Posted on 02-29-2012 08:00 AM
Maybe this has been answered already and I just didn't use the right keyword. If so I apologize.
We have users that are creating local user accounts in order to help bypass some of our policies and grant themselves admin. Is there a way to prevent the users from doing this? Possibly disabling the user's preference pane?
Posted on 02-29-2012 08:09 AM
You'd have to disable the Accounts pane and Terminal, and put a firmware password on the box (to prevent Single-User mode), at the very least.
Posted on 03-01-2012 08:03 AM
You could have a login hook that detects any local accounts through a UID range (500 - 999) assuming your local management accounts for Casper and local administration are hidden and have a UID below 500. Network/portable accounts typically have a UID of 1,000 and greater.
You could custom build a policy that builds an array of local user accounts through that UID range and then deletes them. This would be to only complement what Jared has already mentioned. It is also not a preventative measure but rather a reactive one. Test this a ton as well, because every environment is different, and if you are deleting accounts you would also be deleting data.
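A reporting-only version of the UID-range check described above, added here as an example and not code from the thread or from Casper: it takes the output formats of `dscl . -list /Users UniqueID` and `dscl . -read /Groups/admin GroupMembership`, lists accounts in the 500-999 range and flags which are admins, using a constructed sample (account names made up for illustration) so it runs on any host.

```shell
#!/bin/sh
# Added example, not from the thread: report local accounts whose UID
# falls in the 500-999 range and flag those in the admin group.
# Reporting only; nothing is deleted.
# On a Mac the two inputs would come from:
#   dscl . -list /Users UniqueID
#   dscl . -read /Groups/admin GroupMembership
# The sample below is constructed (names are invented) so the script
# also runs on a non-Mac host.

SAMPLE_USERS='_amavisd               83
casperadmin           499
jsmith                501
rogue                 502
nobody                 -2
root                    0'
SAMPLE_ADMINS='GroupMembership: root casperadmin rogue'

# Print "name uid" for every account whose UID is within [lo, hi].
# Reads dscl-style "name uid" lines on stdin; negative UIDs are skipped.
users_in_uid_range() {
    awk -v lo="$1" -v hi="$2" \
        '$2 ~ /^[0-9]+$/ && $2 >= lo && $2 <= hi { print $1, $2 }'
}

# Print "name uid admin|standard" for each "name uid" line on stdin,
# using the GroupMembership line passed as $1.
mark_admins() {
    members=$(printf '%s' "$1" | sed 's/^GroupMembership: *//')
    while read -r name uid; do
        status=standard
        for m in $members; do
            [ "$m" = "$name" ] && status=admin
        done
        printf '%s %s %s\n' "$name" "$uid" "$status"
    done
}

# Full report: $1 = user listing, $2 = admin membership line,
# $3/$4 = UID bounds (default 500-999, as discussed in the thread).
report_local_accounts() {
    printf '%s\n' "$1" | users_in_uid_range "${3:-500}" "${4:-999}" | mark_admins "$2"
}

# Stand-alone run against the constructed sample.
report_local_accounts "$SAMPLE_USERS" "$SAMPLE_ADMINS"
```

Feed the real dscl output in place of the sample variables to get a list you can hand over for follow-up, rather than acting on it automatically.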
Posted on 03-01-2012 09:58 AM
If they have physical access to the box, and there's no whole disk encryption in place, anyone determined enough can become an admin.
With Jared's approach, if you remove the Accounts pane and Terminal.app, then set a firmware password, all those are rendered useless by pulling a stick of RAM, booting in single user mode, then dropping in account and group plists or just re-enabling the setup helper on next boot.
If you follow Tom's model, you're basically reporting on moving targets. I'd be very careful when considering deleting accounts and data.
Your best bet is to define decent reporting for yourself, then back it up with policy. If there are no institutional repercussions for such activity, then you're stuck. Hand over details of who's violated your policy, then revoke computer use (or something like that).
Posted on 03-01-2012 11:38 AM
For the record, I would highly recommend Jared's method over anything else. The method I mentioned isn't a good solution in a best practices sense, but could possibly be applicable in some rare cases.