning plan to delete them all and then execute it in IIQ.

Alternatively, you could also do a quick and dirty delete of the AD groups via PoSh on your IQService host (it will have the AD PoSh tools installed already): Remove-ADGroup - PowerShell - SS64.com

Note that if you had a good naming convention for the AD groups, you can possibly do a one-line command like this example:

    # Get all groups whose name starts with 'SS64' and remove them:
    Get-ADGroup -Filter 'Name -like "SS64*"' | Remove-ADGroup

Brian and Abhishek, thanks for your suggestions, I really appreciate it. In the spirit of doing the simplest thing that could possibly work, using the CSV from the OOTB Provisioning Transaction and sending that to our AD admins, for them to use as input to a PowerShell script is the answer. Then a scheduled Group Aggregation with Detect Deleted Groups selected, and everything is back to normal. Thanks!

1 Like
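
The cleanup the thread settles on (report CSV handed to the AD admins as PowerShell input, then a Group Aggregation with Detect Deleted Groups), as an added example that is not code from any poster or from SailPoint. The `NativeIdentity` column name, the OU and the name prefix are assumptions to replace with your own values; unlike the name-filter one-liner earlier in the thread, it skips any group outside the test OU, off-prefix, or with members, and it honours `-WhatIf`.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    # Assumption: column in the tweaked report CSV that holds each group's DN.
    [string] $DnColumn = 'NativeIdentity',
    # Placeholder scope, e.g. 'OU=IIQ-Test,DC=example,DC=com'. Nothing outside it is touched.
    [Parameter(Mandatory)] [string] $AllowedOu,
    # Placeholder naming convention for the test groups.
    [Parameter(Mandatory)] [string] $NamePrefix
)

$cmp = [StringComparison]::OrdinalIgnoreCase
$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $dn = $row.$DnColumn
    $status = 'Deleted'
    try {
        if ([string]::IsNullOrWhiteSpace($dn)) { throw 'empty DN in CSV row' }
        # Guard 1: the DN from the CSV must sit under the designated test OU.
        if (-not $dn.EndsWith(",$AllowedOu", $cmp)) { throw 'outside allowed OU' }

        # Resolve the object in AD rather than trusting the CSV text alone.
        $group = Get-ADGroup -Identity $dn -Properties member -ErrorAction Stop

        # Guard 2: name must follow the test naming convention.
        if (-not $group.Name.StartsWith($NamePrefix, $cmp)) { throw 'name does not match prefix' }
        # Guard 3: a group that already has members is probably in real use.
        if ($group.member.Count -gt 0) { throw "has $($group.member.Count) member(s)" }

        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, 'Remove-ADGroup')) {
            Remove-ADGroup -Identity $group.DistinguishedName -Confirm:$false -ErrorAction Stop
        }
        else {
            $status = 'Previewed'   # -WhatIf, or the operator answered No
        }
    }
    catch {
        $status = "Skipped: $($_.Exception.Message)"
    }
    [pscustomobject]@{ DistinguishedName = $dn; Status = $status }
}

# Keep a record of what was removed and what was refused, then summarise.
$results | Export-Csv -Path "$CsvPath.result.csv" -NoTypeInformation
$results | Group-Object { ($_.Status -split ':')[0] } | Select-Object Name, Count
```

Run it with `-WhatIf` first and review the result CSV before the real pass; the scheduled Group Aggregation with Detect Deleted Groups then removes the matching ManagedAttributes in IIQ.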