Stuck on startup

Chuey
Contributor III

Hello all,

I'm still seeing some issues with 10.10.5 and 10.11.4 that won't fully load and get stuck on startup. It will load either halfway or even 95% but never past that. Sometimes I'll turn them off, let them go over night, come back and they work next day? Sometimes I'll boot to single user mode and run fsck -fy and reboot and it works. Just so hit and miss. These machines are bound to AD. Is anyone still seeing these issues in their environment?


cmartens
New Contributor

After reading the above comments and info our district is seeing the same issue. We have tried the same troubleshooting techniques to resolve, no resolve as of yet.

We currently tried the deleting of the two below directories. After that the machine after many hard shut downs were not able to get the machine to boot at all.

find /private/var/db/dslocal/nodes/Default/sharepoints -name "*" -type f -delete
find /private/var/db/dslocal/nodes/Default/groups -name "com.apple.sharepoint*" -type f -delete

The only difference I saw before deleting any directories was unchecking the "create mobile account" box in the directory utility. The machine then would boot at 1:20 seconds slower than our typical average time of 44 seconds. After rechecking the box the machine would not boot.

Will post any new information when I can.

Jalves
Contributor

This has been a fun one... I have been using the script posted by @allanp81 and for the most part it's working perfectly. I have it set to run ongoing at startup with my management accounts excluded. We use google school, so deleting all accounts isn't a huge deal. I am however intermittently getting calls about "OS X Library needing repair" which I know is resulting from people logging in while the script is still running. Is there any way I can delay the process of the user logging in until the script has completed? Not a huge deal, this eventually goes away once all accounts get erased. I was just hoping to prevent a few help desk calls.

Thank You

allanp81
Valued Contributor

@Jalves how are you running the script? Looks like via a Casper policy.

Try running it via a launch daemon on the machine itself and see what happens. That's how we are doing it, probably means it runs earlier than via a Casper policy.

Chuey
Contributor III

@Jalves Right now I've implemented a script that just removes the necessary files on logout.

russeller
Contributor III

@Chuey One thing to be aware of (which might not be an issue for your environment) is that part of the problem from what I've read is that some students (or adults) are force shutting down the Mac which would bypass the cleanup script at log out.

Jalves
Contributor

@Chuey So you're getting by with the two lines listed below while retaining the home folder? That may make more sense for us, since us deleting the home folders was only a reaction to this issue.

find /private/var/db/dslocal/nodes/Default/sharepoints -name "*" -type f -delete
find /private/var/db/dslocal/nodes/Default/groups -name "com.apple.sharepoint*" -type f -delete

Chuey
Contributor III

@Jalves Correct. I have a logout script that removes the necessary files every time a user logs out. BUT. . . I did notice if a user already logged in before, files were removed and they log into the same computer again those files are not recreated. I'm not sure what types of issues it may cause or what but I've seen no issues from doing that.

Chriskmpruitt
Contributor

Has anyone opened a case with apple to see what the long term effects are when deleting these files?

allanp81
Valued Contributor

How are things looking for everyone now things are back in the swing? We haven't had a complaint now for weeks so all is looking good.

Chriskmpruitt
Contributor

I have not had a complaint in about a week. But it scares me that we are deleting a file that does not come back, nor do we know what the long term effect is.

allanp81
Valued Contributor

I don't see there's any effect from it, especially if accounts are being cleaned up automatically.

neilmartin83
Contributor II

Just to chime in - When I started in my role in September, I noticed some of our lab Macs being stuck at the loading bar. But because we were in the process of re-imaging them anyway I didn't pay too much attention. We are AD bound with mobile homes. Also, I know an in-place upgrade from OS X 10.10 to OS X 10.11 was attempted on some of them (Casper Admin generated pkg AFAIK) so I put it down to that being a possible factor.

Fast forward to December and a few Macs that were imaged in September in the open access area of our library, start doing this again. We also received reports of slow/poor performance of those library Macs in general. I went the PRAM/SMC reset/Apple Hardware Diagnostic route on them which didn't reveal any problems, then re-imaged. It's also worth noting that we delete cached user homes on these Macs every day.

Thanks to this thread, I'm trying out those 2 find commands in a recurring logout script to see how we get on this semester. Time will tell! We don't use the File Sharing service and removing those ~/Public folder sharepoints is good for us from a security perspective. :)

allanp81
Valued Contributor

@neil.martin83 Do let us know how you get on, it seems to have definitely fixed it for us.

Chriskmpruitt
Contributor

I am about to pull the trigger on applying this "fix" on all student machines.

I just wanted to verify that everyone is just running this

find /private/var/db/dslocal/nodes/Default/sharepoints -name "*" -type f -delete

We have some state wide testing starting next week and would just like to have a "fix" in place

allanp81
Valued Contributor

@Chriskmpruitt We are running the 2 commands:

find /private/var/db/dslocal/nodes/Default/sharepoints -name "*" -type f -delete
find /private/var/db/dslocal/nodes/Default/groups -name "com.apple.sharepoint*" -type f -delete

SGill
Contributor III

so is the asterisk in the quotes or not?

"" or "*"

allanp81
Valued Contributor

@SGill Yes, not sure why it removed it when I copied and pasted.

Edit In fact, I've noticed that if I edit that post it shows the asterisk but not when I save it for some reason.

SGill
Contributor III

Paste it into the Command field - use the ">_" button above

allanp81
Valued Contributor

@SGill Done

Chuey
Contributor III

@Chriskmpruitt Just wanted to let you know I have applied this fix to over 100+ Macbook Airs & Mac Mini's or iMacs.

Seems to be working great since implementing. Before rolling this out we were seeing mass amount of issues per day in our high usage areas.

Chriskmpruitt
Contributor

Today is testing day! and 0!! let me say it again 0!!!!! reports of computers locking up on startup!!!!

Thank You JAMFNATION TEAM!!!

davidhiggs
Contributor III

been away for a while, good to see some traction with this and some happy results!

FYI i reported this to Apple a while back with 10.10.5 and 10.11.0, they acknowledged the issue with no resolution. At that time I wasn't aware of the mobile account bug, and they never asked about my config either. I couldn't get any internal bug report number from them, but they were happy for me to share this (limited) information.

Jalves
Contributor

I have had this running for about a month now, and since then all machines have been starting up as expected. I haven't seen any issues related to deleting those files on our machines either. So far so good.

Zeek
Contributor

Can I have help with this script please?
I have this VPN application (AppleScript) to redirect students' traffic to our Watch Guard from home but the application pops up every minute for some students. Anyone know why the pop-up or what I am missing? I have the application located /User/Library/ApplicationSupport/Jamf. And the same application is located in the login Items.

neilmartin83
Contributor II

@allanp81 So far so good, no issues since we deployed it and no hanging Macs. :)

allanp81
Valued Contributor

@neil.martin83 Sounds good, looks like the issue is sorted then. We've had reports from varying locations around our uni that login times have improved since we rolled this out.

nigelg
Contributor

@allanp81 @neil.martin83 This is a great topic - I had the same issue myself with our high traffic workstations running 10.11.x. I was able to get them all to boot consistently after adding the script to a logout policy. I made some minor adjustments to stop the deletion of the users home folder (specific to our environment) and also moving the find/delete commands out of the for loop as it didn't need to run multiple times on each script execution.

I did have 2 workstations that wouldn't reboot at all so I had to log in single-user mode and run the 2 find/delete commands after following the on-screen instructions to make the disk r/w. After that they rebooted consistently.

#!/bin/bash

# Every entry in /Users except Shared and .localized
UserList=`ls /Users | grep -v "Shared" | grep -v ".localized"`

Dansarray=( $UserList )
#printf "%s\n" "${Dansarray[@]}"

for u in "${Dansarray[@]}" ; do
    if [ "$u" = "administrator" ] || [ "$u" = "admin" ] ||  [ "$u" = "adobeinstall" ] ||  [ "$u" = "Administrator" ] ;
    then
        echo "$u -- detected skipping..."
    else
        echo "$u -- Deleting..."
        # Removes only the local directory record; the home folder is left in place
        /usr/bin/dscl . delete "/Users/$u"
    fi
done
find /private/var/db/dslocal/nodes/Default/sharepoints -name "*" -type f -delete
find /private/var/db/dslocal/nodes/Default/groups -name "com.apple.sharepoint*" -type f -delete

Maybe someone can confirm whether there is benefit to removing the user record from the default local mode using the following line if I am not removing the users home directory

/usr/bin/dscl . delete /Users/$u

as the find/delete commands on their own seemed to do the job well enough.

eholtam
New Contributor

Instead of using dscl to remove an account take a look at sysadminctl (goes back to at least OS X 10.10) for removing accounts cleaner.

This removes any running processes by that user, the home folder, the public share, the cached credentials, and disabling Back To My Mac for that user if set.

Example:

bash-3.2# ls /var/db/dslocal/nodes/Default/sharepoints/
Tester's Public Folder.plist    eholtam's Public Folder.plist    admin's Public Folder.plist
bash-3.2# sysadminctl -deleteUser tester
2017-03-14 21:28:05.241 sysadminctl[2093:60392] Killing all processes for UID 503
2017-03-14 21:28:05.242 sysadminctl[2093:60392] Removing tester's home at /Users/tester
2017-03-14 21:28:05.877 sysadminctl[2093:60392] Deleting Public share point for tester
2017-03-14 21:28:05.903 sysadminctl[2093:60392] Deleting record for tester
2017-03-14 21:28:05.930 sysadminctl[2093:60392] AOSKit INFO: Disabling BTMM for user, no zone found for uid=503, usersToZones: {
    502 = "1234567.members.btmm.icloud.com.";
}
bash-3.2# ls
eholtam's Public Folder.plist    admin's Public Folder.plist

allanp81
Valued Contributor

Will definitely have a look. Currently building Sierra images for next academic year so will move to that process if it works better as it looks simpler.

allanp81
Valued Contributor

@eholtam Tried this and on Sierra it doesn't seem to remove the problem entries from /var/db/dslocal/nodes/Default/groups and sharepoints even though the results of the command said it did.

Edit it DOES work, but only if the machine was rebooted first, which is fine as that's when we run our cleanup script.

rlegge
New Contributor

Is it possible (probably, but my noob is showing), to edit the script posted by @nigelg to only delete AD users that have not logged in for "X" days?

The script works, as is, but we would only like to delete user accounts that haven't been used in 30 - 60 days

SGill
Contributor III

Alrighty then...run it on hundreds of macs with no trouble but you're right that I never run it on a logged-in user ...use it for labs but probably better not to tempt 1-1 managers with it. Also it's not my script and it's posted elsewhere here by others.

rlegge
New Contributor

@sgill That script is dangerous, and not consistent, and can delete logged in users. I want to stick with using sysadminctl.

Thanks, though

rlegge
New Contributor

I'm trying to modify this script to only delete accounts older than "X" days

#!/bin/bash

####################################################################
# DeleteADUsers.sh
#
# Requires Mac OS X 10.10 or newer
#
# If run as root, deletes all AD accounts
#
# If user is logged in, asks to verify login ID and will not delete that account
####################################################################

adusers=$(dscl . list /Users UniqueID | awk '$2 > 1000 {print $1}')
currentuser=$(stat -f "%Su" /dev/console)
response="2" # Presume confirmation failure

if [[ "$currentuser" != "root" ]]; then
    # If we're not root, ask user to verify their login ID
    response=$("/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -title "Verify login ID" -heading "Verify login ID" -description "Please verify that $currentuser is your login ID" -button1 "That's Me" -button2 "Not Me")
    if [ "$response" != "0" ]; then
        echo "Did not get confirmation from user, no accounts will be deleted"
    fi
else
    echo "Running as root, so all AD accounts will be deleted"
    response="0" # Always set confirmation response when root
fi

if [ "$response" == "0" ]; then
    echo "Deleting AD user accounts..."

    for user in $adusers ; do
        if [ "$user" != "$currentuser" ]; then
            /usr/sbin/sysadminctl -deleteUser "$user"
            echo "$user deleted"
        fi
    done
fi

allanp81
Valued Contributor

I've revised my script a bit, removed some of the duplicated commands etc.

I've tried using the sysadminctl method and although it always deletes the accounts, it sometimes leaves the Sharepoint files behind which is the exact problem that ends up stopping a Mac from booting.

It will also now only run if there are any accounts to actually be cleaned up, whereas before it would always run.

#!/bin/bash
#This Script will remove all accounts that are not
#specified below (e.g. Administrator, etc.)
#Accounts are case sensitive

UserList=`ls /Users | grep -v "Shared" | grep -v -i "admin" | grep -v -i ".localized" | grep -v -i "kingston" | grep -v -i "administrator" | grep -v -i "arduser"`

Dansarray=( $UserList )
#printf "%s\n" "${Dansarray[@]}"

if [ ${#Dansarray[@]} -eq 0 ]; 
    then
        echo "Nothing to do, exiting"
        exit 0
    else
        for u in "${Dansarray[@]}" ; do
            echo "$u -- Deleting..."
            # Delete the local directory record, then the home folder
            /usr/bin/dscl . delete "/Users/$u" && /bin/rm -rf "/Users/$u"
        done
        #Remove sharepoints and groups
        find /private/var/db/dslocal/nodes/Default/sharepoints -name "*" -type f -delete
        find /private/var/db/dslocal/nodes/Default/groups -name "com.apple.sharepoint*" -type f -delete
fi

smkolins
New Contributor

@rlegge I happen to have spent some time finding ways to delete account folders after a time delay so adding here. These commands remove the targets after 40 days of no activity one layer below their account (i.e. something in any of the Desktop, Library, etc., was touched in the last 40 days.)

This does NOT deal with the /private/var/db/dslocal/nodes/Default/sharepoints and groups folder problems if you have them. But the command process might be integrated into that process. We happen to be in a situation where we want to delete user folders after a period of inactivity rather than all at once.

find -x /(path)/ \( -mtime +40 -and -mindepth 1 -and -maxdepth 1 -and -type d \) -print -exec rm -rf {} \;
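
An added example (not code from any poster in this thread) combining the age-based selection asked about above with the two share point find commands, with every path passed as a parameter so the logic can be rehearsed on a scratch tree before it touches /Users. The names `stale_homes`, `prune_sharepoints`, `make_scratch`, `KEEP` and `DRY_RUN` are hypothetical, the exclusion list is an assumption, and the staleness test is a variant that looks at the entries directly inside each home folder.

```shell
#!/bin/sh
# Added example, not from the thread: age-based selection of home folders plus
# the share point cleanup, with every path passed in so it can be rehearsed.
KEEP="Shared admin administrator"   # assumed exclusion list, adjust per site

# Print home folders under $1 with nothing directly inside them modified in
# the last $2 days (so a touched Desktop or Library counts as "in use").
stale_homes() (
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        name=$(basename "$home")
        case " $KEEP " in *" $name "*) continue ;; esac
        if [ -z "$(find "$home" -mindepth 1 -maxdepth 1 -mtime -"$2" -print)" ]; then
            printf '%s\n' "$name"
        fi
    done
)

# Equivalent of the thread's two find commands against node directory $1.
# Lists matches; deletes them only when DRY_RUN=0.
prune_sharepoints() {
    del=''; if [ "${DRY_RUN:-1}" = 0 ]; then del=-delete; fi
    find "$1/sharepoints" -type f -print $del
    find "$1/groups" -name 'com.apple.sharepoint*' -type f -print $del
}

# Build a constructed scratch tree: one stale home, one active, one excluded.
make_scratch() {
    t=$(mktemp -d)
    mkdir -p "$t/Users/old/Desktop" "$t/Users/new/Desktop" \
             "$t/Users/admin/Desktop" "$t/node/sharepoints" "$t/node/groups"
    touch -t 202001010000 "$t/Users/old/Desktop" "$t/Users/admin/Desktop"
    touch "$t/node/sharepoints/old's Public Folder.plist" \
          "$t/node/groups/com.apple.sharepoint.group.1.plist" \
          "$t/node/groups/staff.plist"
    printf '%s\n' "$t"
}

# Rehearsal on the scratch tree. On a real Mac the roots would be /Users and
# /private/var/db/dslocal/nodes/Default, run as root before anyone logs in.
scratch=$(make_scratch)
echo "stale: $(stale_homes "$scratch/Users" 40)"
prune_sharepoints "$scratch/node"   # DRY_RUN defaults to 1: list only
rm -rf "$scratch"
```

The names printed by `stale_homes` are the candidates to hand to `sysadminctl -deleteUser`, the command shown earlier in the thread; review the dry-run listing before setting `DRY_RUN=0`.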