Delete users?

jstone-3 · ‎Dec 05, 2016

As Windchill Admin, I'm suddenly getting emails with the message "

The Windchill principal named JDoe of type wt.org.WTUser needs repair. The principal is missing in LDAP

Nothing has changed on either the AD side of things or in Windchill. At random times of day, two or three emails about various users are coming up, all of them former employees. They're not still in Windchill as users, the only way I can find them is to Search Disconnected Participants in Participant Administration.

Is it OK to just delete them from there? I don't want to mess up any history.

BenLoosli · ‎Dec 05, 2016

General consensus is to NEVER delete users from Windchill, but to mark them as no longer active.

Be careful of replace user, too. I replaced a manager in a role when he left the company with the new manager and it changed it every place, including who signed off on a workflow. Completed data should not be changed like that. I won't be doing replace user again.

rkandepu-2 · ‎Dec 05, 2016

Hi Jim,

If these are legit users and have to be in Windchill, do not delete them. First check for the reason why they have became 'disconnected'. It likely that either AD has some issues (or) they have been removed from AD as they are no more part of your Windchill application.

Once you are clear with reason, you can think about - repair these users or delete them. Deleting the users from Windchill will keep the history intact. You will be seeing user name for history like - '<User Name> (deleted)' for fields Created By, Modified Bye etc.,

Thanks & Regards,
Ravi Kandepu.

MikeLockwood · ‎Dec 05, 2016

A bit more explanation here that may be of interest:

User accounts are created and managed in Windchill Directory Service (Windchill DS), aka LDAP
There are a number of ways to tie this to the network (e.g. Active Directory) through HTTPServer (Apache) config files such that the network password is used and other functionality.
An additional database object is created in the database WTUSER table once any user defined in DS logs on.
The Windchill Participants Admin UI has the available actions: "Delete from Windchill" and "Delete from Windchill and Windchill Directory Server." As others have stated here, you don't really ever want to delete either, but it is interesting to take a look at both Windchill DS and the Database WTUSER table and see what results from these actions (not what you'd expect).
It's essential that Windchill maintain a record of what every user has done in the system, even if they leave the company - and this is in fact how it works. The WTUSER table record ensures that Joe contractor who worked for 2 months 5 years ago is still shown as the user who Modified XYZ drawing, etc.
Best practices on this have been discussed 100's of times on this forum and several have posted summaries. Note that there is no actual "deactivate" action in Windchill - you have to remove from any groups and context roles and team templates manually (and have to put together some pretty sophisticated query builder reports to find all these), and then ideally, put them into a new group (e.g. De_Activated Users) just to have a listing.

TomU · ‎Dec 05, 2016

User accounts are created and managed in Windchill Directory Service (Windchill DS), aka LDAP

Not necessarily. With "full" Active Directory integration, the user accounts only exist in Active Directory, they do not exist in Windchill DS and are not managed there. (Yes, groups in Windchill DS can still include these Active Directory users.)