Batch Remove User Accounts From Mac's Using Open Directory - Page 2

tlarkin · 04-20-2010, 08:45 AM

Quote:

Originally Posted by kaptagat


	Our Mac labs are bound to our AD but we don't tick the "create mobile account" at logon" option. Users can login, get their temporary home folders and their "H" drive, BUT no user profiles are created, so none to delete. Simple!

Yeah but if you got any network issues and the home folder cannot be reached, then no log in. Also, when you create mobile homes, the user will authenticate locally to the synchronized account, and then do everything else with a kerberos ticket.

It has it's merits, but isn't always the best solution for everything and everyone.

lennysweet · 04-20-2010, 08:53 AM

The problem with that is our macbooks, we need to create the account so that is caches the credentials. This speeds up login times. Without the cached credentials students have to wait for the green directory services status light which can take over a minute sometimes.

tlarkin · 04-20-2010, 08:59 AM

Quote:

Originally Posted by lennysweet


	The problem with that is our macbooks, we need to create the account so that is caches the credentials. This speeds up login times. Without the cached credentials students have to wait for the green directory services status light which can take over a minute sometimes.

yup, portable accounts are really preferable with laptops for sure. That is why we use them, and you can sync the home folder when they come back on the network if they leave the network for a while.

kaptagat · 04-20-2010, 09:28 AM

I agree that for laptops then the mobile account option is best, but our labs are desktops and I have found that logins are quicker if the mobile option is not used but that may be down to out particular AD setup. For an AD staff machine, time from logging in to having Word open, is about 7 seconds. Student machine logons are just as quick, but their desktop takes longer to appear because the default user template folders have to be copied to their own home folders.

tlarkin · 04-20-2010, 09:30 AM

I got 6,000 laptops in my deployment, I can't have them all authenticating to the servers at once, the servers don't like it. I hear ya though, I don't have too many desktops in my deployment as everything got shifted in a 1:1 with laptops.

lennysweet · 04-20-2010, 09:30 AM

I was going to try this out in a hard wired lab, I have heard that logins are much faster when no profile needs to be created. The main focus of this post was to find a way to remove profiles from our macbooks but I agree that in a hard wired environment non-mobile logins would be better

kaptagat · 04-20-2010, 10:50 AM

lennysweet.

Please note that the "dscl . read /Users/$me SMBHome" command does not work if you don't create mobile accounts!

This doesn't bother me because I don't put students' H drives into the finder side-bar.

tlarkin · 04-20-2010, 10:56 AM

Quote:

Originally Posted by kaptagat


	lennysweet. Please note that the "dscl . read /Users/$me SMBHome" command does not work if you don't create mobile accounts! This doesn't bother me because I don't put students' H drives into the finder side-bar.

By default dscl always looks at the local node for database info. You can always point it to a server to read off of that as well, if you can authenticate to it. However, I highly doubt directory services would talk to active directory, but I have never tried.

kimpton79 · 05-07-2010, 06:31 AM

Hi there

Can someone please post the finalised script. This is exactly what i am looking for but i keep getting an error DS Error: -14009 (eDSUnKnownNodeName)
delete:Invalid Path

I cannot see the -l in the script at all referred to as causing a conflict

kimpton79 · 05-07-2010, 06:37 AM

Please can you tell me the full corrected script i keep getting this error and cannot see the -| switch you are referring to

Quote:

Originally Posted by tlarkin


	Ahh you know what, I think the -l switch is throwing it off, let me edit the script, and yes this will need to run as root, and this will delete accounts, so test it on a machine you can sacrifice to the computer gods if need be. The script is edited now

tlarkin · 05-07-2010, 08:31 AM

Quote:

Originally Posted by kimpton79


	Please can you tell me the full corrected script i keep getting this error and cannot see the -\| switch you are referring to

This is the correct script here:

http://forums.macosxhints.com/showpo...7&postcount=10

I originally had the -l switch on the ls /Users part but edited it to fix it. What is your error message when running the script? Also, this will delete all non admin accounts out of /Users permanently, so be careful when running it.

panacea · 02-28-2012, 11:14 AM

Wow, I've been hunting and pecking around for just such info in an easily copy/pasted format to automate the removal of our nonadmin user accounts as well. I copy/pasted the script here into Remote Desktop and sent it just to test it and received the error kimpton79 was getting as well.

