Question

How to delete admin users using JAMF policies



I work for a large company and we want to add new admin accounts to all machines and delete the old ones but I keep getting the error "unable to delete user". Is there a way to delete this account without having to physically touch the computer? There are other admins on the computer and the account that I am trying to delete was the original admin account. Thanks!!

9 replies

geoff_widdowson

The problem could be that they are the only accounts with an admin token for FileVault. You could just remove the admin rights and make them standard accounts, using a script like the one below. The if statement lists the accounts whose admin rights you want to keep.

#!/bin/sh
# Members of the local admin group. dscl prints "GroupMembership: root Administrator ..."
# so strip the key and keep the space-separated names.
adminUsers=$(dscl . -read Groups/admin GroupMembership | sed 's/^GroupMembership: //')

for user in $adminUsers
do
    # Accounts listed here keep admin rights; every other member is demoted.
    if [ "$user" != "root" ] && [ "$user" != "Administrator" ] && [ "$user" != "jss_mgmt" ]
    then
        if dseditgroup -o edit -d "$user" -t user admin; then
            echo "Removed user $user from admin group"
        else
            echo "Failed to remove $user from admin group" >&2
        fi
    else
        echo "Admin user $user left alone"
    fi
done

Author (Contributor), November 3, 2020

Thank you for the response. Unfortunately, I am still getting the "Unable to delete user" error when running the policy.


Valued Contributor, November 4, 2020

How are you trying to do it? Can you show us what your policy does?


Author (Contributor), November 4, 2020

This is how I am trying to do it. I used the previous comment's "dseditgroup" command to downgrade it to a standard account, but I still get the "unable to delete account" error when running the policy.


New Contributor, November 4, 2020

I'd like to bump this - I have this exact issue on a single MacBook in our environment. Interestingly enough, I can log into that particular account that I am trying to delete.


Valued Contributor, November 4, 2020

It sounds like you're trying to delete the only account that has Secure Token. Even if you're not using FileVault2, the OS won't allow you to do that. A good tool for diagnosing the issue is an extension attribute that lists all of the Secure Token users on the computer. By looking at that item in the computer's inventory record, you'll be able to tell in the dashboard whether you're trying to delete the only Secure Token account.
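An extension attribute along the lines the reply describes, added here as an example (it is not code from this thread or from Jamf): it enumerates the real local accounts, asks sysadminctl about each one, and reports the Secure Token holders in the <result> format Jamf expects. It assumes macOS 10.13 or later, that the script runs as root, and that sysadminctl -secureTokenStatus writes "Secure token is ENABLED for user <name>" (or DISABLED) to stderr; the parsing helpers take plain text so they can be exercised on any host.

```shell
#!/bin/bash
# Added example, not the thread's code: Jamf extension attribute that lists
# every local user holding a Secure Token.
# Assumptions: macOS 10.13+, run as root, sysadminctl -secureTokenStatus
# reports "Secure token is ENABLED for user <name>" on stderr.

# Classify one sysadminctl -secureTokenStatus line as ENABLED, DISABLED or UNKNOWN.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Read "name uid" lines on stdin (the shape of `dscl . -list /Users UniqueID`)
# and print the names of real accounts: UID >= 500 and not a service account
# such as _mbsetupuser.
real_local_users() {
    awk '$2 >= 500 && $1 !~ /^_/ { print $1 }'
}

# Ask the OS about each real account and print the token holders, one per line.
list_secure_token_users() {
    dscl . -list /Users UniqueID | real_local_users | while read -r user; do
        state=$(secure_token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
        [ "$state" = ENABLED ] && echo "$user"
    done
}

# Extension attribute output. Only runs where sysadminctl exists (macOS);
# elsewhere the helper functions above remain usable on their own.
if command -v sysadminctl >/dev/null 2>&1; then
    holders=$(list_secure_token_users | tr '\n' ' ')
    echo "<result>${holders:-none}</result>"
fi
```

Upload it as a script-backed extension attribute with a string data type; after the next inventory update a computer whose only token holder is the account you are about to delete shows that single name, and a smart group on "Secure Token holders is <that account>" flags the Macs that will fail the deletion policy.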


Author (Contributor), November 5, 2020

I found the problem... The account I was trying to delete was the only account that had a secure token assigned to it. Once I assigned a secure token to another account, I was able to delete the original one. I used the sysadminctl command to give another account a ST. Thank you for your help!
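The sysadminctl sequence the author describes, written out as a policy script (an added example, not the author's own script): it checks that another admin will remain, grants a Secure Token to the replacement admin using the original admin's credentials, verifies the grant, and only then deletes the original account. It assumes the script runs as root from a Jamf policy and that the credentials arrive as script parameters $4 to $7 (a hypothetical layout; Jamf reserves $1 to $3 for mount point, computer name and user). Passwords passed this way are visible in the process list and in the policy log, so use a short-lived rotation account rather than a permanent one.

```shell
#!/bin/bash
# Added example, not the thread's code: Jamf policy script that hands a Secure
# Token to the replacement admin before deleting the original admin.
# Assumed (hypothetical) parameter layout:
#   $4 old admin name, $5 old admin password, $6 new admin name, $7 new admin password
# Caveat: passwords on the command line show up in `ps` and in the policy log.
OLD_ADMIN="${4:-}"; OLD_PASS="${5:-}"
NEW_ADMIN="${6:-}"; NEW_PASS="${7:-}"

# Given the output of `dscl . -read Groups/admin GroupMembership`, print the
# admin members other than the target user (root excluded), one per line.
other_admins() {    # $1 = dscl output, $2 = target user
    printf '%s\n' "$1" | sed 's/^GroupMembership: *//' | tr ' ' '\n' |
        grep -v -e '^root$' -e "^$2\$" -e '^$'
}

# Deleting is allowed only when at least one other admin remains afterwards.
deletion_allowed() {    # $1 = dscl output, $2 = target user
    [ -n "$(other_admins "$1" "$2")" ]
}

# ENABLED or DISABLED, taken from sysadminctl's stderr report.
token_state() {
    sysadminctl -secureTokenStatus "$1" 2>&1 | grep -o -E 'ENABLED|DISABLED'
}

# The macOS procedure; skipped on other hosts so the helpers stay reusable.
if command -v sysadminctl >/dev/null 2>&1; then
    if [ -z "$OLD_ADMIN" ] || [ -z "$OLD_PASS" ] || [ -z "$NEW_ADMIN" ] || [ -z "$NEW_PASS" ]; then
        echo "Parameters 4-7 (old/new admin name and password) are required" >&2; exit 1
    fi
    membership=$(dscl . -read Groups/admin GroupMembership)
    if ! deletion_allowed "$membership" "$OLD_ADMIN"; then
        echo "Refusing: $OLD_ADMIN is the only admin on this Mac" >&2; exit 1
    fi
    if [ "$(token_state "$NEW_ADMIN")" != ENABLED ]; then
        # An existing token holder (the old admin) must authorise the grant.
        sysadminctl -secureTokenOn "$NEW_ADMIN" -password "$NEW_PASS" \
            -adminUser "$OLD_ADMIN" -adminPassword "$OLD_PASS"
    fi
    if [ "$(token_state "$NEW_ADMIN")" != ENABLED ]; then
        echo "Secure Token grant to $NEW_ADMIN failed; keeping $OLD_ADMIN" >&2; exit 1
    fi
    # -secure wipes the home folder; use -keepHome instead to preserve it.
    sysadminctl -deleteUser "$OLD_ADMIN" -secure
    echo "Deleted $OLD_ADMIN; $NEW_ADMIN now holds a Secure Token"
fi
```

The two verification steps matter: the grant fails silently if the authorising account does not itself hold a token, and the deletion would then fail with the same "unable to delete user" error the thread is about. Follow the policy with an inventory update so the Secure Token extension attribute reflects the new holder.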


ejadadic (Contributor), March 15, 2022

I have both users with the secure token and I am not able to delete the admin account.


Valued Contributor, March 16, 2022

Are those users admins as well, though? Not sure it'll let you delete the only admin account on a device.

