While removing a macOS user by script I get Error: -14120 and the user is not fully removed

FOSBOS-SR
New Contributor

Hi there,

I am trying to remove all "old" users from our iMacs, which are managed with JAMF School. The users have an AD account, and during the first login on an iMac we create a local (mobile) account on the Mac. At the end of the year we want to remove all these users and their data.

If I run "sudo /usr/sbin/sysadminctl -deleteUser $user" on the client, the user is completely removed (after I once gave the Terminal full access to the drive in System Preferences). But if I run a JAMF script with the same command, I get the error:

### Error:-14120 File:/AppleInternal/Library/BuildRoots/91a344b1-f985-11ee-b563-fe8bc7981bff/Library/Caches/com.apple.xbs/Sources/Admin/DSRecord.m Line:563

Nearly the same happens with the command "sudo dscl . delete /Users/$user": dscl DS Error: -14120 (eDSPermissionError)

All users, the first local admin and root have "Secure Token" enabled. After I disabled System Integrity Protection in rescue mode with "csrutil disable", the JAMF script does the job without error, but this is not a solution.

My test client is a MacBook Pro on macOS 14.5 Build 23F79.
Any helpful ideas?

Kind regards, Chris


skeenan07
New Contributor III

You'll want to include an admin username and password in your script to delete the account. Like this:

sysadminctl -deleteUser "$user" -adminUser "$adminUser" -adminPassword "$adminPassword"

I use the bash script in the following GitHub repo to encrypt the admin password: https://github.com/brysontyrrell/EncryptedStrings. Then I use the input parameters of the script to pass in the encrypted string, passphrase and salt, and decrypt them in the script. A whole script could look something like this:

#!/bin/zsh

function DecryptString() {
# Usage: ~$ DecryptString "Encrypted String" "Salt" "Passphrase"
# Decrypts a string produced by the EncryptedStrings helper (AES-256, base64, explicit salt)
echo "${1}" | /usr/bin/openssl enc -aes256 -md md5 -d -a -A -S "${2}" -k "${3}"
}

# Jamf script parameters 4-7: admin user name, encrypted password, salt, passphrase
adminUser=${4}
adminPassword=$(DecryptString "${5}" "${6}" "${7}")

# The account to delete must be set before it is used; assumed here to arrive as parameter 8
user=${8}

sysadminctl -deleteUser "$user" -adminUser "$adminUser" -adminPassword "$adminPassword"

I also have a script in GitHub, deleteInactiveUsers.zsh, that deletes users after they've been inactive for a specified number of days. (I also just realized I hadn't updated it in a while, so I pushed updates this afternoon.)
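The reply above passes a Secure Token admin's credentials to sysadminctl. The script below is an added example (not skeenan07's code and not from the EncryptedStrings repo) that wraps the same call with the guard a practitioner would want before running it fleet-wide: it refuses to delete root, service accounts (names starting with `_`), anything with a UID below 500, or the admin account that supplies the credentials. It assumes the target user arrives as Jamf parameter 4 and the admin user and password as parameters 5 and 6 (clear text here only to keep the example short; the decryption step is shown in the reply above). The `lookup_uid`/`delete_user` part only runs on macOS; `is_deletable` is plain shell and can be exercised anywhere.

```shell
#!/bin/bash
# Added example: guarded sysadminctl deletion for a Jamf policy script.
# Assumptions: $4 = account to delete, $5 = Secure Token admin, $6 = its password.

# Return 0 if target "$1" may be deleted, given the admin account "$2"
# and the target's numeric UID "$3" (empty if the account does not exist).
is_deletable() {
  target="$1"; admin="$2"; uid="$3"
  [ -n "$target" ] || return 1
  [ "$target" != "$admin" ] || return 1          # never delete the account doing the deleting
  case "$target" in root|_*) return 1 ;; esac    # root and _service accounts stay
  case "$uid" in ''|*[!0-9]*) return 1 ;; esac   # unknown account or non-numeric UID
  [ "$uid" -ge 500 ] || return 1                 # macOS system accounts use UIDs below 500
  return 0
}

# Resolve the UID through Directory Services (macOS only); prints nothing if absent.
lookup_uid() {
  /usr/bin/dscl . -read "/Users/$1" UniqueID 2>/dev/null | awk '{print $2}'
}

# Delete "$1" using admin "$2" / password "$3"; exit status 2 when the guard refuses.
delete_user() {
  user="$1"; admin="$2"; pass="$3"
  uid=$(lookup_uid "$user")
  if ! is_deletable "$user" "$admin" "$uid"; then
    echo "refusing to delete '$user' (uid='${uid:-none}')" >&2
    return 2
  fi
  # Never echo the password. Note that command-line arguments are visible to
  # other local processes via ps for as long as sysadminctl runs.
  /usr/sbin/sysadminctl -deleteUser "$user" -adminUser "$admin" -adminPassword "$pass"
}

# Only act when run on macOS with all three parameters present.
if [ "$(uname)" = "Darwin" ] && [ $# -ge 6 ]; then
  delete_user "$4" "$5" "$6"
fi
```

The guard is deliberately conservative: an account that dscl cannot find yields an empty UID and is skipped rather than passed to sysadminctl, so a typo in a parameter produces a logged refusal instead of an unexpected error.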

Hi Skeenan07,

thanks for your quick and detailed response. Unfortunately, I'm travelling today, but I'm back tomorrow. I'll report my experience afterwards, but all you wrote makes sense.

Regards, Chris

Hi skeenan07,

I tested your command in the local script. For testing, I wrote the local admin credentials into the script in clear text, because it is a test system and I don't want to mix something up during encryption and decryption. But anyway, the error is the same, Error:-14120, if I start the script via JAMF. And there is no error (the user is removed) if I start the script locally in the Terminal with sudo. The script removes the user without error.

Regards, Chris