removing user accounts in Ventura

Pre-Ventura, I've been used a couple of different scripts to delete users' folders via a Jamf policy. It's worth noting this script only deleted the folder, but did not delete the user account with the OS. When a user with a deleted folder would log in again, their user folder would be recreated as a default user folder and they'd go on their merry way.

With Ventura, the script will delete the user folder, but when the user tries to log in again, the computer will hang. Testing has shown the problem is the lingering user account. If I manually delete the account, log in works normally for then.

I'm curious what scripts y'all are using to accomplish user removal in Ventura? I've been using the script below which removes the user accounts via "sysadminctl -deleteUser [username]", but sometimes it doesn't catch all the users.

#!/bin/bash



# Loop through users with homes in /Users; use grep to exclude any accounts you don't want removed (i.e. local admin and current user if policy runs while someone is logged in)



#Catch any users who had their profiles saved when their account was deleted

rm -rf "/Users/Deleted Users"



#shared is /Users/Shared, calmin is local admin account

for username in `ls /Users | grep -v Shared | grep -v calmin`

do

    if [[ $username == `ls -l /dev/console | awk '{print $3}'` ]]; then

        echo "Skipping user: $username (current user)"

    else

        echo "Removing user: $username"



		sysadminctl -deleteUser $username

		sleep .5

		# Removes the user directory if for whatever reason sysadminctl doesn't catch it, or it's some rando folder without a user attached

        rm -rf /Users/$username

        echo "Removed user home folder: $username"

		

		# enable fdesetup line if you FileVault active

		# fdesetup remove -usertoremove $username



    fi

done

Page 1 / 1

I'd wager it has something to do with secure tokens which you cannot modify or delete with scripts. We reinstall macOS between users.

I should have mentioned this is in our computer labs, so reinstalling the OS after every user is not viable.

I'm trying to determine how to do this as well. Have you found something that works?

my strategy so far has been to use the script I posted above after manually cleaning off the users. It seems to miss a lot less with the sleep .5 I added. The downfall is that it pulls the user list from the folders in /users/ . I haven't found a way to list the users another way that would allow a more accurate list.

I'm trying to determine how to do this as well. Have you found something that works?

this is working for me:

#!/bin/bash



# Loop through users with accounts, but skipping admin and service accounts; use grep to exclude any accounts you don't want removed (i.e. local admin and current user if policy runs while someone is logged in)



for username in `dscl . list /Users | grep -v _ | grep -v Shared | grep -v LOCALADMINACCOUNTNAME | grep -v daemon | grep -v nobody | grep -v prey | grep -v root`

do

    if [[ $username == `ls -l /dev/console | awk '{print $3}'` ]]; then

        echo "Skipping user: $username (current user)"

    else

        echo "Removing user: $username"



		sysadminctl -deleteUser $username

		sleep .5

		# Removes the user directory if for whatever reason sysadminctl doesn't catch it, or it's some rando folder without a user attached

        rm -rf /Users/$username

        echo "Removed user home folder: $username"

		

		# enable fdesetup line if you FileVault active

		# fdesetup remove -usertoremove $username



    fi

    

#Catch any users who had their profiles saved when their account was deleted

rm -rf "/Users/Deleted Users"



done



#rerun the list to see if any users got skipped

dscl . list /Users | grep -v _

this is working for me:

#!/bin/bash



# Loop through users with accounts, but skipping admin and service accounts; use grep to exclude any accounts you don't want removed (i.e. local admin and current user if policy runs while someone is logged in)



for username in `dscl . list /Users | grep -v _ | grep -v Shared | grep -v LOCALADMINACCOUNTNAME | grep -v daemon | grep -v nobody | grep -v prey | grep -v root`

do

    if [[ $username == `ls -l /dev/console | awk '{print $3}'` ]]; then

        echo "Skipping user: $username (current user)"

    else

        echo "Removing user: $username"



		sysadminctl -deleteUser $username

		sleep .5

		# Removes the user directory if for whatever reason sysadminctl doesn't catch it, or it's some rando folder without a user attached

        rm -rf /Users/$username

        echo "Removed user home folder: $username"

		

		# enable fdesetup line if you FileVault active

		# fdesetup remove -usertoremove $username



    fi

    

#Catch any users who had their profiles saved when their account was deleted

rm -rf "/Users/Deleted Users"



done



#rerun the list to see if any users got skipped

dscl . list /Users | grep -v _

Hate to revive an old post, but what you mentioned is exactly what we're seeing. I tried your script and it was working great, but now the same thing has returned. Users account gets deleted (i don't see it on the machine), but when they return to the device and try to login, the device hangs at the login screen. The only way to fix it is to log into jamf, locate the device, go to the local account section on the inventory page, and remove the user from there.

has this issue returned for you, or is the above script still working?

I have not seen that issue. My issue of late has been that the script runs, but doesn't delete all the users not named via grep. to get around that, I set the policy to rerun on failure 3 times, and then added an "exit 1" to the end of the script so Jamf sees it as an error and reruns it a few minutes later. That has helped significantly.

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded