removing user accounts in Ventura

cgeorge
New Contributor III

Pre-Ventura, I've been using a couple of different scripts to delete users' folders via a Jamf policy. It's worth noting this script only deleted the folder, but did not delete the user account with the OS. When a user with a deleted folder would log in again, their user folder would be recreated as a default user folder and they'd go on their merry way.

With Ventura, the script will delete the user folder, but when the user tries to log in again, the computer will hang. Testing has shown the problem is the lingering user account. If I manually delete the account, login works normally for them.

I'm curious what scripts y'all are using to accomplish user removal in Ventura? I've been using the script below which removes the user accounts via "sysadminctl -deleteUser [username]", but sometimes it doesn't catch all the users.

#!/bin/bash

# Loop through users with homes in /Users; use grep to exclude any accounts you don't want removed (i.e. local admin and current user if policy runs while someone is logged in)

# Catch any users who had their profiles saved when their account was deleted
rm -rf "/Users/Deleted Users"

# Shared is /Users/Shared, calmin is the local admin account
console_user=$(ls -l /dev/console | awk '{print $3}')

for username in $(ls /Users | grep -v Shared | grep -v calmin)
do
    if [[ "$username" == "$console_user" ]]; then
        echo "Skipping user: $username (current user)"
    else
        echo "Removing user: $username"

        sysadminctl -deleteUser "$username"
        sleep 0.5
        # Removes the user directory if for whatever reason sysadminctl doesn't catch it, or it's some rando folder without a user attached
        rm -rf "/Users/$username"
        echo "Removed user home folder: $username"

        # Enable the fdesetup line if you have FileVault active
        # fdesetup remove -usertoremove "$username"
    fi
done

7 REPLIES

AJPinto
Honored Contributor III

I'd wager it has something to do with secure tokens which you cannot modify or delete with scripts. We reinstall macOS between users.

cgeorge
New Contributor III

I should have mentioned this is in our computer labs, so reinstalling the OS after every user is not viable.

demuthp
New Contributor II

I'm trying to determine how to do this as well. Have you found something that works?

cgeorge
New Contributor III

My strategy so far has been to use the script I posted above after manually cleaning off the users. It seems to miss a lot less with the sleep .5 I added. The downfall is that it pulls the user list from the folders in /Users/. I haven't found a way to list the users another way that would allow a more accurate list.

cgeorge
New Contributor III

This is working for me:

#!/bin/bash

# Loop through users with accounts, but skipping admin and service accounts; use grep to exclude any accounts you don't want removed (i.e. local admin and current user if policy runs while someone is logged in)

console_user=$(ls -l /dev/console | awk '{print $3}')

for username in $(dscl . list /Users | grep -Ev '_|Shared|LOCALADMINACCOUNTNAME|daemon|nobody|prey|root')
do
    if [[ "$username" == "$console_user" ]]; then
        echo "Skipping user: $username (current user)"
    else
        echo "Removing user: $username"

        sysadminctl -deleteUser "$username"
        sleep 0.5
        # Removes the user directory if for whatever reason sysadminctl doesn't catch it, or it's some rando folder without a user attached
        rm -rf "/Users/$username"
        echo "Removed user home folder: $username"

        # Enable the fdesetup line if you have FileVault active
        # fdesetup remove -usertoremove "$username"
    fi
done

# Catch any users who had their profiles saved when their account was deleted
rm -rf "/Users/Deleted Users"

# Rerun the list to see if any users got skipped
dscl . list /Users | grep -v _

braillle
New Contributor III

Hate to revive an old post, but what you mentioned is exactly what we're seeing. I tried your script and it was working great, but now the same thing has returned. The user's account gets deleted (I don't see it on the machine), but when they return to the device and try to log in, the device hangs at the login screen. The only way to fix it is to log into Jamf, locate the device, go to the local account section on the inventory page, and remove the user from there.

Has this issue returned for you, or is the above script still working?

cgeorge
New Contributor III

I have not seen that issue. My issue of late has been that the script runs, but doesn't delete all the users not named via grep. To get around that, I set the policy to rerun on failure 3 times, and then added an "exit 1" to the end of the script so Jamf sees it as an error and reruns it a few minutes later. That has helped significantly.
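An added example, not cgeorge's script and not Jamf's code, that ties together the two points above: it builds the removal list from the directory service by UID (instead of the /Users folders or a hand-kept grep chain), skips the console user, and after the loop re-checks the list and exits 1 when accounts survived so a policy set to retry on failure reruns it. It assumes LOCALADMINACCOUNTNAME as a placeholder for the local admin account and that lab user accounts have UIDs of 501 and up.

```shell
#!/bin/bash
# Added example, not the script from the thread. Builds the removal list from
# dscl by UID instead of from folders in /Users, then re-checks and exits 1 if
# any target account survived so a Jamf policy set to retry reruns it.
# Assumptions: "LOCALADMINACCOUNTNAME" is a placeholder for the local admin
# account; lab user accounts have UIDs of 501 and up (macOS default).

KEEP_USERS="LOCALADMINACCOUNTNAME"   # space-separated account names never to remove
MIN_UID=501

# Read "name uid" lines (the format `dscl . list /Users UniqueID` prints) on
# stdin and print the names to remove: UID >= MIN_UID, not a _service account,
# not listed in KEEP_USERS, and not the user owning the console (passed as $1).
select_candidates() {
    console_user="$1"
    while read -r name uid; do
        [ -z "$name" ] && continue
        case "$name" in _*) continue ;; esac
        [ "$uid" -ge "$MIN_UID" ] 2>/dev/null || continue
        [ "$name" = "$console_user" ] && continue
        case " $KEEP_USERS " in *" $name "*) continue ;; esac
        echo "$name"
    done
}

# Delete one account; remove the home folder too if sysadminctl leaves it behind.
remove_account() {
    sysadminctl -deleteUser "$1" || echo "sysadminctl failed for $1"
    sleep 0.5
    rm -rf "/Users/$1"
}

main() {
    console_user=$(stat -f '%Su' /dev/console)
    for u in $(dscl . list /Users UniqueID | select_candidates "$console_user"); do
        echo "Removing user: $u"
        remove_account "$u"
    done
    rm -rf "/Users/Deleted Users"   # homes kept by "save home folder" deletions
    # Re-check: anything still in the candidate set means the policy must rerun.
    leftovers=$(dscl . list /Users UniqueID | select_candidates "$console_user")
    if [ -n "$leftovers" ]; then
        echo "Accounts still present, failing so the policy retries: $leftovers"
        exit 1
    fi
}

# The removal only makes sense on macOS; elsewhere just define the functions.
if [ "$(uname)" = "Darwin" ]; then main; fi
```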