Posted on 10-04-2017 01:01 PM
I have noticed that when logged in as the root user I am unable to delete other users in the Users & Groups panel of System Preferences; the "-" minus sign is greyed out.
However, when logging in with an Admin account I can delete other users.
Tested a 10.12.5 system and I am able to log in as Root and delete other users.
Posted on 10-04-2017 02:38 PM
Seeing that grey-out in the 10.13 GUI as well. Appears to still work on the command line though.
Posted on 10-10-2017 12:34 PM
You also can't set the root account to auto log-in... I saw this in the beta, but had "other" issues to test and work on. Also, this is the third or fourth OS in a row where the root account had issues, and I was a little too upset to "open a ticket with Apple".
C
Posted on 12-04-2017 11:08 AM
@SGill What command are you using to delete from command line? Getting permission error when I try to delete an account using:
sudo /usr/bin/dscl . -delete "/Users/$user"
UPDATE: Using 10.13.1 btw
Posted on 12-04-2017 02:09 PM
I use this one to preserve local users and local admin accounts but clear out every network AD account (over ID 1000) more than 1 day old. Be sure to only run it on a Mac that is logged out and test first--your environment might/will vary of course:
#!/bin/sh
# Accounts in the local directory with a UniqueID above 1000 (network/AD accounts)
userList=`dscl . list /Users UniqueID | awk '$2 > 1000 {print $1}'`
echo "Deleting account and home directory for the following users..."
for a in $userList ; do
    # Home folders directly under /Users not modified for more than 1 day.
    # grep -x matches the whole path, so a short name cannot match a longer one.
    if find /Users -type d -maxdepth 1 -mindepth 1 -not -name "*.*" -mtime +1 | grep -x "/Users/$a"; then
        dscl . delete /Users/"$a" #delete the account
        rm -r /Users/"$a" #delete the home directory
    fi
done
Update: I just tested it on 10.13 High Sierra and it ran fine.
Posted on 12-05-2017 05:18 AM
@SGill Are those users admin users? We have a script we deploy to remove admin users that weren't created by us. In order for users to have admin rights, they have to go through extra security procedures and get a special AD account that only works on a specific machine. So I have the following code that I use to remove extra admin accounts, but in 10.13.1 it fails:
NOTE: Code has been scrubbed to remove names of accounts used to manage machines here...but you can figure out the rest:
#!/bin/bash
echo ""
echo "####################################################"
echo "## REMOVING EXTRA LOCAL ADMIN ACCOUNT"
echo "####################################################"
echo ""
# Members of the local admin group
admins=$(dscl . -read /Groups/admin GroupMembership | sed 's/GroupMembership: //')
for user in $admins; do
    # UniqueID is empty when the member has no local user record
    userID=$(dscl . -read "/Users/$user" UniqueID 2> /dev/null | sed 's/UniqueID: //')
    if [[ ! -z "$userID" ]]; then
        if [ "$userID" -gt 500 ] && [ "$userID" -le 10000 ]; then
            #delete the user account via dscl
            if [[ ! $user == "XXXXXXX" && ! $user == "YYYYYYYY" ]]; then
                echo "Found Extra account: $user"
                sudo /usr/bin/dscl . -delete "/Users/$user"
            fi
        fi
    fi
done
Also, it seems like admin accounts can't be removed via the minus button in Users and Groups either.
Posted on 12-05-2017 05:57 AM
What type of accounts are these? Are they Local or AD accounts? I had a similar experience and after opening a ticket with Apple confirmed that in my situation, it was acting as expected (the only "admin" account was a local account and it could delete AD accounts all day long, but the GUI couldn't delete the only local account, even if I signed in as root, but terminal). (See my post here.)
Posted on 12-05-2017 07:20 AM
@easyedc These accounts are local. Basically they are the account the tech crew used to image the machine. Once the machine is imaged, it runs the script to remove this local account. So does Apple have a method of deleting a local admin account? At best I was able to take the admin rights away, but that still requires a reboot.
Posted on 12-05-2017 07:48 AM
I just use the Directory Editor to delete local accounts.
Posted on 12-05-2017 07:56 AM
So are these users admins or standard users? The GUI will not allow you to remove a local admin user if it is the only local admin user.
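A dry-run planner for the admin cleanup discussed in this thread, added here as an example and not taken from any poster's script: it applies the same 500 < UID <= 10000 filter to constructed sample listings instead of live dscl output, and refuses a plan that would leave no allowlisted local admin. The function name, the allowlist argument and the sample accounts are assumptions.

```bash
#!/bin/sh
# Dry-run planner: lists which admin-group members a cleanup run would delete,
# without touching the directory. plan_admin_removals and SAMPLE_* are
# hypothetical names used only for this example.

# Constructed sample data, shaped like the output of:
#   dscl . -read /Groups/admin GroupMembership
#   dscl . -list /Users UniqueID
SAMPLE_ADMINS='GroupMembership: root mgmtadmin imagetech jdoe'
SAMPLE_UIDS='root 0
mgmtadmin 501
imagetech 502
jdoe 1234567
_www 70'

# plan_admin_removals ADMINS_LINE UID_LISTING KEEP_LIST
# Prints one account name per line that the cleanup would delete.
plan_admin_removals() {
    admins=${1#GroupMembership: }
    listing=$2
    keep=" $3 "
    candidates=""
    kept_local=0
    for user in $admins; do
        # Exact match on the name column; members without a local record get no UID
        uid=$(printf '%s\n' "$listing" | awk -v u="$user" '$1 == u {print $2}')
        [ -n "$uid" ] || continue
        # Same range as the script in the thread: 500 < UID <= 10000
        [ "$uid" -gt 500 ] && [ "$uid" -le 10000 ] || continue
        case "$keep" in
            *" $user "*) kept_local=$((kept_local + 1)) ;;
            *) candidates="$candidates $user" ;;
        esac
    done
    # Guard: refuse a plan in which no allowlisted local admin survives
    if [ "$kept_local" -eq 0 ] && [ -n "$candidates" ]; then
        echo "refusing: removal would leave no allowlisted local admin" >&2
        return 1
    fi
    for user in $candidates; do echo "$user"; done
}

# Plan for the sample data; a real run would pass live dscl output instead.
plan_admin_removals "$SAMPLE_ADMINS" "$SAMPLE_UIDS" "mgmtadmin"
```
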
Posted on 12-05-2017 05:26 PM
@roiegat all my user deletions are AD/network/non-admin users. I always preserve the 501 local admin user, so I may not be seeing some of the issues described...my results haven’t changed with 10.13 however, and the script still runs fine.
Posted on 12-07-2017 04:52 AM
@ooshnoo Is it possible to use command line to delete via the directory editor? Might have to go that route.