Posted on 06-19-2023 09:34 AM
Pre-Ventura, I've been using a couple of different scripts to delete users' folders via a Jamf policy. It's worth noting this script only deleted the folder, but did not delete the user account within the OS. When a user with a deleted folder would log in again, their user folder would be recreated as a default user folder and they'd go on their merry way.
With Ventura, the script will delete the user folder, but when the user tries to log in again, the computer will hang. Testing has shown the problem is the lingering user account. If I manually delete the account, login works normally for them.
I'm curious what scripts y'all are using to accomplish user removal in Ventura? I've been using the script below which removes the user accounts via "sysadminctl -deleteUser [username]", but sometimes it doesn't catch all the users.
#!/bin/bash
# Loop through users with homes in /Users; use grep to exclude any accounts you don't want removed (i.e. local admin and current user if policy runs while someone is logged in)
# Catch any users who had their profiles saved when their account was deleted
rm -rf "/Users/Deleted Users"
# Shared is /Users/Shared, calmin is the local admin account
# Owner of /dev/console is whoever is logged in at the GUI right now
console_user=$(ls -l /dev/console | awk '{print $3}')
for username in $(ls /Users | grep -v Shared | grep -v calmin)
do
    if [[ "$username" == "$console_user" ]]; then
        echo "Skipping user: $username (current user)"
    else
        echo "Removing user: $username"
        sysadminctl -deleteUser "$username"
        sleep .5
        # Removes the user directory if for whatever reason sysadminctl doesn't catch it, or it's some rando folder without a user attached
        rm -rf "/Users/$username"
        echo "Removed user home folder: $username"
        # Enable the fdesetup line if you have FileVault active
        # fdesetup remove -usertoremove "$username"
    fi
done
Posted on 06-20-2023 05:07 AM
I'd wager it has something to do with secure tokens which you cannot modify or delete with scripts. We reinstall macOS between users.
Posted on 06-20-2023 06:22 AM
I should have mentioned this is in our computer labs, so reinstalling the OS after every user is not viable.
Posted on 07-12-2023 11:18 AM
I'm trying to determine how to do this as well. Have you found something that works?
Posted on 07-13-2023 06:17 PM
My strategy so far has been to use the script I posted above after manually cleaning off the users. It seems to miss a lot less with the sleep .5 I added. The downfall is that it pulls the user list from the folders in /Users/. I haven't found a way to list the users another way that would allow a more accurate list.
Posted on 07-26-2023 07:53 AM
This is working for me:
#!/bin/bash
# Loop through users with accounts, but skipping admin and service accounts; use grep to exclude any accounts you don't want removed (i.e. local admin and current user if policy runs while someone is logged in)
# Note: each grep -v is a substring match, so "grep -v _" drops every name containing an underscore (the service accounts)
console_user=$(ls -l /dev/console | awk '{print $3}')
for username in $(dscl . list /Users | grep -v _ | grep -v Shared | grep -v LOCALADMINACCOUNTNAME | grep -v daemon | grep -v nobody | grep -v prey | grep -v root)
do
    if [[ "$username" == "$console_user" ]]; then
        echo "Skipping user: $username (current user)"
    else
        echo "Removing user: $username"
        sysadminctl -deleteUser "$username"
        sleep .5
        # Removes the user directory if for whatever reason sysadminctl doesn't catch it, or it's some rando folder without a user attached
        rm -rf "/Users/$username"
        echo "Removed user home folder: $username"
        # Enable the fdesetup line if you have FileVault active
        # fdesetup remove -usertoremove "$username"
    fi
done
# Catch any users who had their profiles saved when their account was deleted
rm -rf "/Users/Deleted Users"
# Rerun the list to see if any users got skipped
dscl . list /Users | grep -v _
Posted on 06-16-2024 12:26 PM
Hate to revive an old post, but what you mentioned is exactly what we're seeing. I tried your script and it was working great, but now the same thing has returned. The user's account gets deleted (I don't see it on the machine), but when they return to the device and try to log in, the device hangs at the login screen. The only way to fix it is to log into Jamf, locate the device, go to the local account section on the inventory page, and remove the user from there.
Has this issue returned for you, or is the above script still working?
Posted on 06-16-2024 05:22 PM
I have not seen that issue. My issue of late has been that the script runs, but doesn't delete all the users not named via grep. To get around that, I set the policy to rerun on failure 3 times, and then added an "exit 1" to the end of the script so Jamf sees it as an error and reruns it a few minutes later. That has helped significantly.
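Two things in this thread are worth tightening: the account list in the scripts above comes from folder names or from a chain of substring `grep -v` exclusions (so excluding "prey" also drops a student named "preyton", and excluding "_" drops any name with an underscore), and the "exit 1 so Jamf reruns it" trick fails the policy even when nothing was missed. The following is an added example, not code from anyone in this thread: it pulls "name uid" pairs from dscl, keeps only real accounts (UID 500 and up), matches the keep-list by whole name, skips the console user, and exits 1 only when candidates are still present after the deletion pass. KEEP_USERS, the DRY_RUN switch, and the "run" argument are my placeholders; the dscl, sysadminctl and stat invocations are the standard macOS ones and only execute when you pass "run".

```shell
#!/bin/bash
# Added example (not from any poster in this thread). Enumerate lab accounts by UID,
# delete with sysadminctl, and report a non-zero exit only if accounts remain.

# Exact-match keep list (placeholder names; replace with your local admin accounts).
KEEP_USERS="calmin labadmin"
# macOS assigns service/system accounts UIDs below 500; real users start at 500.
MIN_UID=500

# is_kept NAME -> success if NAME is in KEEP_USERS, compared whole-name, not substring.
is_kept() {
  for k in $KEEP_USERS; do
    [ "$1" = "$k" ] && return 0
  done
  return 1
}

# select_candidates CONSOLE_USER: reads "name uid" lines on stdin, prints names to remove.
select_candidates() {
  console_user="$1"
  while read -r name uid; do
    [ -z "$name" ] && continue
    case "$uid" in ''|*[!0-9]*) continue ;; esac   # skip malformed rows
    [ "$uid" -ge "$MIN_UID" ] || continue          # skip service accounts by UID
    [ "$name" = "$console_user" ] && continue      # skip whoever is logged in now
    is_kept "$name" && continue                    # skip admins by exact name
    echo "$name"
  done
}

# list_accounts: "name uid" for every record in the local directory node.
list_accounts() {
  dscl . -list /Users UniqueID
}

# remove_user NAME: delete the record, then the home if sysadminctl left it behind.
remove_user() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "DRY RUN: would remove $1"
    return 0
  fi
  sysadminctl -deleteUser "$1"
  # Uncomment if FileVault is enabled and the account holds an unlock slot:
  # fdesetup remove -user "$1"
  [ -d "/Users/$1" ] && rm -rf "/Users/$1"
  return 0
}

# main: one deletion pass, then a verification pass; exit 1 only if something is left.
main() {
  console_user=$(stat -f %Su /dev/console 2>/dev/null)
  list_accounts | select_candidates "$console_user" | while read -r u; do
    echo "Removing user: $u"
    remove_user "$u"
  done
  rm -rf "/Users/Deleted Users"
  remaining=$(list_accounts | select_candidates "$console_user" | wc -l | tr -d ' ')
  if [ "$remaining" -gt 0 ]; then
    echo "$remaining account(s) still present; exiting 1 so the policy retries"
    exit 1
  fi
  echo "All lab accounts removed"
}

# Only touch the system when explicitly asked: sudo ./cleanup.sh run  (DRY_RUN=1 to preview)
case "${1:-}" in run) main ;; esac
```

Because the exit status now reflects the verification pass rather than being unconditional, the "rerun on failure" policy setting retries only when sysadminctl actually missed something, and the Jamf log shows which names were skipped and why.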