Script To Delete User Accounts On Multiple Servers

Hello All,

The servers in question are AIX/Unix servers. I was hoping to find a scripting solution where I could use one server as a jump server and run a script that would check each server for a user account (the source file for the user accounts would be a text file or csv file), and delete the user account. I don't have root access, but I do have sudo rights. Expect is installed on all of the servers. Can someone assist me with this? Thanks in advance.

Do you have password-less ssh access to all the servers, can this be setup?

What should happen if the user is logged in when you attempt to delete them?

Do you need to kill any jobs running as the users?
Do you need to remove cron/at jobs for the user?
What about spooled print jobs?
Files under the users home directory?

The accounts that I am trying to delete are for users that are no longer with the company, so there should be no one logged in with these accounts. I have my jump server configured to use keys (instead of a password) to connect to the other servers via ssh. No jobs are running for any of these accounts; they can be terminated with extreme prejudice. The home directories can also be deleted with no issue.
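One way to do what the thread asks, as an added example rather than anything posted in the thread: the leaver list is read from a text or csv file, each login is checked on each host with lsuser before rmuser is called, and nothing is changed unless DO_IT=1 is set. The host names, the sudo rules on the targets and the list format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: read the leaver list (text or csv,
# login in the first field), then on every host in HOSTS check with lsuser
# whether the account exists and remove it with rmuser. Assumes key-based
# ssh from the jump server and sudo rights to lsuser, rmuser and rm.
# Dry run unless DO_IT=1 is set. Host names below are hypothetical.
HOSTS=${HOSTS:-"aixhost1 aixhost2"}

# Accept only login names that are safe to splice into a remote shell
# command, and never the root account, whatever the list file says.
valid_name() {
    case $1 in
        ''|root|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# One login per line: drop comments and blank lines, keep the first
# comma-separated field, trim surrounding blanks.
parse_users() {
    sed -e 's/#.*//' -e 's/,.*//' -e 's/^[[:blank:]]*//' -e 's/[[:blank:]]*$//' "$1" |
        grep -v '^$'
}

# Command executed on the remote host for one account. rmuser -p removes the
# account and its /etc/security stanzas but not the home directory, so that
# is removed afterwards, and only when it is the expected /home/<login>.
remote_cmd() {
    u=$1
    printf 'if lsuser -a home %s >/dev/null 2>&1; then ' "$u"
    printf 'hd=$(lsuser -a home %s | sed "s/.*home=//"); ' "$u"
    printf 'sudo rmuser -p %s && echo "REMOVED %s" && ' "$u" "$u"
    printf 'case $hd in /home/%s) sudo rm -rf "$hd";; esac; ' "$u"
    printf 'else echo "ABSENT %s"; fi\n' "$u"
}

main() {
    parse_users "$1" | while read -r u; do
        valid_name "$u" || { echo "skipping unsafe name: $u" >&2; continue; }
        for h in $HOSTS; do
            if [ "${DO_IT:-0}" = 1 ]; then
                ssh -o BatchMode=yes "$h" "$(remote_cmd "$u")" | sed "s/^/$h: /"
            else
                echo "dry run, $h: $(remote_cmd "$u")"
            fi
        done
    done
}

case "${1:-}" in '') ;; *) main "$1" ;; esac
```

Run it first without DO_IT to see exactly what would be executed on each host, then with `DO_IT=1 sh remove_users.sh leavers.csv` once the dry run looks right.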

Hi,

Here is a shell script written some time ago to gather the user information on AIX servers, I'm sure that the output could be used to feed a second script to remove the users - comes without warranty - use with caution. This was used as we had servers with 15k local accounts and they changed at the rate of about 60 a week, so we had to develop tools to manage.

#!/bin/ksh
#$Id$
############################################################################################
#
# Check for unused accounts on AIX systems, required that Perl is installed.
#
############################################################################################
# The original script was found on the Web and adapted to suit our environment.
############################################################################################
#
# Dave Hoojikaflip - 14/06/2009
#
############################################################################################
#
# Change History.
#
# Newest Changes to the top please.
#
############################################################################################

############################################################################################
#
# Get the seconds from the epoch.
#
############################################################################################

secs_since_epoch=$(perl -le 'print time')

############################################################################################
#
# Declare function to check what output there was from a test - and make it readable.
#
############################################################################################

function do_the_thing
{
if [[ -n "$1" ]]; then
print "$1" | troff -a
fi
}

############################################################################################
#
# Declare function
#
############################################################################################

function put_it_out_there
{
do_the_thing "$no_password_aging"
do_the_thing "$all_locked_accounts"
do_the_thing "$never_logged_in"
do_the_thing "$not_for_ninety"
do_the_thing "$passwd_set_never_logged_in"
do_the_thing "$too_many_unsuccessful"
do_the_thing "$has_it_expired"
}

############################################################################################
#
# List all users, with the exception of the default users.
#
############################################################################################

for user_name in $( awk -F':' '{print $1}' /etc/passwd | sort ) ; do

############################################################################################
#
# Check the aging of the passwords.
#
############################################################################################

if [[ -n $(awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':"{ if (/minage|maxage/ ){print $0} } ' /etc/security/user ) ]]; then
        if [[ -z $no_password_aging ]]; then
                no_password_aging=$( print no passwd aging - $user_name )
        else
                no_password_aging=$( print $no_password_aging $user_name )
        fi
fi

############################################################################################
#
# Check to see if any of the accounts are locked.
#
############################################################################################

if [[ -n $(awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':"{ if (/account_locked = true/ ){print $0} } ' /etc/security/user ) ]]; then
        if [[ -z $all_locked_accounts ]]; then
                all_locked_accounts=$( print locked users - $user_name )
        else
                all_locked_accounts=$( print $all_locked_accounts $user_name )
        fi
fi

############################################################################################
#
# Check for accounts that have never logged in.
#
############################################################################################

if [[ -z $( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'$user_name':" ' /etc/security/lastlog) ]] || [[ -n $( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':" { if (!/time_last_login/ ){print $1} } ' /etc/security/lastlog ) ]]; then
        if [[ -z $never_logged_in ]]; then
                never_logged_in=$( print never logged in - $user_name )
        else
                never_logged_in=$( print $never_logged_in $user_name )
        fi
fi

############################################################################################
#
# Have any accounts not been used for the last 90 days.
#
############################################################################################

if [[ -n $( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':"{ if (/time_last_login/ ){print $1} }' /etc/security/lastlog) ]]; then
	# 7776000 seconds = 90 days; the regex below was missing its closing slash in the original
	if (( $secs_since_epoch - $( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':"{if (match($0,/time_last_login = [0-9]+/) ){ print substr($0, RSTART+18, RLENGTH-18)} }' /etc/security/lastlog ) > 7776000 )); then
                if [[ -z $not_for_ninety ]]; then
                not_for_ninety=$( print not used 90+ - $user_name )
                else
                not_for_ninety=$( print $not_for_ninety $user_name )
                fi
        fi
fi

###########################################################################################
#
# Check to see if the password has been set, but account not used.
#
###########################################################################################

if [[ -n $( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':"{ if (/flags = ADMCHG/ ){print $1} } ' /etc/security/passwd) ]]; then
                if [[ -z $passwd_set_never_logged_in ]]; then
                passwd_set_never_logged_in=$( print passwd set but user never logged in - $user_name )
                else
                passwd_set_never_logged_in=$( print $passwd_set_never_logged_in $user_name )
        fi
fi

###########################################################################################
#
# Now we count the number of failed logins.
#
###########################################################################################

# RLENGTH-27 keeps the whole count rather than only its first digit; the regex was missing its opening slash.
num_unsuccessful_logins=$( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':" {if (match($0, /unsuccessful_login_count = [0-9]+/) ) {print substr($0, RSTART+27, RLENGTH-27)} }' /etc/security/lastlog )
# Threshold matches the message printed below (5 or more).
if [[ -n $num_unsuccessful_logins ]] && (( $num_unsuccessful_logins >= 5 )) ; then
	if [[ -z $too_many_unsuccessful ]]; then
	too_many_unsuccessful=$( print 5 or more unsuccessful logins - $user_name )
	else
	too_many_unsuccessful=$( print $too_many_unsuccessful $user_name )
	fi
fi

###########################################################################################
#
# Have any of the accounts got an expired password.
#
###########################################################################################

time_now=$(perl -le 'print time')
password_last_update=$( awk 'BEGIN{ FS = "\n"; RS = ""} $1 == "'"$user_name"':" { if (match($0,/lastupdate/) ) {print substr($0, RSTART+13, 10)} } ' /etc/security/passwd )
if [[ -n $password_last_update ]]; then
        if (( $(( $time_now - $password_last_update )) > $(( 60*60*24*7*4)) )); then
		if [[ -z $has_it_expired ]]; then
		has_it_expired=$( print Password older than 4 weeks - $user_name )
		else
		has_it_expired=$( print $has_it_expired $user_name )
		fi
        fi
fi
done
##########################################################################################
#
# All done, lets get the output to some where - so as we can have a look at it.
#
##########################################################################################

if [[ $1 = "-o" ]]; then
this_script=$(basename $0)
output_file=/var/adm/rebuild/${this_script%%.sh}.txt
print '$Id$' >$output_file
put_it_out_there >>$output_file
else
put_it_out_there
fi

This script was found on the web and adapted by me; it did work fine. I no longer have any AIX to test it on, so you'll have to run this first on a sandbox system, which will need perl installed. :)

Regards

Dave

Ok. I will exercise caution. Thank you for your help. I will try it and let you know.