High Sierra Root user unable to delete other Users

Cornoir
Contributor II

I have noticed that when logged in as the root user I am unable to delete other users in the Users & Groups panel of System Preferences, the "-" minus sign is greyed out.
However logging in an Admin account I can delete other users.

Tested a 10.12.5 system and I am able to log in as Root and delete other users.


SGill
Contributor III

Seeing that grey-out in the 10.13 GUI as well. Appears to still work on the command line though.

gachowski
Valued Contributor II

You also can't set the root account to auto log-in... I saw this in the beta, but had "other" issues to test and work on.. Also this is the third or fourth OS in a row where the root account had issues and I was a little too upset to "open a ticket with Apple"

C

roiegat
Contributor III

@SGill What command are you using to delete from the command line? I get a permission error when I try to delete an account using:

sudo /usr/bin/dscl . -delete "/Users/$user"

UPDATE: Using 10.13.1 btw

SGill
Contributor III

I use this one to preserve local users and local admin accounts but clear out every network AD account (over ID 1000) more than 1 day old. Be sure to only run it on a Mac that is logged out, and test first--your environment might/will vary of course:

#!/bin/sh
# Collect every directory user whose UniqueID is above 1000 (network/AD accounts;
# local users and the local admin stay below that).
userList=`dscl . list /Users UniqueID | awk '$2 > 1000 {print $1}'`

echo "Deleting account and home directory for the following users..."

for a in $userList ; do
        # Only act when a home folder with exactly this name exists and has not
        # been modified for more than a day (-x matches the whole path, so
        # "bob" does not also match "bobby").
        find /Users -mindepth 1 -maxdepth 1 -type d -not -name "*.*" -mtime +1 | grep -x "/Users/$a"
        if [[ $? == 0 ]]; then
            dscl . delete /Users/"$a"  #delete the account
            rm -r /Users/"$a"  #delete the home directory
        fi
done

Update: I just tested it on 10.13 High Sierra and it ran fine.

roiegat
Contributor III

@SGill Are those users admin users? We have a script we deploy to remove admin users that weren't created by us. In order for users to have admin rights, they have to go through extra security procedures and get a special AD account that only works on a specific machine. So I have the following code that I use to remove extra admin accounts, but in 10.13.1 it fails:

NOTE: Code has been scrubbed to remove names of accounts used to manage machines here...but you can figure out the rest:

#!/bin/bash
echo ""
echo "####################################################"
echo "## REMOVING EXTRA LOCAL ADMIN ACCOUNT"
echo "####################################################"
echo ""
# Members of the local admin group, as a space-separated list
admins=$(dscl . -read /Groups/admin GroupMembership | sed 's/GroupMembership: //')
for user in $admins; do
    # Empty when the member has no local user record
    userID=$(dscl . -read "/Users/$user" UniqueID 2> /dev/null | sed 's/UniqueID: //')
    if [[ ! -z "$userID" ]]; then
        if [ "$userID" -gt 500 ] && [ "$userID" -le 10000 ]; then
            #delete the user account via dscl, except for the management accounts
            if [[ ! $user == "XXXXXXX" && ! $user == "YYYYYYYY" ]]; then
                echo "Found Extra account: $user"
                sudo /usr/bin/dscl . -delete "/Users/$user"
            fi
        fi
    fi
done

Also, it seems like admin accounts can't be removed via minus button in Users and Groups as well.
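An added example, not code from any poster in this thread: a version of the extra-admin cleanup that separates the decision from the dscl calls, so the selection logic can be tested with constructed data, and that refuses to delete anything unless one of the protected management accounts (placeholder names XXXXXXX and YYYYYYYY, assumed) actually exists locally, so a machine is never left without a usable local admin. Failed `dscl . -delete` calls are reported instead of ignored.

```shell
#!/bin/bash
# Added example (not code from this thread): remove admin-group members that are
# not in KEEP_ADMINS, but refuse to do anything unless at least one protected
# admin really exists locally, so the Mac is never left without a local admin.
KEEP_ADMINS="XXXXXXX YYYYYYYY"   # placeholder names for the management accounts

# uid_of USER UID_TABLE: look USER up in lines of "user uid"; prints nothing if absent.
uid_of() { printf '%s\n' "$2" | awk -v u="$1" '$1 == u { print $2; exit }'; }

# extra_admins MEMBERS UID_TABLE
#   MEMBERS   the GroupMembership value of /Groups/admin (space separated)
#   UID_TABLE lines of "user uid" built from each member's UniqueID
# Prints one deletable account per line; returns 2 (and prints nothing) when
# no protected admin is present locally.
extra_admins() {
    local members=$1 uid_table=$2 user uid keep_found=0
    for user in $members; do                      # pass 1: is a protected admin here?
        case " $KEEP_ADMINS " in *" $user "*)
            if [ -n "$(uid_of "$user" "$uid_table")" ]; then keep_found=1; fi ;;
        esac
    done
    [ "$keep_found" -eq 1 ] || return 2
    for user in $members; do                      # pass 2: list the deletable admins
        case " $KEEP_ADMINS " in *" $user "*) continue ;; esac
        uid=$(uid_of "$user" "$uid_table")
        [ -n "$uid" ] || continue                 # no local record (e.g. a network group)
        if [ "$uid" -gt 500 ] && [ "$uid" -le 10000 ]; then echo "$user"; fi
    done
}

# remove_extra_admins: gather the live data with dscl and delete. Run as root on macOS.
remove_extra_admins() {
    local members uid_table="" user uid list
    members=$(dscl . -read /Groups/admin GroupMembership | sed 's/GroupMembership: //')
    for user in $members; do
        uid=$(dscl . -read "/Users/$user" UniqueID 2>/dev/null | sed 's/UniqueID: //')
        if [ -n "$uid" ]; then uid_table=$(printf '%s\n%s %s' "$uid_table" "$user" "$uid"); fi
    done
    list=$(extra_admins "$members" "$uid_table") || { echo "No protected admin present; aborting." >&2; return 2; }
    for user in $list; do
        echo "Removing extra admin: $user"
        # Report a failure instead of moving on silently (10.13.1 returns a permission error here).
        dscl . -delete "/Users/$user" || echo "dscl could not delete $user (exit $?)" >&2
    done
}
```

Call `remove_extra_admins` from the script body to run it; `extra_admins` can be exercised on any system with a hand-built table.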

easyedc
Valued Contributor II

What type of accounts are these? Are they Local or AD accounts? I had a similar experience and after opening a ticket with Apple confirmed that in my situation, it was acting as expected (the only "admin" account was a local account and it could delete AD accounts all day long, but the GUI couldn't delete the only local account, even if I signed in as root, but terminal.) (see my post here)

roiegat
Contributor III

@easyedc These accounts are local. Basically they are the account the tech crew used to image the machine. Once the machine is imaged, it runs the script to remove this local account. So does Apple have a method of deleting a local admin account? At best I was able to remove the admin rights, but that still requires a reboot.

ooshnoo
Valued Contributor

I just use the Directory Editor to delete local accounts.

easyedc
Valued Contributor II

So are these users admins or standard users? The GUI will not allow you to remove a local admin user if it is the only local admin user.

SGill
Contributor III

@roiegat all my user deletions are AD/network/non-admin users. I always preserve the 501 local admin user, so I may not be seeing some of the issues described...my results haven’t changed with 10.13 however, and the script still runs fine.

roiegat
Contributor III

@ooshnoo Is it possible to use command line to delete via the directory editor? Might have to go that route.