Batch Remove User Accounts From Mac's Using Open Directory
I'm hoping someone can help me with this. Our school district uses Open Directory in our labs and many of the computers now have hundreds of user profiles. I know there is a profile deletion utility for PC that I've used but I'm wondering if there is something similar for the macs. Going into System Prefs, Accounts and deleting them one at a time is very tedious, in most cases it's faster to reimage the computer. Does anyone know a good way to automate this? Of course I would want to keep the admin account, the rest of the accounts can go.
I'm not familiar with the OD binding aspect of this, but as far as accounts local to some machine go... have you looked at the man page for dscl yet?
Anyway, tlarkin is the one to consult with... and he may be typing up a reply as we speak.
I'm a newbie with command line and don't want to mess with dscl unless I'm sure I know what I'm doing. I was hoping there would be a utility someone wrote along the way for doing this. tlarkin has helped me in the past so I hope he sees this and replies.
Are these mobile accounts that have been synchronized to the machine locally? Also, Hal, OD is pretty much the same across the board since Apple implemented directory services under the hood in 10.5. The BSD database either points to local DB, or to LDAPv3 DB on the server. Otherwise you can do almost anything (emphasis on 'almost') locally that you can do in OD.
This should be quite simple, though I suggest you take a different method with your images down the road that keeps the home folders of the local admin accounts IT staffers use out of /Users. I think it just makes it cleaner for certain tasks. I actually have a few scripts that already do this, but I need you to explain the details to me.
These are Active Directory accounts, meaning in Directory Utility the "Create Mobile Account at Login" option is selected. In Accounts, they show up as "managed, mobile" and they have a local home folder in /Users.
All I want to do is remove all managed mobile accounts, not only from /Users but also from managed preferences and System Prefs > Accounts. Basically, I want to do the same thing that removing them manually and selecting "Remove the Home Folder" does.
If you run this command, do the AD users show up? I must assume they do, but I do not have AD in my environment. Though on a side note, I am going to get a VM of Win server 2k7 or whatever the newest version is so I can start tinkering with it again.
Code:
dscl . list /Users | grep -v "_"
all users, both local and AD show up using this command
Quote:
1 - loop through all user accounts, local and AD
2 - find all non admin accounts
3 - delete all non admin accounts from the system entirely?
This correct?
That is correct, all non-admin, managed-mobile accounts can go. I really only want to preserve the local admin account, but if it leaves AD admin accounts that's fine too.
OK, I guess we could do something like this
Code:
#!/bin/bash
This one didn't work. I had to sudo it which is fine but when I did it gave me a very long list of errors, here is a partial output, it's pretty much more of this until it kicks me back to the command prompt...
TECH-IMAC:~ admin$ sudo /Users/admin/Desktop/profiledelete.sh
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
grep: unrecognized option `--r--r--'
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
Admin account detected skipping...
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
Admin account detected skipping...
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
Ahh you know what, I think the -l switch is throwing it off, let me edit the script, and yes this will need to run as root, and this will delete accounts, so test it on a machine you can sacrifice to the computer gods if need be.
The script is edited now.
I'm using our test box, it's just for things like this.
I'm going to try it this morning, I'll post my results
Works perfectly! It even clears out the managed preferences folder as well. I made a package using Iceberg so now I can clear out an entire lab in seconds. Thank you!
It does clear off domain admin accounts and leaves only the local admin account, which is exactly what I want.
slight correction to the above...
It does not remove the user folder out of /Library/Managed Preferences. This is OK, but I may try to revise the script even further to do this. Something like rm -r /Library/Managed\ Preferences should do the trick. All folders inside Managed Preferences will recreate themselves at login anyway, so nothing in the folder is needed.
I suggest people locate their local admin accounts for internal IT usage home folders outside of /Users. Therefore, you can always assume the /Users is for your user base, and say, /private/var/homes is for your local admin accounts that your IT staff will use. That way, you can always just scrub out everything in /Users if you wanted to clean up a machine, and you also know for a fact that /Users should have no local or otherwise admin accounts present there.
I didn't know you could specify the admin account home folder location, how would I go about doing that without hosing the account?
When you create the account you can specify the path of the home folder:
Code:
/usr/bin/dscl . create /Users/myadminuser NFSHomeDirectory /private/var/home/myadminuser
Our Mac labs are bound to our AD but we don't tick the "Create mobile account at login" option. Users can log in, get their temporary home folders and their "H" drive, BUT no user profiles are created, so none to delete. Simple!
Quote:
It has its merits, but isn't always the best solution for everything and everyone.
The problem with that is our MacBooks: we need to create the account so that it caches the credentials. This speeds up login times. Without the cached credentials students have to wait for the green directory services status light, which can take over a minute sometimes.
I agree that for laptops the mobile account option is best, but our labs are desktops and I have found that logins are quicker if the mobile option is not used, but that may be down to our particular AD setup. For an AD staff machine, time from logging in to having Word open is about 7 seconds. Student machine logons are just as quick, but their desktop takes longer to appear because the default user template folders have to be copied to their own home folders.
I got 6,000 laptops in my deployment, I can't have them all authenticating to the servers at once, the servers don't like it. I hear ya though, I don't have too many desktops in my deployment as everything got shifted in a 1:1 with laptops.
I was going to try this out in a hard wired lab, I have heard that logins are much faster when no profile needs to be created. The main focus of this post was to find a way to remove profiles from our macbooks but I agree that in a hard wired environment non-mobile logins would be better
lennysweet.
Please note that the "dscl . read /Users/$me SMBHome" command does not work if you don't create mobile accounts! This doesn't bother me because I don't put students' H drives into the Finder sidebar.
please provide the correction in the script
Hi there
Can someone please post the finalised script. This is exactly what I am looking for, but I keep getting an error: DS Error: -14009 (eDSUnknownNodeName) delete: Invalid Path. I cannot see the -l in the script at all that was referred to as causing a conflict.
help please
Please can you tell me the full corrected script? I keep getting this error and cannot see the -l switch you are referring to.
Quote:
http://forums.macosxhints.com/showpo...7&postcount=10 I originally had the -l switch on the ls /Users part but edited it to fix it. What is your error message when running the script? Also, this will delete all non-admin accounts out of /Users permanently, so be careful when running it.
Removing User Accounts
Wow, I've been hunting and pecking around for just such info in an easily copy/pasted format to automate the removal of our nonadmin user accounts as well. I copy/pasted the script here into Remote Desktop and sent it just to test it and received the error kimpton79 was getting as well.
Now, as opposed to running this in Remote Desktop all the time, I'm hoping to learn how to set it up to run as a logout hook so that when users log off of the units, their accounts get deleted, unless of course they are an admin. The cat's A$$ version of this would allow me to determine a set number of days after the user has logged in to then delete their account. So say after two days and their account hasn't been used, then it gets wiped from the /Users folder.
script to remove users on logout?
Hey, actually I'm looking to do something similar.
I have several machines running 10.6.8 (soon to be 10.7) and I'd like to run a script on logout that deletes the user account if it's a non-admin. Users are logging in and authenticating to an AD, but we're not caching the account data, so if there's no network connection they can't log in. Presently I'm just manually deleting all the folders in the /Users folder, save for the local admin user and the Shared folder, via the Terminal once every week or so.
remove all except an an admin account
Try this, it deletes the current user on logout except the admin account called admin :-
Code:
#!/bin/sh
#
# a logout hook is handed the user name as $1
username="$1"
# an empty name would turn the rm below into rm -r /Users/, so bail out
[ -z "$username" ] && exit 1
if [ ! "$username" = "admin" ]
then
  rm -r "/Users/$username"
fi
This variation deletes all accounts except two, admin and default (the trailing $ anchors the pattern so only these exact names are kept, not every name that starts with them):
Code:
find -E /Users -mindepth 1 -maxdepth 1 \! -iregex "^/Users/(admin|default|Shared|\.DS_Store)$" -print0 | xargs -0 rm -r
Long time script, and I have changed my methods...
To populate a list of local users I now use this method:
Code:
userList=$(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }')
Lion
I was looking to do this on 10.7 stations. My computers have a few local accounts on them. Has anyone found a way to only delete the mobile accounts. These are the ad accounts I want to delete.
Quote:
Code:
$ userList=$(dscl . list /Users UniqueID | awk '$2 > 1000 { print $1 }'); echo ${userList}
I'm sorry, but I'm a newbie to IT and Macs in general. I understand that this code will produce a list of user accounts that are mobile. Right?
Code:
$ userList=$(dscl . list /Users UniqueID | awk '$2 > 1000 { print $1 }'); echo ${userList}
But how would you recommend going about creating a script that would 1) create a list of mobile accounts and 2) delete those users and their home folders from the computer? I would love to be able to do this from ARD. I work at a school and have around 325 Macs ranging from 10.4.11 to 10.7.4, all joined to AD for student login accounts. Students' home folders begin to add up, taking a lot of space on the hard drives, and plus we dump all student accounts when school is over and the next year a student is issued a new login account. Any help would be greatly appreciated!
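Several posters above ask for the finished script, so here is one put together for this thread; it is an added example, not tlarkin's script or anything posted earlier. It builds the candidate list from dscl . list /Users UniqueID (the UID-threshold trick from the later posts) rather than from ls -l, which is what produced the grep --r--r-- error shown above, never touches anything in the admin group or on a keep list, and only removes accounts whose AuthenticationAuthority carries the ;LocalCachedUser; tag that macOS writes for mobile (cached directory) accounts. It is a dry run unless DO_DELETE=1 is set. The KEEP_USERS names, the 500 threshold and the --run flag are assumptions you should adjust for your own image.

```shell
#!/bin/bash
# Added example, not a script from this thread: remove non-admin mobile
# (cached AD/OD) accounts from a bound Mac. Dry run by default; set
# DO_DELETE=1 and run as root to actually delete anything.
set -u

# Local accounts that are never removed, whatever their UID (assumed names).
KEEP_USERS="admin default Shared"

# True if word $1 appears in the space-separated list $2.
word_in() {
    local needle="$1" w
    for w in $2; do
        [ "$w" = "$needle" ] && return 0
    done
    return 1
}

# Read `dscl . list /Users UniqueID` output ("name uid" per line) on stdin
# and print the names that are candidates for removal: UID above $1, not a
# system (_-prefixed) or built-in account, not on KEEP_USERS, and not in $2
# (the value of the admin group's GroupMembership attribute).
select_candidates() {
    local threshold="$1" admins="$2" name uid
    while read -r name uid; do
        [ -z "$name" ] && continue
        case "$name" in _*|root|daemon|nobody) continue ;; esac
        [ "$uid" -gt "$threshold" ] 2>/dev/null || continue
        word_in "$name" "$KEEP_USERS" && continue
        word_in "$name" "$admins" && continue
        printf '%s\n' "$name"
    done
}

# True if the AuthenticationAuthority text on stdin marks a mobile account:
# a cached directory user carries the ;LocalCachedUser; tag.
is_mobile_auth() {
    grep -q 'LocalCachedUser'
}

# Remove one account: directory record, home folder, and its folder under
# /Library/Managed Preferences. Only prints unless DO_DELETE=1.
remove_account() {
    local name="$1"
    case "$name" in ""|*/*|.|..) return 1 ;; esac   # never build a bad path
    if [ "${DO_DELETE:-0}" != "1" ]; then
        printf 'would remove: %s\n' "$name"
        return 0
    fi
    dscl . delete "/Users/$name"
    rm -rf "/Users/$name"
    rm -rf "/Library/Managed Preferences/$name"
}

main() {
    local admins u
    admins=$(dscl . read /Groups/admin GroupMembership | sed 's/^GroupMembership: //')
    dscl . list /Users UniqueID | select_candidates 500 "$admins" |
    while read -r u; do
        if dscl . read "/Users/$u" AuthenticationAuthority 2>/dev/null | is_mobile_auth; then
            remove_account "$u"
        fi
    done
}

# Only act when invoked explicitly, so sourcing the file just defines helpers.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it once as sudo ./cleanup.sh --run to see the "would remove" list, then sudo DO_DELETE=1 ./cleanup.sh --run on a test box before pushing it through ARD. For the logout-hook variant discussed above, a hook can source this file and call remove_account "$1", which keeps the same admin and keep-list protection.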