Posted on 11-03-2020 11:31 AM
I work for a large company and we want to add new admin accounts to all machines and delete the old ones but I keep getting the error "unable to delete user". Is there a way to delete this account without having to physically touch the computer? There are other admins on the computer and the account that I am trying to delete was the original admin account. Thanks!!
Posted on 11-03-2020 11:41 AM
The problem could be they are the only accounts with an admin token for FileVault. You could just remove the admin rights and make them standard accounts, using a script like below. The if statement lists the accounts that should keep admin rights.
#!/bin/sh
# Collect the current members of the local admin group; the cut drops the
# "GroupMembership: " prefix (17 characters) from dscl's output.
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
for user in $adminUsers
do
    # Accounts named here keep their admin rights; everyone else is demoted.
    if [ "$user" != "root" ] && [ "$user" != "Administrator" ] && [ "$user" != "jss_mgmt" ]
    then
        if dseditgroup -o edit -d "$user" -t user admin
        then
            echo "Removed user $user from admin group"
        fi
    else
        echo "Admin user $user left alone"
    fi
done
Posted on 11-03-2020 02:30 PM
Thank you for the response. Unfortunately I am still getting the "Unable to delete user" error when running the policy.
Posted on 11-03-2020 06:43 PM
How are you trying to do it? Can you show us what your policy does?
Posted on 11-04-2020 07:55 AM
This is how I am trying to do it. I used the previous comment's "dseditgroup" command to downgrade it to a standard account but I still get the "unable to delete account" error when running the policy
Posted on 11-04-2020 09:25 AM
I'd like to bump this - I have this exact issue on a single MacBook in our environment. Interestingly enough, I can log into that particular account that I am trying to delete.
Posted on 11-04-2020 10:58 AM
It sounds like you're trying to delete the only account that has Secure Token. Even if you're not using FileVault2, the OS won't allow you to do that. A good tool for diagnosing the issue is an extension attribute that lists all of the Secure Token users on the computer. By looking at that item in the computer's inventory record, you'll be able to tell in the dashboard whether you're trying to delete the only Secure Token account.
Posted on 11-05-2020 11:26 AM
I found the problem... The account I was trying to delete was the only account that had a Secure Token assigned to it. Once I assigned a Secure Token to another account I was able to delete the original one. I used the sysadminctl command to give another account a ST. Thank you for your help!
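The check described in the two posts above (is the account being deleted the only Secure Token holder?), written up as an added example that is not from this thread or from Jamf. It assumes macOS with sysadminctl and dscl; the parsing is kept in functions so it can be exercised on constructed sysadminctl output, and the final delete_if_safe step is only useful on a real Mac.

```shell
#!/bin/sh
# Added example: refuse to delete a local account while it is the only Secure Token
# holder, the condition behind the "unable to delete user" error in this thread.

# Classify one line of `sysadminctl -secureTokenStatus <user>` output (written to stderr).
# Prints ENABLED, DISABLED, or UNKNOWN.
token_state_from_line() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED ;;
        *"Secure token is DISABLED for user"*) echo DISABLED ;;
        *)                                     echo UNKNOWN ;;
    esac
}

# Read "user STATE" pairs from stdin and print how many users other than $1 hold a token.
other_token_holders() {
    target="$1"
    count=0
    while read -r user state; do
        if [ "$user" != "$target" ] && [ "$state" = "ENABLED" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Constructed sample (not real inventory data) reproducing the thread's situation:
# the original admin is the only token holder, so deleting it must be refused (prints 0).
sample_count_for_original_admin() {
    printf 'originaladmin ENABLED\nnewadmin DISABLED\njss_mgmt DISABLED\n' \
        | other_token_holders originaladmin
}

# Build the "user STATE" list from the live system (local users with UID >= 500).
live_token_list() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}' | while read -r user; do
        echo "$user $(token_state_from_line "$(sysadminctl -secureTokenStatus "$user" 2>&1)")"
    done
}

# Usage: delete_if_safe <account>. Grant a token to another admin first
# (sysadminctl -secureTokenOn ...) if this refuses.
delete_if_safe() {
    if [ "$(live_token_list | other_token_holders "$1")" -eq 0 ]; then
        echo "Refusing: $1 is the only Secure Token holder" >&2
        return 1
    fi
    sysadminctl -deleteUser "$1"
}
```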
Posted on 03-15-2022 01:15 PM
I have both users with the Secure Token and I am not able to delete the admin account.
Posted on 03-16-2022 04:49 AM
Are those users admin as well, though? Not sure it'll let you delete the only admin account on a device.