Can’t delete a macOS user with dscl [resolution]

After performing the same process on more than a couple of dozen macOS systems (various 10.15.x versions) without issue, a couple of macOS laptops turned up that would not allow the user to be deleted. A very ugly error appears that reads eDSPermissionError, which implies a permissions problem. As the root administrator on the laptop, this should not be an issue. However, after a couple of hours of troubleshooting, the problem became clear and so did the resolution.

Repeating the same tasks across many machines is always easier over ssh. Using ssh to access the laptop as an administrator, the following command was issued to delete a specific user.

dscl . -delete /Users/user1

On a couple of systems, this returned the following error.

<main> delete status: eDSPermissionError
<dscl_cmd> DS Error: -14120 (eDSPermissionError)

secureToken

It became quite clear what the problem was after finding an article by aixperts.co.uk: secureToken. The administrator account being used to delete the user account did not have secureToken ENABLED, while the user account did. To test for and resolve this, do the following.

Test if secureToken is ENABLED.

sysadminctl -secureTokenStatus administrator
sysadminctl -secureTokenStatus user1

Use the user account that has secureToken ENABLED to ENABLE it on the administrator account. The account supplying -adminUser is the one that already holds the token; the account named after -secureTokenOn is the one receiving it.

sysadminctl -adminUser user1 -adminPassword - -secureTokenOn administrator -password - -interactive

Perform the test again. Once the administrator account has been verified to have secureToken enabled, repeat the dscl command to delete the user.

dscl . -delete /Users/user1

That should do it.
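The check-then-fix sequence above can be wrapped so that the secureToken state of both accounts is inspected before dscl is ever run, and the token is granted only when the administrator lacks one while the target holds one. This is an added example, not part of the original post: it assumes the account names "administrator" and "user1" from the post as placeholders, and that sysadminctl reports status with the phrase "Secure token is ENABLED for user ..." or "Secure token is DISABLED for user ..." (an assumption about the tool's output format). The parsing and decision logic are kept in functions that take plain strings so they can be exercised without the macOS tools present.

```shell
#!/bin/sh
# Added example (not from the original post): guard a dscl user deletion with
# a SecureToken check, so eDSPermissionError (-14120) is avoided up front.
set -eu

# Classify one `sysadminctl -secureTokenStatus` message.
# Assumed format: "sysadminctl[pid:tid] Secure token is ENABLED for user NAME".
# Prints ENABLED, DISABLED or UNKNOWN; always returns 0 so `set -e` is safe.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Query the live system (sysadminctl writes its status line to stderr).
secure_token_status() {
    token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1 || true)"
}

# Decide what to do from the two states:
#   admin DISABLED + target ENABLED -> dscl would fail; grant first.
#   anything UNKNOWN                -> do nothing, the status is unreadable.
#   otherwise                       -> plain delete is fine.
plan_delete() {
    admin_state="$1"
    target_state="$2"
    if [ "$admin_state" = UNKNOWN ] || [ "$target_state" = UNKNOWN ]; then
        echo ABORT
    elif [ "$admin_state" = DISABLED ] && [ "$target_state" = ENABLED ]; then
        echo GRANT_THEN_DELETE
    else
        echo DELETE
    fi
}

# Delete $2 using administrator $1, granting $1 a SecureToken from $2 first
# when needed. "-" for both passwords makes sysadminctl prompt interactively,
# so no password lands in the shell history or process list.
delete_user_checked() {
    admin="$1"
    target="$2"
    action=$(plan_delete "$(secure_token_status "$admin")" \
                         "$(secure_token_status "$target")")
    case "$action" in
        ABORT)
            echo "could not read SecureToken status; not touching $target" >&2
            return 1 ;;
        GRANT_THEN_DELETE)
            echo "$admin has no SecureToken but $target does; granting one to $admin" >&2
            sysadminctl -adminUser "$target" -adminPassword - \
                        -secureTokenOn "$admin" -password -
            # Re-check so we never delete the last token holder.
            [ "$(secure_token_status "$admin")" = ENABLED ] || {
                echo "SecureToken grant to $admin did not take effect" >&2
                return 1
            } ;;
    esac
    dscl . -delete "/Users/$target"
}

# Only act on the live system when explicitly asked:
#   sh this_script.sh --run administrator user1
if [ "${1:-}" = "--run" ]; then
    delete_user_checked "${2:-administrator}" "${3:-user1}"
fi
```

Run it over ssh as the administrator with `--run`; without that flag the script only defines the functions, which is what makes the parser and decision logic testable on any machine. The re-check after the grant is the important safety step: dscl is only invoked once the administrator is confirmed to hold a token, so the system is never left with zero token holders.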

Conclusions

On the systems that would not allow the administrator account to delete the desired user, the user account had been created first. The first user account created on a system has secureToken ENABLED by default; subsequent users do not. Those later users must have secureToken enabled for them by a user that already has it. The administrator account had been created afterwards and so did not have secureToken enabled. Because the system must keep at least one user with secureToken enabled, the only user that had it could not be deleted. Once the problem was identified, that secureToken-enabled user account was used to ENABLE secureToken on the administrator account, after which the administrator account could delete the user account.

Source(s)

  • http://www.aixperts.co.uk/?p=214