Deleting Messaging Server, Calendar Server, and Communications Express Users

Procedure: To Delete Messaging Server and Calendar Server Users with Delegated Administrator Command-Line Tools


Note –

The Delegated Administrator commadmin domain purge command shown in these steps must be run by the Top-Level Administrator. (The commadmin user delete command can be run by a Top-Level Administrator or an Organization Administrator.)


Before You Begin

In the Access Manager Administration Console, be sure that the Compliance User Deletion option is selected. It is selected by default when you configure Delegated Administrator.

The Compliance User Deletion option ensures that the user's LDAP entry is marked for deletion when you run the commadmin user delete command in Step 1, below. If this option is not selected, the commadmin user delete command will not operate properly.

  1. Use the commadmin command to mark the messaging and calendar user for deletion.

    This step changes the user's status to “deleted” in the LDAP directory by changing the value of the user's inetUserStatus attribute to deleted.


    commadmin user delete -D admin user -n admin domain -w password -d domain -l user
    
    -D admin user

    Specifies the user ID of the Top-Level Administrator (the user with permission to execute this command)

    -n admin domain

    Specifies the domain of the Top-Level Administrator

    -w password

    Specifies the password of the Top-Level Administrator

    -d domain

    Specifies the domain of the user to be deleted

    -l user

    Specifies the user ID of the user to be deleted

    Example:


    commadmin user delete -D admin -n siroe.com -w '&!2x%!a5' -d sesta.com -l jsmith
  2. Use the appropriate command to remove mail and calendar resources from the user.

    A resource can be a mailbox or a calendar.

    For mail services, you use the msuserpurge command. msuserpurge finds all user entries where inetUserStatus or mailUserStatus is set to deleted and purges those user mailboxes from the message store. All resources associated with those users are also removed. msuserpurge then marks the mailUserStatus attribute in the affected user entries as “removed.”


    msuserpurge -d domain
    
    -d domain

    Specifies the domain of the user marked for deletion

    For calendar services, you use the csclean command. csclean finds all user entries where inetUserStatus or icsStatus is set to deleted and removes all calendars belonging to the deleted users. It then marks the icsStatus attribute in the affected user entries as “removed.”


    csclean clean domain
    
    clean

    Mandatory argument for running the csclean command

    domain

    Specifies the domain of the user marked for deletion

    Example:


    msuserpurge -d sesta.com
    csclean clean sesta.com
  3. Permanently remove the user entry from the directory by running the commadmin domain purge command.

    The commadmin domain purge command permanently removes all user entries that have been marked as deleted. This command also removes the user from all groups (mail lists) in which the user is a member or owner.


    commadmin domain purge -D admin user -n admin domain -w password -d domain -g grace
    
    -D admin user

    Specifies the user ID of the Top-Level Administrator (the user with permission to execute this command)

    -n admin domain

    Specifies the domain of the Top-Level Administrator

    -w password

    Specifies the password of the Top-Level Administrator

    -d domain

    Specifies the domain of the user to be deleted

    -g grace

    Specifies the grace period, in days, before the user is purged. Only users who have been marked for deletion for longer than the specified grace period are removed. The default value is 5 days. A value of 0 purges immediately.

    Example:


    commadmin domain purge -D admin -n siroe.com -w '&!2x%!a5' -d sesta.com -g 2

    In the preceding example, only user entries that were marked for deletion more than 2 days ago are removed. If you run commadmin user delete and commadmin domain purge on the same day, you must set the grace period to 0 to permanently remove those users.

  4. If the user created an address book in Communications Express, use LDAP tools to find and remove the personal address-book related LDAP entries.

    The LDAP data for a user's personal address book is stored in a base entry and several subordinate entries. For a sample listing, see User Data Stored in the Directory by Communications Express.

    The following steps summarize how to find and remove these entries. You might want to write your own script to automate these steps.

    1. Use the ldapsearch command to find the user's address-book base entry and all its descendants.

      The base entry is piPStoreOwner=user, where user specifies the user ID to be deleted.

      Example:


      ldapsearch -b "piPStoreOwner=jsmith,o=sesta.com,o=PiServerDb" \
      -s sub "objectclass=*" dn

      This example finds the personal address book DNs for a user named jsmith in the sesta.com domain.

    2. Use the ldapdelete command to remove each subordinate entry.

      Example:


      ldapdelete -D "uid=admin,ou=People,o=siroe.com,o=root_suffix" -w '&!2x%!a5' \
      "piEntryID=e10976f864e00m,piPStoreOwner=jsmith,o=sesta.com,o=PiServerDb"

      You might prefer not to run ldapdelete for each subordinate entry. Instead, you can create a response file based on the LDIF output generated from the preceding ldapsearch command. The response file can be used with ldapdelete to iteratively delete the multiple entries.

    3. Use the ldapdelete command to remove the user's address-book base entry.

      Example:


      ldapdelete -D "uid=admin,ou=People,o=siroe.com,o=root_suffix" -w '&!2x%!a5' \
      "piPStoreOwner=jsmith,o=sesta.com,o=PiServerDb"

      When you complete these steps, all user-related data maintained by Communications Express is removed.
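
The script suggested in step 4 could start from a helper like the following. It is an added example, not part of the original documentation: it turns the LDIF from the ldapsearch in substep 1 into a delete list ordered children-first, and it drops any DN that lies outside the user's piPStoreOwner base entry. The function names, the sample LDIF, and the piEntryID=constructed0001 entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: order address-book DNs so children are deleted before the base entry.

# Reads LDIF on stdin (output of the substep 1 ldapsearch), prints one DN per line,
# deepest first. $1 is the base DN; DNs outside that subtree are skipped.
order_dns_for_delete() {
    BASE_DN="$1" awk '
        function emit(   tmp, depth, b, d) {
            if (!have) return
            have = 0
            b = tolower(ENVIRON["BASE_DN"]); d = tolower(cur)
            # Scope guard: accept only the base entry or entries beneath it.
            if (d != b && substr(d, length(d) - length(b)) != "," b) {
                print "skipped (outside base): " cur > "/dev/stderr"
                return
            }
            tmp = cur
            gsub(/\\,/, "", tmp)          # escaped commas belong to a value
            depth = gsub(/,/, ",", tmp)   # count RDN separators
            printf "%d\t%s\n", depth, cur
        }
        /^ /    { if (have) cur = cur substr($0, 2); next }  # unfold LDIF line
        /^dn: / { emit(); cur = substr($0, 5); have = 1; next }
                { emit() }
        END     { emit() }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2 | cut -f2-
}

# Constructed sample LDIF; the second child DN is folded as LDIF allows.
sample_ldif() {
    cat <<'EOF'
version: 1
dn: piPStoreOwner=jsmith,o=sesta.com,o=PiServerDb

dn: piEntryID=e10976f864e00m,piPStoreOwner=jsmith,o=sesta.com,o=PiServerDb

dn: piEntryID=constructed0001,piPStoreOwner=jsmith,o=sesta.
 com,o=PiServerDb

dn: piPStoreOwner=other,o=sesta.com,o=PiServerDb
EOF
}

# Prints the two piEntryID entries first and the base entry last.
sample_ldif | order_dns_for_delete "piPStoreOwner=jsmith,o=sesta.com,o=PiServerDb"
```

Redirect the output to a file and review it before using it as the response file for ldapdelete. The skipped lines on standard error show any DN that did not belong to the user being removed.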