Log Out Script

Discussion in 'Mac Programming' started by Butler Trumpet, Apr 10, 2014.

  1. Butler Trumpet macrumors 6502

    Butler Trumpet

    Joined:
    May 26, 2004
    Location:
    Dekalb IL
    #1
    I need to create a script that will auto log out a user. This will be used with a hidden admin account (via the HiddenUsersList: http://support.apple.com/kb/HT5017) so if a user logs in to this account it will automatically log them out.

    Any ideas? Thanks!
     
  2. kryten2, Apr 10, 2014
    Last edited: Apr 10, 2014

    kryten2 macrumors 6502a

    Joined:
    Mar 17, 2012
    Location:
    Belgium
    #2
    Together with a launchagent and this will do what I think you want to achieve :

    Example launchagent plist :

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    	<key>Label</key>
    	<string>com.kryten.automaticlogout</string>
    	<key>Program</key>
    	<string>/usr/bin/osascript</string>
    	<key>ProgramArguments</key>
    	<array>
    		<string>osascript</string>
    		<string>/Users/kryten/Library/Scripts/Automatic Logout.scpt</string>
    	</array>
    	<key>RunAtLoad</key>
    	<true/>
    </dict>
    </plist>
    
    Example Automatic Logout.scpt :

    Code:
    ignoring application responses
    	tell application "loginwindow"
    		«event aevtrlgo»
    	end tell
    end ignoring
    Note : It lets the user logon then logs the user out and shows the login window again. Tested on Leopard. YMMV.
    Warning !!! : It does not allow that user to log on anymore(well it does but logs them out immediately). Make sure you have more than one user on your system for anyone who wants to test this so you can remove the launchagent plist.
     
  3. Butler Trumpet thread starter macrumors 6502

    Butler Trumpet

    Joined:
    May 26, 2004
    Location:
    Dekalb IL
    #3
    Thanks for that! I will test it in a bit.

    If I were to boot to safe mode (which disables all startup items) would the user still be able to log in?
     
  4. kryten2 macrumors 6502a

    Joined:
    Mar 17, 2012
    Location:
    Belgium
    #4
    I really don't know about safe mode as I rarely have to boot into safe mode but I can test it in couple of minutes if you like. Looking at your signature I think you are better qualified to know what gets disabled on startup regarding launchd and launchagents.
     
  5. Butler Trumpet thread starter macrumors 6502

    Butler Trumpet

    Joined:
    May 26, 2004
    Location:
    Dekalb IL
    #5
    Haha well.... I can take apart your Mac and repair it, and then fix software that is messed up, but when it comes to code and programing its over my head (and most people that are ACMT certified)

    With that being said....

    The two sets of code you posted earlier.... do I just create a .plist file through TextEdit and place it in ~/Library/LaunchAgents and then the second script in the startup folder?
     
  6. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #6
    I don't quite understand what you mean by "auto log out".

    Does this happen immediately? That is, is an attempt to login immediately met with a logout?

    Or does it happen after a time interval? That is, is a login accepted, but a logout is then forced after a time period, such as 5 minutes.

    If you want immediate logout, then the simplest is to change the account to the equivalent of "Sharing only" using System Preferences > Accounts.

    Try this:
    1. Open System Preferences > Accounts.
    2. Unlock.
    3. Control-click (right-click, secondary-click) on the account you want to change.
    4. Observe a contextual menu "Advanced Options..." appears.
    5. Choose it.
    6. Observe a sheet drops down with settings for the user.
    7. Change Login shell to /usr/bin/false
    8. Change Home directory to /dev/null
    9. Click OK.

    The settings in 6-7 are what a "Sharing only" account receives by default.

    I recommend testing this on an account created expressly for testing. Only after it's been proven to behave correctly should it be applied to the desired target account. Testing includes at least:
    - trying to login as the user,
    - trying to share as the user,
    - and trying to do a fast user switch to the user.


    The above description may differ somewhat from what you see. You didn't identify your OS version, so I described how it works in 10.6 Snow Leopard.

