This post has been brewing for a while, and a MacEnterprise thread from today finally got me to write about this problem, and how we resolved it.
Our university has many computer labs – some in public, open spaces, and some in classrooms. Although we don’t use roaming profiles (a technology that Apple finally removed in macOS 10.12), we do bind to Active Directory and create mobile accounts upon logging in with a valid AD account. To prevent the buildup of cruft, we remove student and faculty accounts periodically. In the public labs, we do it overnight, using a script based off of this one from Marnin Goldberg:
The most important parts of that script are:
# Delete the account
/usr/bin/dscl . -delete $a
This deletes the cached Active Directory account from the system.
# Delete the home directory
/bin/rm -rf $a
This deletes the home folder, freeing up space for more accounts.
We noticed something strange, though. After a couple of weeks of usage, the iMacs in our public labs would freeze at random points: at boot, at login, when using applications, when logging out, even when shutting down. Here’s a list of things we noted while trying to resolve the issue:
- We use Munki to deploy software, so one by one, we removed potential culprits from the manifests. Eventually, we whittled down the manifest items to three things we could not remove from this particular lab: Microsoft Office, the Xerox printer driver, and Active Directory binding.
- We investigated if this was an issue with our network, power, or Active Directory setup. For a few weeks, all iMacs were plugged into UPSs.
- We replaced all of the iMacs with brand new models – some with SSDs, and some not.
- As this issue persisted over ~3 years or so, we tested against multiple macOS versions – including 10.9, 10.10, and 10.11 (and the minor versions in between).
- We enabled OD debug logging, but couldn’t make much sense of the logs. They were very, very verbose.
- Ultimately, the best fix was to reimage the Mac. This would hold off the freezing for at least another week or two.
- The freezing seemed linked to computer usage. If an entire lab was reimaged at the same time, the first Macs to freeze were located near the printers. During the summer, when usage was decreased, we rarely had reports of freezing issues in the public labs.
We were in the process of reaching out to our Apple Systems Engineer, when we found a long-running thread on Jamf Nation, detailing the exact problems we were facing. It was a relief to see others were trying similar tactics, too. Then, towards the bottom of the thread, Frank Kong noted that with every use login, some files were being left behind – and the script we were using did not clear those out. In System Preferences > Sharing > File Sharing, you could see a long list of shares, all named things similar to “Mike Solin’s Public Folder”. Bingo, there’s our culprit.
Alan Petty, in the same thread, added this code to his profile deletion script:
/usr/bin/find /private/var/db/dslocal/nodes/Default/sharepoints -name "*" -type f -delete
/usr/bin/find /private/var/db/dslocal/nodes/Default/groups -name "com.apple.sharepoint*" -type f -delete
We found this code can be run while a user is logged in, so we don’t need to exclude the current user from this part of the script. It will, however, delete all file shares present on the computer (whether they are for public folders or not). This isn’t an issue in our labs, but it’s still worth mentioning.
We’ve had this fix in production for just over a month, and I can safely say the freezing problems haven’t returned.
Long-term, it might be best to look into deleting profiles using a configuration profile – Marnin posted his here. For now, we’re sticking with the script, as it gives us more control over where and when it runs.
Mike, have you tried using the sysadminctl command that Apple added with 10.10? The -deleteUser [-secure || -keepHome] option for that command will delete the home directory and share for the user being deleted.
Thanks, that looks really encouraging! Eric Holtam mentioned this command, too:
Looks like it was added in 10.10:
I’ll need to do some testing on AD accounts. We don’t currently use createmobileaccount, but if both could handle AD, that might be useful.
Is this script working on Catalina?
Yep, we’re still using dscl to delete user accounts. For a brief moment, we switched to scripting sysadminctl, but Apple broke that with 10.13.
If you don’t actually need to cache user credentials from AD, I’d switch from mobile to network accounts instead. That way, you can just clear out home folders without needing to worry about AD users in your local directory.
Currently for our summer work we’re having to manually remove users from our iMac labs which takes forever. I was browsing the Jamf forums today which led me to your blog. I’m looking for a quicker, more automated way for us to do this process. I don’t have any experience with Apple Scripts. I’m tinkering right now to get your script to run. I made some user modifications that makes sense in our organization. When I pasted your script into the script editor and I tried to run it, I got the error expected expression but found unknown token. What do I need to do to make that go away and run the script correctly?