Now, as opposed to running this in Remote Desktop all the time, I'm hoping to learn how to set it up to run as a logout hook so that when users log off of the units, their accounts get deleted, unless of course they are an admin. The cats A$$ version of this would allow me to determine a set number of days after the user has logged in to then delete their account. So say after two days and their account hasn't been used, then it gets wiped from the /Users folder.

panacea · 02-29-2012, 05:57 PM

Hey, actually I'm looking to do something similar.

I have several machines running 10.6.8 (soon to be 10.7) and I'd like to run a script on logout that deletes the user account if it's a non-admin. Users are logging in and authenticating to an AD, but we're not caching the account data so if there's no network connection, they can't log in.

Presently I'm just manually deleting all the folders in the /Users folder, save for the local admin user and the Shared folder, via the Terminal once every week or so.

kaptagat · 03-02-2012, 03:03 AM

Try this, it deletes the current user on logout except the admin account called admin :-

#!/bin/sh

# username=$1

if [ ! "$1" = "admin" ]
then rm -r /Users/$1
fi

This variation deletes all accounts except two, admin and default :

find -E /Users -mindepth 1 -maxdepth 1 \! -iregex "^/Users/(admin|default|Shared|\.DS_Store)" -print0 | xargs -0 rm -r

tlarkin · 03-02-2012, 08:36 AM

Long time script, and I have changed my methods...

to populate a list of local users I now use this method

Code:

userList=$(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }')

That will build an array of local user accounts. If you have any hidden accounts with a loser UID they won't get listed, nor will system accounts, and since a user's home directory could possibly be located outside of the /Users folder.

Shawn · 04-18-2012, 09:50 PM

I was looking to do this on 10.7 stations. My computers have a few local accounts on them. Has anyone found a way to only delete the mobile accounts. These are the ad accounts I want to delete.

tlarkin · 05-08-2012, 10:18 PM

Quote:

Originally Posted by Shawn


	I was looking to do this on 10.7 stations. My computers have a few local accounts on them. Has anyone found a way to only delete the mobile accounts. These are the ad accounts I want to delete.

So, if an AD account is created on a Mac as a mobile account, it will create a local home folder and the UID will be greater than 1000. So, to get a list of AD mobile accounts (not network accounts) you can use the same code as above but change the grater than value, for example:

Code:

$ userList=$(dscl . list /Users UniqueID | awk '$2 > 1000 { print $1 }'); echo ${userList}
testad

testad is my test AD account on my production laptop that has a UID of greater than 1000, so it ignored all my local accounts.

Shawn · 05-18-2012, 07:00 PM

Im sorry, but Im a newbie to IT and Macs in general. I understand that this code will produce a list of users accounts that are mobile. Right?

$ userList=$(dscl . list /Users UniqueID | awk '$2 > 1000 { print $1 }'); echo ${userList}

But how would you recommend going about creating a script that would 1 create a list of mobile accounts and 2 Delete those users and their home folder from the computer. I would love to be able to do this from ARD.

I work at a school and have around 325 Macs ranging from 10.4.11 to 10.7.4 all joined to AD for student login accounts. Students home folders begin to add up taking a lot of space of the hard drives and plus we dump all student accounts when school is over and the next year a student is issued a new login account.

Any help would be greatly appreciated!

04-20-2010, 09:30 AM	#25
tlarkin League Commissioner Join Date: Mar 2003 Location: Kansas City Posts: 11,347	I got 6,000 laptops in my deployment, I can't have them all authenticating to the servers at once, the servers don't like it. I hear ya though, I don't have too many desktops in my deployment as everything got shifted in a 1:1 with laptops. __________________ sudo make me a sammich http://www.tlarkin.com "It just told me what I already knew, that I'm a great and amazing guy, didn't I tell you baby, I'm Zaphod Beeblebrox."

05-07-2010, 06:31 AM	#29
kimpton79 Prospect Join Date: May 2009 Posts: 41	please provide the correction in the script Hi there Can someone please post the finalised script. This is exactly what i am looking for but i keep getting an error DS Error: -14009 (eDSUnKnownNodeName) delete:Invalid Path I cannot see the -l in the script at all referred to as causing a conflict

02-28-2012, 11:14 AM	#32
panacea Prospect Join Date: Feb 2012 Posts: 2	Removing User Accounts Wow, I've been hunting and pecking around for just such info in an easily copy/pasted format to automate the removal of our nonadmin user accounts as well. I copy/pasted the script here into Remote Desktop and sent it just to test it and received the error kimpton79 was getting as well. Now, as opposed to running this in Remote Desktop all the time, I'm hoping to learn how to set it up to run as a logout hook so that when users log off of the units, their accounts get deleted, unless of course they are an admin. The cats A$$ version of this would allow me to determine a set number of days after the user has logged in to then delete their account. So say after two days and their account hasn't been used, then it gets wiped from the /Users folder.

