I have a problem where previously logged in users are showing on the login screen on our lab computers. I have already deleted the users using a JAMF policy so they are not existing in the Users folder, however they are still showing on the login screen. Is there a plist that can be trashed for the login window? Or did someone face the same issue before? Note that these users are domain users, not local users. Thanks!
@nadeen.n92 All you are doing there is removing the Home folders. I believe you would need a dscl command to fully remove the user accounts. If you log in as admin and look in the System Preferences / Users and Groups you will see the accounts still exist.
sudo dscl . list /Users
Will show you the accounts.
sudo dscl . delete /Users/ACCOUNT
Will delete them. Put the Account name in place of ACCOUNT.
The accounts should be the same as the home folder, so you should be able to use that as the attribute, add it in to your for loop, and use $home for the account name.
Unfortunately this will not work where you have already run your script and removed the homes. The dscl . list /Users will give them to you. But it then becomes fun to extract the ones you want from the list. But it is possible.
dscl . list /Users | grep -viE '(_|root)'
on my Mac will remove all the ones that list with underscore in the name, be warned the underscore could be anywhere in the name, and it gets rid of the root account.
If you put admin in there, that will find Admin, Administrator, Localadmin....
Simply add the exceptions to the list separated with the | symbol. Test it in Terminal to see what it gives you.
Your script will end up a bit like this....
for home in $(dscl . list /Users | grep -viE '(_|root)')
do
    rm -r "/Users/$home"
    dscl . delete "/Users/$home"
done
Don't take my word for it, please test this out first.
It looks confusing, but /Users and the /Users in the dscl command are not exactly the same thing.
sudo dscl . delete /Users/mac   ## removes the user 'mac' from the local directory
sudo rm -rf /Users/mac          ## deletes the 'mac' user's files
But, like @mschroder, I'd like to know how the users are created. If they are mobile accounts (cached network credentials), you could use a Configuration Profile with a Mobility payload to delete users after they have not been used for a period of time. This is what I've used for lab environments with my clients.
[edited: sure. the one time I don't click preview first is when I failed to properly quote code.]
Thanks @mschroder, @chadlawson, yes they are network mobile accounts. I have a config profile set to "0" which should delete the user accounts right upon logout. But the usernames are still appearing in the login window. It is really not presentable for a lab machine to see all previously logged in users when trying to login. I even made sure that my jamf login window settings are set to show "username and password field" and not "list of users". It is not applying properly for some reason.
A couple follow-up questions since I feel like we are getting closer:
If I'm right about both of these, you may have to script the process instead. FileVault enabled users may be exempt from deletion profiles or something.
Just add them in to the list in the brackets with | between them. I have put them in there for you, although with admin in there you do not really need to put staffadmin as it will already be got by the admin one.
for home in $(dscl . list /Users | grep -viE '(_|root|admin|staffadmin)')
do
    rm -r "/Users/$home"
    dscl . delete "/Users/$home"
done
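An added example, not code from any poster in this thread: a dry-run-first variant of the loop above that selects accounts by UniqueID and exact name instead of a substring grep, so local entries such as daemon and nobody (which contain no underscore) and low-UID local admins are left alone. The KEEP list, the MIN_UID threshold and the APPLY switch are assumptions for illustration, as is the home folder living at /Users/<account name>.

```shell
#!/bin/sh
# Added example: remove cached mobile accounts from a lab Mac.
# Dry run by default; set APPLY=1 to actually delete.

# Accounts that must never be removed, matched by exact name (assumed list).
KEEP="root admin staffadmin"
# Assumption: network mobile accounts have a UniqueID at or above this value,
# while built-in and local accounts sit below it.
MIN_UID=1000

# Reads "name uid" pairs on stdin and prints the names eligible for removal.
select_accounts() {
    while read -r name uid; do
        case "$name" in ""|_*) continue ;; esac           # system accounts start with _
        case "$uid" in ""|*[!0-9]*) continue ;; esac      # skips negative or missing UIDs
        [ "$uid" -ge "$MIN_UID" ] || continue             # skips daemon, root, local users
        case " $KEEP " in *" $name "*) continue ;; esac   # exact match, not substring
        printf '%s\n' "$name"
    done
}

# Deletes the directory record first, then the home folder.
remove_account() {
    if [ "${APPLY:-0}" = "1" ]; then
        dscl . delete "/Users/$1"
        rm -rf "/Users/${1:?}"    # ${1:?} aborts rather than expanding to /Users/
    else
        echo "would remove: $1"
    fi
}

# Only runs on a machine that has dscl (macOS); run with sudo when APPLY=1.
if command -v dscl >/dev/null 2>&1; then
    dscl . list /Users UniqueID | select_accounts | while read -r acct; do
        remove_account "$acct"
    done
fi
```

Run it once without APPLY set and check the "would remove" list against the login window before letting it delete anything.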
@nadeen.n92, with JNUC fresh in mind, I wanted to check in and see if this worked for you.
I recently had a customer ask me to do something similar with his picking stations in his warehouse. All the users log in with a generic account, but despite rules they sometimes log into personal stuff which leaves cookies and files laying around that others might see. So he wanted me to have the accounts wipe out their home folders on logout so they would get re-created with the user template on the next login.
So I used a similar script (mine only needs to look for the generic account) to do so. But for Catalina I had to send out a PPPC configuration profile first to approve the script to delete user files. As far as I can tell with @PaulHazelden's script, if you flip the "rm" and "dscl" lines there shouldn't be an issue if the user is deleted first.
For mine, the user will still exist, so I needed the PPPC to allow it.