
Hello all,

I'm still seeing some issues with 10.10.5 and 10.11.4 that won't fully load and get stuck on startup. It will load either halfway or even 95% but never past that. Sometimes I'll turn them off, let them go overnight, come back and they work next day? Sometimes I'll boot to single user mode and run fsck -fy and reboot and it works. Just so hit and miss. These machines are bound to AD. Is anyone still seeing these issues in their environment?

@SGill Yes, not sure why it removed it when I copied and pasted.

Edit: In fact, I've noticed that if I edit that post it shows the asterisk but not when I save it for some reason.


Paste it into the Command field - use the ">_" button above


@SGill Done


@Chriskmpruitt Just wanted to let you know I have applied this fix to over 100+ MacBook Airs & Mac Minis or iMacs.

Seems to be working great since implementing. Before rolling this out we were seeing mass amount of issues per day in our high usage areas.


Today is testing day! and 0!! let me say it again 0!!!!! reports of computers locking up on startup!!!!

Thank You JAMFNATION TEAM!!!


Been away for a while, good to see some traction with this and some happy results!

FYI I reported this to Apple a while back with 10.10.5 and 10.11.0, they acknowledged the issue with no resolution. At that time I wasn't aware of the mobile account bug, and they never asked about my config either. I couldn't get any internal bug report number from them, but they were happy for me to share this (limited) information.


I have had this running for about a month now, and since then all machines have been starting up as expected. I haven't seen any issues related to deleting those files on our machines either. So far so good.


Can I have help with this script please?
I have this VPN application (AppleScript) to redirect students' traffic to our Watch Guard from home, but the application pops up every minute for some students. Does anyone know why it pops up or what I am missing? I have the application located in /User/Library/ApplicationSupport/Jamf, and the same application is in the Login Items.


@allanp81 So far so good, no issues since we deployed it and no hanging Macs. :)


@neil.martin83 Sounds good, looks like the issue is sorted then. We've had reports from varying locations around our uni that login times have improved since we rolled this out.


@allanp81 @neil.martin83 This is a great topic - I had the same issue myself with our high traffic workstations running 10.11.x. I was able to get them all to boot consistently after adding the script to a logout policy. I made some minor adjustments to stop the deletion of the user's home folder (specific to our environment) and also moved the find/delete commands out of the for loop as they didn't need to run multiple times on each script execution.

I did have 2 workstations that wouldn't reboot at all so I had to log in single-user mode and run the 2 find/delete commands after following the on-screen instructions to make the disk r/w. After that they rebooted consistently.

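#!/bin/bash
# bash rather than sh: the script uses arrays

# Every entry in /Users except Shared and .localized
UserList=`ls /Users | grep -v "Shared" | grep -v ".localized"`

Dansarray=( $UserList )
#printf "%s\n" "${Dansarray[@]}"

for u in "${Dansarray[@]}" ; do
    # Local service accounts that must be kept
    if [ "$u" = "administrator" ] || [ "$u" = "admin" ] ||  [ "$u" = "adobeinstall" ] ||  [ "$u" = "Administrator" ] ;
    then
        echo "$u -- detected skipping..."
    else
        echo "$u -- Deleting..."
        # Removes the local directory record only; the home folder is left in place
        /usr/bin/dscl . delete "/Users/$u"
    fi
done
# Run once, outside the loop: remove the sharepoint records and their groups
find /private/var/db/dslocal/nodes/Default/sharepoints -name "*" -type f -delete
find /private/var/db/dslocal/nodes/Default/groups -name "com.apple.sharepoint*" -type f -delete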

Maybe someone can confirm whether there is benefit to removing the user record from the default local mode using the following line if I am not removing the users home directory

/usr/bin/dscl . delete /Users/$u

as the find/delete commands on their own seemed to do the job well enough.


Instead of using dscl to remove an account, take a look at sysadminctl (goes back to at least OS X 10.10) for removing accounts more cleanly.

This removes any running processes by that user, the home folder, the public share, the cached credentials, and disables Back To My Mac for that user if set.

Example:

bash-3.2# ls /var/db/dslocal/nodes/Default/sharepoints/
Tester's Public Folder.plist eholtam's Public Folder.plist admin's Public Folder.plist
bash-3.2# sysadminctl -deleteUser tester
2017-03-14 21:28:05.241 sysadminctl[2093:60392] Killing all processes for UID 503
2017-03-14 21:28:05.242 sysadminctl[2093:60392] Removing tester's home at /Users/tester
2017-03-14 21:28:05.877 sysadminctl[2093:60392] Deleting Public share point for tester
2017-03-14 21:28:05.903 sysadminctl[2093:60392] Deleting record for tester
2017-03-14 21:28:05.930 sysadminctl[2093:60392] AOSKit INFO: Disabling BTMM for user, no zone found for uid=503, usersToZones: { 502 = "1234567.members.btmm.icloud.com."; }
bash-3.2# ls
eholtam's Public Folder.plist admin's Public Folder.plist

Will definitely have a look. Currently building Sierra images for next academic year so will move to that process if it works better as it looks simpler.


@eholtam Tried this and on Sierra it doesn't seem to remove the problem entries from /var/db/dslocal/nodes/Default/groups and sharepoints even though the results of the command said it did.

Edit: it DOES work, but only if the machine was rebooted first, which is fine as that's when we run our cleanup script.


Is it possible (probably, but my noob is showing), to edit the script posted by @nigelg to only delete AD users that have not logged in for "X" days?

The script works, as is, but we would only like to delete user accounts that haven't been used in 30 - 60 days


Alrighty then...run it on hundreds of macs with no trouble but you're right that I never run it on a logged-in user ...use it for labs but probably better not to tempt 1-1 managers with it. Also it's not my script and it's posted elsewhere here by others.


@sgill That script is dangerous, and not consistent, and can delete logged in users. I want to stick with using sysadminctl.

Thanks, though


I'm trying to modify this script to only delete accounts older than "X" days

#!/bin/bash

####################################################################
# DeleteADUsers.sh
#
# Requires Mac OS X 10.10 or newer
#
# If run as root, deletes all AD accounts
#
# If user is logged in, asks to verify login ID and will not delete that account
####################################################################

# Accounts with a UniqueID above 1000 are treated as AD accounts
adusers=$(dscl . list /Users UniqueID | awk '$2 > 1000 {print $1}')
# Owner of /dev/console is the user logged in at the GUI (root if nobody is)
currentuser=$(stat -f "%Su" /dev/console)
response="2" # Presume confirmation failure

if [[ "$currentuser" != "root" ]]; then
    # If we're not root, ask user to verify their login ID
    # (the path contains a space, so it has to be quoted)
    response=$("/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -title "Verify login ID" -heading "Verify login ID" -description "Please verify that $currentuser is your login ID" -button1 "That's Me" -button2 "Not Me")
    if [ "$response" != "0" ]; then
        echo "Did not get confirmation from user, no accounts will be deleted"
    fi
else
    echo "Running as root, so all AD accounts will be deleted"
    response="0" # Always set confirmation response when root
fi

if [ "$response" == "0" ]; then
    echo "Deleting AD user accounts..."

    for user in $adusers ; do
        # Never delete the account that is currently logged in
        if [ "$user" != "$currentuser" ]; then
            /usr/sbin/sysadminctl -deleteUser "$user"
            echo "$user deleted"
        fi
    done
fi


I've revised my script a bit, removed some of the duplicated commands etc.

I've tried using the sysadminctl method and although it always deletes the accounts, it sometimes leaves the Sharepoint files behind which is the exact problem that ends up stopping a Mac from booting.

It will also now only run if there are any accounts to actually be cleaned up, whereas before it would always run.

#!/bin/bash
#This Script will remove all accounts that are not
#specified below (e.g. Administrator, etc.)
#Accounts are case sensitive

UserList=`ls /Users | grep -v "Shared" | grep -v -i "admin" | grep -v -i ".localized" | grep -v -i "kingston" | grep -v -i "administrator" | grep -v -i "arduser"`

Dansarray=( $UserList )
#printf "%s\n" "${Dansarray[@]}"

if [ ${#Dansarray[@]} -eq 0 ];
    then
        echo "Nothing to do, exiting"
        exit 0
    else
        for u in "${Dansarray[@]}" ; do
            echo "$u -- Deleting..."
            #Delete the directory record, then the home folder if that succeeded
            /usr/bin/dscl . delete "/Users/$u" && /bin/rm -rf "/Users/$u"
        done
        #Remove sharepoints and groups
        find /private/var/db/dslocal/nodes/Default/sharepoints -name "*" -type f -delete
        find /private/var/db/dslocal/nodes/Default/groups -name "com.apple.sharepoint*" -type f -delete
fi

@rlegge I happen to have spent some time finding ways to delete account folders after a time delay so adding here. These commands remove the targets after 40 days of no activity one layer below their account (i.e. something in any of the Desktop, Library, etc., was touched in the last 40 days).

This does NOT deal with the /private/var/db/dslocal/nodes/Default/sharepoints and groups folder problems if you have them. But the command process might be integrated into that process. We happen to be in a situation where we want to delete user folders after a period of inactivity rather than all at once.

find -x /(path)/ \( -mtime +40 -and -maxdepth 1 -and -type d \) -print -exec rm -rf {} \;
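
The age-based cleanup asked about in this thread, as an added example that is not from any poster: it selects home folders older than N days, skips protected accounts and the console user, and only calls `sysadminctl -deleteUser` when `DELETE=1` is set. Assumptions: home-folder mtime stands in for "last used", the `PROTECTED` names are placeholders to adjust per site, and `stale_homes`, `cleanup` and `DELETE` are names made up for this example.

```shell
#!/bin/bash
# Added example: list, and optionally delete, accounts whose home folder
# has not been modified for more than N days.
# Assumption: home-folder mtime is the inactivity signal.
# Assumption: the protected names below are placeholders for your site.

PROTECTED="Shared admin administrator Administrator adobeinstall"

# stale_homes USERS_DIR DAYS CURRENT_USER
# Prints one account name per line, sorted. Protected accounts, dot entries
# and the currently logged-in user are never printed.
stale_homes() {
    local users_dir=$1 days=$2 current=$3 home name p skip
    find "$users_dir" -mindepth 1 -maxdepth 1 -type d -mtime +"$days" -print |
    sort |
    while IFS= read -r home; do
        name=${home##*/}
        skip=0
        case $name in .*) skip=1 ;; esac              # .localized and similar
        if [ "$name" = "$current" ]; then skip=1; fi  # never the console user
        for p in $PROTECTED; do
            if [ "$name" = "$p" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$name"; fi
    done
}

# cleanup USERS_DIR DAYS CURRENT_USER
# Dry run by default; set DELETE=1 in the environment to really delete.
cleanup() {
    local name
    stale_homes "$1" "$2" "$3" | while IFS= read -r name; do
        if [ "${DELETE:-0}" = "1" ]; then
            /usr/sbin/sysadminctl -deleteUser "$name"
        else
            echo "would delete: $name"
        fi
    done
}

# Example invocation on a Mac (dry run):
#   cleanup /Users 40 "$(stat -f '%Su' /dev/console)"
```

Run the dry run first and compare its list against the accounts you expect; the sharepoints and groups cleanup discussed above is a separate step.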