Account Management Delete User Not Working #33

Open
mahoskwitz opened this issue Dec 22, 2021 · 6 comments
mahoskwitz commented Dec 22, 2021

Hello, when running the create local account script (or the delete user script), if there is already an account set up with the same username, the `sysadminctl -deleteUser` command does not fully work from the Intune agent's system context. The admin user gets demoted from admin to standard and the directory is deleted, but the user persists as standard, and the create fails because the user is still present.

If I `sudo -i` to root and run the same `sysadminctl -deleteUser` command, it fully deletes the user.

The error given at the end of the delete when Intune runs is as follows...

```text
Error:-14120 File:/System/Volumes/Data/SWE/macOS/BuildRoots/5b2e67f8af/Library/Caches/com.apple.xbs/Sources/Admin/Admin-911/DSRecord.m Line:563
```

There are errors present in the createUser step as well when running from Intune that are not present when running locally as root:

```text
##############################################################

Wed Dec 22 12:30:12 CST 2021 | Starting Create Local Admin Account

############################################################

Creating new local admin account [user]
Adding user to hidden users list
Deleting the account if it already exists...
2021-12-22 12:30:13.081 sysadminctl[24785:186509] ----------------------------
2021-12-22 12:30:13.082 sysadminctl[24785:186509] No clear text password or interactive option was specified (adduser, change/reset password will not allow user to use FDE) !
2021-12-22 12:30:13.082 sysadminctl[24785:186509] ----------------------------
2021-12-22 12:30:13.085 sysadminctl[24785:186509] User user not found.
Creating the account...
2021-12-22 12:30:13.472 sysadminctl[24787:186530] ### Error:-14090 File:/System/Volumes/Data/SWE/macOS/BuildRoots/5b2e67f8af/Library/Caches/com.apple.xbs/Sources/Admin/Admin-911/DSAuthenticator.m Line:94
2021-12-22 12:30:13.480 sysadminctl[24787:186530] ----------------------------
2021-12-22 12:30:13.481 sysadminctl[24787:186530] No clear text password or interactive option was specified (adduser, change/reset password will not allow user to use FDE) !
2021-12-22 12:30:13.481 sysadminctl[24787:186530] ----------------------------
2021-12-22 12:30:13.844 sysadminctl[24787:186530] Creating user record…
2021-12-22 12:30:15.740 sysadminctl[24787:186530] Assigning UID: 501 GID: 20
2021-12-22 12:30:15.843 sysadminctl[24787:186530] ### Error:-14120 File:/System/Volumes/Data/SWE/macOS/BuildRoots/5b2e67f8af/Library/Caches/com.apple.xbs/Sources/Admin/Admin-911/DSRecord.m Line:418
2021-12-22 12:30:15.983 sysadminctl[24787:186530] Creating home directory at /Users/user
```

This is running on macOS Monterey 12.1.
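The failure described in this issue is that `sysadminctl -deleteUser` returns, prints `### Error:-14120`, and leaves the user record behind, so a script that only checks the exit status goes on to create a user that still exists. The following shell script is an added example and is not one of this repository's scripts: it classifies the two message shapes quoted above (the `### Error:<code>` line and `User <name> not found.`), and on macOS re-reads the record with `dscl` after the delete so the script knows whether the account is really gone. The function names, the `--delete` switch and the assumed wording of `sysadminctl -secureTokenStatus` output are my own.

```shell
#!/bin/sh
# Added example, not part of this repository's scripts.
# A management script should not treat `sysadminctl -deleteUser` as successful
# just because it returned; it should read the output and then confirm with
# dscl that the Directory Services record is really gone.

# Map the text printed by `sysadminctl -secureTokenStatus <user>` to one word.
# Assumed message shape: "... Secure token is ENABLED for user alice".
token_status_from_output() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Classify the output of `sysadminctl -deleteUser <user>` using the two
# message shapes quoted in this issue ("### Error:-14120 ..." and
# "User <name> not found."). Prints one of: error:<code> | notfound | ok
delete_outcome_from_log() {
    case "$1" in
        *"### Error:"*)
            rest=${1#*Error:}            # text after the marker, e.g. "-14120 File:..."
            echo "error:${rest%% *}" ;;  # keep the numeric code only
        *" not found."*) echo notfound ;;
        *)               echo ok ;;
    esac
}

# macOS only: delete the account, then verify. Returns 0 only when dscl can no
# longer read /Users/<name>; the classified sysadminctl message is reported
# either way so the failure mode (-14120 with the record left behind) is visible.
delete_user_verified() {
    u=$1
    out=$(sysadminctl -deleteUser "$u" 2>&1)
    outcome=$(delete_outcome_from_log "$out")
    if dscl . -read "/Users/$u" RecordName >/dev/null 2>&1; then
        echo "record /Users/$u still present; sysadminctl reported: $outcome" >&2
        return 1
    fi
    echo "record /Users/$u removed; sysadminctl reported: $outcome"
}

# Usage: sh delete_check.sh --delete <username>  (only acts where sysadminctl exists)
if [ "${1:-}" = "--delete" ] && [ -n "${2:-}" ] && command -v sysadminctl >/dev/null 2>&1; then
    echo "running as uid $(id -u) ($(id -un))"   # answers "is the agent really root?"
    delete_user_verified "$2"
fi
```

The `id -u` line is printed first because the thread's open question is which context the Intune agent runs in; logging it next to the classified result gives a direct comparison with the `sudo -i` run that works.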

mahoskwitz (Author) commented

This machine has FileVault turned on, so I'm wondering if it has something to do with secure token. The root account has secure token DISABLED, but so does the account being created by Intune. There are a few mentions of accounts receiving the 14120 error code when an account with secure token DISABLED attempted to delete an account with secure token ENABLED; however, in this case neither account is ENABLED.

Is the Intune agent not running as root? Is it another user? Its parent process is launchd which is running as root specifically.

cashxx commented Jan 24, 2022

That was going to be my question with these scripts. What about if FileVault is enabled? Is there any way to get a token for the admin account when it's created? The only way I know of is that the first account created at login can enable another user. Another issue was the first login user: Intune doesn't enable FileVault by configuration profile; the user has to go in and turn it on, from what I have found. What if that user is a standard user and tries to enable FileVault? I think you need admin privileges, don't you?

00zombie00 commented

Any update on this? I've run into the same issue, FileVault also enabled.

mahoskwitz (Author) commented

No, I was unfortunately never able to get this to work correctly. The reason I was attempting to do something like this in the first place was to try and have a local administrative account that I would recreate on a daily basis in order to get around password expiration policies for all normal user accounts. Essentially, providing an administrative non-expiring account for our techs to utilize.

Instead, I was able to script the resetting of the password on a daily basis for the already existing account. In policy we don't allow the usage of the latest three passwords, so the script changes the password four times in succession so as to finally reset back to the original password.

truthabovefaith commented

If these scripts run at first push to the devices (not after enrollment), FileVault doesn't seem to initiate on a user's account until first restart, at least that's how my deployment is acting, even with the profiles saying to do so. Of course this would be a fresh device deployment, so maybe that's the difference.
So the initial creation of the "Local Admin" script does work, and I set a static password since I am just testing this all anyway, but what DOESN'T seem to work is demoting the original user account to standard: it either demotes both accounts OR doesn't demote anything.

Now, oddly enough, I stumbled across this tidbit of code online (DO NOT USE, YOU WILL BE LOCKED OUT):

```zsh
#!/bin/zsh

# Username and password to create
username=whateveryouwant
password="whateverpasswordyouwant"

# Create user and add to admins
# (note: the UniqueID is hardcoded to 510 and will collide if that UID is already taken)
dscl . -create /Users/$username
dscl . -create /Users/$username UserShell /bin/bash
dscl . -create /Users/$username RealName $username
dscl . -create /Users/$username UniqueID "510"
dscl . -create /Users/$username PrimaryGroupID 20
dscl . -create /Users/$username NFSHomeDirectory /Users/$username
dscl . -passwd /Users/$username "$password"
dscl . -append /Groups/admin GroupMembership $username

# Get list of regular users
# (grep -v matches substrings, so any name containing "_", "root", "nobody",
# "daemon" or the new username anywhere in it is skipped)
users=$(dscl . -list /Users | grep -v -e '_' -e root -e nobody -e daemon -e $username)

# Loop through them and remove them from the admin group
for i in $users
do
    dseditgroup -o edit -d $i -t user admin
done
```

Now, this DOES work exactly as it should when pushed through Intune. It demotes the original account, adds the administrator account, however no matter what I do for the password portion it doesn't seem to save it correctly or possibly is adding characters that I am not familiar enough with Mac at this point to find out what that password is (what logs were being looked at that showed the password?)

So please, do not use it, but am curious what the difference might be between the actions of the given script in the packages and why it demotes properly, but the ones in this group do not?

So I guess another question for this might be (and I am just getting started, so I am not exactly sure how one might go about doing this): is there a way to set the initial account to standard by default through a configuration profile or a device-applied script (which will run on the device at startup, not at user login), that would block the de facto demotion to standard user, with the included Admin script creating an actual admin account? That is, circumvent the issue of the local user initially being set as an Admin, or determine that there is already an admin account and default the additional account to standard instead of admin.

Or, by default, is this not "the way" with Mac devices?

fr3dr1x commented Nov 22, 2022

Did anyone find another solution to downgrade and create admin accounts from Intune when the device is already up and running?
