
Level Verified

Linux Delete/Disable Users Script

Created by

Level

Type

Script

Category

Security

Platforms
Windows, Apple iOS, Linux

Problem Overview

This script addresses the challenge of promptly and consistently managing user accounts on Linux systems by automatically disabling or removing those that are unauthorized, stale, or otherwise no longer needed. It helps reduce security vulnerabilities linked to overlooked or dormant accounts that retain unnecessary privileges.

Description

The script reads a “UsersToDelete” variable containing comma-separated usernames, then iterates through each one to either disable or delete the corresponding user account on a Linux system. By default, it disables each account by setting its expiration date to 1970-01-01 (chage -E0), which prevents any further logins; you can uncomment specific lines to fully remove the user profiles and their home directories instead. Because it runs with root-level permissions through Level, you can incorporate it into script-based monitors that identify unauthorized users in real time or schedule regular compliance checks through Level automations.

Script

#!/bin/bash

# This resource is provided as a convenience for Level users. We cannot
# guarantee it will work in all environments. Please test before deploying
# to your production environment. We welcome contributions to our community
# library

# Level Library
# https://level.io/library/script-linux-delete-disable-users

# Define the list of users to disable/delete (replace with actual values)
USERS_TO_DELETE="{{UsersToDelete}}"

# Convert the comma-separated list into an array (drop spaces after commas)
IFS=',' read -r -a userArray <<< "$(echo "$USERS_TO_DELETE" | sed 's/, */,/g')"

for user in "${userArray[@]}"; do
    # Trim surrounding spaces from the username
    user=$(echo "$user" | xargs)

    # Skip empty entries (e.g. a trailing comma or an empty variable)
    [ -z "$user" ] && continue

    # Check if the user exists
    if id "$user" &>/dev/null; then
        # Disable the user by expiring the account (expiry date 1970-01-01),
        # which prevents any further logins
        sudo chage -E0 "$user"
        echo "User $user has been disabled."

        # Remove the user from the sudo (admin) group
        # if groups "$user" | grep -q '\bsudo\b'; then
        #     sudo gpasswd -d "$user" sudo
        #     echo "User $user has been removed from the sudo group."
        # fi

        # Uncomment the next two lines to **delete** the user instead of just disabling
        #sudo userdel -r "$user"
        #echo "User $user has been deleted."
    else
        echo "User $user does not exist."
    fi
done

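The script above takes whatever names arrive in the variable and acts on them as root, so the two things an operator most wants around it are a pre-flight check (is the input well-formed, and does it contain an account that must never be touched?) and a way to confirm afterwards what state each account is actually in, including whether it still sits in an admin group as the FAQ discusses. The following is an added example, not part of Level's library script: the functions, the `PROTECTED` and `PRIVILEGED_GROUPS` policy lists, and the sample input and shadow records are all assumptions constructed for this illustration. It reports only and changes nothing on the host; the shadow-classification logic mirrors what `chage -E0` does (sets the expiry field, field 8 of `/etc/shadow`, to day 0).

```shell
#!/bin/bash
# Added example, not Level's library script: pre-flight validation and a
# read-only state report for the disable/delete workflow described above.
# Assumptions (constructed for this example): the same comma-separated
# {{UsersToDelete}} input format; a PROTECTED list of accounts the workflow
# must never disable; a PRIVILEGED_GROUPS list your environment treats as admin.
# Written with portable constructs so it also runs under /bin/sh.

PROTECTED="root"                          # hypothetical never-disable list
PRIVILEGED_GROUPS="sudo wheel adm docker" # hypothetical admin-group list

# Normalize "alice, bob,,bob " into one username per line: trims
# surrounding whitespace, drops empty entries and repeated names.
normalize_user_list() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | awk 'NF && !seen[$0]++'
}

# Reject names that are empty, protected, or not a portable username
# (letters, digits, '.', '_', '-'; no leading '-'). Returns 1 on rejection.
validate_username() {
    user="$1"
    case "$user" in
        ''|-*|*[!A-Za-z0-9._-]*) echo "reject: invalid name '$user'"; return 1 ;;
    esac
    for p in $PROTECTED; do
        if [ "$user" = "$p" ]; then echo "reject: protected account '$user'"; return 1; fi
    done
    echo "ok: $user"
}

# Classify one /etc/shadow record. Field 2 is the password hash, field 8 the
# expiry day in days since the epoch (the field 'chage -E0' sets to 0).
#   expired -> expiry day is today or earlier, so logins are refused
#   locked  -> hash begins with '!' or '*' (passwd -l, or a system account)
#   active  -> neither; the account can still log in
classify_shadow_line() {
    hash=$(printf '%s' "$1" | cut -d: -f2)
    expiry=$(printf '%s' "$1" | cut -d: -f8)
    today=$(( $(date +%s) / 86400 ))
    if [ -n "$expiry" ] && [ "$expiry" -le "$today" ]; then
        echo expired
    else
        case "$hash" in
            '!'*|'*'*) echo locked ;;
            *)         echo active ;;
        esac
    fi
}

# From a space-separated group list (as printed by 'id -nG'), return the
# groups that confer admin rights per PRIVILEGED_GROUPS, in input order.
privileged_groups_among() {
    out=""
    for g in $1; do
        case " $PRIVILEGED_GROUPS " in *" $g "*) out="$out $g" ;; esac
    done
    echo "${out# }"
}

# Read-only report for one user on the live host: existence, shadow state and
# leftover admin groups. Needs getent/id; the shadow entry is readable only as root.
report_user() {
    user="$1"
    getent passwd "$user" >/dev/null 2>&1 || { echo "$user: does not exist"; return 0; }
    if shadow=$(getent shadow "$user" 2>/dev/null); then
        echo "$user: $(classify_shadow_line "$shadow")"
    else
        echo "$user: state unknown (shadow not readable; run as root)"
    fi
    priv=$(privileged_groups_among "$(id -nG "$user" 2>/dev/null)")
    echo "$user: privileged groups: ${priv:-none}"
}

# Example run over a constructed input; nothing on the host is modified.
# "root" and "bad name" are rejected before any lookup happens.
normalize_user_list "alice, root,, bob ,alice,bad name" | while IFS= read -r u; do
    if validate_username "$u"; then report_user "$u"; fi
done
```

Run the validation stage before the library script (or fold the checks into it) and the report stage after it: an account that still shows `active`, or that still lists `sudo` among its privileged groups, is one the disable step did not fully cover.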

Use Cases

  • Automatically disabling accounts for recently offboarded employees
  • Removing abandoned or dormant accounts discovered through periodic audits
  • Responding in real time to security incidents or unauthorized user alerts
  • Enforcing compliance mandates for least privilege or data security

Recommendations

  • Pair this script with a script-based monitor in Level to disable suspicious or unapproved users on demand
  • For scheduled enforcement, create a Level automation with a set trigger to routinely run the script
  • Test the script on a non-production environment first to confirm proper functionality and results
  • Uncomment the “userdel” line to permanently delete users once you’ve verified they’re truly unauthorized
  • Check out the Admin Compliance & Remediation Automation

FAQ

  • Does the script require any additional permissions to run?
    No, Level executes scripts with root permissions on Linux endpoints, so it’s already equipped with the necessary privileges.
  • How do I switch from disabling to fully deleting user accounts?
    Remove the comment marks (“#”) on the userdel lines in the script to fully remove the user instead of just locking their account.
  • What if a user doesn’t exist?
    The script skips any username not found in the system and outputs a message indicating the user does not exist.
  • Can I remove users from other privileged groups like ‘sudo’?
    Yes, the script includes commented-out lines that remove the user from the sudo group. Uncomment them if you’d like to ensure no admin privileges remain.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

Linux - Delete/Disable Users

Description

This Bash script processes a comma-separated list of usernames provided through Level's script variables to perform account disablement on Linux systems. For each username in the list, it verifies the account exists, then disables it by setting the account expiration date to epoch 0 (with commented code available for removing sudo privileges or full account deletion). The script provides status messages for each attempted operation, indicating success or reporting if the specified user doesn't exist.

Language

Bash

Timeout (In Seconds)

100

Run As

Local system
