Jamf Nation Community

When you say leave only the admin accounts, do you mean a specific set of accounts that you know the name and UID of, or do you mean any account that has admin status?
Both can be done, but the distinction could be important.

In our labs, students login via AD. Their account is then removed on logout with a policy. I have 3 local admin accounts on each machine. I got the following from a previous post a while back so I apologize for not crediting. Hope this helps.

for dir in /Users/* do if [ ! "$dir" = "/Users/admin" ] && [ ! "$dir" = "/Users/viscom" ] && [ ! "$dir" = "/Users/main" ] && [ ! "$dir" = "/Users/Shared" ] ; then echo ${dir} rm -R $dir dscl . -delete $dir fi done

exit 0

If you mean all users that have logged in using AD accounts, and are running 10.10 or newer, this script will delete all, and only, AD accounts when run as root:

#!/bin/bash
################################################################################
# DeleteADUsers.sh
#
# Requires Mac OS X 10.10 or newer
# If run as root, deletes all AD accounts
# If user is logged in, asks to verify login ID and will not delete that account
################################################################################

adusers=$(dscl . list /Users UniqueID | awk '$2 > 1000 {print $1}')
currentuser=$(stat -f "%Su" /dev/console)
response="2" # Presume confirmation failure

if [[ "$currentuser" != "root" ]]; then
    # If we're not root, ask user to verify their login ID
    response=$(/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType utility -title "Verify login ID" -heading "Verify login ID" -description "Please verify that $currentuser is your login ID" -button1 "That's Me" -button2 "Not Me")
    if [ "$response" != "0" ]; then
       echo "Did not get confirmation from user, no accounts will be deleted"
    fi
else
    echo "Running as root, so all AD accounts will be deleted"
    response="0" # Always set confirmation response when root
fi

if [ "$response" == "0" ]; then
    echo "Deleting AD user accounts..."

    for user in $adusers ; do
        if [ "$user" != "$currentuser" ]; then
            /usr/sbin/sysadminctl -deleteUser "$user"
            echo "$user deleted"
        fi
    done
fi

If you run it from Self Service with a logged in AD user it'll verify the user's AD login and then delete all other AD accounts (I use it that way to clean accounts when a MacBook Air is assigned to a specific student)

I was reading the responses and checking the articles in the links mentioned. I'd like to enable some sort of cleaning process as well. I then noticed in 9.97 that there is a Mobility payload in the Configuration profiles that has an Account Expiry tab that can be used to delete mobile accounts. I am currently using the profile to disable syncing and never noticed the Account Expiry option before. Maybe it was added after I configured the profile for the first time.

Has anyone tried this feature?

@msnowdon my experience is the config profile expiry works for some OS's but not others. It's working fine for us in 10.11.5. I don't think it was working in 10.10. I haven't tried 10.12 yet.

@CasperSally If I applied it today and set the expiration for say 30 days, all existing mobile accounts that have not logged in over 30 days would automatically delete?

-

@msnowdon - probably, but if I were you i'd test first with a test computer with something like 2 days or something and make sure it's doing what you think. Depends on OS is what I found. Working fine for us in 10.11 - we set it to 1 hour.

Our script is pretty basic but it's been working for us for a while now (https://github.com/jmahlman/uarts-scripts/blob/master/remove-non-local-users.sh). We keep a few accounts/directories just because we use them for certain things:

#!/bin/sh
# Name: remove-non-local-users
# 
# Purpose: Removes all non-local accounts on machines to help stop HDs from filling up
# Will spare the 'macadmin,' 'student,' and 'Shared' home directories.
#
#
users=`find /Users -type d -maxdepth 1 | cut -d"/" -f3`
# you can edit this to remove only accounts that haven't logged in for x days: add '-mtime +<# of days>' after maxdepth

##########
# Script #
##########
for i in $users; do
    if [[ $i = "macadmin" ]] || [[ $i = "Shared" ]] || [[ $i = "student" ]]; then continue
    else 
        jamf deleteAccount -username $i -deleteHomeDirectory
        rm -Rf /Users/$i
    fi
done
# Remove the student home directory but leave the account at the end.
rm -Rf /Users/student

@jmahlman is your script still working on macOS version 10.15.5?

@bcrockett sorry I never replied...guess I’ve been busy and missed this.

I’m not sure if it works or not as I don’t use it anymore (I’ve since switched companies). I’m assuming it should since it’s using very basic commands.

anyone solve this issue with Big Sur??