Question

During removing macOS User by script I got Error: -14120 and user is not fully removed

  • June 25, 2024
  • 3 replies
  • 91 views


Hi there,

I am trying to remove all "old" users from our iMacs, which are managed with JAMF School. The users have an AD account, and during the first login on an iMac we create a local (mobile) account on the Mac. At the end of the year we want to remove all these users and their data.

If I run "sudo /usr/sbin/sysadminctl -deleteUser $user" on the client, the user is completely removed (after I once gave the Terminal Full Disk Access in System Preferences). But if I run a JAMF script with the same command, I get the error:

### Error:-14120 File:/AppleInternal/Library/BuildRoots/91a344b1-f985-11ee-b563-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/Admin/DSRecord.m Line:563

Nearly the same if I use the command "sudo dscl . delete /Users/$user": dscl DS Error: -14120 (eDSPermissionError)

All users, the first local admin and root have "Secure Token" enabled. After I disabled System Integrity Protection in Recovery mode with "csrutil disable", the JAMF script does the job without error, but this is no solution.

My test client is a MacBook Pro on macOS 14.5 Build 23F79.
Any helpful ideas?

Kind regards Chris

3 replies

skeenan07
  • Contributor
  • June 25, 2024

You'll want to include an admin username and password in your script to delete the account. Like this: 

sysadminctl -deleteUser "$user" -adminUser "$adminUser" -adminPassword "$adminPassword"

I use the bash script in the following GitHub repo to encrypt the admin password: https://github.com/brysontyrrell/EncryptedStrings. Then I use the script's input parameters to pass in the encrypted string, passphrase and salt, and decrypt them in the script. A whole script could look something like this:

#!/bin/zsh

# Jamf reserves $1-$3 (mount point, computer name, login user); $4 and up are the script's own parameters.
function DecryptString() {
    # Usage: ~$ DecryptString "Encrypted String" "Salt" "Passphrase"
    echo "${1}" | /usr/bin/openssl enc -aes256 -md md5 -d -a -A -S "${2}" -k "${3}"
}

adminUser=${4}
adminPassword=$(DecryptString "${5}" "${6}" "${7}")
# The account to delete was never assigned in the posted script; taking it from
# parameter 8 is an assumption added here.
user=${8}

/usr/sbin/sysadminctl -deleteUser "$user" -adminUser "$adminUser" -adminPassword "$adminPassword"

I also have a script on GitHub, deleteInactiveUsers.zsh, that deletes users after they've been inactive for a specified number of days. (I also just realized I hadn't updated it in a while, so I pushed updates this afternoon.)
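The approach in the reply above (admin credentials passed as an EncryptedStrings ciphertext plus salt and passphrase, then handed to sysadminctl), as an added example that is not code from the thread, from skeenan07's repository or from Jamf. It adds the checks a practitioner would want before an unattended deletion: that the target is not root, a service account or the admin itself; that the admin account actually holds a Secure Token; that nobody is still logged in as the target; and, after the run, that the directory record is really gone rather than trusting the command line alone. Everything about the parameter layout is an assumption made here: $4 = admin account, $5 = encrypted admin password, $6 = salt, $7 = passphrase, $8 = account to delete; the account names in the usage line are placeholders.

```bash
#!/bin/bash
# Added example (not from the thread, EncryptedStrings or Jamf): a Jamf-style
# policy script that removes a local account with a Secure Token admin's
# credentials and verifies the result.
# Assumed parameter layout: Jamf fills $1-$3 (mount point, computer name,
# login user); $4 = admin account, $5 = encrypted admin password, $6 = salt,
# $7 = passphrase, $8 = account to delete.

# Same primitive as github.com/brysontyrrell/EncryptedStrings: AES-256-CBC with
# MD5 key derivation and single-line base64, salt and passphrase supplied
# separately. Stderr is dropped because newer OpenSSL warns about "-md md5".
encrypt_string() {   # encrypt_string "plaintext" "salt-hex" "passphrase"
    printf '%s' "$1" | openssl enc -aes256 -md md5 -a -A -S "$2" -k "$3" 2>/dev/null
}
decrypt_string() {   # decrypt_string "ciphertext" "salt-hex" "passphrase"
    printf '%s' "$1" | openssl enc -aes256 -md md5 -d -a -A -S "$2" -k "$3" 2>/dev/null
}

# Refuse targets an unattended policy must never delete: an empty name, root,
# Apple's service accounts (leading underscore), the admin account whose
# password we hold, and names with shell-meaningful characters.
# Returns 0 when "$1" is an acceptable target, 1 otherwise.
safe_target() {   # safe_target "target" "admin"
    case "$1" in
        ""|root|_*|"$2")   return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# macOS-only checks; each prints a reason so the policy log says why we stopped.
check_preconditions() {   # check_preconditions "target" "admin"
    [ "$(id -u)" -eq 0 ] || { echo "must run as root"; return 1; }
    /usr/bin/dscl . -read "/Users/$1" RecordName >/dev/null 2>&1 \
        || { echo "no local record for $1"; return 1; }
    # sysadminctl reports "Secure token is ENABLED for user <name>" on stderr
    /usr/sbin/sysadminctl -secureTokenStatus "$2" 2>&1 | grep -q ENABLED \
        || { echo "$2 holds no Secure Token"; return 1; }
    # an account with running processes is still logged in; do not pull it away
    ! /usr/bin/pgrep -u "$1" >/dev/null 2>&1 \
        || { echo "$1 still has running processes"; return 1; }
    return 0
}

# Run the deletion with its output captured (an "Error:-14120 ... DSRecord.m"
# line is the symptom from the thread), then prove removal by reading the
# directory record instead of relying on the exit status.
delete_account() {   # delete_account "target" "admin" "admin-password"
    local out
    out=$(/usr/sbin/sysadminctl -deleteUser "$1" -adminUser "$2" -adminPassword "$3" 2>&1)
    printf '%s\n' "$out"
    if /usr/bin/dscl . -read "/Users/$1" RecordName >/dev/null 2>&1; then
        echo "record /Users/$1 still exists; deletion failed"
        return 1
    fi
    [ -d "/Users/$1" ] && echo "note: home directory /Users/$1 was left behind"
    return 0
}

main() {
    admin_user="$4"; target="$8"
    admin_pw=$(decrypt_string "$5" "$6" "$7") || { echo "could not decrypt admin password"; exit 1; }
    [ -n "$admin_pw" ] || { echo "decrypted admin password is empty"; exit 1; }
    safe_target "$target" "$admin_user" || { echo "refusing to delete '$target'"; exit 1; }
    check_preconditions "$target" "$admin_user" || exit 1
    delete_account "$target" "$admin_user" "$admin_pw"
}

# Jamf always supplies $1-$3; only run when our own parameters are present.
# Usage (placeholders): sudo ./remove_user.sh "" "" "" ladmin "<ciphertext>" "<salt>" "<passphrase>" jdoe
if [ "$#" -ge 8 ]; then main "$@"; fi
```

Generate the three values once with encrypt_string (the salt is any 16 hex characters, for example from `openssl rand -hex 8`) and paste them into the policy's script parameters. Two caveats worth keeping in mind: the salt and passphrase travel next to the ciphertext in the same policy, so this scheme hides the password from a casual glance at the script but not from anyone who can read the policy; and sysadminctl receives the password on its command line, where it is visible in a process listing for the duration of the call.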


  • Author
  • New Contributor
  • June 26, 2024


Hi Skeenan07,

Thanks for your quick and detailed response. Unfortunately I'm travelling today, but I'm back tomorrow. I'll report my experience afterwards, but everything you wrote makes sense.

Regards Chris


  • Author
  • New Contributor
  • June 27, 2024


Hi skeenan07,

I tested your command in the local script. For testing, I wrote the local admin credentials into the script in clear text, because it is a test system and I don't want to mix something up during encryption and decryption. But the error is still the same, Error:-14120, if I start the script via JAMF. And there is no error (the user is removed) if I start the script locally in the Terminal with sudo. The script removes the user without error.

Regards Chris