Solved

dscl delete + Mojave

  • October 18, 2018
  • 5 replies
  • 38 views


Does anyone know if dscl -delete still works in 10.14 (Mojave)? I have a script that converts a local user to a mobile one and it requires the local account be deleted, so I script "dscl . -delete /Users/username", but all I get is "delete: Invalid Path" and "<dscl_cmd>DS Error: -14009 (eDSUnknownNodeName)".

However I have found that "sysadminctl -deleteUser username -keepHome" does work in 10.14 except for the last user with a securetoken.

5 replies

  • Contributor
  • October 18, 2018

Just as a test: try granting /usr/sbin/cfprefsd Full Disk Access in the new Privacy settings and then try running your scripts again.


sshort
  • Valued Contributor
  • Answer
  • October 18, 2018

I've avoided dscl in Mojave and High Sierra, as it seems to strip secureToken from users that already have it when resetting a pw with that command. This has been working for me in Mojave:

sudo sysadminctl -adminUser AdminUserHere -adminPassword AdminPasswordHere -deleteUser UserToBeDeletedHere -keepHome

Lotusshaney
  • Contributor
  • October 19, 2018

Dscl under Mojave has changed.

Deletes don't work for everything. You can update a UID or home location.


dstranathan
  • Valued Contributor
  • January 7, 2020

I agree with @Lotusshaney - The main reason I run dscl is to edit a user's homedir location and UID.
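The two edits the last two replies say dscl still handles on Mojave, changing a local user's UniqueID and NFSHomeDirectory, as an added example that is not part of the thread. It assumes that `dscl . -read /Users/<name> <attr>` prints "<attr>: <value>" and that `dscl . -list /Users UniqueID` prints "<name> <uid>" lines; the function names are mine. The plan is generated as a pure function so it can be reviewed before anything is run, and ownership of the home is changed after the UID, which is the step that gets forgotten and locks the user out of their own files.

```shell
#!/bin/bash
# Added example, not from the thread: move a local user's UniqueID and
# NFSHomeDirectory with dscl, which still works on 10.14 where -delete does not.
# Assumptions: `dscl . -read /Users/<name> <attr>` prints "<attr>: <value>",
# `dscl . -list /Users UniqueID` prints "<name> <uid>", and paths contain no spaces.

# Value of one attribute from `dscl -read` output ("UniqueID: 501" -> 501).
dscl_value() {
  printf '%s\n' "$2" | awk -v a="$1:" '$1 == a { print $2; exit }'
}

# Return 0 if UID $1 is already taken in the "<name> <uid>" lines of $2, else 1.
uid_in_use() {
  printf '%s\n' "$2" | awk -v u="$1" 'BEGIN { r = 1 } $2 == u { r = 0 } END { exit r }'
}

# Emit, one per line, the commands that move USER from OLD_UID/OLD_HOME to
# NEW_UID/NEW_HOME. dscl -change wants the old value as well as the new one.
# The chown is mandatory: files stay owned by the numeric old UID otherwise.
rehome_plan() {
  local user="$1" old_uid="$2" old_home="$3" new_uid="$4" new_home="$5"
  printf 'dscl . -change /Users/%s UniqueID %s %s\n' "$user" "$old_uid" "$new_uid"
  if [ "$old_home" != "$new_home" ]; then
    printf 'dscl . -change /Users/%s NFSHomeDirectory %s %s\n' "$user" "$old_home" "$new_home"
    printf 'mv %s %s\n' "$old_home" "$new_home"
  fi
  printf 'chown -R %s %s\n' "$new_uid" "$new_home"
}

# Live wrapper (root on macOS): read the current values, refuse a UID that is
# already assigned to another account, then run the plan step by step.
rehome_user() {
  local user="$1" new_uid="$2" new_home="$3" old_uid old_home
  old_uid=$(dscl_value UniqueID "$(dscl . -read "/Users/$user" UniqueID)")
  old_home=$(dscl_value NFSHomeDirectory "$(dscl . -read "/Users/$user" NFSHomeDirectory)")
  if [ -z "$old_uid" ] || [ -z "$old_home" ]; then
    echo "refuse: could not read /Users/$user" >&2; return 1
  fi
  if [ "$old_uid" != "$new_uid" ] && uid_in_use "$new_uid" "$(dscl . -list /Users UniqueID)"; then
    echo "refuse: UID $new_uid is already in use" >&2; return 1
  fi
  rehome_plan "$user" "$old_uid" "$old_home" "$new_uid" "$new_home" |
    while IFS= read -r cmd; do
      echo "+ $cmd"
      eval "$cmd" || exit 1   # stop at the first failing step
    done
}

# Usage (root on macOS):  rehome_user jdoe 1042 /Users/jdoe.local
```

Print the plan first (`rehome_plan jdoe 502 /Users/jdoe 1042 /Users/jdoe.local`) and read it before calling the live wrapper; a wrong old value makes `dscl -change` fail harmlessly, but a wrong chown target does not.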


  • Contributor
  • January 7, 2020

Just to add to this (it was sorta mentioned in the first post), there are limitations on some user actions, designed to address the "what happens if no user has a Secure Token?" issue. In later versions of 10.14, you cannot do anything that would leave the system without a Secure Token user. That includes deleting the last Secure Token user or forcing a password change for that user. It was a half-hearted effort to solve the problem, without actually solving it.

I'm curious what would happen in a DEP scenario where the only Secure Token user is the primary user, who happens to be a mobile user, if that user changed their password at the directory and tried to log in with it. Would they be able to log in, but not sync their local password? Or would they just be unable to log in at all?
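Putting the thread together, as an added example that is not part of any post: the OP's deletion step done with sysadminctl as in sshort's answer, plus the check the last reply describes, refusing to remove an account when it is the only SecureToken holder, so the script fails clearly instead of tripping over the 10.14 restriction. It assumes that `sysadminctl -secureTokenStatus <user>` writes a line containing "Secure token is ENABLED for user <name>" (or DISABLED) to stderr, and that real local accounts are the ones `dscl . -list /Users UniqueID` reports with UID 500 or above; the function names are mine.

```shell
#!/bin/bash
# Added example, not from the thread: delete a local account on 10.14 with
# sysadminctl -keepHome, refusing to delete the last SecureToken holder.
# Assumptions: `sysadminctl -secureTokenStatus <user>` prints a line containing
# "Secure token is ENABLED|DISABLED for user <name>" on stderr, and
# `dscl . -list /Users UniqueID` prints "<name> <uid>" with local users >= 500.

# Reduce one sysadminctl -secureTokenStatus output to ENABLED/DISABLED/UNKNOWN.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Live query; stderr is merged because that is where sysadminctl writes it.
secure_token_status() {
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Names of real local users (UID >= 500) from "<name> <uid>" lines.
local_users_from_list() {
  printf '%s\n' "$1" | awk 'NF == 2 && $2 >= 500 { print $1 }'
}

# Decide whether TARGET may be deleted, given "<name> <STATUS>" lines.
# Returns 1 (with a reason) when the deletion would leave no token holder,
# which is exactly what 10.14 blocks and what the OP saw with the last user.
can_delete() {
  local target="$1" statuses="$2" target_status enabled
  target_status=$(printf '%s\n' "$statuses" | awk -v u="$target" '$1 == u { print $2; exit }')
  enabled=$(printf '%s\n' "$statuses" | awk '$2 == "ENABLED" { n++ } END { print n + 0 }')
  if [ -z "$target_status" ]; then
    echo "refuse: $target is not a local user"; return 1
  fi
  if [ "$target_status" = UNKNOWN ]; then
    echo "refuse: could not read SecureToken status for $target"; return 1
  fi
  if [ "$target_status" = ENABLED ] && [ "$enabled" -le 1 ]; then
    echo "refuse: $target is the last SecureToken holder"; return 1
  fi
  echo "ok: $target may be deleted ($enabled token holder(s) present)"
}

# Live wrapper (root on macOS): build the status table, then delete if safe.
# -keepHome leaves /Users/<target> in place for the mobile account to reuse.
delete_local_user() {
  local admin="$1" admin_pw="$2" target="$3" statuses="" u
  for u in $(local_users_from_list "$(dscl . -list /Users UniqueID)"); do
    statuses=$(printf '%s%s %s\n' "$statuses" "$u" "$(secure_token_status "$u")")
  done
  can_delete "$target" "$statuses" || return 1
  sysadminctl -adminUser "$admin" -adminPassword "$admin_pw" \
              -deleteUser "$target" -keepHome
}

# Usage (root on macOS):  delete_local_user adminuser 'adminpw' jdoe
```

Two practical notes. The admin password on the command line is visible to every process via `ps` for as long as sysadminctl runs, so in anything beyond a one-off prefer `-adminPassword -`, which makes sysadminctl prompt instead. And the refusal above only mirrors what the OS enforces; the fix for the "last token holder" case is to grant a token to the admin account first, not to find a way around the check.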