Deleted Active Directory (AD) groups still appear in the QAS cache.
The "deleted_check.sh" script will delete both users and groups. It is located in /opt/quest/libexec/vas/scripts directory.
- Edit the vas.conf and set the following:
delusercheck-script = /opt/quest/libexec/vas/scripts/deleted_check.sh
By default, vasd only detects that user objects have been deleted when explicit requests for the deleted users are made by the QAS authentication modules or by calls to
getpwnam(). This is due to the difficulties inherent in detecting when objects in a directory are deleted when using an incremental update algorithm. While deleted users cannot get access to Unix machines through QAS, this may not satisfy some auditing requirements. If a Unix environment requires that the cache of user and group information is completely up to date (including removal of deleted objects), you can configure vasd to check periodically for deleted objects. By default this check is turned off to limit the amount of LDAP traffic each QAS client generates. The value of this option should be set to an interval in minutes where vasd should perform the deleted user check. You should carefully evaluate the impact of enabling this search on your Unix clients before enabling this option across your deployment. The following example shows how to configure vasd to run the deleted user check every 24 hours.
delusercheck-interval = 1440
To remove the group from the cache do a forced update on the single group /opt/quest/bin/vastool list -f group <groupname>
NOTE:vastool list -f groups (groups plural) will not check for deleted groups only active groups are checked.