Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

kryten2

macrumors 65816
Mar 17, 2012
1,114
99
Belgium
I need to create a script that will auto log out a user. This will be used with a hidden admin account (via the HiddenUsersList: http://support.apple.com/kb/HT5017) so if a user logs in to this account it will automatically log them out.

Any ideas? Thanks!

Together with a launchagent and this will do what I think you want to achieve :

Example launchagent plist :

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.kryten.automaticlogout</string>
	<key>Program</key>
	<string>/usr/bin/osascript</string>
	<key>ProgramArguments</key>
	<array>
		<string>osascript</string>
		<string>/Users/kryten/Library/Scripts/Automatic Logout.scpt</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>

Example Automatic Logout.scpt :

Code:
ignoring application responses
	tell application "loginwindow"
		«event aevtrlgo»
	end tell
end ignoring

Note : It lets the user logon then logs the user out and shows the login window again. Tested on Leopard. YMMV.
Warning !!! : It does not allow that user to log on anymore(well it does but logs them out immediately). Make sure you have more than one user on your system for anyone who wants to test this so you can remove the launchagent plist.
 
Last edited:

Butler Trumpet

macrumors 6502a
Original poster
May 26, 2004
510
355
Dekalb IL
Thanks for that! I will test it in a bit.

If I were to boot to safe mode (which disables all startup items) would the user still be able to log in?
 

kryten2

macrumors 65816
Mar 17, 2012
1,114
99
Belgium
I really don't know about safe mode as I rarely have to boot into safe mode but I can test it in couple of minutes if you like. Looking at your signature I think you are better qualified to know what gets disabled on startup regarding launchd and launchagents.
 

Butler Trumpet

macrumors 6502a
Original poster
May 26, 2004
510
355
Dekalb IL
Haha well.... I can take apart your Mac and repair it, and then fix software that is messed up, but when it comes to code and programing its over my head (and most people that are ACMT certified)

With that being said....

The two sets of code you posted earlier.... do I just create a .plist file through TextEdit and place it in ~/Library/LaunchAgents and then the second script in the startup folder?
 

chown33

Moderator
Staff member
Aug 9, 2009
10,706
8,345
A sea of green
I need to create a script that will auto log out a user. This will be used with a hidden admin account (via the HiddenUsersList: http://support.apple.com/kb/HT5017) so if a user logs in to this account it will automatically log them out.

Any ideas? Thanks!

I don't quite understand what you mean by "auto log out".

Does this happen immediately? That is, is an attempt to login immediately met with a logout?

Or does it happen after a time interval? That is, is a login accepted, but a logout is then forced after a time period, such as 5 minutes.

If you want immediate logout, then the simplest is to change the account to the equivalent of "Sharing only" using System Preferences > Accounts.

Try this:
1. Open System Preferences > Accounts.
2. Unlock.
3. Control-click (right-click, secondary-click) on the account you want to change.
4. Observe a contextual menu "Advanced Options..." appears.
5. Choose it.
6. Observe a sheet drops down with settings for the user.
7. Change Login shell to /usr/bin/false
8. Change Home directory to /dev/null
9. Click OK.

The settings in 6-7 are what a "Sharing only" account receives by default.

I recommend testing this on an account created expressly for testing. Only after it's been proven to behave correctly should it be applied to the desired target account. Testing includes at least:
- trying to login as the user,
- trying to share as the user,
- and trying to do a fast user switch to the user.


The above description may differ somewhat from what you see. You didn't identify your OS version, so I described how it works in 10.6 Snow Leopard.

I don't see much purpose in having an admin acct that can't be logged in, so maybe you can describe what you're trying to achieve with it.
 

Butler Trumpet

macrumors 6502a
Original poster
May 26, 2004
510
355
Dekalb IL
I don't quite understand what you mean by "auto log out".

Does this happen immediately? That is, is an attempt to login immediately met with a logout?

Or does it happen after a time interval? That is, is a login accepted, but a logout is then forced after a time period, such as 5 minutes.

If you want immediate logout, then the simplest is to change the account to the equivalent of "Sharing only" using System Preferences > Accounts.

Try this:
1. Open System Preferences > Accounts.
2. Unlock.
3. Control-click (right-click, secondary-click) on the account you want to change.
4. Observe a contextual menu "Advanced Options..." appears.
5. Choose it.
6. Observe a sheet drops down with settings for the user.
7. Change Login shell to /usr/bin/false
8. Change Home directory to /dev/null
9. Click OK.

The settings in 6-7 are what a "Sharing only" account receives by default.

