Deleting Local User Folders Created by AD logins on a Schedule

GabeShack
Valued Contributor III

Hey all,
I'm trying to find a way to do some clean up either once a week or once a month with our AD networked users.

When logging in to a machine it creates a local user folder (but not a system user) from AD and I was wondering if there is an easy way to delete these user folders from time to time to reduce clutter. Any ideas?

Gabe Shackney
Instructional Technology Specialist
Princeton Public Schools

1 ACCEPTED SOLUTION

mscottblake
Valued Contributor

I run this script nightly to remove user directories on desktops, and on restart on laptops. Since there is a chance that a user is logging into the machine, I not only check at the beginning, but also throughout the loop just in case.

#!/bin/bash

# Loop through users with homes in /Users; exclude any accounts you don't want removed
# (i.e. local admin and current user if policy runs while someone is logged in).
# Exclusions are exact-name matches, so an account such as "localadmin2" is not
# skipped by accident the way it would be with "grep -v localadmin".

for homedir in /Users/*/; do
    username=$(basename "$homedir")

    case "$username" in
        localadmin|anotherlocaladmin|Shared) continue ;;
    esac

    # Re-check the console owner on every pass in case someone logs in mid-run
    if [[ "$username" == "$(ls -l /dev/console | awk '{print $3}')" ]]; then
        echo "Skipping user: $username (current user)"
    else
        echo "Removing user: $username"

        # Optional, removes the account record
        dscl . -delete "/Users/$username"

        # Removes the user directory
        rm -rf "/Users/$username"
    fi
done


15 REPLIES

CasperSally
Valued Contributor II

With Snow Leopard, you can use MCX for this. This is broken in Lion (I have a ticket in with Apple). They suggested I script it. If you search the boards, someone else posted a script for this here. Let me know if you can't find it.

jshipman
New Contributor III

I delete the home folders at logout to prevent clutter. So, when a user logs in it creates a mobile account for them, but at logout it deletes their home folder in /Users. Here is the script I use:

#!/bin/sh -f

# $1 is the username when this runs as a loginwindow logout hook; a Jamf policy
# passes the username in $3 instead, so adjust the variable below accordingly.
user="$1"

# Never run with an empty name: "rm -r /Users/" would wipe every home folder
if [ -n "$user" ] && [ "$user" != "localadmin" ] && [ "$user" != "root" ]
then rm -r "/Users/$user"
fi

I run it at logout through the JSS, but I'm not sure how to do it automatically every so often. I'm really sorry if this was no help :-)

Nix4Life
Valued Contributor

You should be able to create a cron job that will run the script.

jagress
New Contributor III

We do something similar (but also deleting mobile accounts and several other things) via script/policy once per day. It sounds like all you need is something like this that runs regularly (i.e. once per day or week):

#!/bin/sh

# Delete every home folder in /Users except the ones listed; names are matched
# exactly (grep -v would also skip any name that merely contains "localadmin")
for home in /Users/*/
do
    name=$(basename "$home")
    case "$name" in
        localadmin|Shared) continue ;;
    esac
    rm -rf "/Users/$name"
done

GabeShack
Valued Contributor III

jagress this script is just grabbing the AD created users and not the system users correct?

Gabe Shackney
Princeton Public Schools

jagress
New Contributor III

Not necessarily. It's all home folders in /Users except those specified by "grep -v name". I'm not sure what you mean by system users, but it sounds like you mean your local admin accounts; all you need to do is change "localadmin" in the example to the name of your admin account. If you have multiple accounts whose home folders you don't want deleted, then add those in with a pipe and another "grep -v name" - for example: grep -v account1 | grep -v account2 | grep -v account3. This may not be a perfect way to do this since you do have to explicitly define the accounts you don't want touched, but it does work and happens to be the way I like doing it in my environment.

ahyzhang
New Contributor

Hi, I am using the above script with Casper, but getting an exit code 126 error. Any suggestions? The script is as below:

#!/bin/sh

# Delete every home folder in /Users except the ones listed; names are matched
# exactly rather than by "grep -v" substring
for home in /Users/*/
do
    name=$(basename "$home")
    case "$name" in
        localadmin|Shared) continue ;;
    esac
    rm -rf "/Users/$name"
done

GabeShack
Valued Contributor III

So this script is working fine for me at this point, however I wanted to put in a command to not delete a user if he is currently logged in. Is this as easy as putting in a grep -v $3?

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

This looks like what I want! Thanks MsBlake. I'm just going to edit the grep to add a few extra account names we would like saved. Otherwise this looks perfect.

Gabe Shackney
Princeton Public Schools

gmarnin
New Contributor III

I agree with CasperSally. This was working nicely with MCX in 10.6 but broke in 10.7+.

I've been using this script with success:

#!/bin/bash

# This script works well for removing local accounts that are older than 1 day.
# Obviously the 1 day time frame can be modified (-mtime +1).

# Credit to http://groups.google.com/group/macenterprise/browse_thread/thread/e6ca6a75ef1bf40e/2e19da23e6cb2b27?lnk=gst&q=delete+accounts#2e19da23e6cb2b27

# Runs using Launch Daemon - /Library/LaunchDaemons/edu.org.deleteaccounts.plist
# version .7

DATE=$(date "+%Y-%m-%d %H:%M:%S")
LOG="/Library/Logs/deleted user accounts.log"

# Don't delete local accounts
keep1="/Users/admin_account_1"
keep2="/Users/admin_account_2"
keep3="/Users/Shared"
# The owner of /dev/console is the logged-in user; awk's $3 is more robust than
# "cut -d ' ' -f 4", which depends on how many spaces ls uses to pad its columns
currentuser=$(ls -l /dev/console | awk '{print $3}')
keep4="/Users/$currentuser"

# Home folders directly under /Users that have not been modified in the last day
# (-mindepth/-maxdepth placed first so the find expression is portable)
/usr/bin/find /Users -mindepth 1 -maxdepth 1 -type d -mtime +1 | while read -r a; do
    [[ "$a" == "$keep1" ]] && continue  # skip admin_account_1
    [[ "$a" == "$keep2" ]] && continue  # skip admin_account_2
    [[ "$a" == "$keep3" ]] && continue  # skip shared
    [[ "$a" == "$keep4" ]] && continue  # skip current user

    # Log results
    echo "${DATE} - Deleting account and home directory for $a" >> "$LOG"

    # Delete the account (the /Users/name path from find is also the dscl record path)
    /usr/bin/dscl . -delete "$a"

    # Delete the home directory
    /bin/rm -rf "$a"
done
exit 0

FastGM3
Contributor

Perfect timing for this post. I need to do some summer maintenance on our 10.8 AD bound computers as well. I'd like to delete all the AD student accounts and folders, however I have to be careful not to delete our AD "admin" user accounts.

It looks like Scott has a good solution for this but I'm not sure how to incorporate just AD admin users. The script seems to require a specific user to exclude. Also we make our AD admin users local admin as well so when they take the computers home they're still admin. So how does that come into play? Don't I technically have an AD admin user and local admin user by the same name?

Thanks for any help,
Chuck

mscottblake
Valued Contributor

@FastGM3: This should also skip the users in the group stored in the adminGrp variable at the top.

Untested

#!/bin/bash

adminGrp="admin"

# Loop through users with homes in /Users; exclude any accounts you don't want removed
# (i.e. local admins, admin group, and the current user if policy runs while someone is logged in).
# Exclusions are exact-name matches rather than "grep -v" substring matches.

for homedir in /Users/*/; do
    username=$(basename "$homedir")

    case "$username" in
        localadmin|anotherlocaladmin|Shared) continue ;;
    esac

    # dseditgroup prints "yes <user> is a member of <group>" or "no <user> is NOT a member of <group>"
    if [[ "$(dseditgroup -o checkmember -m "$username" "$adminGrp" 2>/dev/null | awk '{print $1}')" == "yes" ]]; then
        echo "Skipping user: $username (admin)"
    elif [[ "$username" == "$(ls -l /dev/console | awk '{print $3}')" ]]; then
        echo "Skipping user: $username (current user)"
    else
        echo "Removing user: $username"

        # Optional, removes the account record
        dscl . -delete "/Users/$username"

        # Removes the user directory
        rm -rf "/Users/$username"
    fi
done
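
One way to cover both of the questions raised in this thread (whether only the AD-created accounts get removed, and how to spare AD users who are also local admins) is to select accounts by where they came from rather than by folder name: mobile accounts cached from Active Directory carry an OriginalNodeName attribute, local accounts do not. This is an added example, not a script posted in this thread; it assumes the local admin group is named "admin", that dseditgroup answers "yes ..." for members as described above, and that the policy sets a DRY_RUN environment variable.

```shell
#!/bin/bash
# Added example, not a script from this thread: select only accounts cached from
# Active Directory. Mobile accounts carry an OriginalNodeName attribute that begins
# with "/Active Directory/"; local accounts never do, so local admins are never touched.
#
# filter_ad_accounts reads "<username> <OriginalNodeName>" lines on stdin (the format
# of `dscl . -list /Users OriginalNodeName`); $1 = console user to skip, $2.. = extra
# names to keep (exact matches). Prints removal candidates, one per line.
filter_ad_accounts() {
    local console_user="$1"; shift
    local keep=" $* "                      # space-padded for whole-word matching
    local user node
    while read -r user node; do
        case "$node" in
            "/Active Directory/"*) ;;      # cached AD (mobile) account: candidate
            *) continue ;;                 # local, LDAP or unknown origin: leave it
        esac
        [ "$user" = "$console_user" ] && continue
        case "$keep" in *" $user "*) continue ;; esac
        printf '%s\n' "$user"
    done
}

# Real run (macOS only). DRY_RUN=1, the default, only reports; set DRY_RUN=0 in the
# policy to delete. Assumes the local admin group is "admin" and that dseditgroup
# answers "yes ..." for members, as described in the thread.
remove_ad_accounts() {
    local console_user user
    console_user=$(stat -f '%Su' /dev/console)
    dscl . -list /Users OriginalNodeName |
        filter_ad_accounts "$console_user" localadmin anotherlocaladmin |
        while read -r user; do
            if dseditgroup -o checkmember -m "$user" admin 2>/dev/null | grep -q '^yes '; then
                echo "Skipping $user (member of admin)"; continue
            fi
            if [ "${DRY_RUN:-1}" != "0" ]; then
                echo "Would remove $user"; continue
            fi
            echo "Removing $user"
            dscl . -delete "/Users/$user"
            rm -rf "/Users/$user"
        done
}

# Only attempt the real run where the Directory Services tools exist.
if command -v dscl >/dev/null 2>&1; then
    remove_ad_accounts
fi
```

Run it once with the default DRY_RUN=1 from the policy and read the "Would remove" lines before switching to DRY_RUN=0.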

jcshofner
New Contributor III

How would I be able to run one of the given scripts at a specific time through jamf?