
Change the default screen unlock behavior System
As noted in this earlier hint, when authentication is required to unlock the computer from the screen saver or to wake it from sleep, the unlock can be performed by the currently logged-in user or by any user who is a member of the local admin group (any local administrator). It is possible to change this behavior to suit your needs. First, here's how Mac OS X determines whether it should ask for authentication when waking or exiting the screen saver, and which users it authorizes to do so.

If the Security System Preference panel's Require Password to Wake box is checked, the askForPassword key is written with a numeric value of 1 in the [ID].plist preferences file, which is stored in ~/Library/Preferences/ByHost. As with other ByHost items, the [ID] is the Ethernet address of the primary Ethernet port (en0); the ID is simply used as an identifier.

With this preference set, the loginwindow process now requires that the system.login.screensaver authorization right be satisfied. By default, satisfying that right requires that the rule authenticate-session-owner-or-admin be true. These rights and rules are part of the authorization system employed by Mac OS X. The system maintains a list of rights and rules in the /etc/authorization file, which defines which users or groups are authorized to perform specific tasks.

You can change the wake/exit screen saver authorization right by following these steps.

You'll need Property List Editor (part of the Developer Tools or Server Admin Tools) or a third-party plist editor, and some familiarity with the command line.
  1. First make a copy of the authorization file in /etc. Place the copy on your desktop (for example), and make changes to that file.
  2. Change the behavior as desired:
    • If you prefer that only the current user (called the session owner) be able to unlock his/her screen, make this change. Expand the rights dictionary, and look for the system.login.screensaver right. Expand that dictionary, and change the value of the rule string from authenticate-session-owner-or-admin to authenticate-session-owner.
    • If you want the current user and members of a particular group other than admin to be able to wake/unlock the screen, make these changes:
      • You need to make a new group. We'll use screengroup for the short name. You can do this via dscl or the Accounts System Preferences pane. This is the group that will be the screen admins -- any member can unlock any user's screen.
      • You need to make a new rule. Pick a name for your new rule; we'll use authenticate-session-owner-or-screengroup. Expand and select the rules dictionary, and click New Child. Name the child authenticate-session-owner-or-screengroup, and change its type to Dictionary. Then expand the authenticate-session-owner-or-screengroup dictionary, highlight it, and add six new children (via New Child button). The new children should be:
        • allow-root of type boolean (choose yes or no). No disables root's ability to unlock the screen.
        • class of type string, and it should have a value of user.
        • comment of type string -- this can be your notes.
        • group of type string is the short name of the group whose members can unlock the screen. This example uses screengroup for the group name.
        • session-owner of type boolean should be set to Yes.
        • shared of type boolean should be set to No.
      • Modify the system.login.screensaver right to use the new rule. As above, expand the rights and system.login.screensaver dictionaries. Change the value of the rule string to authenticate-session-owner-or-screengroup.
  3. Save changes to the desktop copy of authorization. Then use Terminal to move the existing authorization file:
    sudo mv /etc/authorization /etc/
  4. Copy the edited (desktop) copy of authorization to /etc. You can do this with Terminal or the Finder -- use Go to Folder to navigate to /etc, which is hidden.
  5. Ensure that the POSIX owner and group for /etc/authorization are correct:
    sudo chown root:admin /etc/authorization
    Since you made a copy of the original /etc/authorization, the POSIX permission bits are preserved - they are 0644.
  6. Reboot.
To undo your changes, simply switch out the authorization files and reboot:
$ sudo mv /etc/authorization /etc/authorization.mychanges
$ sudo mv /etc/ /etc/authorization
[robg adds: I haven't tested this one -- and it does involve modifying a system file, so take care...]
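
The plist edit from step 2, as an added example that is not part of the original hint: it adds the six-key rule, points system.login.screensaver at it, and reports who can then unlock. The function names and the sample dictionary are constructed for illustration; the sample is a minimal stand-in for /etc/authorization, not the real file.

```python
import plistlib

RIGHT = "system.login.screensaver"

# Constructed sample: a minimal stand-in for /etc/authorization holding only
# the right and rule this hint discusses (the real file has many more entries).
SAMPLE = {
    "rights": {RIGHT: {"class": "rule",
                       "rule": "authenticate-session-owner-or-admin"}},
    "rules": {"authenticate-session-owner-or-admin": {
        "allow-root": False, "class": "user", "group": "admin",
        "session-owner": True, "shared": False}},
}

def add_group_rule(policy, group="screengroup", allow_root=False):
    """Add the six-key rule from step 2 and point the screensaver right at it."""
    name = "authenticate-session-owner-or-" + group
    policy["rules"][name] = {
        "allow-root": allow_root,   # False: root cannot unlock the screen
        "class": "user",
        "comment": "session owner or members of %s may unlock" % group,
        "group": group,             # short name of the unlocking group
        "session-owner": True,
        "shared": False,
    }
    policy["rights"][RIGHT]["rule"] = name
    return name

def who_can_unlock(policy):
    """Resolve the right to its rule and report who satisfies it."""
    rule_name = policy["rights"][RIGHT]["rule"]
    rule = policy["rules"].get(rule_name)
    if rule is None:  # a dangling rule name means the edit is incomplete
        raise KeyError("right references undefined rule: " + rule_name)
    return {"rule": rule_name,
            "session_owner": bool(rule.get("session-owner", False)),
            "group": rule.get("group"),
            "root": bool(rule.get("allow-root", False))}

def edit_copy(data):
    """Apply the change to the bytes of a copy; never touches /etc directly."""
    policy = plistlib.loads(data)
    add_group_rule(policy)
    who_can_unlock(policy)          # sanity check before anything is written
    return plistlib.dumps(policy)

if __name__ == "__main__":
    print(who_can_unlock(plistlib.loads(edit_copy(plistlib.dumps(SAMPLE)))))
```

To check a real file, read the bytes of the desktop copy, pass them through plistlib.loads, and call who_can_unlock on the result before moving the copy into /etc.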
Change the default screen unlock behavior
Authored by: zcrow on Jan 02, '08 08:11:16AM

Thanks for the post. I have asked before (not here but other places) about whether it is possible to ONLY have it ask for a password when coming out of sleep but NOT when coming out of the screen saver. In my situation, I work from home and at night I put the computer to sleep. Would be nice to have it require a password the next morning. But to do this every time the screen saver kicks in is a pain.

I don't have enough knowledge to know how this system works or if it is possible to tweak it in any way but just thought it would be nice to give people a choice on this one.

Change the default screen unlock behavior
Authored by: lihtox on Jan 02, '08 09:58:08AM

I felt inspired to brainstorm your problem, if you don't mind. :)

* You could set up a bare-bones non-administrator (even Simple-Finder) account, and switch to that before putting it to sleep for the night; you'll need your password to switch back to the useful account in the morning.

* Is there a way to go directly to the login screen without logging out? That would be easier.

* Write a cron job which turns on the password protection feature at night, and off in the morning. And set up two scripts/automator flows/etc to do so automatically.

Change the default screen unlock behavior
Authored by: jpbjpbjpbjpb on Jan 02, '08 11:47:30AM

Go into Keychain Access, then Preferences, then click "Show Status in Menu Bar" under the general pane.

Then you can choose "Lock Screen" from the lock menu in the menu bar and avoid the aggravation and extra ram use of having two accounts logged in.

Change the default screen unlock behavior
Authored by: barefootguru on Jan 02, '08 12:32:07PM

If you don't want a password prompt when deactivating the screensaver why use one? Have the screen dim instead of the screensaver kick in and then you won't be asked for a p/w.

Change the default screen unlock behavior
Authored by: theauharem on Jan 02, '08 12:29:06PM
I tried using the "lock" menubar item but it always proved buggy for me. I eventually settled on the following:

1) Set SysPrefs to ask for password on wake/exit screensaver.
2) Turn screensaver off (time delay set to "never").
3) Download and install Dockables: (
4) I personally use Dockables with Quicksilver but you may add either the "Lock Screen" or "Start Screensaver" icons to your Finder menu or dock.

My computer will not run the screensaver unless I call up the relevant Dockable (which I do if I want to lock the screen). At the end of the night, however, I sleep my computer to force an "ask password" in the morning.

p.s. Dockables, I believe, are simply Applescripts with nice icons.

No need to edit the plist by hand...
Authored by: brianwells on Jan 02, '08 05:56:18PM
I wrote a command-line utility called 'authutil' for making changes to rights in the authorization policy database. You can download it from my web site:

For example, to change the right so that only the current user can unlock the screen saver, use:

sudo authutil write system.login.screensaver rule authenticate-session-owner

To change it back to the default:

sudo authutil write system.login.screensaver rule authenticate-session-owner-or-admin

The utility is limited at present to editing rights and not rules. Of course, the source code is included just in case someone feels like adding support for editing rules ;-)


Change the default screen unlock behavior substantially
Authored by: bcarter5876 on Jan 03, '08 06:08:12AM

I'd like to be able to substantially change this behavior. We have many computer lab users who leave their workstation logged in. Due to the required security settings, the screen locks, and then the workstation is unusable until either an administrator unlocks it and logs it out, or someone hits the power button and reboots it.

I'd like for any legitimate user ID to be able to unlock the screen, but force the current user to be logged out, thus preserving security but freeing up the workstation for other users when necessary.

Change the default screen unlock behavior substantially - try multiple login
Authored by: spaceMan on Jan 03, '08 10:35:32AM

I have enabled Multiple users login (system preferences->accounts).

Now when I unlock the screen, I don't need to know the currently logged in users password. Instead, I click the 'other users...' button, and login with my user account.

This will leave the previous user 'logged in', and running 'in the background'.

This should also work in a lab setting, presuming all users are defined with unique accounts.


Change the default screen unlock behavior substantially
Authored by: mkluskens on Jan 07, '08 06:14:34AM

Use the Security setting to force login out after 10 minutes of inactivity -- of course this will fail if the user leaves applications running with unsaved changes, but it is an improvement over your current status.

Multiuser logins (Accounts, Login Options) is turned on via fast user switching I believe and is another thing you absolutely should have turned on for that environment.

It is possible to force a login out via a cron job or remotely via ssh by killing the LoginWindow process, generally it's better to kill the user's processes before killing the LoginWindow Process. I use this under 10.4 to force the kids off the computer before dinner time. You'd probably want something fancier if you have to go this route.

Change the default screen unlock behavior
Authored by: fireyice01 on Aug 05, '08 11:35:13PM

So, I'm not allowed to want my computer to turn on the screensaver (which I sometimes enjoy staring blankly at) when it's inactive? I realize I could just have it turn the screen off, and not have to worry, but I think as a security precaution, I should be able to have my Mac ask for my password when it wakes from sleep, and NOT ask for my password when I'm using it, and step away for a moment. The computer is in a secure location when I leave it, and when I'm leaving for the day, I close the lid (putting it to sleep), at which time I would expect it to prompt for a password when it woke.

It seems to me that Apple should allow users to have one without the other. Anybody come up with a viable workaround?
