Destroy managed mobile user accounts

Sean_M_Harper
Contributor

Currently I run the following script to destroy the managed mobile user accounts left behind on machines (such as in my LMC computer labs). It appears to work, but the script (when run via Remote) claims to fail. I have listed the log below the actual script.

Is there something I am missing, or perhaps a better way to write this script? Any help would be great!

Script:

```bash
# Two leftover lines sit above the shebang; the first has no record path
# after /Users/ and is what produces the first "Invalid Path" error in the log.
dscl . -delete /Users/
dscl . list /Users | grep -v "_"

#!/bin/bash

# Every home directory except Shared
UserList=`/bin/ls /Users | /usr/bin/grep -v "Shared"`

for u in $UserList ; do
  # Skip any account that appears in the admin group's membership list
  if [[ `/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/grep $u -c` == 1 ]]
  then
    /bin/echo "Admin account detected skipping..."
  else
    # Remove the local directory record, then the home folder
    /usr/bin/dscl . delete /Users/$u && /bin/rm -rf /Users/$u
  fi
done
```

Log (example):

```
/usr/sbin/jamf is version 8.61
Executing Policy 2013-02-22 at 4:06 PM | amccutchan | 1 Computer...
Mounting afp://10.5.10.33/CasperShare to /Volumes/CasperShare...
Running script mobile_users_destroy.sh...
Script exit code: 185
Script result: <dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
admin
daemon
harpese
macports
nobody
rhackbarth
root
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
Admin account detected skipping...
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
Admin account detected skipping...
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
Unmounting file server...
```

Fveja
New Contributor III

Hi Sean,

Casper Remote looks for the word "error" in the output of the script and thinks that there was an error in your script if it finds it. Some of the calls to dscl in your script output errors similar to

```
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
```

To fix this, for each line that might produce an error, or even for commands that you do not care what they display, simply throw away their output by piping it to /dev/null, similar to

```bash
dscl . list /Users | grep -v "_" > /dev/null 2>&1
```

This takes the standard output and the standard error and throws them away; this way Casper Remote never sees the word "error".

See `man sh` for more info on piping.

Casper Remote will also check the exit code of your script. Exit codes other than 0 are considered an error. In your example log, Casper Remote sees your exit code as 185. To fix this, use

```bash
exit 0
```

at the end of your script, to signal to Casper a successful run.

Hope this helps.

Florin
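The fixes Florin describes, folded into the poster's loop as an added example (this is not code from the original thread): dscl's error text is discarded and its exit status checked instead, the admin check becomes a whole-word match, and the run ends with an explicit exit 0. It assumes macOS paths (/usr/bin/dscl, /Users) and that Casper runs the script as root; the function names are mine.

```shell
#!/bin/sh
# Added example, not the original poster's script: the same cleanup loop
# reworked so Casper Remote does not flag it. dscl's stderr goes to
# /dev/null, admin membership is matched on whole words, and the run ends
# with an explicit exit 0. Assumes macOS paths (/usr/bin/dscl, /Users).

# True (0) when $1 is one of the whitespace-separated names in $2.
# "dscl . read /Groups/admin GroupMembership" prints
# "GroupMembership: root admin ...", so whole-word matching is used;
# the original "grep $u -c" would also match "admin" for a user "adm".
is_admin_member() {
    user="$1"; members="$2"
    for m in $members; do
        [ "$m" = "$user" ] && return 0
    done
    return 1
}

# Filter home directory names ($1, one per line) against the admin
# membership string ($2); print only the accounts that may be removed.
accounts_to_remove() {
    list="$1"; members="$2"
    for u in $list; do
        case "$u" in
            Shared) continue ;;            # never touch the shared folder
        esac
        is_admin_member "$u" "$members" && continue
        printf '%s\n' "$u"
    done
}

# The destructive part; only runs where dscl exists (i.e. on a Mac).
purge_mobile_accounts() {
    members=$(/usr/bin/dscl . read /Groups/admin GroupMembership 2>/dev/null)
    for u in $(accounts_to_remove "$(/bin/ls /Users)" "$members"); do
        # Silence dscl so the word "error" never reaches the policy log;
        # rely on its exit status instead.
        if /usr/bin/dscl . delete "/Users/$u" >/dev/null 2>&1; then
            /bin/rm -rf "/Users/$u"
            /bin/echo "Removed $u"
        else
            /bin/echo "Could not remove $u, home left in place"
        fi
    done
}

if [ -x /usr/bin/dscl ] && [ "$(id -u)" -eq 0 ]; then   # Casper runs as root
    purge_mobile_accounts
    exit 0   # Casper treats any non-zero exit code as failure
fi
```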

blackholemac
Valued Contributor III

For what it's worth, I'll share the way I do it...for 10.7-10.8 machines, I wrote an OS X Configuration Profile. You have the profile affect user and not computer, you go to the Mobility payload and then go to the "Account Expiry" tab.

For 10.6 machines, you have to use MCX to do the same thing...create a managed preference from template, go to com.apple.MCX and use the Mobile Account Time to Live setting. I have it scrub these every 9 weeks in my environment if it's worth anything, but you can set it to empty daily or even more frequently if you want. Hope it helps.