
An introduction to groups System
One of the first things I wanted to do when I got my shiny new OS X computer was set up groups for my users (me, partner, guest). I wanted one group for me and my partner, and some other group or no group for guest access. That way my partner and I could share files easily, but any guests that I admitted to the machine could not see our data. Imagine my disappointment to find out that this is not supported well under OS X (non-server; OS X Server apparently has a wonderful GUI utility for managing users and groups).

Background: with standard Unix, the administrator edits files in the /etc directory to create users and assign them to groups. OS X does not work this way; instead, it uses a powerful, flexible, and cryptic system called NetInfo to manage these bits and pieces of administrivia. So, forget about going into /etc/group and editing the file to put users in groups. Side note: apparently, the point of the NetInfo system is to be able to organize user administration data so that someone can use a remote computer and seamlessly access his/her usual home directory, etc.


Disclaimer: changing values in the NetInfo database is not without risk. Be very careful and mindful of the changes you are making, or you could end up with a system that won't let you log in or won't let you access files that you want to access. OS X does not include documentation on NetInfo Manager, so the following includes some intelligent guesses on my part.

It turns out that Apple provides a GUI utility called NetInfo Manager even in the non-server edition, and this can be used to edit NetInfo data. By default, when you create a user with the User pane of the System Preferences utility, it assigns that user a group id (gid) of 20. It turns out that this corresponds to the group "staff"; however, the job is only half done: the user has been assigned a group id, but the group part of the database hasn't been updated to include whatever users you create. What you need to do is go into NetInfo Manager, find the group "staff", and make it list the users that you want put together. A relatively simple extension of this idea is to create an entirely new group, assign users to it, and then edit the users' profiles to use the newly-created group id.

Begin by starting up NetInfo Manager (found in the Utilities directory under Applications). The main form shows a display similar to the List view of the Finder: clicking on one item in the main window advances the window to the right and shows a new level of detail below in the hierarchy. Some orientation: items in the upper half of the form are termed "directories"; within a given directory there are properties (shown below in the lower left window), and each property may have one or more values, shown in the lower right window. Directories, in this context, are not literally directories like you find on the disk; they are more like categories of information within a database of information. If all this sounds similar to the Windows registry, well, you're right, they are similar.

The top level of the directories is "/", just like in the file directory system. Below that, you'll see a list of directories with familiar names: groups, mounts, printers, users, and some others. If you click on users, for instance, the column view will show a list of users at the right, including all the users that you've added. Clicking on one of those user names will fill in the lower pane of the display with properties, including values for that user's home file directory, starting shell, etc. Note that the gid for users that you've added is 20.

Suppose you wish to finish the job of putting all your added users into the "staff" group. Starting at the top of the hierarchy, click on "/", then on "groups", then on "staff". You'll see that a group has four properties; one of them is called users, and that's the one we are interested in. If you've never made any changes before, the only user within "staff" will be "root". Make sure that you have permission to make changes by clicking on the little lock icon in the lower left of the form. Then click once on the "users" property in the lower part of the form. Then, under the Directory menu item you'll find a command to "Append value." Select this, and you'll be able to add a second user's name to the group. Do this as many times as it takes to add all the users that you wish to add to "staff". If you click on a different directory item, NetInfo Manager will ask if you want to save your changes.

It should be possible to extend this concept to create entirely new groups.

Don't forget that the directory that holds the file to be shared with the group must also be readable, writable, and executable by the group.

[Editor's note: I haven't done any work with groups in OS X, and I have not tried these instructions myself.]
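
A way to check for the "half done" state described above, as an added example that is not part of the original hint: the function lists every account whose primary gid points at a group that does not name that account in its users list. It assumes flat-file input of the kind `nidump passwd .` and `nidump group .` print (gid in field 4 of a user record, members in field 4 of a group record); the function name and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original hint).
# unlisted_members PASSWD_FILE GROUP_FILE
# Prints "user group gid" for each account whose primary gid names a group
# that does not list the account among its members.
unlisted_members() {
    awk -F: '
        # First file read: group records (name:passwd:gid:member,member).
        NR == FNR {
            if ($0 ~ /^#/ || NF < 3) next
            gname[$3] = $1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) listed[$3, m[i]] = 1
            next
        }
        # Second file read: user records (name:passwd:uid:gid:...).
        $0 ~ /^#/ || NF < 4 { next }
        {
            gid = $4
            if (!(gid in gname))
                print $1, "(no group record)", gid
            else if (!((gid, $1) in listed))
                print $1, gname[gid], gid
        }
    ' "$2" "$1"
}

# Runs the check over constructed sample records (not from a real machine).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/group" <<'EOF'
wheel:*:0:root
staff:*:20:root
EOF
    cat > "$tmp/passwd" <<'EOF'
root:*:0:0::0:0:System Administrator:/var/root:/bin/tcsh
me:*:501:20::0:0:Me:/Users/me:/bin/tcsh
partner:*:502:20::0:0:Partner:/Users/partner:/bin/tcsh
guest:*:503:99::0:0:Guest:/Users/guest:/bin/tcsh
EOF
    unlisted_members "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo
```

An empty report means every account is named in the member list of its primary group; a "(no group record)" line marks a gid with no matching group entry at all.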
The following comments are owned by whoever posted them. This site is not responsible for what they say.
also commando style ;-)
Authored by: macubergeek on Apr 29, '02 05:30:18AM

There is a thread on how to add and delete users from command line here:

I use SharePoints
Authored by: Ducon Lajoie on Apr 29, '02 02:32:18PM
I use SharePoints to create groups and assign shares. I often get unexpected results, but I think that's more an issue with my lack of knowledge of the group system and netinfo than a problem with the program.

Speaking of netinfo, I'm still trying to figure out a way to allow a user to use a home directory located on another machine on the network. Apparently, it's doable with OS X server. Any way to pull that off with the regular OS X?


Make both Admin
Authored by: JohnnyMnemonic on Apr 29, '02 02:58:18PM
OS X does support three groups, actually, and it sounds like this may have worked for this situation: root, admin group, non-priv group. For ex, you could have made both yourself and your partner admins, changed the root password via "NetInfo" and then only allowed guests non-admin accounts.

Although OS X only allows for 3 groups through the GUI users panel, it does allow for those three, that I wonder if all this mucking about in the NetInfo was really necessary--usually only necessary if you want to create more than those three.

MacWorld article expands on Groups posting
Authored by: klieb2002 on May 09, '02 03:14:42PM

It turns out that my guesses on NetInfoManager's operation were mostly correct. The latest (June 2002) issue of MacWorld has an OS X Secrets column by Dan Frakes on page 102 that goes further, describing how to copy groups and add users, and also how to change the group associated with a given file using a GUI shareware utility called XRay.

There is also a link to a page which purports to tell you how to set up OS X such that your home directory is on another (possibly remote?) volume. The link given is:

This may help the respondent who wanted to be able to move his/her home directory to a remote volume.

Also, someone suggested that I could achieve what I wanted using OS X's three built-in groups, without resorting to NetInfoManager; I had considered that approach, but didn't want my partner to have Administrator privileges, so no go.

MacWorld article expands on Groups posting
Authored by: robleach on Feb 18, '03 06:49:54PM
I tried out the article's recommendations and it didn't work for me. Here's what happened:
[hoth:/Volumes/thila] robleach% sudo ditto -rsrc "/Users/robleach" "/home/plague2/users1/robleach/pub/robleach"
/private/automount/home/plague2/users1/robleach/pub/robleach: Operation not permitted
[hoth:/Volumes/thila] robleach% 
I'm trying to "merge" my network account and my local account so I don't always have to deal with file permissions in an RCS system on a UNIX machine. I've managed to figure out an automount of the remote disk via help on this website, but am now having trouble with this account problem. The 2 accounts have the same username, but different uids and groups. Even if I change the home directories and all its subdirectories to be owned by the uid and gid of my network account, I get the same error from ditto. I'm attempting now to tar it up and mv it to the location, but as far as merging the two accounts, I imagine that will be a nightmare. I think I know what to do so that I won't harm my network account, but as far as getting the mac to still work afterwards I imagine will be wrought with peril. I did make a back-up user account under a different name as a safeguard.

Our sysadmin had suggested simply changing the uid/gid on my current local account to match the network account, but I tried that and ran into trouble. Luckily, I was able to reverse the damage.

Any advice on this? How should I go about merging the accounts? My current network account makes decisions in the .login and .cshrc files based on the return of uname to differentially create my path and aliases etc depending on the system I log into (sun, linux, sgi, etc). Is there any reason to believe the same strategy won't work for my mac?


An introduction to groups
Authored by: dsquared on Dec 27, '03 05:31:42PM

I just got a new 20" iMac ( 10.3.1 ) and was hoping to synchronize the file systems between it and my G4 desktop running 10.2.8. I copied my wife's directory to the new computer using tar and was a bit disconcerted to find that the new computer had her group the same as her user id. The old computer had her group as "staff". I tried in vain to re-set her group to staff via netinfo manager. I changed her user group to "staff" -- no luck. I changed the "staff" group to include her -- no luck. Finally I discovered that for whatever reason, the files inside your user directory ( and apparently other directories as well ) inherit the group of the folder they are in. I changed all of the folders/files via "chown" to "staff" and voila, new files have the group "staff". Now I should be able to keep the two file systems in sync and either of us will be able to use either computer.
