Script - Removing User Lync Data/Files

techgeek
New Contributor III

Hi all

I have been tasked with making an uninstall script to remove all Lync data and files for a user. This is primarily to resolve Lync issues we often have in our organisation, and we would like to have a working script that a user can just run via Self Service if Lync is causing issues for their user account.

We have come across this Microsoft recommended list of items to remove...
https://support.microsoft.com/en-gb/kb/2691870

I have created a script to try and match this, except that we are NOT going to remove the Lync app, since we just want to remove the user Lync data. It is very rare for us that the Lync application itself needs to be re-installed (the majority of the time, it's the user data).

My problem? My scripting skills are not as top notch as I would like them to be. I seem to be having issues in getting the script to remove a user's stored Keychain application password, as it keeps failing for me.

Any advice or assistance would be greatly appreciated...

Many thanks

#!/bin/bash

# Domain name (placeholder, replace with your AD domain)
domain=name_of_your_domain

# Current user logged in (owner of the console device)
loggedinuser=$(ls -l /dev/console | awk '{ print $3 }')

# User's email address, read from Active Directory and lower-cased
emailaddress=$( dscl "/Active Directory/$domain/All Domains/" -read "/Users/$loggedinuser" EMailAddress | awk 'BEGIN {FS=" "} {print $2}' | tr '[:upper:]' '[:lower:]' )

# Let a glob that matches nothing expand to nothing instead of the literal pattern
shopt -s nullglob

# Remove user Lync data files

if [ -e "/Users/$loggedinuser/Library/Preferences/com.microsoft.Lync.plist" ] ; then
    echo "Removing user's com.microsoft.Lync.plist file..."
    rm -f "/Users/$loggedinuser/Library/Preferences/com.microsoft.Lync.plist"
else
    echo "No com.microsoft.Lync.plist file located"
fi

# A glob can match several files, so collect it in an array instead of testing [ -e pattern ]
regdb=(/Users/$loggedinuser/Library/Preferences/ByHost/MicrosoftLyncRegistrationDB.*)
if [ ${#regdb[@]} -gt 0 ] ; then
    echo "Removing user's MicrosoftLyncRegistrationDB files..."
    rm -f "${regdb[@]}"
else
    echo "No MicrosoftLyncRegistrationDB file located"
fi

# Microsoft-Lync-0.log, Microsoft-Lync-1.log, ... are all matched by the glob
lynclogs=(/Users/$loggedinuser/Library/Logs/Microsoft-Lync-*.log)
if [ ${#lynclogs[@]} -gt 0 ] ; then
    echo "Removing user's Microsoft-Lync log files..."
    rm -f "${lynclogs[@]}"
else
    echo "No Microsoft-Lync log file located"
fi

# The path contains spaces, so it must be quoted
if [ -d "/Users/$loggedinuser/Documents/Microsoft User Data" ] ; then
    echo "Removing user's Microsoft User Data directory..."
    rm -R "/Users/$loggedinuser/Documents/Microsoft User Data"
else
    echo "No Microsoft User Data directory located"
fi

# Remove Lync user stored password
echo "Removing user's stored lync keychain password..."
security delete-generic-password -a "Microsoft Lync" "/Users/$loggedinuser/Library/Keychains/login.keychain"

# Remove Lync KeyContainer
keycontainers=(/Users/$loggedinuser/Library/Keychains/OC_KeyContainer__*)
if [ ${#keycontainers[@]} -gt 0 ] ; then
    echo "Removing user's Lync KeyContainer..."
    rm -R "${keycontainers[@]}"
else
    echo "No user Lync KeyContainer located"
fi

# Remove Lync keychain certificate
echo "Removing user's Keychain Lync Certificate..."
security delete-certificate -c "$emailaddress" "/Users/$loggedinuser/Library/Keychains/login.keychain"

exit 0

RobertHammen
Valued Contributor II

Be aware that this line:

rm -R /Users/$loggedinuser/Documents/Microsoft User Data

Will nuke an Outlook 2011 profile, if one exists, including any locally-filed mail.

May not be a concern in your environment, but just wanted to point this out.

mm2270
Legendary Contributor III

The security command must operate as the user whenever you need to manipulate the contents of the user's login.keychain. This is actually for security reasons, as you might expect. Since your script would be running either as root or as the service account, it's not going to be able to make the changes you're expecting.

There are a few methods you can use to do this (run the command as the user). Some people like to use the sudo -u $loggedinuser type syntax, as shown on this thread. (There are other threads besides that one, so do some searches to pull up other ones.)

I personally find using the launchctl asuser (10.10.x and up) or launchctl bsexec (pre 10.10.x) syntax to work more reliably than the sudo -u version. Initially it's a little trickier to use, but once you get the hang of it, it's not hard at all.

Looking at some of the code you have above, I see you are getting the logged in username with ls -l /dev/console | awk '{ print $3 }'.
I would suggest changing this to use either stat -f%Su /dev/console or the method described by @bentoms in this blog post. But regardless, once you have the username, you can grab the user's UID, which you need for the launchctl asuser command, like this: id -u $loggedinuser
Now we can use these two items in the script.

/bin/launchctl asuser $(id -u $loggedinuser) sudo -iu $loggedinuser "security delete-generic-password -a \"Microsoft Lync\""

Breaking this down, we are calling /bin/launchctl asuser, passing it the logged in user's UID, then running sudo -iu, which means something like "initiate as user", then passing the name of the logged in user who we want it to run as, and finally, surrounded in double quotes, the security command we want that user to run. Note that any double quotes not part of the overall command need to be escaped with a backslash, as shown above with the words "Microsoft Lync", to prevent any problems.

Putting this all together, it would look something like this

#remove lync user stored password
    echo "Removing user's stored lync keychain password..."
    /bin/launchctl asuser $(id -u $loggedinuser) sudo -iu "security delete-generic-password -a \"Microsoft Lync\""

and

#remove lync keychain certificate
    echo "Removing user's Keychain Lync Certificate..."
    /bin/launchctl asuser $(id -u $loggedinuser) sudo -iu "security delete-certificate -c $emailaddress"

Note that the above should work if running this on Yosemite and above. It won't work on older OSes. For that, you need to use launchctl bsexec, which is a little different. Let me know if you also need to run this on 10.9 or lower and I can point you to threads that detail how to do that.

Last note: I didn't test any of the above, but based on the fact that I tend to use this process pretty often these days, I'm fairly confident it should work. That said, test it out and post back if you see any issues.
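An added example (not code from the original post or from mm2270) that puts the advice above into a guarded form: the console user is read with stat, the value is checked before anything is run, and the security command is executed in that user's session via launchctl asuser. It passes the command and its arguments to sudo -u as separate words rather than as one quoted string to sudo -iu, which avoids the nested double quotes entirely. The function names are the example's own, and the guard assumes home directories live under /Users (overridable so the check can be exercised off a Mac).

```shell
#!/bin/bash
# Added example: resolve the console user safely and run keychain cleanup as
# that user rather than as root. Function names are the example's own.

# User who owns the console device (the stat form recommended in the thread).
console_user() {
    /usr/bin/stat -f%Su /dev/console 2>/dev/null
}

# Guard: only proceed for a real, non-root account whose home directory exists.
# HOME_BASE defaults to /Users (assumption: standard macOS home location) and
# can be overridden so the check can be tested without a Mac.
# Returns 0 when it is safe to act on NAME, 1 otherwise.
validate_console_user() {
    name=$1
    home_base=${2:-/Users}
    case "$name" in
        ''|root|_*) return 1 ;;   # no console user, root, or a system service account
    esac
    [ -d "$home_base/$name" ] || return 1
    return 0
}

# Run COMMAND [ARGS...] inside NAME's launchd session (launchctl asuser, 10.10+),
# which is what security(1) needs in order to open that user's login.keychain.
# Arguments are passed through as separate words, so no nested quoting is needed.
run_as_user() {
    name=$1
    shift
    uid=$(/usr/bin/id -u "$name") || return 1
    /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$name" "$@"
}

main() {
    user=$(console_user)
    if ! validate_console_user "$user"; then
        echo "No usable console user (got '$user'); nothing removed." >&2
        return 1
    fi
    keychain="/Users/$user/Library/Keychains/login.keychain"

    echo "Removing $user's stored Lync keychain password..."
    run_as_user "$user" /usr/bin/security delete-generic-password \
        -a "Microsoft Lync" "$keychain"
}

# Only act when executed on macOS; elsewhere the functions are merely defined.
case "$(uname -s)" in
    Darwin) main "$@" ;;
esac
```

The same run_as_user wrapper works for the delete-certificate call: `run_as_user "$user" /usr/bin/security delete-certificate -c "$emailaddress" "$keychain"`. The guard matters because an empty or root value for the user would otherwise send every `rm -R /Users/$loggedinuser/...` line in the script at the wrong path.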

techgeek
New Contributor III

@RobertHammen
Thanks, yep, we are using Office 2016 in our environment. So it just made sense and was easier to just remove the root Microsoft User Data folder, since it only contains Lync.

@mm2270
Wow, thank you! You have just improved my knowledge and skill set further. Very useful information. I can't test this in my environment until tomorrow, but will definitely do it and let you know how I get on. All of the Macs here are running 10.11, so it should be good. Thanks again for taking the time to help me out.

techgeek
New Contributor III

@mm2270 I am now using the stat -f%Su /dev/console to obtain the current logged in username, which works perfectly for me.

However, on the /bin/launchctl asuser for the two recommended Keychain changes (password & certificate), which I used as...

/bin/launchctl asuser $(id -u $loggedinuser) sudo -iu "security delete-generic-password -a \"Microsoft Lync\""
/bin/launchctl asuser $(id -u $loggedinuser) sudo -iu "security delete-certificate -c $emailaddress"

I got the following output errors...

sudo: unknown user: security delete-generic-password -a "Microsoft Lync"
sudo: unknown user: security delete-certificate -c [email address]

[email address] above is an actual email address value, removed for obvious reasons.

Any idea as to what the cause could be? Seems to be not recognising the loggedinuser variable correctly.

Many thanks.

mm2270
Legendary Contributor III

@techgeek My bad! I apologize, as I see that I made a mistake in my post above. There's something missing in both commands. It should be done as:

/bin/launchctl asuser $(id -u $loggedinuser) sudo -iu $loggedinuser "security delete-generic-password -a \"Microsoft Lync\""
/bin/launchctl asuser $(id -u $loggedinuser) sudo -iu $loggedinuser "security delete-certificate -c $emailaddress"

Note that after the sudo -iu it has $loggedinuser. That's required, or you get the error you were seeing. Again, my fault, as I did not see that I excluded that in my original post above. Try it that way.

bsssuport
New Contributor

Just curious, is there a reason not to use

whoami

to get the logged in user's name? So this command would become:

loggedinuser=`whoami`

mm2270
Legendary Contributor III

whoami gives you the wrong results, unfortunately, at least in the context of Casper Suite policies. If you want to see, create a policy that simply has the following line in the Execute Command field:

echo $(whoami)

Then have that run on a test Mac and see the results. Or, put the same command in the Advanced > Execute Command field in Casper Remote and run it on a test Mac. The results will likely show "root".

bsssuport
New Contributor

Ah, got it, OK.

techgeek
New Contributor III

@mm2270 Thanks for helping me out further.

I did the changes you suggested, and this was my result...

Using the $loggedinuser variable as stat -f%Su /dev/console generated the following errors:

line 7: -f%Su: command not found
sudo: unknown user: security delete-generic-password -a "Microsoft Lync"
sudo: unknown user: security delete-certificate -c dsrectypestandard:users

So I tried again by setting $loggedinuser back to `ls -l /dev/console | awk '{ print $3 }'`, which generated a slightly better result but still errors:

security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.
security: "[email-address]" is ambiguous, matches more than one certificate
Unable to delete certificate matching "[email-address]"

[email address] above is an actual email address value, removed for obvious reasons.

So it now looks like my errors are related to two things...

Firstly, the type of Keychain object to remove. I need to remove the application password object (screenshot attached). I have also tried using delete-internet-password of security, but it still doesn't work. I'm not aware of any further delete functions for security (I've been looking in its manual).

Secondly, the remove certificate function seems to be workable. I just need to find a way to make it remove all of the multiple results. Would perhaps a function type procedure work here?

Many thanks again for helping me out here.
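An added example (not part of the original post or any reply) for the "matches more than one certificate" problem: instead of `delete-certificate -c <name>`, which refuses to act when the name is ambiguous, it runs `security find-certificate -a -c <name> -Z` to list every match, takes the hash from each `SHA-1 hash:` line, and calls `security delete-certificate -Z <hash>` once per match. The as-user wrapper is the same launchctl asuser form discussed earlier in the thread; the function names are the example's own, and the sample find-certificate output is constructed (not real keychain data) so the hash parser can be checked without a Mac.

```shell
#!/bin/bash
# Added example: remove every certificate matching a name, one by one, by its
# SHA-1 hash, instead of the ambiguous delete-certificate -c <name> form.

# Run COMMAND [ARGS...] in NAME's launchd session (launchctl asuser, 10.10+).
run_as_user() {
    name=$1
    shift
    /bin/launchctl asuser "$(/usr/bin/id -u "$name")" /usr/bin/sudo -u "$name" "$@"
}

# Read 'security find-certificate -Z' output on stdin and print one 40-hex
# SHA-1 hash per line, deduplicated.
cert_hashes() {
    awk '/^SHA-1 hash:/ { print $3 }' | sort -u
}

# Delete every certificate in USER's login keychain whose name matches NAME.
# Prints the number of certificates deleted so the caller can log it.
delete_certs_matching() {
    user=$1
    name=$2
    keychain="/Users/$user/Library/Keychains/login.keychain"
    hashes=$(run_as_user "$user" /usr/bin/security find-certificate -a -c "$name" -Z "$keychain" | cert_hashes)
    count=0
    for h in $hashes; do
        run_as_user "$user" /usr/bin/security delete-certificate -Z "$h" "$keychain" && count=$((count + 1))
    done
    echo "$count"
}

# Constructed sample of find-certificate -Z output with two matching
# certificates (not real keychain data); used only to exercise cert_hashes.
sample_find_output() {
    cat <<'EOF'
SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/Users/alice/Library/Keychains/login.keychain"
attributes:
    "labl"<blob>="alice@example.com"
SHA-1 hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
keychain: "/Users/alice/Library/Keychains/login.keychain"
attributes:
    "labl"<blob>="alice@example.com"
EOF
}

# Only act when executed on macOS; pass the name (email address) as $1.
case "$(uname -s)" in
    Darwin)
        [ -n "$1" ] || { echo "usage: $0 <certificate name>" >&2; exit 1; }
        user=$(/usr/bin/stat -f%Su /dev/console)
        n=$(delete_certs_matching "$user" "$1")
        echo "Deleted $n certificate(s) matching $1"
        ;;
esac
```

For the application password, `delete-generic-password -a` selects by the item's account attribute, so "could not be found" means the stored item's account is not literally "Microsoft Lync". Running `security find-generic-password -l "Microsoft Lync" <keychain>` as the user (it only reads, it does not delete) shows the item's attributes, so the right selector (-a account, -s service or -l label) can be picked before the delete call.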