14 Replies Latest reply: Jul 8, 2013 10:21 AM by MyrkridianRhapsody
MyrkridianRhapsody Level 2 (470 points)

Hi there,


I work at a college as the Mac Support Specialist. We have an OS X server that is integrated with our Active Directory setup. The Library Macs are tied to this server so students can log in with their Active Directory accounts. This was all set up by my predecessor, so I am trying to make sense of everything here, so bear with me... it looks like he had configured the server to have accounts be mobile, and expire after 24 hours (meaning the local home folder would be deleted after that time). However, my research indicates that this will not work when using Active Directory accounts. And as a matter of fact, everyone here was under the impression that it WAS auto-deleting the accounts, although all of the Macs have like 400 accounts on them now, apparently over the course of a year since the server was set up.


So my question is this: Is there a way to have the accounts delete on their own? We want the luxury of the students being able to log in with their network credentials, but it isn't super important for them to store information for a long duration of time on the library computers, so having them expire/delete is fine even though it is not being synced to a server somewhere. The only option I can think of is to write a startup script to delete the accounts and have the machine auto-restart at like 3 AM so it runs every day. Any other ideas would be much appreciated!

  • JaimeMagiera Level 2 (305 points)

    Let's be clear on nomenclature: You don't want to delete the account. You want to delete the account's home folder on the server. Correct?


    I don't believe there is anything in OS X Server that manages account folder deletion (there are login controls, but the data would still be there). You could easily write a script, however, to delete the home folders. What is your experience in shell or AppleScript?


    You don't need to restart the server to run a script, delete folders or even manage accounts. If you want to write a script that launches at regular intervals, you can do so using launchd.


    https://developer.apple.com/library/mac/documentation/darwin/reference/manpages/man8/launchd.8.html


    Does that help?

  • MyrkridianRhapsody Level 2 (470 points)

    Thanks for the response, Jaime. Yes, I should be more clear: there are no Open Directory accounts on our OS X Server, and there are no home folders being stored/synced on the OS X server. All we are using OS X Server for is to set preferences (dock, permissions, etc.) for a particular group of computers. When someone logs into a remote machine in the library, their credentials are verified in Active Directory, and a local home folder is made for them. To my knowledge there is no home folder anywhere other than the local machine. So when I say "delete the account", I mean delete it from the local machine. It will still exist in Active Directory of course, so the next time they log in, they will see a fresh account with all of the managed preferences I have set for them.


    Make sense? There is a possibility I have this wrong mind you, but this is what I have deduced from the way things seem to be working.

  • MyrkridianRhapsody Level 2 (470 points)

    And yes, I can write an AppleScript or shell script to do this. I'd just rather automate the process from the server if possible.

  • JaimeMagiera Level 2 (305 points)

    No, you're fine. I'm still waking up; I wasn't thinking about mobile homes. What version of OS X Server are you using?

  • MyrkridianRhapsody Level 2 (470 points)

    Snow Leopard Server. I found this discussion link which seems to validate the thought that Active Directory doesn't play well with mobile homes/account expiry:




    And I guess that answers my question... other than knowing what my options are for forcing these mobile accounts to delete on the remote machines.

  • JaimeMagiera Level 2 (305 points)

    Well, there is this...



  • MyrkridianRhapsody Level 2 (470 points)

    Yeah, I had seen that article; it looks like logging into an Active Directory account doesn't modify/set a login time in the /var/db/shadow/hash/uuid.state file, which is why it doesn't reset, though.

  • JaimeMagiera Level 2 (305 points)

    Right, but is that the behavior you are seeing? Does it properly get deleted if the user has logged in more than once?

  • MyrkridianRhapsody Level 2 (470 points)

    Yes, the symptom is the same... but no, logging in twice or more times does not resolve the problem. I have set the account expiration time from 0 to 24 hours and tried all different ways. The account never deletes on the remote computer.

  • JaimeMagiera Level 2 (305 points)

    OK, well, scripting it is. What you'll want to do is iterate through the accounts with dscl, checking mobile status, and remove the entry and the appropriate home folder. Let me know if you need some help with that.

  • MyrkridianRhapsody Level 2 (470 points)

    Alright, thanks for the help. I guess I'm okay with going this route; I just wanted to make sure I wasn't missing something blatantly obvious.

  • Peter Greco Level 1 (35 points)

    Not sure if you came up with a solution since your last post, but I would be grateful if you could post a follow-up on what you did. I am struggling to come up with a solution. I've used the account expiry with 10.68 server with 10.68 clients and all works great. Not so with 10.94 server and 10.84 clients. Not happy.




  • MyrkridianRhapsody Level 2 (470 points)

    Still working on the script. I actually have a working script but need to modify it a bit more, as well as generate a launch daemon .plist to run it automatically. I'll post my results once I get it done.

  • MyrkridianRhapsody Level 2 (470 points)

    So I got the script working. I found most of it on another site but modified it a little bit. Here it is:




    #!/bin/bash
    # Remove every local account (and its home folder) that is not a member of the admin group.
    UserList=`/bin/ls /Users | /usr/bin/grep -v "Shared"`
    for u in $UserList ; do
        # -w: whole-word match, so that e.g. "admin" does not also match "administrator"
        if [[ `/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/grep -c -w "$u"` == 1 ]]
        then /bin/echo "Admin account detected skipping..."
        else /usr/bin/dscl . delete "/Users/$u" && /bin/rm -rf "/Users/$u"
        fi
    done
    # Managed preferences are rebuilt from the server at the next login.
    rm -rf /Library/Managed\ Preferences/*




    I then used Lingon X to write a launch daemon which will run the script every day at 5:30 AM. This way it will only delete user account information when no one is on the computer. You also have to make sure that your computer isn't asleep when the script is run, or else it will just skip it and wait until the next run cycle. So what you could do is set the launch daemon to run the script at 5:31 AM every Monday, but also set your Energy Saver prefs to wake up the machine at 5:30 AM every Monday. You could also build the script to pass over any currently logged-in users, but this is taking up too much of my time and it seems to be working just fine.
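The following is an added example, not the poster's script nor anything from Apple or Lingon X. It is a hardened version of the approach worked out in this thread: iterate the local accounts, keep admin accounts and anyone currently logged in, remove only cached Active Directory (mobile) accounts, and emit a LaunchDaemon plist with a StartCalendarInterval for the 5:30 AM run. It assumes the standard macOS tools `dscl` and `users`, and that mobile accounts carry `;LocalCachedUser;` in their AuthenticationAuthority attribute; the label `com.example.mobilehome-cleanup`, the path `/usr/local/bin/cleanup_mobile_homes.sh` and the sample membership strings in the comments are invented for illustration. The decision logic takes the command output as plain strings, so it can be exercised on any machine before the live run, and the destructive path only executes when `--run` is given explicitly.

```shell
#!/bin/bash
# Added example: safer cleanup of cached AD (mobile) accounts on a lab Mac.
# Helpers take command output as strings so the logic is testable offline.

# is_admin_member MEMBERSHIP_LINE USER
# MEMBERSHIP_LINE is the output of: dscl . read /Groups/admin GroupMembership
# e.g. "GroupMembership: root admin jsmith" (constructed sample). Whole-word
# comparison, so "admin" does not also match "administrator".
is_admin_member() {
    local line="$1" user="$2" member
    for member in ${line#GroupMembership:}; do
        [ "$member" = "$user" ] && return 0
    done
    return 1
}

# is_logged_in USERS_OUTPUT USER
# USERS_OUTPUT is the output of /usr/bin/users (space-separated login names).
is_logged_in() {
    local out="$1" user="$2" u
    for u in $out; do
        [ "$u" = "$user" ] && return 0
    done
    return 1
}

# is_mobile_account AUTH_AUTHORITY_LINE
# Output of: dscl . read /Users/NAME AuthenticationAuthority
# Cached directory (mobile) accounts carry a ";LocalCachedUser;" entry;
# purely local accounts do not.
is_mobile_account() {
    case "$1" in
        *";LocalCachedUser;"*) return 0 ;;
        *) return 1 ;;
    esac
}

# should_remove USER MEMBERSHIP_LINE USERS_OUTPUT AUTH_AUTHORITY_LINE
# Returns 0 if the account should be removed; otherwise prints why it is kept.
should_remove() {
    local user="$1" membership="$2" logged="$3" authority="$4"
    case "$user" in
        Shared|Guest|.*) echo "skip $user: not a user home"; return 1 ;;
    esac
    is_admin_member "$membership" "$user" && { echo "skip $user: admin"; return 1; }
    is_logged_in "$logged" "$user" && { echo "skip $user: logged in"; return 1; }
    is_mobile_account "$authority" || { echo "skip $user: not a cached mobile account"; return 1; }
    return 0
}

# launchd_plist LABEL SCRIPT_PATH HOUR MINUTE
# LaunchDaemon that runs SCRIPT_PATH daily at HOUR:MINUTE (install under
# /Library/LaunchDaemons, owned by root:wheel, mode 644).
launchd_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>$1</string>
    <key>ProgramArguments</key>
    <array><string>/bin/bash</string><string>$2</string><string>--run</string></array>
    <key>StartCalendarInterval</key>
    <dict><key>Hour</key><integer>$3</integer><key>Minute</key><integer>$4</integer></dict>
</dict>
</plist>
EOF
}

# cleanup_mobile_homes --dry-run|--run
# Live driver; only meaningful on macOS as root. Deletes nothing unless --run.
cleanup_mobile_homes() {
    local mode="$1" membership logged authority home user
    membership=$(/usr/bin/dscl . read /Groups/admin GroupMembership)
    logged=$(/usr/bin/users)
    for home in /Users/*; do
        [ -d "$home" ] || continue
        user=${home##*/}
        authority=$(/usr/bin/dscl . read "/Users/$user" AuthenticationAuthority 2>/dev/null)
        if should_remove "$user" "$membership" "$logged" "$authority"; then
            echo "remove $user"
            if [ "$mode" = "--run" ]; then
                # ${user:?} aborts rather than expanding to "rm -rf /Users/"
                /usr/bin/dscl . delete "/Users/$user" && /bin/rm -rf "/Users/${user:?}"
            fi
        fi
    done
}

case "${1:-}" in
    --print-plist) launchd_plist com.example.mobilehome-cleanup /usr/local/bin/cleanup_mobile_homes.sh 5 30 ;;
    --dry-run|--run) cleanup_mobile_homes "$1" ;;
esac
```

Run it with `--dry-run` first and read the list it prints before switching to `--run`. Two caveats: `dscl . read /Groups/admin GroupMembership` lists only direct members, so if admin rights are granted through nested groups use `dseditgroup -o checkmember -m NAME admin` instead; and the wake-up the poster sets in Energy Saver can equally be scheduled from the shell with `pmset repeat wakeorpoweron MTWRFSU 05:25:00`, a few minutes before the StartCalendarInterval so the machine is awake when launchd fires.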