MagerValp / CreateUserPkg

This project has been archived and is no longer maintained

Admin account created is unable to delete network (AD) accounts #11

Closed jhbush closed 12 years ago

jhbush commented 12 years ago

Using the account created by the application, any network (AD) account that is created on the machine cannot be deleted by the Administrator account that the Create User application generated.

MagerValp commented 12 years ago

Since there are multiple ways to accomplish this task, please describe the steps you perform and what the error message is.

jhbush commented 12 years ago

1. Create Administrator user with Create User using defaults
2. Install package created by Create User
3. Image AD bound machine
4. Log in with AD domain account and create a mobile/locally cached account
5. Log in under Administrator (Create User) account, attempt to delete mobile account
6. Ability to delete is greyed out

I don't get an error. I'm just unable to delete mobile accounts using the account created by the Create User app. If I create another local admin account I'm able to delete any mobile accounts with it. Staff accounts elevated to admin are also able to delete mobile accounts.

MagerValp commented 12 years ago

attempt to delete mobile account

These are the steps I need. I presume this is in System Preferences? Padlock status? What exactly is grayed out?

jhbush commented 12 years ago

System Preferences under the accounts pane. The minus button is greyed out. Padlock can be unlocked using credentials.

MagerValp commented 12 years ago

Can't reproduce on 10.7.4. I can unlock the padlock in Accounts using my created local admin, select the mobile AD account, and click the minus button.

jhbush commented 12 years ago

Reproduced here in 10.7.4 and 10.8 GM. I wonder if it has to do with our AD bind settings. Current script:

```bash
#!/bin/bash

# This script creates a user account under Mac OS X

# === Typically, this is all you need to edit ===

USERNAME=administrator
FULLNAME=
PASSWORD=

# A list of (secondary) groups the user should belong to.
# This makes the difference between admin and non-admin users.
# Leave only one uncommented
#SECONDARY_GROUPS="staff"  # for a non-admin user
SECONDARY_GROUPS="admin _lpadmin _appserveradm _appserverusr"  # for an admin user

# ====

if [[ $UID -ne 0 ]]; then echo "Please run $0 as root." && exit 1; fi

# Find out the next available user ID
MAXID=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -ug | tail -1)
USERID=$((MAXID+1))
# Override the computed ID with a fixed one
USERID=505

# Create the user account
dscl . -create /Users/$USERNAME
dscl . -create /Users/$USERNAME UserShell /bin/bash
dscl . -create /Users/$USERNAME RealName "$FULLNAME"
dscl . -create /Users/$USERNAME UniqueID "$USERID"
dscl . -create /Users/$USERNAME PrimaryGroupID 20
dscl . -create /Users/$USERNAME NFSHomeDirectory /Users/$USERNAME
dscl . -append /Users/$USERNAME Picture "/Library/User Pictures/Flowers/Lotus.tif"

dscl . -passwd /Users/$USERNAME "$PASSWORD"

# Add user to any specified groups
for GROUP in $SECONDARY_GROUPS ; do
    dseditgroup -o edit -t user -a $USERNAME $GROUP
done

# Create the home directory
createhomedir -c -u $USERNAME

echo "Created user #$USERID: $USERNAME ($FULLNAME)"
```

MagerValp commented 12 years ago

Closing as there's no indication of an actual bug in CreateUserPkg.

jhbush commented 12 years ago

I'm also noticing that I'm unable to disable the "Allow user to administer this computer" checkbox under my AD account unless I go into advanced and change the group.

jhbush commented 12 years ago

Maybe I'm doing something wrong. I also tested the account on a local machine at home with only local accounts and I still can't remove other accounts even though I should be in the admin group.

MagerValp commented 12 years ago

As a workaround:

```
dscl . -delete /Users/ADUSER
rm -rf /Users/ADUSER
```
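The two-line workaround above is the whole procedure, and it is unforgiving: an empty or mistyped name turns `rm -rf /Users/$ADUSER` into `rm -rf /Users/`, which removes every home directory on the machine. The wrapper below is an added example, not code from this thread or from CreateUserPkg. It assumes the macOS `dscl` tool is on PATH and that a mobile account's home directory is exactly `/Users/<shortname>`; that home-path rule is this example's own policy, not something `dscl` enforces.

```bash
#!/bin/bash
# Added example (not CreateUserPkg code): a guarded version of the
#   dscl . -delete /Users/ADUSER ; rm -rf /Users/ADUSER
# workaround. It refuses bad names, missing records and unexpected home
# paths so that a typo cannot become "rm -rf /Users/".
# Assumptions: macOS 'dscl' is on PATH, and a mobile account's home lives
# at /Users/<shortname> (this example's own policy).
set -u

# Accept only a plausible short name: non-empty, shell-safe characters,
# not "." or "..", and not a system account (root, _spotlight, ...).
valid_name() {
    case $1 in
        ''|.|..|root|_*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the NFSHomeDirectory recorded for a user in the local node,
# or nothing if the record does not exist.
user_home() {
    dscl . -read "/Users/$1" NFSHomeDirectory 2>/dev/null | awk '{print $2}'
}

# Remove the local directory record and the home folder, with checks.
# Usage (as root): delete_mobile_account jdoe
delete_mobile_account() {
    local user=$1 home
    if ! valid_name "$user"; then
        echo "refusing: '$user' is not a valid account name" >&2
        return 1
    fi
    home=$(user_home "$user")
    if [ -z "$home" ]; then
        echo "refusing: no local record for $user" >&2
        return 1
    fi
    # Only delete a home that is exactly /Users/<shortname>; anything else
    # (/, /Users, a network home) is left for a human to look at.
    if [ "$home" != "/Users/$user" ]; then
        echo "refusing: unexpected home '$home' for $user" >&2
        return 1
    fi
    dscl . -delete "/Users/$user" || return 1
    rm -rf -- "$home"
}
```

The record is removed before the home directory, so if `dscl` fails the files are untouched and the account can still be inspected; the `--` keeps a name beginning with `-` from being read as an option by `rm`.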

MagerValp commented 12 years ago

Is the AD account you're trying to delete an admin account?

jhbush commented 12 years ago

Yes it's an admin account. All of our cached AD users are made admins on their machines (software developers). Sometimes the techs need to remove the account and recreate it and unfortunately they are not very terminal savvy.

MagerValp commented 12 years ago

Alright, that explains why I couldn't reproduce. Reopening and merging with #12.

MagerValp commented 12 years ago

First attempt committed in 91895ee. Try 1.2b5 in the downloads section.

MagerValp commented 12 years ago

Closing as admin accounts can now be deleted.