I work for a large company and we want to add new admin accounts to all machines and delete the old ones but I keep getting the error "unable to delete user". Is there a way to delete this account without having to physically touch the computer? There are other admins on the computer and the account that I am trying to delete was the original admin account. Thanks!!
The problem could be that they are the only accounts with an admin token for FileVault. You could just remove the admin rights and make them standard accounts, using a script like the one below. The if statement lists the accounts whose admin rights you want to keep.
#!/bin/sh
# Members of the local admin group. dscl prints "GroupMembership: a b c",
# so cutting from column 18 drops the 17-character "GroupMembership: " prefix.
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
for user in $adminUsers
do
  # Accounts that must keep admin rights; everyone else is demoted.
  if [ "$user" != "root" ] && [ "$user" != "Administrator" ] && [ "$user" != "jss_mgmt" ]
  then
    if dseditgroup -o edit -d "$user" -t user admin
    then
      echo "Removed user $user from admin group"
    fi
  else
    echo "Admin user $user left alone"
  fi
done
This is how I am trying to do it. I used the previous comment's "dseditgroup" command to downgrade it to a standard account, but I still get the "unable to delete account" error when running the policy.
It sounds like you're trying to delete the only account that has a Secure Token. Even if you're not using FileVault 2, the OS won't allow you to do that. A good tool for diagnosing the issue is an extension attribute that lists all of the Secure Token users on the computer. By looking at that item in the computer's inventory record, you'll be able to tell in the dashboard whether you're trying to delete the only Secure Token account.
I found the problem... The account I was trying to delete was the only account that had a Secure Token assigned to it. Once I assigned a Secure Token to another account, I was able to delete the original one. I used the sysadminctl command to give another account a ST. Thank you for your help!
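The two steps the thread ends on (list who holds a Secure Token, then hand one to a second admin before deleting the original) as a single added example. This script is not from the original thread or from Jamf; it is written here to illustrate the check and the fix. It assumes: it runs as root from a Jamf policy, with the old admin's name and password and the new admin's name and password passed as script parameters 4 to 7 (hypothetical parameter layout); `sysadminctl -secureTokenStatus` reports on stderr in the form "Secure token is ENABLED for user <name>", which the parsing below keys on; and the sample status lines are constructed for the offline part. The pure functions run on any POSIX shell; the macOS commands only run when `sysadminctl` is present.

```shell
#!/bin/sh
# Added example: Secure Token check before deleting a local admin account.
# Not from the original thread. Assumptions are marked below.

# Classify one line of `sysadminctl -secureTokenStatus <user>` output
# (written to stderr on macOS) as ENABLED, DISABLED or UNKNOWN.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Input: lines of "<user> <state>". Output: the users whose state is ENABLED.
token_holders() {
    printf '%s\n' "$1" | awk '$2 == "ENABLED" { print $1 }'
}

# Return 0 if $1 may be deleted, 1 if $1 is the only Secure Token holder
# in the "<user> <state>" lines given as $2. Deleting the last holder is
# exactly what the OS refuses with "unable to delete user".
can_delete() {
    target=$1
    holders=$(token_holders "$2")
    count=$(printf '%s\n' "$holders" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 1 ] && [ "$holders" = "$target" ]; then
        return 1
    fi
    return 0
}

# --- macOS-only helpers (need root and sysadminctl) ---

# Emit "<user> <state>" for every local account with UID >= 500.
collect_states() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | while read -r u; do
        line=$(sysadminctl -secureTokenStatus "$u" 2>&1)
        echo "$u $(secure_token_state "$line")"
    done
}

# Grant a Secure Token to $1 (password $2) using an existing holder $3 (password $4).
# The existing holder must already have a token, which is why the old admin
# has to do the granting before it can be removed.
grant_token() {
    sysadminctl -secureTokenOn "$1" -password "$2" -adminUser "$3" -adminPassword "$4"
}

if [ "$(uname 2>/dev/null)" = "Darwin" ] && command -v sysadminctl >/dev/null 2>&1; then
    # Assumed Jamf script parameters: $4 old admin, $5 its password,
    # $6 new admin, $7 its password (Jamf reserves $1-$3).
    OLD_ADMIN=$4; OLD_PW=$5; NEW_ADMIN=$6; NEW_PW=$7
    states=$(collect_states)
    echo "Secure Token holders before: $(token_holders "$states" | tr '\n' ' ')"
    if ! can_delete "$OLD_ADMIN" "$states"; then
        echo "$OLD_ADMIN is the only Secure Token holder; granting one to $NEW_ADMIN first"
        grant_token "$NEW_ADMIN" "$NEW_PW" "$OLD_ADMIN" "$OLD_PW"
        states=$(collect_states)
    fi
    if can_delete "$OLD_ADMIN" "$states"; then
        # Either delete here or let the Jamf policy do it now that it will succeed.
        sysadminctl -deleteUser "$OLD_ADMIN" -secure
    else
        echo "Refusing to delete $OLD_ADMIN: still the only Secure Token holder" >&2
        exit 1
    fi
fi
```

Two caveats a practitioner will want: the `-adminUser`/`-adminPassword` pair must be an account that already holds a token (here, the old admin), so the grant has to happen while that account still exists; and passwords passed as script parameters are visible to anything that can read the process list on the machine, so scope the policy tightly and rotate the old admin's password beforehand.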