Help

dscl delete + Mojave

Go to solution
zinkotheclown
Contributor II

Posted on ‎10-18-2018 01:30 PM

Does anyone know if dscl -delete still works in 10.14 (Mojave)? I have a script that converts a local user to a mobile one and it requires the local account be deleted so i script a "dscl . -delete /Users/username" but all I get is "delete: Invalid Path" and "<dscl_cmd>DS Error: -14009 (eDSUnknownNodeName)".

However I have found that "sysadminctl -deleteUser username -keepHome" does work in 10.14 except for the last user with a securetoken.

0 Kudos
Reply
1 ACCEPTED SOLUTION

Go to solution
sshort
Valued Contributor

Posted on ‎10-18-2018 02:10 PM

I've avoided dscl in Mojave and High Sierra, as it seems to strip secureToken from users that already have it when resetting a pw with that command. This has been working for me in Mojave:

sudo sysadminctl -adminUser AdminUserHere -adminPassword AdminPasswordHere -deleteUser UserToBeDeletedHere -keepHome

View solution in original post

Reply
5 REPLIES 5

Go to solution
jmariani
Contributor

Posted on ‎10-18-2018 01:51 PM

Just as a test...try granting /usr/sbin/cfprefsd full disk access in the new Privacy settings and then try running your scripts again.

0 Kudos
Reply

Go to solution
sshort
Valued Contributor

Posted on ‎10-18-2018 02:10 PM

I've avoided dscl in Mojave and High Sierra, as it seems to strip secureToken from users that already have it when resetting a pw with that command. This has been working for me in Mojave:

sudo sysadminctl -adminUser AdminUserHere -adminPassword AdminPasswordHere -deleteUser UserToBeDeletedHere -keepHome
Reply

Go to solution
Lotusshaney
Contributor II

Posted on ‎10-18-2018 11:18 PM

Dscl under Mojave has changed.

Deletes don’t work for everything. You cans update a UID or home location.

Reply

Go to solution
dstranathan
Valued Contributor II

Posted on ‎01-07-2020 10:20 AM

I agree with @Lotusshaney - The main reason I run dscl is to edit a user's homedir location and UID.

0 Kudos
Reply

Go to solution
alexjdale
Valued Contributor III

Posted on ‎01-07-2020 01:15 PM

Just to add to this (it was sorta mentioned in the first post), there are limitations on some user actions, designed to address the "what happens if no user has a Secure Token?" issue. In later versions of 10.14, you cannot do anything that would leave the system without a Secure Token user. That includes deleting the last Secure Token user or forcing a password change for that user. It was a half-hearted effort to solve the problem, without actually solving it.

I'm curious what would happen in a DEP scenario where the only Secure Token user is the primary user, who happens to be a mobile user, if that user changed their password at the directory and tried to log in with it. Would they be able to log in, but not sync their local password? Or would they just be unable to log in at all?

0 Kudos
Reply