help and possible feature request, managing local users

Well, where to start....

My environment is huge. Over 50 buildings, over 30 servers over 6,000 clients with most of them being Macbooks. It is a hassle to manage at times. I am not in charge of everything nor am I management, so it puts me in a gray area at times when managing the client machines. We have local user accounts that have been created that I want gone, however I am not sure what the names of those user accounts are. We had a password leak and some users promoted their own accounts to admin, and I want to demote them. We have a naming convention that starts with their graduation year. So any user account under /Users that does not start with a number can be wiped, with one exception, the generic local account we created for local log ins just in case the network went down. That account is called student. I am trying to script something that will scan /Users and wipe out anything that does not start with a number. I got some help from a bit more advanced shell scripter than myself and came up with this so far:

#! /bin/sh

keep="student"

cd /Users [[ $(pwd) != "/Users" ]] && echo warning cd failed && exit 2

for a in [^0-9]* ; do # only loop over names that doen't start with a number [[ "$a" == "$keep" ]] && continue # skip that extra local account /usr/bin/dscl . -delete /Users/$a # get rid of it echo 'removing user files'

/bin/rm -rf /Users/$a

done

I haven't had a lot of time to test it but it basically kills everything in /Users except those that start with a number. My next questions are, is there a Casper solution to this, and how can I demote local accounts with Casper from a local admin to a mobile or managed local user?

Thoughts?

Thanks for anyone brave enough to read this.

Tom

I don't believe there is a Casper way (other than scripting, adding the
script to the JSS and creating a policy) to do what you describe. In order
to delete an account using the accounts tab you need to know the short name
of the account.
The script you shared seems like the way to go. You'll still need to demote
any unauthorized admins. You can adapt your script to do that. I believe the operative bit will be:

dscl . delete /Groups/admin GroupMembership <shortname>

You can loop through /Users, as in your script. It is possible that someone
may have been smart enough to move their home directory, so I might want to
look into looping through the local directory service instead of the /Users
folder.

Change $keep to your local admin account, and remove the numbered account
exclusion since you want to catch "08jdoe" if it is an admin account.

As far as not being the boss, I think most of us are in or have been in that
situation. I suggest getting to know the person/people who *are* the
bosses. Write up sensible policies and get the boss(es) to sign them. I
mean print them out and have them actually put a pen to paper. A policy
document signed by the CIO/Dean/Director/Boss holds more weight than you or
I do.

This also gives you a great, socially acceptable way out of confrontational
situations where users demand something out of scope. With such a signed
policy, you should be held to it as well, since the boss approved it. Then
when you're asked to violate it, you can simply say that you're not
authorized to grant the request. Provide them with a copy of the policy
document and tell them that this policy was enacted by "The Boss" (whomever
signed the document). If that doesn't stop them from trying to get you to
violate the policy, you can say something to the effect of "I understand,
technology should serve the goals of the organization. If you feel strongly
that an exception or change to the policy is required in this case, I can
schedule a time when we can meet with "The Boss" to discuss it." I've found
that most of the time, this ends the discussion.

----------
Miles A. Leacy IV

? Certified System Administrator 10.4
? Certified Technical Coordinator 10.5
? Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

OK, I was thinking about just changing the group membership back to
staff, but I guess deleting it from the admin group would probably be
the right move, since in OD they are already staff with their directory
UID and GID.

As for the policy thing, this is our second year in a 1:1 and yes there
are changes, but like many things in our government, there is a process. It is getting better, and next year will be even better because I have
learned a lot from my users. I have learned to never ever trust a
teenager with technology, hahahahahahaha.

I will do some tinkering, but it would be nice to maybe have some
flexibility with Casper on something like this. I think that large
educational deployments would love it, and probably most enterprise
business ones.

As for my local admin accounts, they all live in /private/var so I can
sudo rm -rf /Users/* all day and it wouldn't affect my local admin
accounts.