
Create a 'hidden at login' Admin account System
Although security on a Mac is debated heavily by both sides, I prefer to stay safe and use a standard account for my day-to-day uses, and an extra Administrator account for my, well, administrative uses. The thing that bugs me is that every time I log in, I see this big login option, Administrator, and that easily tells someone that is physically stealing my notebook that he needs to crack the admin account, and not mine, to hack my system. I prefer to hide the admin account, but I don't really like to use the Terminal.

So, to the hint: from what I've seen, if you create an account named Administrator with a short name of Admin, the computer will automatically hide the account for you. However, this only works when the new Administrator account is the only administrator account in the system.

[robg adds: I tested this hint, and (somewhat to my surprise), it does work. Case matters, though -- make sure you capitalize the short name! In order to have the account auto-hidden, it does need (or so it seems at first) to be the only admin account. My first test failed, and that's because it was the second admin account on the machine. I then converted my standard admin account into a regular account, then created the new Administrator account. On my next login, the Administrator account wasn't listed in the login screen.

However, after logging in as the new admin, I then switched my standard account back to administrator and logged out. This time, the Administrator account stayed hidden. So it seems it has to be the only admin account when it's created, but after that, it will remain hidden if you add additional administrators.]

Create a 'hidden at login' Admin account
Authored by: nvdingo on Jun 05, '07 07:38:27AM
While this is a straightforward hint,
I still prefer this method of being able to hide accounts.
http://www.macosxhints.com/article.php?story=20050827123342292

[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: mustang_dvs on Jun 05, '07 07:57:29AM
While the simplicity of this hint is impressive, given that it obviates the need for command-line work, or editing the NetInfo files, the fact that there is a single option for a hidden name, and that it's fairly easy to guess, somewhat negates the advantage of a hidden account, if you're banking on it for security. (If you're relying on it to keep kids' curiosity at bay, it's probably very effective.)

If you're looking for something more secure, there is the previous hint that's listed in the comments above, as well as using NetInfo Utility to delete the user's "Full Name" and change the UID to a number less than 500 (make sure that the UID you're changing it to is not already in use by a background process).

[ Reply to This | # ]

Create a 'hidden at login' Admin account
Authored by: Shawn Parr on Jun 05, '07 08:05:39AM

Bear in mind that this will only work against very casual 'bad guys.'

Anyone who can get a Mac OS installation disk (very easy) can see a list of the user accounts on the computer, change their passwords without having to know the current version, and enable the root account. All just by popping in a disc and holding down the 'C' key.

With that in mind, if you are so worried about people 'seeing' that there is an admin account, why are you using a list of users anyway? Isn't your personal data what is really important? As such if they can click on your name in a list they have already 'guessed' 1/2 of the equation of getting into your account, and thus your personal files, keychain, etc.

Setting the login to display a username and password prompt is a much more effective solution, is easier, and can be done later, rather than having to re-install if you didn't know how to do it initially.

Of course that still doesn't fix the initial issue of using an install disc to change passwords, but you can use FileVault to take care of that, since changing the password via the install disc is only for the login process, not for the FileVault encryption.



[ Reply to This | # ]
Use the keychain too
Authored by: SuperCrisp on Jun 05, '07 09:05:31AM

Yes, yes, security at login level on a Mac is only for casual defense. Store passwords in keychain or a similar app, at the very least. I suffered identity theft twice in my life, once way back in the late 80s when a Mac Classic was stolen from my desk, and then again in the 90s by someone who nabbed a Palm Pilot and wallet off me. It's a hard lesson to learn, but when you get all sorts of bills on your credit card from St. Petersburg, Russia or from a store three states away, you start to catch on. Especially the second time when your bank starts to get a bit annoyed with you. Lock down the stuff that really matters. If you have THAT much stuff that matters secrecy-wise, why are you getting security advice here instead of from Q down in the basement?



[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: pub3abn on Jun 05, '07 09:16:12AM

I believe the install disc technique would only work if someone has not installed the Open Firmware Password utility from Apple (highly recommended for that reason).



[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: designr on Jun 05, '07 09:58:39AM
I believe the install disc technique would only work if someone has not installed the Open Firmware Password utility from Apple (highly recommended for that reason).
The Open Firmware Password is useless if someone has physical possession of the box.

To remove Open Firmware password setting:
1. The total amount of RAM in the computer must change. This can be done by either adding or removing DIMMs.
2. The PRAM must be reset 3 times by holding down CMD+OPT+P+R at restart.
This will completely bypass the password protection.

Instead I use FileVault for the account that has really important data. I use Keychain or a third party password utility like Password Wallet for everything else.

[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: tirerim on Jun 05, '07 08:07:39AM

Or you could just have the login window require that you type your username rather than selecting it from a list (under Accounts -> Login Options). Then none of your account names will be known.

Of course, given physical access to the machine, it doesn't matter much.



[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: mantrid on Jun 05, '07 08:29:46AM

The point of this hint isn't to hide the admin account for security reasons. It is to keep a rarely used admin account from cluttering the login window. It says so right in the hint.

That said, the HiddenUsersList way is more flexible, and may actually be more secure because of the guessability factor of "Admin", knowing that a successful crack will give the attacker admin privs.



[ Reply to This | # ]
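The login-window settings discussed in the comments above, checked together (an added example, not part of the hint or of any comment): it parses a `com.apple.loginwindow` preferences plist and reports whether admin account names are disclosed or guessable. `SHOWFULLNAME` is the preference key behind the name-and-password login option and is not named on this page; the function name, the `maint` and `sysop` accounts and both sample plists are constructed for illustration.

```python
import plistlib

# Built-in user/group names a commenter on this page advises against reusing
# (compared case-insensitively, since "Admin" vs "admin" is the case at issue).
RESERVED = {"admin", "wheel", "www", "daemon", "jabber", "bin"}


def audit_loginwindow(plist_bytes, admin_short_names):
    """Return findings for a com.apple.loginwindow plist and a list of admins."""
    prefs = plistlib.loads(plist_bytes)
    findings = []

    # SHOWFULLNAME true -> login window asks for name and password (no list).
    name_prompt = bool(prefs.get("SHOWFULLNAME", False))
    hidden = set(prefs.get("HiddenUsersList", []))

    if not name_prompt:
        findings.append("login window shows a user list; account names are disclosed")
        for name in admin_short_names:
            if name not in hidden:
                findings.append(f"admin account '{name}' is visible in the list")

    # Hiding an account does not help if its short name is the obvious guess.
    for name in admin_short_names:
        if name.lower() in RESERVED:
            findings.append(f"admin short name '{name}' matches a built-in name")
    return findings


# Constructed sample: list mode, only the 'maint' admin explicitly hidden.
SAMPLE_LIST_MODE = plistlib.dumps(
    {"SHOWFULLNAME": False, "HiddenUsersList": ["maint"]}
)
# Constructed sample: name-and-password prompt, nothing hidden.
SAMPLE_PROMPT_MODE = plistlib.dumps({"SHOWFULLNAME": True})

if __name__ == "__main__":
    for label, blob, admins in (
        ("list mode", SAMPLE_LIST_MODE, ["Admin", "maint"]),
        ("prompt mode", SAMPLE_PROMPT_MODE, ["sysop"]),
    ):
        print(label)
        for finding in audit_loginwindow(blob, admins) or ["no findings"]:
            print("  -", finding)
```

On a real machine the input would be the bytes of `/Library/Preferences/com.apple.loginwindow.plist` and the members of the `admin` group.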
Create a 'hidden at login' Admin account
Authored by: Shawn Parr on Jun 05, '07 09:38:04AM
The thing that bugs me is that every time I log in, I see this big login option, Administrator, and that easily tells someone that is physically stealing my notebook that he needs to crack the admin account, and not mine, to hack my system. I prefer to hide the admin account, but I don't really like to use the Terminal.
I think the submitter doesn't agree with that sentiment. :)

[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: PostScript on Jun 05, '07 04:40:24PM

I actually do! xD

You see, I'm not one of the best writers in the world, and I have trouble expressing my thoughts...

And, on the matter of security, as 85% of the people who use computers use Windows, I wouldn't be TOO worried about a hacker getting into the account...

---
Phillip
"If at first you don't succeed... so much for skydiving." -HY



[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: Paul Cook on Jun 05, '07 08:40:13AM

It was a while ago, but I have personally seen a variation of this cause problems when the "admin" account is deleted. Following is what I think happened.

One of my clients set up a computer with "admin" as both the long and short user name. The admin account was later deleted and the computer stopped working properly and all admin users lost admin privileges. (I don't remember the exact symptoms.) A check in NetInfo Manager showed that there was no "admin" group.

What I think happened:
When you create an account with a short user name of "xyz", OS-X creates a group called "xyz." Many files created by/for the "xyz" user will be owned by the "xyz" user and the "xyz" group will have group level privileges to those files. When the "xyz" user is deleted, normally the "xyz" group is deleted as well.

There is already a group named "admin" and all admin users are part of that group. It is their presence in the "admin" group that makes them admin users.

What I think happened is that when the "admin" user was deleted, the admin group was as well.

This experience was a while ago and it may have now been fixed, but I think it is wise to stay away from using long or short names that are the same as any preexisting users or groups in OS-X (i.e. admin, wheel, www, daemon, jabber, bin, etc.) I would be inclined to avoid different case (upper vs lower) versions of these names as well.

If it hasn't been fixed, it should be, as it is not "user friendly" to allow a user to create names that will cause such problems.

Instead, I suggest following nvdingo's suggestion for hiding user names.



[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: mozart111 on Jun 05, '07 08:51:53AM

How do you convert a standard admin account into a regular account?



[ Reply to This | # ]
Preferences, Accounts pane
Authored by: SuperCrisp on Jun 05, '07 08:59:50AM

If you take a good look at the Accounts panel in Preferences, the answer will reveal itself to you. Bottom of screen, checkbox: allow user to administer this computer.

To maintain karma, answer the next "stupid" question you come across. No insult intended; I ask seven or eight "stupid" questions every day.



[ Reply to This | # ]
How do you log into a hidden account
Authored by: rhowell on Jun 05, '07 09:23:03AM

How do you log into a hidden account when names and icons are displayed at the login window?



[ Reply to This | # ]
How do you log into a hidden account
Authored by: tinb on Jun 05, '07 09:43:52AM

Click "Other...", then type...



[ Reply to This | # ]
How do you log into a hidden account
Authored by: Echidna on Jun 05, '07 04:34:15PM

Or, if you don't have the "Other" enabled, hit option-down arrow and then hit enter (or return). Even though it selects a named account, it will bring up the name/password fields. It's a bizarre key combo, but it works.



[ Reply to This | # ]
If there is no "Other..."
Authored by: gabester on Jun 06, '07 09:35:31AM

I found that selecting an account from the list, then holding down option and hitting return or enter called up the text entry lines for username and password.



[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: mmouse on Jun 05, '07 10:03:45AM
I use Mike Bombich's simple LoginWindow Manager for this purpose (and others). It's free (do tip!) and simple. One checkbox click and an admin password, and all admin accounts are hidden:
http://www.bombich.com/software/lwm.html

---
--mmouse

[ Reply to This | # ]

Create a 'hidden at login' Admin account
Authored by: emale on Jun 05, '07 10:36:23AM

I guess this is new in 10.4. Some Macs I updated from 10.3 to 10.4 "lost" the Administrator account at the login window. For me it's likely more annoying, because logging in as administrator has become laborious.
Bug or feature?



[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: HelloThisIsAdam on Jun 06, '07 05:12:17AM

It's been my experience that any account created with the short name 'Admin' (upper case "A") is the root account. Call it what you want in the long name, but it IS root and acts as such. So while 10.4 will allow you to create such an account in the Accounts System Prefs panel, it is smart enough to keep that account off of the login screen. 10.3 would allow that account to be displayed on the login screen. I upgraded a machine for someone from 10.3 to 10.4 and his default login account vanished from the list. The long name had nothing to do with the word "Administrator" but its short name was "Admin". I had to re-create his environment for him under a new login name and deactivate root. A short name of "admin" (lower case "a") does not link to the root account.

So, if you want a hidden, all-powerful account, use "Admin" for the short name. If you don't trust your user with that much power, then stay away from it....



[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: mantrid on Jun 06, '07 08:21:31AM

Any member of the admin group can perform root functions, usually by entering their password, but that isn't quite the same as being root.

Apart from not appearing in the login window, I haven't noticed anything in 10.4 to set apart the user with the name "Admin" from any other admin user, and removing "Admin" from the admin group even demotes it to a standard account. With what sort of activities are you seeing "Admin" behaving as root, as a function of the name?



[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: HelloThisIsAdam on Jun 08, '07 07:18:34AM

Well, it's been a while since I encountered a machine set up this way, but the fact that a number of functions that would normally need an administrator's name and password entered (i.e., installs of some programs, certain System Prefs changes) just happen with no password request, and the fact that I could view and change the contents of all the Users folders on that machine lead me to think that I'm functioning as root. It's like a GUI version of sudo on everything I try to do...

I'll try and verify this. I work in a school system and should encounter at least one Mac with this account setup over the summer break...



[ Reply to This | # ]
Hide account from "fast user switching" list?
Authored by: fud on Jun 06, '07 11:14:51AM

Does anyone know how to hide accounts from the "fast user switching" menubar list, admin or not? I would just as soon not see my admin or repair accounts listed.



[ Reply to This | # ]
Hide account from "fast user switching" list?
Authored by: mustang_dvs on Jun 07, '07 11:52:14AM

You have to remove the user's "Full Name" in the NetInfo file -- see my comment at the top of this page for details.



[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: postglock on Oct 20, '08 02:25:03AM

I don't quite understand this hint. Robg mentions that he "converted my standard admin account into a regular account", before creating the new "Admin" account, but I fail at this step.
Currently, I have one admin account. When I am logged in with this account, I can't uncheck the "Allow user to administer this computer" checkbox. What do I need to do?



[ Reply to This | # ]
Create a 'hidden at login' Admin account
Authored by: postglock on Oct 20, '08 02:27:06AM

Oh. I just realised I was replying to a hint from over a year ago...



[ Reply to This | # ]