Scripting User Account Removal


 
# 1  
Old 12-20-2011
Scripting User Account Removal

Ok, so I've been looking all over the place for how exactly to do this and I've become so bombarded with information I finally decided I'll pose the question here. I'm not a programmer or anything that hardcore, but if I see things already implemented and working examples I can easily learn and modify them to suit my needs. That being said I have been trying to find the step by step or close to for creating a couple login/logout hooks. And now I'm also reading I should create a launchd job instead and am just beginning to look into that option since it's more secure.

I'm in a mixed 10.6 / 10.7 environment with all moving to 10.7 hopefully soon here in a university environment and manage all the workstations we have in our building. Users log in with their AD accounts and user folders are created locally and pulled from the default new user template that I've modified to suit our environment.

The two (or maybe one?) scripts I need are to do a couple things then. First, I'd like to erase each user account on logout so the user folders don't pile up in the User directory. And then second, I'm thinking I'll also need a login script to put my Admin account folder back each time from a template or something as it too will get erased from the logout script.

Thanks for any help in advance.
# 2  
Old 12-22-2011
step one: get the currently logged in user name.
If it were a loginhook, $1 would work. I've found that problematic for logouthooks, so I use $USER.

step two: verify they aren't admin, or aren't you.
You could test the result of
dscl . -read /Groups/admin GroupMembership | grep "$USER"
If $? (the exit code) equals 0 then leave the logouthook script with "exit 1"
otherwise...

step three: remove the user account
dscl . -delete /Users/$USER

step four: remove the user's home folder
rm -R /Users/$USER


# If $USER is empty, exit: "/Users/$USER" would then be /Users itself
if [ -z "$USER" ]; then
    exit 1
fi

# If user is an admin, exit script
dscl . -read /Groups/admin GroupMembership | grep -q "$USER"
if [ "$?" -eq 0 ]; then
# the next line could be substituted for the previous 2 lines
#if [ "$USER" = "adminuser1" ] || [ "$USER" = "adminuser2" ] || [ "$USER" = "adminuser3" ]; then
    echo "LOGOUT: admin folders will not be deleted."
    exit 1
fi

# If home directory exists, delete it and then the local account record
if [ -d "/Users/$USER" ]; then
    echo "LOGOUT: user account cleanup."
    rm -R /Users/"$USER"
    dscl . -delete /Users/"$USER"
fi
exit 0

That should do it. I use a similar script and it works fine except for forced reboot scenarios, but that's what lab admins, and periodic reimaging is for.

This is fairly rudimentary scripting. Feel free to use awk, case statements, and for loops to your heart's content.
# 3  
Old 01-08-2012
Super Dummies version?

Hey thanks for the message man! I'm a little unclear what all to copy/paste into my text file though. (sorry) As I said, new to all this stuff and not clear on a lot of it yet. Any chance you can create a super dummies version of the email you sent? I'm reading one article here, https://discussions.apple.com/thread/1454557?start=0&tstart=0, for example, and it's confusing me where to put the file and what exactly I'm writing. I'm using 10.7 on all the machines I want to put this on.
# 4  
Old 01-11-2012
from "# If..." to "exit 0"

Your script should actually start with:
#!/bin/bash
# and insert any comments here, like what this script does

Then you want to name it such that you won't accidentally try to use it as a loginhook. My recommendation is "LogoutHook".

You can put the script practically anywhere, but try to think of a place that will be common for all such scripts going forward. We created a folder in the main Library folder for all custom scripting. That is where all of our admin level support staff can find them on any previous or future image builds.

You probably don't want read privileges for other, aka "world readable". After creating your script, from the command line, enter this and hit return:
chmod 770 /path/to/LogoutHook

You probably want to make root or "system" the owner, and maybe assign the admin group full access:
sudo chown root:admin /path/to/LogoutHook

I'm sure someone will correct me if I'm wrong on any of this, but it is working this way for my scripts.
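The logout-hook checks described in posts #2 and #4, as an added example that is not part of the thread: it goes a little further than the posted script by matching admin names exactly and refusing empty names, path-like names and symlinked home folders before anything is deleted. The function names are hypothetical, and it assumes `dscl . -read /Groups/admin GroupMembership` prints `GroupMembership:` followed by space-separated short names.

```bash
#!/bin/bash
# Added example, not from the thread. Function names are hypothetical.

# True if $2 appears as a whole word in a "GroupMembership: a b c" line ($1).
# grep "$USER" would also match "adm" inside "labadmin"; this compares exactly.
is_group_member() {
    local line="${1#GroupMembership:}" member
    for member in $line; do
        [ "$member" = "$2" ] && return 0
    done
    return 1
}

# True only for a plain short name. Rejects empty, ".", "..", a leading "-"
# and any "/" so that "$root/$user" can never be the users root or leave it.
is_safe_name() {
    case "$1" in
        ""|.|..|-*|*/*) return 1 ;;
    esac
    return 0
}

# Prints "remove" or "keep:<reason>" for user $1, given the admin group
# line $2 and the users root $3 (/Users on a real machine).
logout_decision() {
    local user="$1" admins="$2" root="$3"
    is_safe_name "$user" || { echo "keep:unsafe-name"; return; }
    is_group_member "$admins" "$user" && { echo "keep:admin"; return; }
    [ -d "$root/$user" ] || { echo "keep:no-home"; return; }
    [ -L "$root/$user" ] && { echo "keep:symlink"; return; }
    echo "remove"
}

# What the hook itself would call. If dscl fails, nothing is deleted.
cleanup_on_logout() {
    local user="$1" admins
    admins=$(dscl . -read /Groups/admin GroupMembership) || return 1
    [ "$(logout_decision "$user" "$admins" /Users)" = "remove" ] || return 0
    echo "LOGOUT: user account cleanup."
    rm -R "/Users/$user"
    dscl . -delete "/Users/$user"
}

# As the installed LogoutHook, the file would end with:
#   cleanup_on_logout "$USER"
```

`logout_decision` takes the users root as a parameter, so it can be exercised against a scratch directory before the hook is installed on a lab machine.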
# 5  
Old 01-17-2012
greetings

Here is an AppleScript I wrote a while ago. It uses a FileMaker database to grab the user's name and information. I had one written in bash, but I can't find it.

Code:
tell application "FileMaker Pro"
	set RecordName to cell "RecordName" of current record
end tell
display dialog " WARNING !!!!!!!

THIS ACTION WILL
DELETE THE ACCOUNT ......." & RecordName & "......


Are you sure you want to proceed ? " with icon 0 with title " Time to Delete " buttons {"Exit", "Continue"} default button "Continue"
if button returned of the result is "Continue" then
	try
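		-- PASSWORD is a placeholder; quoted form of keeps shell metacharacters in RecordName from being executed
		do shell script "dscl -u diradmin -P PASSWORD /LDAPv3/my.ldap1.com -delete " & quoted form of ("/Users/" & RecordName)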
		beep 3
		display dialog " username " & RecordName & " Was Deleted from ODM" with icon 1 with title " Laters " buttons {"Okay F00"} default button 1
	on error errMsg number errorNumber
		display dialog errMsg
	end try
else
	display dialog "SEE YA f00!!!"
	beep 1
end if

# 6  
Old 01-30-2012
Thanks guys. Just getting to my new images now so I'll keep you posted as to whether or not I hose the machines.
# 7  
Old 02-27-2012
Still No Luck

Maybe I'm creating the script wrong or something, for it's not cooperating. The part you said to copy/paste, should that just be put into a new TextEdit doc and saved out as a plain text file?

And I can copy directly what you entered and not need to modify anything?

Like I said, noob to the scripting here.