Removing Multiple Managed Mobile Users via ARD 3?

Is it possible to find a simple way to delete all non-admin user accounts from a 10.4.8 system without doing it on a one at a time basis?
The basic idea is that at the end of the semester all accounts, other than the local administrator account and system accounts, are deleted (immediately) from the computer. The next semester's crew of students then have a "clean slate" to start from.
My other option is to do a netinstall of an entire software package. This is done shortly before the start of a new school year with the new software being added and old software being deleted, but during the year I would prefer to simply remove the student accounts.
All accounts to be deleted have Netinfo uid's which are very much above those for accounts which must remain on the computer. This seems to offer a possible way to separate system accounts from student accounts but so far I have not found an easy way to use this type of separation to remove the accounts.
Both going to System Preferences and Netinfo Manager allow deletion of a single account at a time but do not allow (as near as I have found) any way to list several users for a delete as a block.
If need be, I can live with manually identifying the individual accounts and having them all in a block to be removed from the computer.
Part of the problem is that we are an Active Directory campus and there is a flat out refusal to allow an Apple server access to the systems so this pretty much blows away Workgroup manager as an option.
Any Ideas? I have looked for scripts from Apple or other sources but so far I have not found anything useable. There was one I had been using in 10.3 but it no longer seems to like 10.4 and I have not been able to modify it to work successfully with 10.4.

Offhand, I'd say that's probably a job for dscl, running in a loop, looking for any "UniqueID" > 501 (assuming that your admin account is 501 of course).
I'd try asking somewhere like "http://macenterprise.org/". Someone there might have some ideas.
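
A sketch of the dscl loop suggested in the reply above, added here as an example and not posted by anyone in the thread. It assumes `dscl . -list /Users UniqueID` prints one "name uid" pair per line on the target system and that home folders live in /Users/<name>; the KEEP list, the sample listing and the function names are made up for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Dry run unless DRY_RUN=0 is set.

MIN_UID=501     # assumption from the reply above: the local admin is UID 501
KEEP="admin"    # hypothetical short names to keep regardless of UID (space-separated)

# Constructed sample in the "name uid" layout assumed for `dscl . -list /Users UniqueID`.
SAMPLE_LISTING='root                    0
daemon                  1
nobody                  -2
admin                   501
labtemp                 502
jsmith                  1840021
mlopez                  1840377'

# select_accounts MIN_UID "KEEP LIST" < listing
# Prints short names whose numeric UniqueID is strictly above MIN_UID and
# that are not on the keep list. Lines that are not "name uid" are skipped.
select_accounts() {
    awk -v min="$1" -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
        NF == 2 && $2 ~ /^-?[0-9]+$/ && ($2 + 0) > (min + 0) && !($1 in skip) { print $1 }
    '
}

# remove_account NAME
# Deletes the local user record and the home folder, or only prints the
# commands when DRY_RUN is unset or 1.
remove_account() {
    name=$1
    # Accept plain short names only, so a bad listing line can never expand
    # to "rm -rf /Users/" or a path containing "..".
    case "$name" in
        ''|.|..|*[!A-Za-z0-9._-]*) echo "skip: unsafe name '$name'" >&2; return 1 ;;
    esac
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "would run: dscl . -delete /Users/$name"
        echo "would run: rm -rf /Users/$name"
    else
        dscl . -delete "/Users/$name" && rm -rf "/Users/$name"
    fi
}

main() {
    if command -v dscl >/dev/null 2>&1; then
        listing=$(dscl . -list /Users UniqueID)
    else
        listing=$SAMPLE_LISTING   # no dscl on this machine: use the constructed sample
    fi
    printf '%s\n' "$listing" | select_accounts "$MIN_UID" "$KEEP" |
    while read -r name; do
        remove_account "$name"
    done
}

main
```

Run it once with the default dry run and read the list it prints before sending it again as root with DRY_RUN=0.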

Similar Messages

  • How can I 'login' as a different user via ARD?

    It has been too many years and I cannot remember much of anything anymore...
    My main computer is running the ARD admin app. I have a 'server' that has the
    client software installed and setup to auto login to my admin account on the 'server'.
    I can easily connect to the server using ARD... however I would like to connect
    as a different user ( the postgresql admin account).
    Is it possible to do this via the ARD software?
    If I log out on my main admin account on the server while connected via ARD
    then the remote desktop software on my main
    computer reports that ARD is no longer active on the server client and I cannot access
    the server via ARD without rebooting the server.
    The help menu in ARD gives an Applescript that supposedly will allow a login from
    the client's login screen but I don't seem to recall how to setup the client so
    that one can access the server if the login screen is up...
    I am running the latest everything...
    In short-- Can I use ARD to connect as different users on a client machine? ( if so how)
    Thanks
    Jerry

    Ok,
    Never mind...
    I enabled postgres in the sharing panel.
    When I log out I get the login screen and I can directly
    login to the postgres account via ARD.
    Thanks
    Jerry

  • Manage Mobile Device missing in Exchange Management Console

    Exchange 2007 SP1.
    So up until now, my organization did not support ActiveSync and we had it disabled for all users.
    This summer this will change, and we will start allowing ActiveSync devices to connect.
    As a pilot group I enabled 3 users.  They all connected with their devices days ago (two on Monday, the other on Tuesday).  When looking them up in the Exchange Management console, the Manage Mobile Devices option is not visible.
    If they go into OWA, their devices and all management options are listed there.
    I realize that I could go into ADSIedit and set msExchMobileMailboxFlags to 1 and then it would show up.  That isn't really my concern though. 
    My concern is that when a user leaves the company, we would like to be able to go into EMC and issue a wipe of their device, not have to give ourselves permission to their mailbox, log in to their mailbox via OWA, and issue the wipe there.
    Anybody know why this happens (why a user with a mobile device doesn't get the Manage Mobile Device option in EMC)?
    Thank you

    Hi
    Here's a link for how to wipe a device remotely
    http://technet.microsoft.com/en-us/library/aa998614%28EXCHG.80%29.aspx
    Hope it will be helpful for you!
    Jonas Andersson MCTS: Microsoft Exchange Server 2010, Configuration | MCITP: EMA | MCSE/MCSA Blog: http://www.testlabs.se/blog

    Thanks for the link, but I know how to perform a remote wipe.
    My question would be why does the "Manage Mobile Devices" button not appear when I highlight some users that do have Mobile Devices?  Yes I could go into the OWA of their mailbox to wipe their device.  Yes, I could use the Shell to wipe
    their devices.  But neither of these would be as convenient as just going into Manage Mobile Devices via Exchange Management Console and performing a wipe there.  Especially for my user admins.
    Right now I am basically looking at creating some script that goes in and makes sure that "msExchMobileMailboxFlags" is set to 1 for every user that has ActiveSync enabled.  My main issue is that I feel I shouldn't have to do this. :P

  • Change home page for mobile user

    Is it possible to change the Safari home page for a mobile user via script or locally? We have an OD profile which is set to delete all data after logout.
    Also, is it possible to do automatic login for a mobile user?
    thank you...

    Hi,
    From your description, my understanding is that you want to customize the home page for different users.
    There are two methods to accomplish your requirement. You could
    create a web part with code or a control on the page that redirects to a new page based on the users or groups.
    Please refer to this article:
    https://social.msdn.microsoft.com/Forums/office/en-US/08a2b1fd-6951-4e70-ba03-7f546a337fbe/set-different-home-page-for-each-user?forum=sharepointgeneralprevious.
    Best Regards,
    Vincent Han
    TechNet Community Support

  • Deploying AppleMail settings via ARD - is it possible?

    Hello,
    I want to set AppleMail settings for about 50 Users via ARD.
    First of all IMAP settings, next account details based on the local non-admin user.
    Any idea?
    Thanks a lot!
    Jochen

    ARD can't do this directly, but you can send an OSA script to do this. Here is one I use. You send a UNIX command:
    osascript -e 'tell application "System Events"' -e 'keystroke "q" using command down' -e 'end tell'
    You can string together commands by using -e. This comes in really useful for product serial numbers, for instance:
    osascript -e 'tell application "System Events"' -e 'keystroke "Company Name"' -e 'keystroke tab' -e 'keystroke "Company Location"' -e 'keystroke tab' -e 'delay 2' -e 'keystroke "REALLY long pointless serial number"' -e 'delay 2' -e 'keystroke return' -e 'end tell'
    In this example, "delay 2" means wait two seconds. Older systems / apps will actually have an issue with receiving the keystrokes too fast, and do nothing. Quark is the worst offender here, and I need to run a delay of 5 seconds, even on Mac Pros.
    I also use it for logging in a bunch of systems as a maintenance user. I will log out everyone, and then issue:
    osascript -e 'tell application "System Events"' -e 'keystroke "Service User"' -e 'keystroke tab' -e 'delay 2' -e 'keystroke "myPasswordHere"' -e 'delay 2' -e 'keystroke return' -e 'keystroke return' -e 'end tell'
    You will notice here that you need to hit enter twice... This is a bug in the login system. 50% of your systems will not continue with hitting enter only once in script (although they work perfectly fine hitting enter once at the keyboard).
    Hope this helps.

  • Delete multiple users with ARD or applescript or shell?

    I know how to delete a mobile user that has their home folder synced to a desktop or laptop via a shell command. Does anyone know how to delete all but specific users? For instance, all 100 computers have one local admin account, but all others are mobile accounts synced, and even though I have the MCX set to delete a user 2 weeks after a successful sync, it does not work properly. So at the end of the school year I want to push a command to delete all but the local admin user. Any ideas?

    Maybe you can turn off "only after successful sync"? That way two-week-old accounts get deleted anyway. If that's set in your directory server, that might be a setting you can just turn off. Or if it's locally set, maybe use ARD to send a unix command.
    Usually I just re-image the lab computers every summer using a netrestore image hosted on a Mac OS X server. The server has a feature called netboot. Apple System Imaging Utility makes it easy to create a netrestore image based off of one computer.  I can use ARD to tell the computers to reboot to netboot. When the computers boot to the netrestore image over the local network, it automatically erases and then copies a clone of the computer I based the netrestore off of.
    After imaging, the computer will automatically rename itself, and then the computer will automatically bind itself to the directory server. It does this because I included the directory and all the computer names in System Imaging Utility while making the netrestore image.
    I don't have to purge old accounts because the whole computer is being erased. I have a nice stable clean computer image for the next year.
    After re-imaging I can quickly deploy printer settings using ARD. This is specific to each area/lab.

  • OS X Server 4.0.3 Profile Manager Settings for Mobile Users problems

    OS X Yosemite 10.10.2 with Server 4.0.3
    We are using Profile Manager to control Settings for Mobile Users, and give homeSync to the users. Our problem is that the exclude / Skip items ("Items matching any of the following will not sync") setting is not working. An example: I have put the folder ~/Downloads in Skip Items, but the home Sync is still syncing items in the Downloads folder.
    I have this problem on all the 3 users/machines on that server. Every client is using OS X 10.10.1 or 10.10.2. I have checked that the profile from the server is on the client.
    Has anyone a solution to that?
    Regards
    Brian

    I have no solution but have experienced failing sync settings (quite often) in both 10.6 Server and 10.9 + Server 3 (upgraded from 10.6 Server) in the same way as you described, it syncs too much. We have given up on synced home folders and will cut them and use other backup methods since we’re not so dependent on switching between different devices. Our users usually have one computer, one iPhone, one iPad and stay with those until it’s time to exchange them.

  • Apple Ipad has been factory reset and removed from manage devices but the new user can't register it under a new ID

    iPad generation 2 has been factory reset, removed from managed devices, apple support, and the device still continues to say it's locked by my ID and cannot be unlocked and registered to a new ID.
    HELP!

    Even if you are sure you have done all of this, do it again slowly and in the order given:
    Prepare your device to sell or give away
    If there is still a problem, post back with the exact complete wording of the error message received.

  • Questions on MCX Policies for Laptop/Mobile Users:

    I have several managed Macs running Leopard. Many of them are MacBook laptops. My main MCX policies involve mapping printers and mounting network volumes at login. These are simple computer and group policies to help make the users' life a little easier when it comes to finding and using network resources such as file server volumes and network printers.
    Since most of my users are laptops, they are expressing 2 major concerns involving their laptops when they are off the LAN (i.e.; on the road at a cafe, working at home, staying at a hotel or when they have no network at all)
    1) When users are off our LAN, the Mac still tries to mount the network volumes in their OD/MCX login items when the user logs in (with cached mobile credentials). Can this be avoided? Windows PCs do not do this. If the PC laptop can't find an AD DC, they simply don't run the login scripts and thus don't try to mount/map network volumes. How can I make the Mac laptops only mount network volumes when they are on the LAN?
    2) Most Mac users have a Cisco VPN client, and use it regularly to connect to the company's LAN from home, hotels etc. Of course when they log into the network via VPN, their network volumes are not mounted automatically. Is there a way to re-run the MCX managed login items script once they connect to the VPN and mount (i.e.; "map") their network drives? Sure, users can simply use the "Connect To Server" option in the Finder (or perhaps try and use the god-awful Leopard Finder side bar discovery browser thingy which I hate - never mind), but I need a consistent automated way to mount volumes quickly and easily for my mobile users. There must be a way to run (or re-run) the login items part of my MCX policies.

    Ping!
    I'm looking for this functionality too. Anyone have a solution to either of these? One that came to mind is to wrap the login items in a script which detects if the LAN is available.

  • Mobile User iCal Sync not syncing

    Hi,
    I've got a mobile user account that doesn't seem to be syncing properly. It only seems to affect iCal sync, though.
    On the user's MacBook, they have two calendars which are local calendars and one CalDAV account back on the iCal Server.
    On the user's mac mini in the office, they aren't getting the local calendars from the MacBook despite the MacBook doing a full sync before they log in to the Mac Mini.
    Does this mean that local iCal calendars are stored outside of the user's home directory? Has anyone else come across this problem?
    Cheers,
    Stu

    In Lion, iCal is now synced via iCal Preferences.
    This from iCal help using the search criteria "sync"
    Set up a MobileMe account
    If you’re a MobileMe subscriber, you can use iCal to access and manage your MobileMe calendars. For example, in iCal, you can add subscribed calendars to your MobileMe Calendar account so you can view them in iCal and on devices with iOS 4 or later. You can also share calendars, which allows others to see or edit the calendars.
    If your calendars are already set up to be synced using MobileMe, then your MobileMe Calendar account is already set up. To sync your calendars using MobileMe, see:
    Sync calendars across devices
    Choose iCal > Preferences and click Accounts.
    To add a new account, click Add in the lower-left corner.
    Enter your MobileMe email address and password, and then click Create. iCal finds any calendar accounts associated with the email address you provide.
    For more information about working with MobileMe calendars, visit the MobileMe website.
    MobileMe website

  • Root vs. admin softwareupdate via ARD 2.0

    Hello,
    I've searched here and have not been able to find a similar post. I have an office of about 25 Tiger clients (10.4.6) which get their directory information via LDAP from a Tiger server(10.4.6). If I run softwareupdate from the GUI as an admin account or even from the command line as admin, softwareupdate looks to the local server, which is running the softwareupdate service. If, however, I run softwareupdate as root (which I have to do via ARD, from what I can tell) it checks Apple's servers and wants to download from them. This is a source of frustration because I don't want to have to visit every machine, nor do I prefer to download updates on my admin machine and then push the package out with ARD.
    I'm wondering if using softwareupdate via root is designed to work this way, or if it's a bug. If it's a bug, I'll report it to Apple.
    If this has happened to any of you, please respond with your solution.
    By the way, if I send this command:
    sudo -u admin softwareupdate -i -a
    via ARD as root user, I am prompted for a password, which I'm not sure how to enter. The task just fails.
    Thanks in advance!
    Sean

    It sounds like your group is pushing out Workgroup Management (MCX) from your MacOS X Server box, specifically they are setting the Software Update server. But it sounds like they are setting this as a policy based on groups, rather than on computers. So since root is not in any of the groups managed by the MCX settings, when you run Software Update it is not set, and is defaulting to the built-in address.
    If you really wanted to do it without making changes (if they don't want to put that in for "guest" computers and every other one), then you could use:
    defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://your.softwareupdateserver.com:8088/
    note that that last goes all on one line, and is taken from afp548.com.

  • Pushing out a script to run via ARD

    I have the following script I am running into two issues with
    1)  Instead of running it as root, can we run as a member of the admin group.
    2)  Can this be pushed out via ARD?
    #!/bin/bash
    #This script needs to run as root
    ROOT_UID=0
    if [[ $UID -ne $ROOT_UID ]]; then
    echo "YOU MUST BE ROOT TO RUN THIS SCRIPT"
    exit 1
    fi
    OLD="<string>The owner or any administrator can unlock the screensaver.<\/string>"
    NEW="<string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.<\/string>"
    cp /private/etc/authorization /tmp/auth.tmp
    sed "s/$OLD/$NEW/" /tmp/auth.tmp > /tmp/authorization
    mv /private/etc/authorization /private/etc/authorization.previous
    mv /tmp/authorization /private/etc/authorization
    rm /tmp/auth.tmp

    Do not remove the "root user reference" from the script. Without "the reference" the script will place a modified authorization file in the /tmp directory. To modify the /private/etc/authorization file you must be root or an admin user with the proper authorization (You would use sudo in the shell environment). Here's a safer and cleaner version of that script->
    #!/bin/bash
    OLD="<string>The owner or any administrator can unlock the screensaver.<\/string>"
    NEW="<string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.<\/string>"
    # use sed to make a backup of the original file then edit the file in place
    /usr/bin/sed -i.previous "s/$OLD/$NEW/" /private/etc/authorization

  • ??  installing small network/mobile user network --mini as server- wireless

    Hello,
    Could someone point me to information regarding setting up a small wireless configuration, where each user node (probably mac laptops) can support multiple mobile users. I would like to use a headless mini as a file server ... again connected wireless,... and then run 3-5 laptops wirelessly.
    My goal is that one could login to any node (laptop) and have the files seamlessly accessible. Do I need to load server software on the mini in order to support network/mobile users? I am not looking to control anything else. Are there any documented examples around?
    Many, many thanks

    I ended up doing something similar, but I didn't want to be responsible for my son's Dock.  So, I set a different Managed Preference for "Mobility".  I added "com.apple.dock.plist" to the list of Excluded files.  Now the Docks won't sync back to the Open Directory master account, so there can be a different Dock on every Mac for this user.  I'd have to repeat that for other users too.

  • Problems with Adobe CS5 on mobile user accounts

    Hello Everyone,
    I'm a high school web design teacher and I’m having trouble getting Adobe CS5 to run on my student workstations when they are logged in as a “mobile” user.
    Workstation 10.5.8
    Server 10.4.9
    Workgroup manager 10.5.3
    Students can browse the web, use Microsoft products and everything else. They are only having trouble with CS5. If I log into the workstation as “administrator” I can use any Adobe product without problems.
    Any Ideas?
    Thanks,
    Todd

    First thing I would suggest is to upgrade your server OS to a newer version if possible. Secondly try removing the apps out of the allowable apps list and instead change it so that you allow the apps that are within the specific application folder, ex: Applications/Adobe Photoshop CS5
    I had similar problems with CS5 apps and by adding the apps by allowable folder instead it corrected my problem. Granted, if you have savvy users, there is the potential to open a can of worms here but it was the only way I could get it to work for "standard" non-admin user types.

  • How do I set the DVD region code via ARD?

    We recently deployed around 200 MacBooks in a k12 environment and manage them via ARD & WGM. We forgot to set the DVD region when creating our master image and as a result, every single MacBook prompts for an admin password when attempting to use the DVD Player to view a DVD for the first time.
    Instead of attending to each of the 200+ MacBooks personally and putting a DVD in and setting the region code one by one, is there a way I could do this via ARD? Unix command? Managed preference via WGM? Thanks, I appreciate any input.

    I've been working on this very topic for about a year. Here's what you need to know.
    1) setting the region code on your master image would result in the same behavior. Setting the region code triggers an update to the DVD drive firmware itself - it's not something that's stored in software. Obviously this is something that needs to be set on each machine individually. Setting it on the image won't affect the imaged-machines.
    2) Apple seems to have gone to great lengths to hide the app that triggers this action. If they had provided a simple CLI interface to trigger this on a client machine we'd be able to use ARD to trigger the action on all of our client machines. Alas, this app is buried somewhere I can't find and seems to only rear its head when a DVD with a region code is inserted into the drive. There is one idea that popped into my head while at Macworld that I want to try to see if I can find this app but I have my doubts.
    3) Failing my last ditch effort to find this app, I think our fallback will be to give users explicit rights to set the initial DVD region code on their machines. This is something that can be done using WGM. There is a rule in /etc/authorization specifically allowing users/groups to set the region code for the first time. According to the notes, giving this access will NOT allow users to change the region code - which is a good thing - but only give them rights to do so the initial time. This way, we can empower our users to help themselves while also protecting them from resetting the region code accidentally.
    In conclusion, I haven't found any way to script/push this command to a client machine. I'll definitely file this with Bug Reporter and hope Apple will give us a CLI or an ARD command to trigger this action after imaging.
    G4   Mac OS X (10.4.8)  