Script to remove user

macboy
Contributor

I am looking for a script that will remove a user (might be different every time so not specific). I can find scripts for removing an already known user but need one to remove a username that is not predefined. This will be the only user on the machine at the time and replaced eventually in another script with a different admin user. In the end I am looking to remove the user created in Prestage Enrollment that is created automatically when they log in for the first time through LDAP. If anything doesn't make sense please let me know.


thoule
Valued Contributor II

You can run a script with a parameter passed to it at runtime. When you run the script (in a policy), put the account name in the 'parameter 4' box.

#!/bin/sh

# Jamf passes policy script parameters starting at $4
accountName="$4"

# Only act if a name was given and it exists as a local user; grep -x requires
# an exact line match so "admin" does not also match "adminuser"
if [ -n "$accountName" ] && /usr/bin/dscl . list /Users | grep -qx "$accountName"; then
    /usr/local/bin/jamf -deleteAccount -username "$accountName" -deleteHomeDirectory 2>/dev/null
fi

macboy
Contributor

"You can run a script with a parameter passed to it at runtime. When you run the script (in a policy), put the account name in the 'parameter 4' box. "

And what would that script be? Still a lot to learn in writing scripts for me. If I understand correctly this script will do nothing until I pull accountName which requires another script.

Thanks.

mm2270
Legendary Contributor III

@macboy I'm assuming you want a script that will figure out what account to remove for each machine without needing to code that into the script or even use a passed parameter. Is that right?
By Prestage Enrollment, do you mean you're using DEP? Are the accounts you're looking to remove always a local account that the Mac setup application creates? If so, although I'm not using DEP, my assumption is it creates a 501 account, meaning the UID of the account it makes upon going through DEP will have a Unique ID of 501. If that is the case, the following code should get the 501 UID user on the system.

dscl . list /Users UniqueID | awk '$2 == 501 {print $1}'

You can incorporate that into the script to get the username to do the removal on. That isn't to say there won't be additional accounts on the Mac that might also need to get removed, so you might want to look at all accounts in a certain range, like 501 - 999 or something and loop over them to remove them all, but I don't really know exactly what you're after here.

macboy
Contributor

Yes that is exactly what I am looking for. I am removing the first and only account created on the Mac from Prestage Enrollment prior or after a reboot so no other accounts are created until it runs the configuration. I will test this and see if that works. Looks like it should though.

I am trying to get the pieces in place to Prestage a Mac, name it correctly, remove the LDAP user created and then apply a configuration (which will put the Mac in AD). Trying to figure things out one step at a time prior to combining for hopefully a working solution. Perhaps I am going about this all wrong?

Thank you.

mm2270
Legendary Contributor III

What do you mean by "remove the LDAP user created"? I'm not sure I understand. Are these local Mac accounts you need to remove, or LDAP accounts? If they're LDAP ones, the code I posted above won't get that account. LDAP accounts don't have low UIDs typically. They start in the 1000 and up range.

macboy
Contributor

No, when I use the Prestage it asks the user to log in using an LDAP account and then recreates that LDAP account as an admin on the Mac but as a local user. It no longer uses LDAP at that point but rather the user is "recreated" as a local user mirroring the LDAP credentials you used. Your method should work in this scenario. I will test it.

mm2270
Legendary Contributor III

Ah, I see. Thanks for clarifying that. As I mentioned, I don't use this kind of setup, so I wasn't clear on the process. If it is creating a local user, then yes, it should work to remove that account.

I assume though that this would only be happening after you've created the user's proper LDAP account on the Mac, correct?

macboy
Contributor

Yes exactly. After the User is created.

macboy
Contributor

@mm2270 Ok I tested and cannot figure out how to pass the variable (Username) to the rest of the script. I am fairly new to scripting and tried to figure it out. I can get it to see the User and pass that to the screen but I am stuck as to how the user will end up in the rest of the script that does the removal process.

Ideas?

Thanks.

PatrickD
Contributor II

@macboy you can assign the output of @mm2270 's command to a variable by using something like this...

accountName=$(dscl . list /Users UniqueID | awk '$2 == 501 {print $1}')

Then variable accountName contains the username that you want to remove provided mm2270's command listed the appropriate username.

Then you should be able to run @thoule 's script to remove that user.

# Exact-name check (grep -x) before deleting, so a partial match on another
# account name does not make the comparison fail or hit the wrong user
if [ -n "$accountName" ] && /usr/bin/dscl . list /Users | grep -qx "$accountName"; then
    /usr/local/bin/jamf -deleteAccount -username "$accountName" -deleteHomeDirectory 2>/dev/null
fi

Let me know if you have any other questions.

Cheers,
Pat
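Putting the two pieces together (mm2270's UID-range idea and the exact-name check plus jamf call from thoule's snippet) as one script, written here as an added example rather than code from any post above. The dscl and jamf paths are those used in the thread; the function names, the `--run` flag and the sample dscl output are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from any post above): mm2270's UID-range idea plus the
# exact-name check and jamf call from thoule/PatrickD. dscl/jamf paths are
# from the page; function names, --run flag and sample data are assumptions.

# Emits "name uid" lines exactly as `dscl . list /Users UniqueID` does.
list_local_accounts() {
    /usr/bin/dscl . list /Users UniqueID
}

# Reads "name uid" lines on stdin; prints names with UID in [$1,$2],
# skipping the account named in $3 (the admin you intend to keep, if any).
accounts_in_uid_range() {
    awk -v lo="$1" -v hi="$2" -v keep="$3" \
        '$2 ~ /^[0-9]+$/ && $2+0 >= lo && $2+0 <= hi && $1 != keep {print $1}'
}

# Deletes one account after an exact-name check; grep -x avoids the thread's
# substring match, where grep "admin" would also hit "adminuser".
remove_account() {
    [ -n "$1" ] || return 1
    if list_local_accounts | awk '{print $1}' | grep -qx "$1"; then
        /usr/local/bin/jamf -deleteAccount -username "$1" -deleteHomeDirectory 2>/dev/null
    else
        echo "no local account named '$1'" >&2
        return 1
    fi
}

# Removes every local account in the UID range except $3.
remove_uid_range() {
    list_local_accounts | accounts_in_uid_range "$1" "$2" "$3" | while read -r name; do
        echo "removing $name"
        remove_account "$name"
    done
}

# Constructed sample of dscl output so the filter can be exercised offline.
SAMPLE_DSCL='_mbsetupuser 248
dep.user 501
helpdesk 502
svc-admin 1001
root 0'

sample_targets() {
    printf '%s\n' "$SAMPLE_DSCL" | accounts_in_uid_range 501 999 helpdesk
}

# Only touch the real system when asked explicitly: ./script.sh --run helpdesk
if [ "${1:-}" = "--run" ]; then remove_uid_range 501 999 "$2"; fi
```

Run it without `--run` first and call `sample_targets` to confirm the filter picks the accounts you expect before pointing it at a real Mac.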

Reboot2611
New Contributor

@macboy Did you get this working in your DEP workflow?

Chrisdahfur
New Contributor II

Hey,

My team needed a similar script since we have specific users we wanted to delete. So I edited the one above a little bit so that we can have more than one specific account deleted.

I did see another similar script that deleted accounts by group on JAMF NATION but we didn't need that since our users are very specific.

#!/bin/sh

# Deletes every account name passed as an argument, after checking that it
# really exists as a local user (exact match, so "name1" never matches "name10")
deleteaccounts() {
    for accountName in "$@"; do
        echo "deleting account $accountName"
        if [ -n "$accountName" ] && /usr/bin/dscl . list /Users | grep -qx "$accountName"; then
            /usr/local/bin/jamf -deleteAccount -username "$accountName" -deleteHomeDirectory 2>/dev/null
        fi
    done
}

## Change the users you would like to delete here
deleteaccounts "name1" "name2" "name3" "name4"

exit 0