Bulk deletion of accounts

Due to GitLab coming with open signup out of the box, and me not initially noticing this, I now have 10,000+ accounts on my instance that are pure garbage. I want to delete them all.

There appears to be no bulk deletion mechanism in the web GUI.

I’ve found a way in the API to get a list of all users; great. The delete mechanism in the API is defeating me. For a sample username Fred, sample ID 4444, I have gotten “{“error”:“404 Not Found”}” from curl on all of the following URL attempts:

curl --request DELETE -H “PRIVATE-TOKEN: my-private-token” “https://gitlab.my.domain/api/v4/users/:4444/hard_delete

curl --request DELETE -H “PRIVATE-TOKEN: my-private-token” “https://gitlab.my.domain/api/v4/users/:Fred/hard_delete

curl --request DELETE -H “PRIVATE-TOKEN: my-private-token” “https://gitlab.my.domain/api/v4/users?id=4444&hard_delete

curl --request DELETE -H “PRIVATE-TOKEN: my-private-token” “https://gitlab.my.domain/api/v4/users?username=Fred&hard_delete

If I go with what is explicitly in the documentation, I get a much more detailed error message instead:

curl --request DELETE -H “PRIVATE-TOKEN: my-private-token” “https://gitlab.my.domain/users/:4444

which boils down to “The page could not be found or you don’t have permission to view it.”.

What is an actual, proper, constructed URL for my sample user, so that the delete command will work? “DELETE /users/:id” (from Users API | GitLab) isn’t working as an example. I can extrapolate from a sample based on a given username or ID.

My token is an impersonation token for my account (which is an admin account). It has the following scopes enabled:

api, read_user, read_api, sudo

Try removing the : before the ID, this should just be the number of the user account without the colon. Also hard_delete is if you want to remove anything in your Gitlab instance that they might have created in repositories etc - without this option it would move their contributions to the ghost user. I think although not sure the correct format then would be?hard_delete after the user id, so:

curl --request DELETE -H “PRIVATE-TOKEN: my-private-token” “https://gitlab.my.domain/api/v4/users/4444”

should work.

That URL works, but not with the trailing ‘/hard_delete’.

I want hard_delete because these accounts appear to have been made by a dodgy SEO company. The content should absolutely be deleted, not kept.

curl --request DELETE -H “PRIVATE-TOKEN: my-private-token” “https://gitlab.my.domain/api/v4/users/4444?hard_delete”

at least does not produce an error. But this also seems to work:

curl --request DELETE -H “PRIVATE-TOKEN: my-private-token” “https://gitlab.my.domain/api/v4/users/4444?wigglesnurf”

which makes me think that I’m not getting the actual functionality.