I recommend testing this on an account created expressly for testing. Only after it's been proven to behave correctly should it be applied to the desired target account. Testing includes at least:
- trying to login as the user,
- trying to share as the user,
- and trying to do a fast user switch to the user.


The above description may differ somewhat from what you see. You didn't identify your OS version, so I described how it works in 10.6 Snow Leopard.

Thanks for the response. I'd need the account to log out immediately after login so a user can not use the account at all.

I'm running 10.9.x on my machine, but this will also be used on older machines that are running 10.7 and up.

By changing settings in the Advanced Options, will this remove it from the list in System Prefs - Accounts (Users and Groups)?
 

chown33

Moderator
Staff member
Aug 9, 2009
10,706
8,345
A sea of green
By changing settings in the Advanced Options, will this remove it from the list in System Prefs - Accounts (Users and Groups)?

Create a test account, try it, see what happens.

To fully test what happens, you'll also need to add the test account to your HiddenUsersList.

I'm running 10.9.x on my machine, but this will also be used on older machines that are running 10.7 and up.
If it's not obvious, make sure to test it on each of the older OS versions, to ensure it works as desired.
 

kryten2

macrumors 65816
Mar 17, 2012
1,114
99
Belgium
Thanks for that! I will test it in a bit.

If I were to boot to safe mode (which disables all startup items) would the user still be able to log in?

Yes. If that's not what you want then put the plist file in the /System/Library/LaunchAgents folder and change the script to this :

Code:
tell application "System Events"
	set userName to name of current user
end tell

-- Change the empty list to include your hidden users
-- example {"bill","steve"}
if userName is in {""} then
	ignoring application responses
		tell application "loginwindow"
			«event aevtrlgo»
		end tell
	end ignoring
end if

The two sets of code you posted earlier.... do I just create a .plist file through TextEdit and place it in ~/Library/LaunchAgents and then the second script in the startup folder?

Yes you can use TextEdit and the placement of the plist depends on what you
want see above. You do NOT want to put the script in the startup folder. Third-party launchagents and startup items are disabled in safe boot. As you can see in the example plist file I put mine in my ~/Library/Scripts folder.

If chown33's solution does exactly what you want I would go with that.

Note : I tested in safe boot mode. If the plist is in ~/Library/LaunchAgents or /Library/LaunchAgents then the user can still log in. Ownership of the plist in /System/Library/LaunchAgents is important so don't forget to
Code:
sudo chown 0:0 /System/Library/LaunchAgents/yourplist.plist
 
Last edited:

Butler Trumpet

macrumors 6502a
Original poster
May 26, 2004
510
355
Dekalb IL
I'm not worried about it being disabled in Safe Boot. 99.9% of our users have no idea what that is and if anything it will make it easier for us to fix things later if needed. I'll try this method and see how it goes.

I tried chown33's method, but it removes the user from System Preferences which I'm trying to avoid.
 

DeltaMac

macrumors G5
Jul 30, 2003
13,422
4,390
Delaware
Thanks for the response. I'd need the account to log out immediately after login so a user can not use the account at all.
...

Just curious -
What would be the circumstances where you would use the account, and how would you go about logging in, so you stay logged in?

Wouldn't it be simpler to just prevent log in entirely (by not sharing the login creds?)
 

Butler Trumpet

macrumors 6502a
Original poster
May 26, 2004
510
355
Dekalb IL
Just curious -
What would be the circumstances where you would use the account, and how would you go about logging in, so you stay logged in?

Wouldn't it be simpler to just prevent log in entirely (by not sharing the login creds?)

The purpose of the account is for users (who don't have admin rights) to be able to install updates / minor software when needed. They can do this from their standard account. So they have to know the creds.

(Yes, I know that with the creds they can go to system preferences and make their own account an admin account and do whatever.... this is just what my boss has asked. I'm assuming he is counting on the fact that most of our users wouldn't know that they could do that. They're all college professors and have enormous knowledge in their field.... which the Mac is not.)

Edit: Just an FYI - this is not at Butler University, despite my username. That is simply where I went to undergrad when I created this account 10 years ago.
 

kryten2

macrumors 65816
Mar 17, 2012
1,114
99
Belgium
I'll try this method and see how it goes.

Please do and report how it turned out. Use the method from my first post. Remember you can only do something useful with the accounts when you safe boot! Normal boot is log in and you're immediately logged out again.
 

Butler Trumpet

macrumors 6502a
Original poster
May 26, 2004
510
355
Dekalb IL
Solution Found!

I used kryten2's script paired with Automator to make an application. Then placed the Application in the Login Items.... works like a charm.

Thanks so much everyone!
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.