When you “can’t” delete a user in MacOS

Or “How to get rid of the first user ever created”, this is about getting dscl error 14120 when trying to delete a user.

I bought a second hand Mac mini which came re-installed but with a user called “User”. After setting up my own admin user, I wanted to delete the original user, which proved to be a bit of a challenge.
Speaking to people or Googling didn’t really get me much closer in a hurry. MacOS users seem to be half-way in between Windows and Linux users when it comes to the “Just re-install” attitude, and people seemed to believe that as long as I was admin myself, I should just be able to delete this user.

That was clearly not the case. Even disabling admin for the user, and setting a new password got me no-where using the GUI. I just prompted with a weird message asking me to type in their password, but it always failed saying their password was wrong, even though it wasn’t.

So, let’s define the axioms for this problem as far as I found out:

  • The first user created is an admin user
  • The first user created is assigned a Secure Token
  • You must have at least one admin user on the system
  • You must have at least one user with a Secure Token

and

  • Subsequent admin users are not assigned Secure Tokens
  • Only a Secure Token user can assign Secure Tokens to other users

To resolve this problem, you need to assign a Secure Token to your own admin user, then delete the other user.

NOTE: The following was done after re-enabling admin on the Secure Token user and being the root command line user.

Trying to attack this problem from the command line got me the following error:

Macmini:Default root# dscl . -delete /Users/user
<main> delete status: eDSPermissionError
<dscl_cmd> DS Error: -14120 (eDSPermissionError)

Having a look around, I found this:

/private/var/db/dslocal/nodes/Defaults/secureaccesstoken.plist

Which lead me on the right Google track.

Macmini:Default root# plutil -p secureaccesstoken.plist 
{
"SecureAccessToken" => {length = 124, bytes = 0x307a8001 008120c1 3970b7ef 87515773 ... f52d75ef a35363a6 }
}

Reading about secure access tokens lead to the sysadminctl command, with which I tried once again to delete the user. This gave me much more informative error:

Macmini:Default root# sysadminctl -deleteUser User -adminUser ADMIN -adminPassword PASSWORD 
2020-06-21 08:56:28.479 sysadminctl[937:15957] User User can not be deleted (it's either last admin user or last secure token user neither of which can be deleted).

Aha! There you go, so, the usage text for ‘sysadminctl‘ listed the -secureTokenOn option:

morsing@Macmini nodes % sudo sysadminctl -adminUser User -adminPassword PASSWORD -secureTokenOn morsing -password PASSWORD
Password:
2020-06-21 14:15:34.072 sysadminctl[527:5170] - Done!

And then it was simple to delete the original user:

morsing@Macmini nodes % sudo dscl . -delete /Users/user

P.S. If you get this error, it is because your Secure Token user isn’t admin:

sysadminctl[1529:37416] setSecureTokenAuthorizationEnabled error Error Domain=com.apple.OpenDirectory Code=5101 "Authentication server refused operation because the current credentials are not authorized for the requested operation." UserInfo={NSLocalizedDescription=Authentication server refused operation because the current credentials are not authorized for the requested operation., NSLocalizedFailureReason=Authentication server refused operation because the current credentials are not authorized for the requested operation.}

And if you get this error, it is because the password for the Secure Token user is wrong:

sysadminctl[1081:27166] Operation is not permitted without secure token unlock.

This entry was posted in Darwin, MacOS and tagged , , , , , , . Bookmark the permalink.

Leave a Reply