Script To Delete User Accounts On Multiple Servers

# 1  
Old 09-10-2014

Hello All,

The servers in question are AIX/Unix servers. I was hoping to find a scripting solution where I could use one server as a jump server and run a script that would check each server for a user account (the source file for the user accounts would be a text file or CSV file), and delete the user account. I don't have root access, but I do have sudo rights. Expect is installed on all of the servers. Can someone assist me with this? Thanks in advance.
# 2  
Old 09-10-2014
Do you have password-less ssh access to all the servers? Can this be set up?

What should happen if the user is logged in when you attempt to delete them?

Do you need to kill any jobs running as the users?
Do you need to remove cron/at jobs for the user?
What about spooled print jobs?
Files under the user's home directory?
# 3  
Old 09-12-2014
The accounts that I am trying to delete are for users that are no longer with the company, so there should be no one logged in with these accounts. I have my jump server configured to use keys (instead of a password) to connect to the other servers via ssh. No jobs are running for any of these accounts; they can be terminated with extreme prejudice. The home directories can also be deleted with no issue.
# 4  
Old 09-12-2014
Hi,

Here is a shell script written some time ago to gather the user information on AIX servers, I'm sure that the output could be used to feed a second script to remove the users - comes without warranty - use with caution. This was used as we had servers with 15k local accounts and they changed at the rate of about 60 a week, so we had to develop tools to manage.

Code:
#!/bin/ksh
#$Id$
############################################################################################
#
# Check for unused accounts on AIX systems, required that Perl is installed.
#
############################################################################################
# The original script was found on the Web and adapted to suit our environment.
############################################################################################
#
# Dave Hoojikaflip - 14/06/2009
#
############################################################################################
#
# Change History.
#
# Newest Changes to the top please.
#
############################################################################################

############################################################################################
#
# Get the seconds from the epoch.
#
############################################################################################

secs_since_epoch=$(perl -le 'print time')

############################################################################################
#
# Declare function to check what output there was from a test - and make it readable.
#
############################################################################################

function do_the_thing
{
if [[ -n "$1" ]]; then
print "$1" | troff -a
fi
}

############################################################################################
#
# Declare function
#
############################################################################################

function put_it_out_there
{
do_the_thing "$no_password_aging"
do_the_thing "$all_locked_accounts"
do_the_thing "$never_logged_in"
do_the_thing "$not_for_ninety"
do_the_thing "$passwd_set_never_logged_in"
do_the_thing "$too_many_unsuccessful"
do_the_thing "$has_it_expired"
}

############################################################################################
#
# List all users, with the exception of the default users.
#
############################################################################################

for user_name in $( awk -F':' '{print $1}' /etc/passwd | sort ) ; do

############################################################################################
#
# Check the aging of the passwords.
#
############################################################################################

if [[ -n $(awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':"{ if (/minage|maxage/ ){print $0} } ' /etc/security/user ) ]]; then
        if [[ -z $no_password_aging ]]; then
                no_password_aging=$( print no passwd aging - $user_name )
        else
                no_password_aging=$( print $no_password_aging $user_name )
        fi
fi

############################################################################################
#
# Check to see if any of the accounts are locked.
#
############################################################################################

if [[ -n $(awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':"{ if (/account_locked = true/ ){print $0} } ' /etc/security/user ) ]]; then
        if [[ -z $all_locked_accounts ]]; then
                all_locked_accounts=$( print locked users - $user_name )
        else
                all_locked_accounts=$( print $all_locked_accounts $user_name )
        fi
fi

############################################################################################
#
# Check for accounts that have never logged in.
#
############################################################################################

if [[ -z $( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':" ' /etc/security/lastlog) ]] || [[ -n $( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':" { if (!/time_last_login/ ){print $1} } ' /etc/security/lastlog ) ]]; then
        if [[ -z $never_logged_in ]]; then
                never_logged_in=$( print never logged in - $user_name )
        else
                never_logged_in=$( print $never_logged_in $user_name )
        fi
fi

############################################################################################
#
# Have any accounts not been used for the last 90 days.
#
############################################################################################

if [[ -n $( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':"{ if (/time_last_login/ ){print $1} }' /etc/security/lastlog) ]]; then
        if (( $secs_since_epoch - $( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':"{if (match($0,/time_last_login = [0-9]+/) ){ print substr($0, RSTART+18, 10)} }' /etc/security/lastlog ) > 7776000 )); then
                if [[ -z $not_for_ninety ]]; then
                not_for_ninety=$( print not used 90+ - $user_name )
                else
                not_for_ninety=$( print $not_for_ninety $user_name )
                fi
        fi
fi

###########################################################################################
#
# Check to see if the password has been set, but account not used.
#
###########################################################################################

if [[ -n $( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':"{ if (/flags = ADMCHG/ ){print $1} } ' /etc/security/passwd) ]]; then
                if [[ -z $passwd_set_never_logged_in ]]; then
                passwd_set_never_logged_in=$( print passwd set but user never logged in - $user_name )
                else
                passwd_set_never_logged_in=$( print $passwd_set_never_logged_in $user_name )
        fi
fi

###########################################################################################
#
# Now we count the number of failed logins.
#
###########################################################################################

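# RLENGTH-27 keeps every digit of the counter, not just the first one.
# Note: the test below fires at 4, although the message says "5 or more".
num_unsuccessful_logins=$( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':" {if (match($0, /unsuccessful_login_count = [0-9]+/) ) {print substr($0, RSTART+27, RLENGTH-27)} }' /etc/security/lastlog )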
if [[ -n $num_unsuccessful_logins ]] && (( $num_unsuccessful_logins >= 4 )) ; then
        if [[ -z $too_many_unsuccessful ]]; then
        too_many_unsuccessful=$( print 5 or more unsuccessful logins - $user_name )
        else
        too_many_unsuccessful=$( print $too_many_unsuccessful $user_name )
        fi
fi

###########################################################################################
#
# Have any of the accounts got an expired password.
#
###########################################################################################

time_now=$(perl -le 'print time')
password_last_update=$( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':" { if (match($0,/lastupdate/) ) {print substr($0, RSTART+13, 10)} } ' /etc/security/passwd )
if [[ -n $password_last_update ]]; then
        if (( $(( $time_now - $password_last_update )) > $(( 60*60*24*7*4)) )); then
                if [[ -z $has_it_expired ]]; then
                has_it_expired=$( print Password older than 4 weeks - $user_name )

               else
                has_it_expired=$( print $has_it_expired $user_name )
                fi
        fi
fi
done
##########################################################################################
#
# All done, lets get the output to some where - so as we can have a look at it.
#
##########################################################################################

if [[ $1 = "-o" ]]; then
this_script=$(basename $0)
output_file=/var/adm/rebuild/${this_script%%.sh}.txt
print '$Id$' >$output_file
put_it_out_there >>$output_file
else
put_it_out_there
fi

This script was found on the web and adapted by me, it did work fine - I no longer have any AIX to test it on - so you'll have to run this first on a sandbox system which will need perl installed.

Regards

Dave

Last edited by gull04; 09-12-2014 at 12:19 PM.. Reason: Additional notes.
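
The "second script" mentioned in post #4, as an added example that is not part of the original thread: a dry-run planner for the jump server that validates every account and host name before it is placed on an ssh command line, and only prints the commands. The `PROTECTED` list, the file layout (account name in CSV field 1, one host per line) and the sample names are assumptions; `lsuser`, `rmuser -p` and `sudo` are used as on AIX.

```shell
#!/bin/sh
# Dry-run planner: prints the ssh commands it would run, executes nothing.
# PROTECTED and the input file layout are assumptions for this example.
LC_ALL=C; export LC_ALL   # make the [a-z] ranges below ASCII-only
PROTECTED="root daemon bin sys adm uucp guest nobody lpd"

# Names end up on a remote command line: allow only [a-z0-9_-],
# no leading "-", and never a protected system account.
valid_user() {
    case "$1" in ""|-*|*[!a-z0-9_-]*) return 1 ;; esac
    for p in $PROTECTED; do
        [ "$1" = "$p" ] && return 1
    done
    return 0
}

# A host starting with "-" would be parsed by ssh as an option.
valid_host() { case "$1" in ""|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac; }

# $1 = user list (CSV, account name in field 1), $2 = host list (one per line)
plan_removals() {
    while IFS=, read -r user _rest || [ -n "$user" ]; do
        user=$(printf '%s' "$user" | tr -d '\r')      # tolerate CRLF files
        case "$user" in ""|\#*) continue ;; esac      # blank line or comment
        valid_user "$user" || { echo "SKIP user: $user" >&2; continue; }
        while read -r host || [ -n "$host" ]; do
            valid_host "$host" || { echo "SKIP host: $host" >&2; continue; }
            # lsuser succeeds only if the account exists on that host;
            # rmuser -p also clears the /etc/security/passwd entry.
            printf 'ssh -n -o BatchMode=yes %s "sudo lsuser %s >/dev/null 2>&1 && sudo rmuser -p %s"\n' \
                "$host" "$user" "$user"
        done < "$2"
    done < "$1"
}

# Constructed sample input: two real-looking accounts, two entries that must be refused.
demo() {
    d=$(mktemp -d) || return 1
    printf 'jdoe,John Doe\nroot,admin\nbad name;ls,x\nasmith\n' > "$d/users.csv"
    printf 'aix01\n-notahost\naix02.example.com\n' > "$d/hosts.txt"
    plan_removals "$d/users.csv" "$d/hosts.txt"
    rm -rf "$d"
}
demo
```

The skipped entries go to stderr, so the plan on stdout can be reviewed on its own before anything is run. Home directories are left in place by `rmuser` and need a separate, equally reviewed step.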
# 5  
Old 09-12-2014
Ok. I will exercise caution. Thank you for your help. I will try it and let you know.