Posted on 03-11-2014 08:22 AM
For new machine deployments, I'm looking to move away from Casper Imaging and go to a self-enrollment (user or field tech).
So after the user/tech boots, downloads the QuickAdd, enrolls, and triggers the deployment policy via the Enrollment Complete trigger, how do you destroy the first account that the user created?
Seek and Destroy user ID 501?
Posted on 03-11-2014 09:45 AM
We have completely moved away from imaging new clients and have developed a similar workflow that is based on the tech naming the first account as "setup". Then, post-enrolment this account is deleted via a policy triggered at log-out. This works regardless of what password is set for the "setup" account.
This policy runs at log-out and is scoped against a smart group that picks up clients that:
The frequency is set to "Ongoing". This way if for whatever reason a setup account is not deleted the first time the tech logs out then it will run when the client is picked up again.
The real challenge is to get your techs to stick to using "setup" and nothing else....
Hope this helps.
Posted on 03-11-2014 12:02 PM
Yep, and it's that last point you make, getting the techs to use the same account name, that I cannot bank on always being done the way I want it. That's an opportunity for human error I can't accept.
Nuking account ID 501 on a new machine should be what we want, but I can't figure out the syntax.
I thought this would work, but doesn't:
```
dscl . -delete /Users UniqueID 501
```
Posted on 03-11-2014 12:16 PM
How about
```
dscl . delete /Users/$(dscl . list /Users UniqueID | awk '$2 == 501 {print $1}')
```
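A guarded version of the lookup-then-delete approach above, as an added example that is not part of any post in this thread: it acts only when exactly one well-formed short name owns the UID, because an empty lookup would otherwise leave the delete path as a bare `/Users/`. The function names, the `--delete` switch and the sample listing (including the `mgmt` account) are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the thread): delete the account that owns a UID,
# but only when the lookup is unambiguous.

# Constructed sample of `dscl . list /Users UniqueID` output; "mgmt" is a
# hypothetical management account with an ID below 500.
SAMPLE_LISTING='daemon                  1
mgmt                    499
nobody                  -2
root                    0
setup                   501'

# Read "name uid" lines on stdin and print the short name owning UID $1.
# Fails unless exactly one well-formed name matches.
uid_owner() {
    local name
    name=$(awk -v uid="$1" '$2 == uid { n++; name = $1 }
                            END { if (n != 1) exit 1; print name }') || return 1
    case "$name" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;   # empty or path-unsafe name
    esac
    printf '%s\n' "$name"
}

# Resolve the UID against the local directory, then delete that one record.
remove_uid_account() {
    local user
    user=$(dscl . list /Users UniqueID | uid_owner "$1") || {
        echo "UID $1 does not map to exactly one account; nothing deleted" >&2
        return 1
    }
    echo "Deleting account record /Users/$user (UID $1)"
    dscl . delete "/Users/$user"
}

# Dry run on the sample by default; act only when asked explicitly.
if [ "${1:-}" = "--delete" ]; then
    remove_uid_account 501
else
    printf '%s\n' "$SAMPLE_LISTING" | uid_owner 501   # prints: setup
fi
```

Deleting the record with `dscl` removes the account only; the home folder under `/Users` stays on disk and has to be removed separately if the policy should leave nothing behind.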
Posted on 03-11-2014 01:12 PM
Yes, that might just do it. I'll add that to the end of the initial deploy policy and see how it goes.
The management account will be < 500, and I'll set my standard admin account to maybe ID 510.
Thank you,