    I don't see much purpose in having an admin acct that can't be logged in, so maybe you can describe what you're trying to achieve with it.
     
  7. Butler Trumpet thread starter macrumors 6502

    Butler Trumpet

    Joined:
    May 26, 2004
    Location:
    Dekalb IL
    #7
    Thanks for the response. I'd need the account to log out immediately after login so a user can not use the account at all.

    I'm running 10.9.x on my machine, but this will also be used on older machines that are running 10.7 and up.

    By changing settings in the Advanced Options, will this remove it from the list in System Prefs - Accounts (Users and Groups)?
     
  8. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #8
    Create a test account, try it, see what happens.

    To fully test what happens, you'll also need to add the test account to your HiddenUsersList.

    If it's not obvious, make sure to test it on each of the older OS versions, to ensure it works as desired.
     
  9. kryten2, Apr 10, 2014
    Last edited: Apr 10, 2014

    kryten2 macrumors 6502a

    Joined:
    Mar 17, 2012
    Location:
    Belgium
    #9
    Yes. If that's not what you want then put the plist file in the /System/Library/LaunchAgents folder and change the script to this :

    Code:
    tell application "System Events"
    	set userName to name of current user
    end tell
    
    -- Change the empty list to include your hidden users
    -- example {"bill","steve"}
    if userName is in {""} then
    	ignoring application responses
    		tell application "loginwindow"
    			«event aevtrlgo»
    		end tell
    	end ignoring
    end if
    Yes you can use TextEdit and the placement of the plist depends on what you
    want see above. You do NOT want to put the script in the startup folder. Third-party launchagents and startup items are disabled in safe boot. As you can see in the example plist file I put mine in my ~/Library/Scripts folder.

    If chown33's solution does exactly what you want I would go with that.

    Note : I tested in safe boot mode. If the plist is in ~/Library/LaunchAgents or /Library/LaunchAgents then the user can still log in. Ownership of the plist in /System/Library/LaunchAgents is important so don't forget to
    Code:
    sudo chown 0:0 /System/Library/LaunchAgents/yourplist.plist
     
  10. Butler Trumpet thread starter macrumors 6502

    Butler Trumpet

    Joined:
    May 26, 2004
    Location:
    Dekalb IL
    #10
    I'm not worried about it being disabled in Safe Boot. 99.9% of our users have no idea what that is and if anything it will make it easier for us to fix things later if needed. I'll try this method and see how it goes.

    I tried chown33's method, but it removes the user from System Preferences which I'm trying to avoid.
     
  11. DeltaMac macrumors 604

    DeltaMac

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #11
    Just curious -
    What would be the circumstances where you would use the account, and how would you go about logging in, so you stay logged in?

    Wouldn't it be simpler to just prevent log in entirely (by not sharing the login creds?)
     
  12. Butler Trumpet thread starter macrumors 6502

    Butler Trumpet

    Joined:
    May 26, 2004
    Location:
    Dekalb IL
    #12
    The purpose of the account is for users (who don't have admin rights) to be able to install updates / minor software when needed. They can do this from their standard account. So they have to know the creds.

    (Yes, I know that with the creds they can go to system preferences and make their own account an admin account and do whatever.... this is just what my boss has asked. I'm assuming he is counting on the fact that most of our users wouldn't know that they could do that. They're all college professors and have enormous knowledge in their field.... which the Mac is not.)

    Edit: Just an FYI - this is not at Butler University, despite my username. That is simply where I went to undergrad when I created this account 10 years ago.
     
  13. kryten2 macrumors 6502a

    Joined:
    Mar 17, 2012
    Location:
    Belgium
    #13
    Please do and report how it turned out. Use the method from my first post. Remember you can only do something useful with the accounts when you safe boot! Normal boot is log in and you're immediately logged out again.
     
  14. Butler Trumpet thread starter macrumors 6502

    Butler Trumpet

    Joined:
    May 26, 2004
    Location:
    Dekalb IL
    #14
    Solution Found!

    I used kryten2's script paired with Automator to make an application. Then placed the Application in the Login Items.... works like a charm.

    Thanks so much everyone!
     

Share This Page