removing previously logged in user accounts from login screen

nadeen_n92
New Contributor II

Hello All,
I have a problem where previously logged in users are showing on the login screen on our lab computers. I have already deleted the users using a JAMF policy so they are not existing in the Users folder, however they are still showing on the login screen. Is there a plist that can be trashed for the login window ? or did someone face the same issue before? Note that these users are domain users not local users. Thanks!

14 REPLIES 14

oliverr
Contributor

Do you have FileVault enabled? If so then you will need to remove the crypto users.

fdesetup list
fdesetup remove -usertoremove <user>

oliverr
Contributor

...also which policy are you using to remove the user accounts?

nadeen_n92
New Contributor II

hi @oliverr thanks for your comment but no the machines are not encrypted and FileVault is not turned on..

nadeen_n92
New Contributor II

@oliverr to remove users i use a script that keeps admin accounts and then removes the rest from the users folde:

for home in $(ls /Users | grep -v Shared | grep -v root | grep -v Guest | grep -v student)
do rm -r /Users/$home
done

PaulHazelden
Contributor III

@nadeen.n92 All you are doing there is removing the Home folders. I believe you would need a dscl command to fully remove the user accounts. If you log in as admin and look in the System Preferences / Users and Groups you will see the accounts still exist.

sudo dscl . list /Users
Will show you the accounts.
sudo dscl . delete /Users/ACCOUNT
Will delete them. Put the Account name in place of ACCOUNT.

nadeen_n92
New Contributor II

@PaulHazelden thanks for your input. The problem is that the usernames differ from one computer to another since they are lab machines and many students log in to them. Is there a way to delete all accounts without admin accounts without specifying usernames?

PaulHazelden
Contributor III

The accounts should be the same as the home folder, so you should be able to use that as the attribute add it in to your for loop and use $home for the account name.
Unfortunately this will not work where you have already run your script and removed the homes. The dscl . list /Users will give them to you. But it then becomes fun to extract the ones you want from the list. But it is possible.

dscl . list /Users | grep -viE '(_|root)'

on my Mac will remove all the ones that list with underscore in the name, be warned the underscore could be anywhere in the name, and it gets rid of the root account.
If you put admin in there, that will find Admin, Administrator, Localadmin....
Simply add the exceptions to the list seperated with the | symbol. Test it in Terminal to see what it gives you.
Your script will end up a bit like this....

for home in $(dscl . list /Users | grep -viE '(_|root)')
do rm -r /Users/$home
dscl . delete /Users/$home
done

Dont take my word for it please test this out first.
It looks confusing, but /Users and the /Users in the dscl command are not exactly the same thing.

mschroder
Valued Contributor

Are you using network accounts, or how are the accounts created?

If it is just about the names showing up at the login window, what about using the settings 'Name and Password' for the 'Display login window as'?

chadlawson
Contributor
Contributor

I'll second what @nadeen.n92 and @PaulHazelden have said about the commands, but the basics are:

 sudo dscl . delete /Users/mac ## removes the user 'mac' from the local directory
 sudo rm -rf /Users/mac ## deletes the 'mac' users files

But, like @mschroder, I'd like to know how the users are created. If they are mobile accounts (cached network credentials), you could use a Configuration Profile with a Mobility payload to delete users after they have not been used for a period of time. This is what I've used for lab environments with my clients.

[edited: sure. the one time I don't click preview first is when I failed to properly quote code.]

nadeen_n92
New Contributor II

thanks @mschroder , @chadlawson , yes they are network mobile accounts. i have a config profile set to "0" which should delete the users accounts right upon logout. But the usernames are still appearing in the login window. It is really not presentable for a lab machine to see all previously logged in users when trying to login. I even made sure that my jamf login window settings are set to show "username and password field" and not "list of users". It is not applying properly for some reason..

chadlawson
Contributor
Contributor

A couple follow-up questions since I feel like we are getting closer:

  • You said the profile is set to 0 but the users are still showing up. Are they getting deleted but still showing up or or they not getting deleted? If it's the former, that's just odd, but I suspect it's the latter.
  • You said your profile to set to user and password fields isn't working. Do these machines have FileVault turned on? Because FileVault automatically changes back to a list of FileVault enabled users no matter what. Apple won't let us be FileVault protected AND have user/password fields.

If I'm right about both of these, you may have to script the process instead. FileVault enabled users may be except from deletion profiles or something.

nadeen_n92
New Contributor II

@PaulHazelden i want to try your script out but im confused about one thing.

"for home in $(dscl . list /Users | grep -viE '(_|root)')
do rm -r /Users/$home
dscl . delete /Users/$home
done"

if i wanted to keep admin accounts such as staffadmin, IT how would i make an exception for those?

PaulHazelden
Contributor III

Just add them in to the list in the brackets with | between them. I have put them in there for you, although with admin in there you do not really need to put staffadmin as it will already be got by the admin one.

for home in $(dscl . list /Users | grep -viE '(_|root|admin|staffadmin)')
do rm -r /Users/$home
dscl . delete /Users/$home
done

chadlawson
Contributor
Contributor

@nadeen.n92 , with JNUC fresh in mind, I wanted to check in and see if this worked for you.

I recently had a customer ask me to do something similar with his picking stations in his warehouse. All the users log in with a generic account, but despite rules they sometimes log into personal stuff which leaves cookies and files laying around that others might see. So he wanted me to have the accounts wipe out their home folders on logout so they would get re-created with the user template on the next login.

So I used a similar script (mine only needs to look for the generic account) to do so. But for Catalina I had to send out a PPPC configuration profile first to approve the script to delete user files. As far as I can tell with @PaulHazelden 's script, if you flip the "rm" and "dscl" lines there shouldn't be an issue if the user is deleted first.

For mine, the user will still exist, so I needed the PPPC to allow it.