{"id":214,"date":"2020-06-21T14:33:35","date_gmt":"2020-06-21T14:33:35","guid":{"rendered":"http:\/\/www.aixperts.co.uk\/?p=214"},"modified":"2020-06-23T20:34:49","modified_gmt":"2020-06-23T20:34:49","slug":"when-you-cant-delete-a-user-in-macos","status":"publish","type":"post","link":"https:\/\/www.aixperts.co.uk\/?p=214","title":{"rendered":"When you &#8220;can&#8217;t&#8221; delete a user in MacOS"},"content":{"rendered":"\n<p><strong>Or &#8220;How to get rid of the first user ever created&#8221;, this is about getting dscl error 14120 when trying to delete a user.<\/strong><\/p>\n\n\n\n<p>I bought a second-hand Mac mini which came re-installed but with a user called &#8220;User&#8221;. After setting up my own admin user, I wanted to delete the original user, which proved to be a bit of a challenge.<br>Speaking to people or Googling didn&#8217;t really get me much closer in a hurry. MacOS users seem to be halfway between Windows and Linux users when it comes to the &#8220;Just re-install&#8221; attitude, and people seemed to believe that as long as I was admin myself, I should just be able to delete this user.<br><br>That was clearly not the case. Even disabling admin for the user, and setting a new password got me nowhere using the GUI. 
I was just prompted with a weird message asking me to type in their password, but it always failed saying their password was wrong, even though it wasn&#8217;t.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"780\" height=\"598\" src=\"http:\/\/www.aixperts.co.uk\/wordpress\/wp-content\/uploads\/2020\/06\/Screenshot-2020-06-14-at-15.06.46.png\" alt=\"\" class=\"wp-image-223\" srcset=\"https:\/\/www.aixperts.co.uk\/wordpress\/wp-content\/uploads\/2020\/06\/Screenshot-2020-06-14-at-15.06.46.png 780w, https:\/\/www.aixperts.co.uk\/wordpress\/wp-content\/uploads\/2020\/06\/Screenshot-2020-06-14-at-15.06.46-300x230.png 300w, https:\/\/www.aixperts.co.uk\/wordpress\/wp-content\/uploads\/2020\/06\/Screenshot-2020-06-14-at-15.06.46-768x589.png 768w\" sizes=\"auto, (max-width: 780px) 100vw, 780px\" \/><\/figure>\n\n\n\n<p>So, let&#8217;s define the axioms for this problem as far as I found out:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The first user created is an admin user<\/li><li>The first user created is assigned a Secure Token<\/li><li>You must have at least one admin user on the system<\/li><li>You must have at least one user with a Secure Token<\/li><\/ul>\n\n\n\n<p>and<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Subsequent admin users are not assigned Secure Tokens<\/li><li>Only a Secure Token user can assign Secure Tokens to other users<\/li><\/ul>\n\n\n\n<p><em>To resolve this problem, you need to assign a Secure Token to your own admin user, then delete the other user.<\/em><\/p>\n\n\n\n<p>NOTE: The following was done after re-enabling admin on the Secure Token user and being the root command line user.<\/p>\n\n\n\n<p>Trying to attack this problem from the command line got me the following error:<\/p>\n\n\n\n<p><code>Macmini:Default root# dscl . 
-delete \/Users\/user<br>&lt;main&gt; delete status: eDSPermissionError<br>&lt;dscl_cmd&gt; DS Error: -14120 (eDSPermissionError)<\/code><\/p>\n\n\n\n<p>Having a look around, I found this:<\/p>\n\n\n\n<p><code>\/private\/var\/db\/dslocal\/nodes\/Defaults\/secureaccesstoken.plist<\/code><\/p>\n\n\n\n<p>Which led me onto the right Google track.<\/p>\n\n\n\n<p><code>Macmini:Default root# plutil -p secureaccesstoken.plist&nbsp;<br>{<br>   \"SecureAccessToken\" =&gt; {length = 124, bytes = 0x307a8001 008120c1 3970b7ef 87515773 ... f52d75ef a35363a6 }<br>}<\/code><\/p>\n\n\n\n<p>Reading about secure access tokens led to the <em>sysadminctl<\/em> command, with which I tried once again to delete the user. This gave me a much more informative error:<\/p>\n\n\n\n<p><code>Macmini:Default root# sysadminctl -deleteUser User -adminUser ADMIN -adminPassword PASSWORD&nbsp;<br>2020-06-21 08:56:28.479 sysadminctl[937:15957] User User can not be deleted (it's either last admin user or last secure token user neither of which can be deleted).<\/code><\/p>\n\n\n\n<p>Aha! There you go, so, the usage text for &#8216;<em>sysadminctl<\/em>&#8216; listed the -secureTokenOn option:<\/p>\n\n\n\n<p><code>morsing@Macmini nodes % sudo sysadminctl -adminUser User -adminPassword PASSWORD -secureTokenOn morsing -password PASSWORD<br>Password:<br>2020-06-21 14:15:34.072 sysadminctl[527:5170] - Done!<\/code><\/p>\n\n\n\n<p>And then it was simple to delete the original user:<\/p>\n\n\n\n<p><code>morsing@Macmini nodes % sudo dscl . -delete \/Users\/user<\/code><\/p>\n\n\n\n<p>P.S. 
If you get this error, it is because your Secure Token user isn&#8217;t admin:<\/p>\n\n\n\n<p><code>sysadminctl[1529:37416] setSecureTokenAuthorizationEnabled error Error Domain=com.apple.OpenDirectory Code=5101 \"Authentication server refused operation because the current credentials are not authorized for the requested operation.\" UserInfo={NSLocalizedDescription=Authentication server refused operation because the current credentials are not authorized for the requested operation., NSLocalizedFailureReason=Authentication server refused operation because the current credentials are not authorized for the requested operation.}<\/code><\/p>\n\n\n\n<p>And if you get this error, it is because the password for the Secure Token user is wrong:<\/p>\n\n\n\n<p><code>sysadminctl[1081:27166] Operation is not permitted without secure token unlock.<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Or &#8220;How to get rid of the first user ever created&#8221;, this is about getting dscl error 14120 when trying to delete a user. I bought a second hand Mac mini which came re-installed but with a user called &#8220;User&#8221;. 
&hellip; <a href=\"https:\/\/www.aixperts.co.uk\/?p=214\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60,59],"tags":[54,61,53,55,52,58,56],"class_list":["post-214","post","type-post","status-publish","format-standard","hentry","category-darwin","category-macos","tag-54","tag-darwin","tag-delete-user","tag-dscl","tag-macos","tag-secureaccesstoken","tag-sysadminctl"],"_links":{"self":[{"href":"https:\/\/www.aixperts.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.aixperts.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aixperts.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aixperts.co.uk\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aixperts.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=214"}],"version-history":[{"count":12,"href":"https:\/\/www.aixperts.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/214\/revisions"}],"predecessor-version":[{"id":229,"href":"https:\/\/www.aixperts.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/214\/revisions\/229"}],"wp:attachment":[{"href":"https:\/\/www.aixperts.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aixperts.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aixperts.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}