Script to delete users and home folders but not admin accounts.

EliasG
Contributor

Has anyone come up with a way to delete users that have logged into carts with a script for summer maintenance? Want to only leave the admin accounts on it.

Thanks

1 ACCEPTED SOLUTION

blackholemac
Valued Contributor III

Just read a post from a guy from the MacEnterprise group covering this very issue. I don't use this myself; I use a configuration profile. If you're looking for a good script, the guys at Penn State know a lot about managing labs, so it's worth checking out.

https://mikesolin.com/2017/03/14/resolving-a-freezing-problem-on-lab-macs/

15 REPLIES

mconners
Valued Contributor

Hello @EliasG, what I have been using so far has worked well. I didn't create it; I borrowed it from somewhere on JAMF Nation, I believe. I run it between our semesters. I simply have the grep section spelling out the admin or local user names I don't want to remove; everything goes, including the account.

Here is the link I followed, the solution is below and it works for us.

mm2270
Legendary Contributor III

When you say leave only the admin accounts, do you mean a specific set of accounts that you know the name and UID of, or do you mean any account that has admin status?
Both can be done, but the distinction could be important.

grecopj
Contributor

In our labs, students login via AD. Their account is then removed on logout with a policy. I have 3 local admin accounts on each machine. I got the following from a previous post a while back so I apologize for not crediting. Hope this helps.

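for dir in /Users/*
do
    # Skip the three local admin accounts and the Shared folder
    if [ ! "$dir" = "/Users/admin" ] && [ ! "$dir" = "/Users/viscom" ] && [ ! "$dir" = "/Users/main" ] && [ ! "$dir" = "/Users/Shared" ] ; then
        echo "${dir}"
        rm -R "$dir"
        # The dscl record path is also /Users/<name>, so $dir is passed as-is
        dscl . -delete "$dir"
    fi
done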

exit 0

sdagley
Esteemed Contributor II

If you mean all users that have logged in using AD accounts, and are running 10.10 or newer, this script will delete all, and only, AD accounts when run as root:

#!/bin/bash
################################################################################
# DeleteADUsers.sh
#
# Requires Mac OS X 10.10 or newer
# If run as root, deletes all AD accounts
# If user is logged in, asks to verify login ID and will not delete that account
################################################################################

# Every account with a UniqueID above 1000 is treated as an AD account
adusers=$(dscl . list /Users UniqueID | awk '$2 > 1000 {print $1}')
currentuser=$(stat -f "%Su" /dev/console)
response="2" # Presume confirmation failure

if [[ "$currentuser" != "root" ]]; then
    # If we're not root, ask user to verify their login ID
    # The path contains a space, so it has to be quoted
    response=$("/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -title "Verify login ID" -heading "Verify login ID" -description "Please verify that $currentuser is your login ID" -button1 "That's Me" -button2 "Not Me")
    if [ "$response" != "0" ]; then
       echo "Did not get confirmation from user, no accounts will be deleted"
    fi
else
    echo "Running as root, so all AD accounts will be deleted"
    response="0" # Always set confirmation response when root
fi

if [ "$response" == "0" ]; then
    echo "Deleting AD user accounts..."

    for user in $adusers ; do
        if [ "$user" != "$currentuser" ]; then
            /usr/sbin/sysadminctl -deleteUser "$user"
            echo "$user deleted"
        fi
    done
fi

If you run it from Self Service with a logged in AD user it'll verify the user's AD login and then delete all other AD accounts (I use it that way to clean accounts when a MacBook Air is assigned to a specific student)
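
An added example (not code from any post in this thread) that follows up on the distinction mm2270 raises: it spares every member of the local admin group instead of a hard-coded list of names, skips system accounts and the console user, and only reports unless asked to delete. The function names and the kept account `student` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Reads "name uid" pairs on stdin (the format printed by
# `dscl . list /Users UniqueID`) and prints the accounts a cleanup may delete.
#   $1 = members of the admin group, space separated
#   $2 = extra names to keep, space separated
#   $3 = user currently at the console
select_deletable() (
    admins=" $1 " keep=" $2 " console="$3"
    while read -r name uid; do
        # Skip malformed lines: the UID must be a plain number
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        # System and service accounts sit below UID 500 on macOS
        [ "$uid" -lt 500 ] && continue
        # Service accounts (_name) and names that would not map to a
        # single folder directly under /Users
        case "$name" in _*|.*|*/*) continue ;; esac
        # Keep admins and the explicit keep-list
        case "$admins$keep" in *" $name "*) continue ;; esac
        # Keep whoever is logged in
        [ "$name" = "$console" ] && continue
        printf '%s\n' "$name"
    done
    return 0
)

# macOS wrapper: $1 = "--delete" to act, anything else only reports.
cleanup_accounts() {
    mode="$1"
    admins=$(dscl . -read /Groups/admin GroupMembership | cut -d: -f2)
    console=$(stat -f "%Su" /dev/console)
    dscl . list /Users UniqueID |
        select_deletable "$admins" "student" "$console" |
        while read -r user; do
            if [ "$mode" = "--delete" ]; then
                /usr/sbin/sysadminctl -deleteUser "$user"
            else
                echo "would delete: $user"
            fi
        done
}

# Run only when asked to, so sourcing the file has no side effects.
case "${1:-}" in
    --dry-run|--delete) cleanup_accounts "$1" ;;
esac
```

Run it with `--dry-run` as root first and compare the reported names with what the lab should lose before switching to `--delete`.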

msnowdon
Contributor

I was reading the responses and checking the articles in the links mentioned. I'd like to enable some sort of cleaning process as well. I then noticed in 9.97 that there is a Mobility payload in the Configuration profiles that has an Account Expiry tab that can be used to delete mobile accounts. I am currently using the profile to disable syncing and never noticed the Account Expiry option before. Maybe it was added after I configured the profile for the first time.

Has anyone tried this feature?

CasperSally
Valued Contributor II

@msnowdon my experience is the config profile expiry works for some OS's but not others. It's working fine for us in 10.11.5. I don't think it was working in 10.10. I haven't tried 10.12 yet.

msnowdon
Contributor

@CasperSally If I applied it today and set the expiration for say 30 days, all existing mobile accounts that have not logged in over 30 days would automatically delete?

dbuskariol
New Contributor II

-

CasperSally
Valued Contributor II

@msnowdon - probably, but if I were you I'd test first with a test computer with something like 2 days or something and make sure it's doing what you think. Depends on OS is what I found. Working fine for us in 10.11 - we set it to 1 hour.

jmahlman
Valued Contributor

Our script is pretty basic but it's been working for us for a while now (https://github.com/jmahlman/uarts-scripts/blob/master/remove-non-local-users.sh). We keep a few accounts/directories just because we use them for certain things:

#!/bin/bash
# Name: remove-non-local-users
# 
# Purpose: Removes all non-local accounts on machines to help stop HDs from filling up
# Will spare the 'macadmin,' 'student,' and 'Shared' home directories.
#
#
users=`find /Users -type d -maxdepth 1 | cut -d"/" -f3`
# you can edit this to remove only accounts that haven't logged in for x days: add '-mtime +<# of days>' after maxdepth

##########
# Script #
##########
for i in $users; do
    if [[ $i = "macadmin" ]] || [[ $i = "Shared" ]] || [[ $i = "student" ]]; then continue
    else
        # Quote the name so the path is always a single argument
        jamf deleteAccount -username "$i" -deleteHomeDirectory
        rm -Rf "/Users/$i"
    fi
done
# Remove the student home directory but leave the account at the end.
rm -Rf /Users/student

bcrockett
Contributor III

@jmahlman is your script still working on macOS version 10.15.5?

jmahlman
Valued Contributor

@bcrockett sorry I never replied...guess I’ve been busy and missed this.

I’m not sure if it works or not as I don’t use it anymore (I’ve since switched companies). I’m assuming it should since it’s using very basic commands.

IT-Chris
New Contributor III

anyone solve this issue with Big Sur??

dross
New Contributor III

I have this script working on a restart trigger in Big Sur. Slight modification below but that's it.

# $users is built the same way as in the script above
for i in $users; do
    if [[ $i = "fsadmin" ]] || [[ $i = "Shared" ]] || [[ $i = "rduser" ]] || [[ $i = "fsa" ]]; then continue
    else
        jamf deleteAccount -username "$i" -deleteHomeDirectory
        chmod -Rf 777 "/Users/$i"
        rm -Rf "/Users/$i"
    fi
done