Level Verified

macOS Delete/Disable Users Script

Created by

Level

Type

Script

Category

Security

Platforms

Windows, Apple iOS, Linux

Problem Overview

This script streamlines the process of removing or disabling unauthorized, stale, or compromised macOS user accounts by automating tasks that would otherwise require manual attention, ensuring your organization maintains secure and compliant endpoints with minimal effort.

Description

It uses a comma-separated list of usernames from the “UsersToDelete” variable and iterates through each entry, checking for existing accounts before disabling login shells, removing admin privileges, and locking the account. By default, it only disables users, but you can uncomment a line to delete them entirely. The script seamlessly integrates with Level’s root-level permissions, making manual elevation steps unnecessary and ensuring a consistent approach to user account management across all your Mac devices.

Script

#!/bin/bash

# This resource is provided as a convenience for Level users. We cannot
# guarantee it will work in all environments. Please test before deploying
# to your production environment. We welcome contributions to our community
# library

# Level Library
# https://level.io/library/script-macos-delete-disable-users

# Define the list of users to disable/delete (replace with actual values)
USERS_TO_DELETE="{{UsersToDelete}}"

# Convert the comma-separated list into an array
IFS=',' read -r -a userArray <<< "$(echo "$USERS_TO_DELETE" | sed 's/, */,/g')"

for user in "${userArray[@]}"; do
    # Trim spaces from the username and skip empty entries
    user=$(echo "$user" | xargs)
    [ -z "$user" ] && continue

    # Check if user exists (fixed-string, whole-line match so the name is not treated as a regex)
    if dscl . -list /Users | grep -qxF -- "$user"; then
        echo "User $user exists. Proceeding with disabling..."

        # Remove Secure Token if enabled
        if sudo sysadminctl -secureTokenStatus "$user" 2>&1 | grep -q "ENABLED"; then
            echo "User $user has Secure Token. Attempting to disable..."
            # sysadminctl takes the target user name directly after -secureTokenOff.
            # Replace <current_password> with that user's password; depending on the
            # macOS version a Secure Token administrator may also have to be supplied
            # with -adminUser <admin> -adminPassword <password>.
            sudo sysadminctl -secureTokenOff "$user" -password "<current_password>"
        fi

        # Remove user from admin group
        if dseditgroup -o checkmember -m "$user" admin | grep -q "is a member"; then
            sudo dseditgroup -o edit -d "$user" -t user admin
            echo "User $user has been removed from the admin group."
        fi

        # Disable login shell
        sudo dscl . -create "/Users/$user" UserShell /usr/bin/false
        echo "User $user's login shell has been disabled."

        # Lock the user account
        sudo pwpolicy -u "$user" -setpolicy "isDisabled=1"
        echo "User $user has been locked."

        # Uncomment to delete the user instead of just disabling
        # sudo sysadminctl -deleteUser "$user" -secure
        # echo "User $user has been deleted."
    else
        echo "User $user does not exist or is system-protected."
    fi
done


Use Cases

  • Disabling unauthorized or orphaned macOS user profiles
  • Quickly locking out dormant accounts that pose security risks
  • Streamlining compliance for macOS environments by removing inactive or admin-privileged users
  • Combining with admin compliance workflows for a unified security strategy

Recommendations

  • Configure a script-based monitor in Level to automatically disable or remove users detected as unauthorized
  • If ongoing checks are needed, create a Level automation with a schedule trigger to run regular cleanups
  • Test the script in a non-production environment first to validate the behavior and confirm that password parameters (if needed) are set correctly
  • Uncomment the relevant line to permanently delete users if that aligns with your organization’s security policy
  • Check out the Admin Compliance & Remediation Automation

FAQ

  • Can I delete users outright instead of just disabling them?
    Yes. Simply uncomment the “sysadminctl -deleteUser” line and comment out or remove the disabling commands to permanently remove the user.
  • Does this script require special permissions on the Mac?
    No, Level automatically runs scripts as root on macOS, so additional elevation steps aren’t needed.
  • What if the user has a Secure Token enabled?
    The script attempts to disable the Secure Token before removing privileges, but the password argument is only a placeholder (<current_password>). Replace it with a valid password before running the final script.
  • Why does the script say ‘User does not exist or is system-protected’?
    This message appears if the username isn’t recognized by the system or if it’s a protected account. In such cases, manual review may be necessary.
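The library script's else branch prints "system-protected", but the only check it performs is whether the account exists, so a typo in the UsersToDelete variable that happens to name a service account, or the last administrator on the Mac, would be disabled. The pre-flight guard below is an added example, not part of Level's script; it assumes the conventional macOS layout (service accounts carry a leading underscore or a UID below 500, admin membership lives in /Groups/admin) and prints only the names that the disable steps may safely act on.

```bash
#!/bin/bash
# Added pre-flight guard (example only, not part of Level's library script).
# Implements the protection the script's message implies: never touch a
# built-in or service account and never disable the last remaining admin.

# 0 (true) when the name/UID pair is a built-in or service account:
# root, daemon, nobody, underscore-prefixed names, or a UID below 500.
is_protected_user() {
    user="$1"; uid="$2"
    [ -z "$user" ] && return 0
    case "$user" in
        root|daemon|nobody|_*) return 0 ;;
    esac
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;          # no numeric UID: not protected by UID
    esac
    [ "$uid" -lt 500 ]
}

# 0 (true) when removing $1 from the space-separated admin list $2 would
# leave no human administrator (root is not counted as one).
is_last_admin() {
    user="$1"; remaining=0
    for a in $2; do
        [ "$a" = "$user" ] || [ "$a" = "root" ] || remaining=$((remaining + 1))
    done
    [ "$remaining" -eq 0 ]
}

# macOS-only wrapper: resolves each name in a comma-separated list via dscl
# and prints the accounts that pass both checks, one per line. Skipped
# names are reported on stderr with the reason.
plan_disable() {
    admins=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null | cut -d: -f2-)
    for user in $(printf '%s' "$1" | tr ',' '\n'); do
        uid=$(dscl . -read "/Users/$user" UniqueID 2>/dev/null | awk '{print $2}')
        if [ -z "$uid" ]; then
            echo "SKIP $user: not found" >&2
        elif is_protected_user "$user" "$uid"; then
            echo "SKIP $user: built-in or service account" >&2
        elif is_last_admin "$user" "$admins"; then
            echo "SKIP $user: last remaining administrator" >&2
        else
            echo "$user"                  # safe to hand to the disable steps
        fi
    done
}

# Usage in the Level script: plan_disable "{{UsersToDelete}}" | while read -r user; do ...; done
```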

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

macOS - Delete/Disable Users

Description

This Bash script processes a comma-separated list of usernames provided through Level's script variables to perform account disablement on macOS systems. For each username in the list, it performs comprehensive account verification and disablement, including removing Secure Tokens if present, revoking admin privileges, disabling the login shell, and locking the account (with commented code available for full account deletion). The script provides detailed status messages throughout the process, indicating the success of each operation or reporting if the specified user doesn't exist.

Language

Bash

Timeout (In Seconds)

100

Run As

Local system
