Account Expiry

Thanks for the response Jaime. Yes I should be more clear: there are no open directory accounts on our OS X Server, and there are no home folders being stored/synced on the OS X server. All we are using OS X server for is to set preferences (dock, permissions, etc.) for a particular group of computers. When someone logs into a remote machine in the library, their credentials are verified in active directory, and a local home folder is made for them. To my knowledge there is no home folder anywhere other than the local machine. So when I say "delete the account", I mean delete it from the local machine. It will still exist in active directory of course, so the next time they log in, they will see a fresh account with all of the managed preferences I have set for them.

Make sense? There is a possibility I have this wrong mind you, but this is what I have deduced from the way things seem to be working.

And yes I can write an applescript or shell script to do this. I'd just rather automate the process from the server if possible.

Snow Leopard Server. I found this discussion link which seems to validate the thought that active directory doesnt play well with mobile homes/account expiry:

https://discussions.apple.com/thread/4738153?start=0&tstart=0

And I guess that answers my question... other than knowing what my options are for forcing these mobile accounts to delete on the remote machines.

Yeah I had seen that article, looks like logging into an active directory account doesn't modify/set a login time in the /var/db/shadow/hash/uuid.state file which is why it doesn't reset though.

Yes the symptom is the same... but no, logging in twice or more times does not resolve the problem. I have set the account expiration time from 0 to 24 hours and tried all different ways. The account never deletes on the remote computer.

Alright thanks for the help. I guess I'm okay with going this route I just wanted to make sure I wasn't missing something blatantly obvious.

Peter,

Still working on the script. I actually have a working script but need to modify it a bit more, as well as generate a launch daemon .plist to run it automatically. I'll post my results once I get it done.

So I got the script working. I found most of it on another site but modified it a little bit. Here it is:

#!/bin/bash

UserList=`/bin/ls /Users | /usr/bin/grep -v "Shared"`

for u in $UserList ; do

if [[ `/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/grep $u -c` == 1 ]]

then /bin/echo "Admin account detected skipping..."

else /usr/bin/dscl . delete /Users/$u && /bin/rm -rf /Users/$u

fi

rm -rf /Library/Managed\ Preferences/*

done

I then used Lingon X to write a launch daemon which will run the script every day at 5:30 AM. This way it will only delete user account information when no one is on the computer. You also have to make sure that your computer isn't asleep when the script is run, or else it will just skip it and wait until the next run cycle. So what you could do is set the launch daemon to run the script at 5:31 AM every Monday, but also set your Energy Saver prefs to wake up the machine at 5:30 AM every Monday. You could also build into the script to pass over any currently logged in users, but this is taking up too much of my time and seems to be working just fine.