During removing macOS User by script I got Error: -14120 and user is not fully removed
Posted on 06-25-2024 02:15 AM
Hi there,
I am trying to remove all "old" users from our iMacs, managed with JAMF School. The users have an AD account and during first login on an iMac we create a local (mobile) account on the Mac. At the end of the year we want to remove all these users and their data.
If I run a "sudo /usr/sbin/sysadminctl -deleteUser $user" on the client, the user is totally removed (after I once gave the terminal full access to the drive in system preferences). But if I run a JAMF Script with the same command, I got the error:
### Error:-14120 File:/AppleInternal/Library/BuildRoots/91a344b1-f985-11ee-b563-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/Admin/DSRecord.m Line:563
Nearly the same, if using the command "sudo dscl . delete /Users/$user": dscl DS Error: -14120 (eDSPermissionError)
All users, the first local Admin and root have "Secure Token" enabled. After I disabled System Integrity Protection in rescue mode with "csrutil disable", the JAMF Script is doing the job without error, but this is no solution.
My test client is a MacBook Pro on macOS 14.5 Build 23F79.
Any helpful ideas?
Kind regards Chris

Posted on 06-25-2024 10:18 AM
You'll want to include an admin username and password in your script to delete the account. Like this:
sysadminctl -deleteUser "$user" -adminUser "$adminUser" -adminPassword "$adminPassword"
I use the bash script in the following GitHub repo to encrypt the admin password: https://github.com/brysontyrrell/EncryptedStrings. Then, I use the input parameters for the script to pass in the encrypted string, passphrase, and salt and decrypt them in the script. A whole script could look something like this:
#!/bin/zsh
# Decrypt a string that was encrypted with the EncryptedStrings script.
function DecryptString() {
    # Usage: ~$ DecryptString "Encrypted String" "Salt" "Passphrase"
    echo "${1}" | /usr/bin/openssl enc -aes256 -md md5 -d -a -A -S "${2}" -k "${3}"
}
# Script parameters: 4 = admin user name, 5 = encrypted password, 6 = salt, 7 = passphrase
adminUser=${4}
adminPassword=$(DecryptString "${5}" "${6}" "${7}")
# $user must already hold the short name of the account to delete; this snippet does not set it.
sysadminctl -deleteUser "$user" -adminUser "$adminUser" -adminPassword "$adminPassword"
I also have a script in GitHub, deleteInactiveUsers.zsh, that deletes users after they've been inactive for a specified number of days. (I also just realized I hadn't updated it in a while, so I pushed updates this afternoon.)
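The encrypt and decrypt halves of the parameter scheme described in the reply above, as an added example that is not part of the original post or of the EncryptedStrings repository. `EncryptString` and `RoundTrip` are hypothetical helper names and the sample password is constructed; the openssl options mirror the reply's `DecryptString`.

```shell
#!/bin/bash
# Added example (not from the thread): round trip for the
# encrypted-string / salt / passphrase parameters used above.

# Encrypt $1 with a fresh random salt and passphrase.
# Prints three lines: encrypted string, salt, passphrase.
EncryptString() {
    local salt passphrase encrypted
    salt=$(openssl rand -hex 8) || return 1         # 8 bytes = 16 hex digits
    passphrase=$(openssl rand -hex 12) || return 1
    encrypted=$(printf '%s\n' "$1" |
        openssl enc -aes256 -md md5 -a -A -S "$salt" -k "$passphrase") || return 1
    printf '%s\n%s\n%s\n' "$encrypted" "$salt" "$passphrase"
}

# Same options as the reply's DecryptString: base64 in, plaintext out.
DecryptString() {
    printf '%s\n' "$1" | openssl enc -aes256 -md md5 -d -a -A -S "$2" -k "$3"
}

# Returns 0 only if decrypting the three values yields the original string.
RoundTrip() {
    local out encrypted salt passphrase
    out=$(EncryptString "$1") || return 1
    encrypted=$(printf '%s\n' "$out" | sed -n 1p)
    salt=$(printf '%s\n' "$out" | sed -n 2p)
    passphrase=$(printf '%s\n' "$out" | sed -n 3p)
    [ "$(DecryptString "$encrypted" "$salt" "$passphrase")" = "$1" ]
}

# Constructed sample password, for demonstration only.
if RoundTrip 'Constructed-Sample-Pw1'; then
    echo "round trip ok"
else
    echo "round trip failed"
fi
```

The encrypted string, salt and passphrase together are sufficient to recover the plaintext, so anyone who can read all three script parameters can recover the password.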
Posted on 06-26-2024 08:57 AM
Hi Skeenan07,
thanks for your quick and detailed response. Unfortunately, I'm travelling today, but I'm back tomorrow. I'll report my experience afterwards, but all you wrote makes sense.
Regards Chris
Posted on 06-27-2024 03:29 AM
Hi skeenan07,
I tested your command in the local script. For testing, I wrote the local admin credentials into the script in clear text, because it is a test system and I don't want to mix up something during encryption and decryption. But anyway the error is the same, Error:-14120, if I start the script via JAMF. And there is no error (user is removed), if I start the script locally in the terminal with sudo. The script is removing the user without error.
Regards Chris
