Update: The easiest way to do this is actually to install Offset and then put a RemoveLastUserKeychains script into /usr/local/offset/logout-every (make sure it’s owned by root:wheel and has 755 permissions).
What’s the problem?
If you’re in a primarily or exclusively Mac environment but you’re managing logins through Active Directory, password changes at the AD level confuse the local Macs: they will log you in just fine, but they will not know what to do with your previous login keychain, which is still protected by the old password.
One potential solution is to delete the keychains after a mandatory password change… or just at a regular interval. Here are two ways to do that.
Method #0: Use a Launch Agent
Go to Deleting keychains at user logout for the best way to do this.
Method #1: Use a Logout Hook
Why you might not want to use the logout hook
Apple deprecated the login/logout hooks as of Mac OS X 10.4 (Tiger), and—as of this writing—we’re up to OS X 10.10 (Yosemite), and the hooks still work. In theory, though, Apple could yank support for the login/logout hooks at any time.
Credit where credit is due…
If you’d like to use a logout hook, this is what you do (credit to How to delete Keychains at logout for being the basis of these instructions).
Make a location for your script
Amsys recommends creating a directory specific to your organization (they use /Library/amsys, and we would use /Library/siprep), so create one appropriate for your organization.
In the terminal, you can create that directory using this command:
Make your script
To make the script, you can use the graphical text editor of your choice (e.g., TextWrangler or Sublime Text). If you prefer Mac OS X’s built-in TextEdit, just be sure you’re saving as plain text and not rich text format. Just remember that once you copy the script to /Library/nameofyourorg, you need to change ownership of the file to root (owner) and wheel (group).
A simple way to use the terminal to make the script (and avoid having to change ownership of the file later) is to just use the built-in text editor, nano:
Then, paste in this code:
#!/bin/sh
# The logout hook passes the short name of the user who is logging out as $1
rm -Rf "/Users/$1/Library/Keychains/"*
Then save (Control-X).
Amsys had $USER instead of $1, but I couldn’t get the script to work unless I used $1.
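As an added example (not from the original post or from Amsys), here is a more defensive version of that logout-hook script: it checks that $1 looks like a real local short name before deleting anything, quotes the path so a stray or empty argument can never widen the rm, and writes an audit line to the system log. The optional second argument, a base directory standing in for /Users, is an assumption added only so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: a defensive RemoveLastUserKeychains logout-hook script.
# loginwindow passes the short user name as $1; the optional $2 (assumed,
# not part of the hook interface) replaces /Users so the logic can be tested.

# Return 0 only if the argument is a plausible local short user name.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*) return 1 ;;   # empty, path/odd chars, or dot-leading
        root|_*) return 1 ;;                    # never touch root or _service accounts
    esac
    return 0
}

# Empty a user's ~/Library/Keychains, refusing unsafe input.
# Returns 2 on a rejected name, 0 otherwise (a missing directory is not an error).
remove_user_keychains() {
    user="$1"
    base="${2:-/Users}"
    valid_username "$user" || { echo "refusing: bad user name '$user'" >&2; return 2; }
    kc="$base/$user/Library/Keychains"
    [ -d "$kc" ] || { echo "nothing to do: $kc does not exist" >&2; return 0; }
    # Quoted path plus the name check above: rm never sees "/Users//..." or "../"
    rm -rf "$kc"/* 2>/dev/null
    # Leave an audit trail; logger may be absent outside macOS, so never fail on it
    logger -t RemoveLastUserKeychains "removed keychains for $user" 2>/dev/null || true
    return 0
}

# Entry point when run as the hook; does nothing if no user name was supplied.
if [ "$#" -gt 0 ]; then
    remove_user_keychains "$1"
fi
```
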
Make the script executable
Whether you used a graphical text editor or a terminal-based one, you’ll still want to change the permissions on the file so anyone can execute it:
Add your script to the logout hook
To get the logout to invoke your script, use this command:
Method #2: Use a Launch Daemon at boot time
This second method uses a Launch Daemon (which is not deprecated), but it also assumes you will reboot the machine from time to time (for example, if you have your machines scheduled to reboot every night or every weekend).
The advantage, of course, is that if Apple decides to no longer support the logout hook, this method will likely still work. The disadvantage is that this will work only when you reboot the machine and not every time a user logs out.
I haven’t found a way to successfully create a launchd process that executes at logout (rather than at login). Someone on Stack Exchange claims to have been able to do it, but I couldn’t replicate those steps with success.
So this method simply deletes all users’ keychains at boot time, running at the system level as root.
Create the shell script
Similarly to the other method, we’re going to create a custom directory for your organization (if it doesn’t already exist):
Then make the script (again, you can do this in your favorite graphical text editor, move it over to the directory, and then change ownership to the root user and wheel group, but this is a fairly straightforward way to do it in one fell swoop without having to change ownership later):
In the text editor, paste in:
#!/bin/sh
# Delete keychains for all users (runs as root at boot, so every home directory is in reach)
rm -rf /Users/*/Library/Keychains/*
Then save (Control-X).
Make it executable
Create the Launch Daemon
You’re going to create a custom .plist file.
In the text editor, put in:
Save the file (Control-X) and reboot.