Posted on 08-05-2020 09:52 PM
I have a problem where previously logged in users are showing on the login screen on our lab computers. I have already deleted the users using a JAMF policy so they are not existing in the Users folder, however they are still showing on the login screen. Is there a plist that can be trashed for the login window? Or did someone face the same issue before? Note that these users are domain users not local users. Thanks!
Posted on 08-06-2020 02:45 AM
Do you have FileVault enabled? If so then you will need to remove the crypto users.
fdesetup remove -user <user>
Posted on 08-06-2020 02:46 AM
...also which policy are you using to remove the user accounts?
Posted on 08-06-2020 02:59 AM
Hi @oliverr, thanks for your comment, but no, the machines are not encrypted and FileVault is not turned on.
Posted on 08-06-2020 03:05 AM
@oliverr To remove users I use a script that keeps admin accounts and then removes the rest from the Users folder:
for home in $(ls /Users | grep -v Shared | grep -v root | grep -v Guest | grep -v student)
do rm -r /Users/$home
done
Posted on 08-06-2020 05:36 AM
@nadeen.n92 All you are doing there is removing the Home folders. I believe you would need a dscl command to fully remove the user accounts. If you log in as admin and look in the System Preferences / Users and Groups you will see the accounts still exist.
sudo dscl . list /Users
Will show you the accounts.
sudo dscl . delete /Users/ACCOUNT
Will delete them. Put the Account name in place of ACCOUNT.
Posted on 08-06-2020 05:39 AM
@PaulHazelden thanks for your input. The problem is that the usernames differ from one computer to another since they are lab machines and many students log in to them. Is there a way to delete all accounts without admin accounts without specifying usernames?
Posted on 08-06-2020 06:01 AM
The accounts should be the same as the home folder, so you should be able to use that as the attribute: add it in to your for loop and use $home for the account name.
Unfortunately this will not work where you have already run your script and removed the homes. The dscl . list /Users will give them to you. But it then becomes fun to extract the ones you want from the list. But it is possible.
dscl . list /Users | grep -viE '(_|root)'
on my Mac will remove all the ones that list with underscore in the name, be warned the underscore could be anywhere in the name, and it gets rid of the root account.
If you put admin in there, that will find Admin, Administrator, Localadmin....
Simply add the exceptions to the list separated with the | symbol. Test it in Terminal to see what it gives you.
Your script will end up a bit like this....
for home in $(dscl . list /Users | grep -viE '(_|root)')
do
  rm -r /Users/$home
  dscl . delete /Users/$home
done
Don't take my word for it, please test this out first.
It looks confusing, but /Users and the /Users in the dscl command are not exactly the same thing.
Posted on 08-06-2020 08:16 AM
Are you using network accounts, or how are the accounts created?
If it is just about the names showing up at the login window, what about using the settings 'Name and Password' for the 'Display login window as'?
Posted on 08-13-2020 02:19 PM
I'll second what @nadeen.n92 and @PaulHazelden have said about the commands, but the basics are:
sudo dscl . delete /Users/mac ## removes the user 'mac' from the local directory
sudo rm -rf /Users/mac ## deletes the 'mac' users files
But, like @mschroder, I'd like to know how the users are created. If they are mobile accounts (cached network credentials), you could use a Configuration Profile with a Mobility payload to delete users after they have not been used for a period of time. This is what I've used for lab environments with my clients.
[edited: sure. the one time I don't click preview first is when I failed to properly quote code.]
Posted on 08-17-2020 07:35 AM
Thanks @mschroder, @chadlawson. Yes, they are network mobile accounts. I have a config profile set to "0" which should delete the user accounts right upon logout. But the usernames are still appearing in the login window. It is really not presentable for a lab machine to see all previously logged in users when trying to login. I even made sure that my Jamf login window settings are set to show "username and password field" and not "list of users". It is not applying properly for some reason.
Posted on 08-24-2020 01:34 PM
A couple follow-up questions since I feel like we are getting closer:
If I'm right about both of these, you may have to script the process instead. FileVault enabled users may be exempt from deletion profiles or something.
Posted on 08-27-2020 06:14 AM
@PaulHazelden I want to try your script out but I'm confused about one thing.
for home in $(dscl . list /Users | grep -viE '(_|root)')
do rm -r /Users/$home
dscl . delete /Users/$home
done
If I wanted to keep admin accounts such as staffadmin, IT, how would I make an exception for those?
Posted on 09-04-2020 05:14 AM
Just add them in to the list in the brackets with | between them. I have put them in there for you, although with admin in there you do not really need to put staffadmin as it will already be got by the admin one.
for home in $(dscl . list /Users | grep -viE '(_|root|admin|staffadmin)')
do
  rm -r /Users/$home
  dscl . delete /Users/$home
done
Posted on 10-01-2020 11:59 AM
@nadeen.n92 , with JNUC fresh in mind, I wanted to check in and see if this worked for you.
I recently had a customer ask me to do something similar with his picking stations in his warehouse. All the users log in with a generic account, but despite rules they sometimes log into personal stuff which leaves cookies and files laying around that others might see. So he wanted me to have the accounts wipe out their home folders on logout so they would get re-created with the user template on the next login.
So I used a similar script (mine only needs to look for the generic account) to do so. But for Catalina I had to send out a PPPC configuration profile first to approve the script to delete user files. As far as I can tell with @PaulHazelden 's script, if you flip the "rm" and "dscl" lines there shouldn't be an issue if the user is deleted first.
For mine, the user will still exist, so I needed the PPPC to allow it.
Posted on 01-18-2022 09:09 AM
I know this is a very old post, but I am curious what PPPC profile you used? I think this is where I am getting stuck while trying to do this.
Posted on 03-01-2022 12:05 PM
Here is what I came up with. Seems to be working. Please test before using... (I kept my account names in the script to see where to add in yours)
#!/bin/bash
for home in $(dscl . list /Users | grep -viE '(_|root|micro|basicuser|basicadminuser|jamf)')
do
  sysadminctl -deleteUser $home
done
exit 0
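An added example, not part of the thread and not any poster's script: the grep exclusions used above match substrings, so `admin` also spares any name that merely contains it and `_` skips names such as `my_student`. This variant selects accounts by an exact-name keep list plus UID 501 or higher, and only lists what it would delete unless run with `--delete`. The KEEP names, the sample listing and the function names are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread. KEEP holds placeholder names: edit for your site.
KEEP="root staffadmin IT jamf"

# Reads "shortname uid" lines on stdin (the format printed by
# `dscl . list /Users UniqueID`) and prints the names eligible for deletion:
# numeric UID >= 501 (skips system/service accounts) and not an exact KEEP entry.
select_deletable() {
  awk -v keep="$KEEP" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
    $2 ~ /^[0-9]+$/ && $2 >= 501 && !($1 in keepset) { print $1 }
  '
}

# Dry run unless called with --delete; sysadminctl removes record and home folder.
purge_accounts() {
  dscl . list /Users UniqueID | select_deletable | while read -r user; do
    if [ "$1" = "--delete" ]; then
      sysadminctl -deleteUser "$user"
    else
      echo "would delete: $user"
    fi
  done
}

# Constructed sample listing, used by demo() so the filter can be checked anywhere.
SAMPLE='_mbsetupuser 248
root 0
nobody -2
staffadmin 501
IT 502
administrator2 503
jsmith 1001
my_student 1002'

demo() { printf '%s\n' "$SAMPLE" | select_deletable | tr '\n' ' '; }

# Does nothing unless asked: --dry-run lists, --delete removes (macOS, as root).
case "${1:-}" in
  --dry-run|--delete) purge_accounts "$1" ;;
  --demo) demo; echo ;;
esac
```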
Posted on 05-07-2022 08:23 AM
Anyone know a script to show old inactive Local Accounts? Thanks!