02-29-2012, 05:57 PM	#33
panacea Prospect Join Date: Feb 2012 Posts: 2	script to remove users on logout? Hey, actually I'm looking to do something similar. I have several machines running 10.6.8 (soon to be 10.7) and I'd like to run a script on logout that deletes the user account if it's a non-admin. Users are logging in and authenticating to an AD, but we're not caching the account data so if there's no network connection, they can't log in. Presently I'm just manually deleting all the folders in the /Users folder, save for the local admin user and the Shared folder, via the Terminal once every week or so.

03-02-2012, 03:03 AM	#34
kaptagat Major Leaguer Join Date: Jul 2003 Posts: 329	remove all except an an admin account Try this, it deletes the current user on logout except the admin account called admin :- #!/bin/sh # username=$1 if [ ! "$1" = "admin" ] then rm -r /Users/$1 fi This variation deletes all accounts except two, admin and default : find -E /Users -mindepth 1 -maxdepth 1 \! -iregex "^/Users/(admin\|default\|Shared\|\.DS_Store)" -print0 \| xargs -0 rm -r

04-20-2010, 08:53 AM	#22
lennysweet Triple-A Player Join Date: Jun 2008 Posts: 92	The problem with that is our macbooks, we need to create the account so that is caches the credentials. This speeds up login times. Without the cached credentials students have to wait for the green directory services status light which can take over a minute sometimes.

04-20-2010, 09:28 AM	#24
kaptagat Major Leaguer Join Date: Jul 2003 Posts: 329	I agree that for laptops then the mobile account option is best, but our labs are desktops and I have found that logins are quicker if the mobile option is not used but that may be down to out particular AD setup. For an AD staff machine, time from logging in to having Word open, is about 7 seconds. Student machine logons are just as quick, but their desktop takes longer to appear because the default user template folders have to be copied to their own home folders.

04-20-2010, 10:50 AM	#27
kaptagat Major Leaguer Join Date: Jul 2003 Posts: 329	lennysweet. Please note that the "dscl . read /Users/$me SMBHome" command does not work if you don't create mobile accounts! This doesn't bother me because I don't put students' H drives into the finder side-bar.

03-02-2012, 08:36 AM	#35
tlarkin League Commissioner Join Date: Mar 2003 Location: Kansas City Posts: 11,347	Long time script, and I have changed my methods... to populate a list of local users I now use this method Code: userList=$(dscl . list /Users UniqueID \| awk '$2 > 500 { print $1 }') That will build an array of local user accounts. If you have any hidden accounts with a loser UID they won't get listed, nor will system accounts, and since a user's home directory could possibly be located outside of the /Users folder. __________________ sudo make me a sammich http://www.tlarkin.com "It just told me what I already knew, that I'm a great and amazing guy, didn't I tell you baby, I'm Zaphod Beeblebrox."

04-18-2012, 09:50 PM	#36
Shawn Prospect Join Date: Apr 2012 Location: TN Posts: 10	Lion I was looking to do this on 10.7 stations. My computers have a few local accounts on them. Has anyone found a way to only delete the mobile accounts. These are the ad accounts I want to delete.

05-18-2012, 07:00 PM	#38
Shawn Prospect Join Date: Apr 2012 Location: TN Posts: 10	Im sorry, but Im a newbie to IT and Macs in general. I understand that this code will produce a list of users accounts that are mobile. Right? $ userList=$(dscl . list /Users UniqueID \| awk '$2 > 1000 { print $1 }'); echo ${userList} But how would you recommend going about creating a script that would 1 create a list of mobile accounts and 2 Delete those users and their home folder from the computer. I would love to be able to do this from ARD. I work at a school and have around 325 Macs ranging from 10.4.11 to 10.7.4 all joined to AD for student login accounts. Students home folders begin to add up taking a lot of space of the hard drives and plus we dump all student accounts when school is over and the next year a student is issued a new login account. Any help would be greatly appreciated!

Thread Tools
Show Printable Version Email this Page
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread: