
Create completely hidden accounts in 10.5 and 10.4.11 System
Those who manage large installed bases of Macs need to maintain one or more local administrative accounts on the machines, for remote administration, maintenance or troubleshooting. But, it can be undesirable to list an obvious administrator account in the Loginwindow; that same account hangs in the Fast User Switching menu, and in the Accounts Preference Pane. What to do?

Much experimentation, and some lucky finds on the Internet, have turned up the configuration to hide a user account on 10.5, and in later versions of 10.4.

In early versions of Tiger, it was easy to hide an administrator account. As per this hint, adding the array HiddenUsersList to com.apple.loginwindow with the account or accounts to be hidden was enough. But, with Leopard, this is no longer sufficient. Accounts can be hidden well enough using a HiddenUsersList entry, but the login window and Fast User Switching menu will contain an entry for "Other...," advertising the fact that one or more hidden user accounts are lingering on the system. How to get around this?

First, to create the account, open Terminal and type these commands:
sudo dscl . create /Users/$USERNAME
sudo dscl . create /Users/$USERNAME PrimaryGroupID 0
sudo dscl . create /Users/$USERNAME UniqueID 0
sudo dscl . create /Users/$USERNAME UserShell /bin/bash
sudo dscl . passwd /Users/$USERNAME $PASSWORD
sudo dscl . append /Groups/admin GroupMembership $USERNAME
Replace $USERNAME and $PASSWORD with the username and password you want to use. Because the commands above set both PrimaryGroupID and UniqueID to 0, the new account will be created as a root-level account. This may be a bad idea, depending on your implementation. If you like, change the PrimaryGroupID and UniqueID to something else, so long as the number is below 500. The UID 42 is not in use under Leopard. The following will show which UID is assigned to each account:
dscl . list /Users UniqueID
Now, to hide user accounts, type the following commands:
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array $USERNAME
The first line will hide users with a UID below 500. The second line sets the list of hidden accounts to your user; -array replaces any existing HiddenUsersList, so use -array-add instead to append to a list that is already there. This was enough prior to 10.4.11. Now, if such a hidden account is created, the login window and Fast User Switching menu will show an option for "Other...," which I find annoying. It's not enough to turn off list view on the login window, as many of my users have come to expect it.

Type the following to disable the "Other..." listing from the Loginwindow and the Fast User Switching menu:

sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE

Reboot to ensure all changes took hold, log in to your administrator account to make sure it works, and you're done. I wrote a small script to automate this process, which you can get here. Give it execute permissions with chmod, and run it as an administrator. It takes the first argument as the username to be created, and the second argument as the password.

[robg adds: I haven't tested this one -- either the commands or the linked script.]
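
For anyone auditing a Mac for accounts set up this way, here is an added example (not part of the original hint or its linked script) that flags accounts the settings above keep off the login window: a second account with UID 0, an admin-group member with a UID below 500, and any name in HiddenUsersList. The function name, the reason labels and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added audit example; function name, reason labels and sample data are
# constructed for illustration.
#
# Usage: <listing> | audit_hidden_accounts "ADMINS" "HIDDEN"
#   stdin:  output of `dscl . list /Users UniqueID` (name, then UID)
#   ADMINS: space-separated members of the admin group
#   HIDDEN: space-separated names from HiddenUsersList
# Prints "name uid reason[,reason...]" for each account worth reviewing.
audit_hidden_accounts() {
    awk -v admins="$1" -v hidden="$2" '
    # True when name is one of the space-separated words in list.
    function has(list, name) {
        return index(" " list " ", " " name " ") > 0
    }
    # Only lines of the form "<name> <integer uid>" are considered.
    NF == 2 && $2 ~ /^-?[0-9]+$/ {
        name = $1; uid = $2 + 0; why = ""
        # A second account sharing UID 0 is root under another name.
        if (uid == 0 && name != "root")
            why = why ",uid0-not-root"
        # Hide500Users keeps UIDs below 500 off the login window list.
        if (uid < 500 && name != "root" && has(admins, name))
            why = why ",admin-below-500"
        if (has(hidden, name))
            why = why ",in-HiddenUsersList"
        if (why != "")
            print name, uid, substr(why, 2)
    }'
}

# Constructed sample in the layout of `dscl . list /Users UniqueID`.
sample_listing() {
    cat <<'EOF'
_www                    70
daemon                  1
jim                     501
maint                   0
nobody                  -2
root                    0
svc                     42
EOF
}

# Demo on the constructed data: admin group holds root, jim, maint and svc;
# HiddenUsersList holds maint.
sample_listing | audit_hidden_accounts "root jim maint svc" "maint"
```

On a Mac, pipe `dscl . list /Users UniqueID` into the function and pass the admin group's GroupMembership values and the HiddenUsersList entries as the two arguments.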
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: macbigdog1 on Feb 01, '08 11:45:29AM

script didn't work in 10.5.1



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: louisk2 on Feb 01, '08 04:25:45PM

There seems to be an issue at dscl -list. Running the command in the terminal on its own yields no response. You should also allow for a UID to be specified along with a new name and password (and check for duplicates) so you don't have to change the script for every new user you make.

Great shell script idea - very helpful.



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: Anonymous on Feb 01, '08 10:44:37PM

Yay! My first hint! Anyway, I modified the script to use a full path through the directory rather than relying on relative paths. Things should work better now. Also, you can now supply a GID and a UID on the command line. It would look like: mkadmin jimnieken password 510 511. I was thinking I should do more error checking to make sure the supplied GID and UIDs are not already in use. For that matter, the script still also places the user in the administrative group. I should fix that.

Please let me know if there are any other problems.



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: aequitas on Feb 02, '08 04:20:02AM

The user directory still shows up in the /Users/ directory right? Would there be a way to get around that?



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: Anonymous on Feb 02, '08 12:45:49PM
In fact, there are two ways around this. Either don't give the user a home directory, or put it in a hidden place. Accounts don't really NEED a home directory, particularly if it runs with root permission. A good place to hide a home directory is /var/root, which is the home directory for the root account. When creating a new user, the following line will set the home directory as /var/root:

sudo dscl localhost create /Local/Default/Users/$USERNAME home /var/root

Otherwise, just do not specify a home directory.

[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: stewarsh on Feb 02, '08 02:28:30PM

This is not a good idea at all. W/O a home directory the behavior of some programs can become unpredictable. Remember OS X is UNIX now, and there are certain things that you have to deal with.



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: Anonymous on Feb 02, '08 02:36:40PM

If this were a normal user account, I would agree with you. But for most (if not all) administrative functions, a home directory does not seem to be necessary. You may get an error here and there, but everything from ARD to Disk Utility, System Preferences and Terminal all work as usual. You can download files, install software, delete and add accounts, change system settings, et cetera.

About the only thing you don't get is permanence between logins, because there is no ~/Library to save settings to. For my purposes, this doesn't really bother me. Plus, it keeps overhead for the hidden account to a bare minimum.



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: da2357 on Mar 14, '08 10:28:56AM

I agree. I tried this with a 10.4.11 iMac and while it created the user fine and hides it from the login window, it does leave problems... it doesn't provide a home directory setup, trying to get into System Preferences > Accounts results in a blank panel, and running a few commands/apps result in slow performance since there isn't a /Users/$USER/Library folder to write to. I was initially very excited, but this needs a user home in order to be a complete solution.



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: jeremyp on Feb 02, '08 06:17:03AM

I don't understand why it is considered a problem for admin accounts to be visible to other users. Just make sure it is protected by a good strong password.



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: q3 on Feb 04, '08 12:00:25AM

Maybe just because it looks ugly?

And just to get rid of the 'big brother' impression your users get when they always see that there is an 'admin user' on THEIR machine?

You are right. There is no technical reason to hide the admin user.
But sometimes there are reasons beyond the technical horizon which may also be of some importance.



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: zpjet on Feb 04, '08 03:16:00AM

is it then better to be "big brother" without users knowing it? ;)



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: da2357 on Feb 04, '08 07:50:03AM
I'm not sure if the issue is whether we want to play "Big Brother" without others knowing it. I think that some users act "paranoid" if they know --by visibly seeing an "admin" account in /Users-- that there is an admin account, regardless of whether their actions are honorable or not.

I would hope that it's a given that we're all choosing relatively strong passwords for our admin accounts. An added benefit to having a hidden admin account is that in addition to not knowing what the admin password is, the user (for those who wish to try hacking past their allowed privileges) doesn't know what the admin user-name is -- assuming that you choose an admin user-ID that's NOT "admin" or "administrator". For me, it's not about "Big Brother" ethics but rather having a way to make it easier for me to maintain a large number of Macs---for staff-members worried about "Big Brother", I don't have time or the interest in watching what people are or aren't doing on their computers; my interest is in providing a computer with a solid, tested image that contains the apps my staff needs to perform their job duties--and if that takes a few minutes to set up a hidden admin account to minimize problems, so be it.

I think it's an unfortunate necessity that we need to create hidden user accounts... this is either a reflection of my staff or society in general. I work in a school department where I am one person in a two-person IT team, managing almost 600 Macs. We prefer to deploy a standard image that's been tested w/all the apps they need to perform their duties--and we don't have time to troubleshoot problems when someone has added an app without permission. My predecessor used to give out the admin login and password to anyone who asked for it, much to the dismay of my supervisor and me (it's taken me a year to pick up the mess created). I would much rather have to connect via ARD and spend five minutes installing a special app a staff-member needs than to give them an admin account AND THEN have to fix the mess.

[ Reply to This | # ]

Create completely hidden accounts in 10.5 and 10.4.11
Authored by: gdane on Feb 07, '08 03:06:22PM

Where does this account reside when it's created using these commands? If I want to delete the account, I need to know where it's located.

Help, anybody?



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: Absconsus on Feb 08, '08 12:29:46PM
In case anyone has tried to do this in SUM, the below code will allow the use of dscl sans /etc/rc in 10.5:

/bin/launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist &

I did a fresh install and skipped the initial setup by creating the .AppleSetupDone file in /var/db, then created my own hidden admin and went from there. Stealthy.

[ Reply to This | # ]

Create completely hidden accounts in 10.5 and 10.4.11
Authored by: foilpan on Mar 05, '08 02:49:50PM
i modified your makeuser function to provide a little feedback and to create a home in /var/home so the user directory is a little out of the way. most apps will work fine without a homedir, but it's easy enough to create one, especially if the user won't be storing much of anything there. i run this as root via single user mode or with sudo, so all the sudo lines are unnecessary in the script. the UID is hardcoded in my edited version, too. thanks for putting this together!

# $PATH, $USERNAME and $PASSWORD are set by the surrounding script. Here $PATH
# holds the directory node prefix handed to dscl, not the shell's command
# search path, so the absolute command paths below are required.
makeUser ()
{
	/bin/echo "creating admin user account…"
	# Create the user record, then set its group, UID, shell and password.
	/usr/bin/dscl localhost create "$PATH/Users/$USERNAME"
	/usr/bin/dscl localhost create "$PATH/Users/$USERNAME" PrimaryGroupID 0
	/usr/bin/dscl localhost create "$PATH/Users/$USERNAME" UniqueID 444
	/usr/bin/dscl localhost create "$PATH/Users/$USERNAME" UserShell /bin/bash
	/usr/bin/dscl localhost passwd "$PATH/Users/$USERNAME" "$PASSWORD"
	/usr/bin/dscl localhost append "$PATH/Groups/admin" GroupMembership "$USERNAME"
	/usr/bin/dscl localhost create "$PATH/Users/$USERNAME" NFSHomeDirectory "/var/home/$USERNAME"
	/bin/echo "creating new admin account homedir…"
	# Populate the home directory from the system's user template.
	/bin/mkdir -p "/var/home/$USERNAME"
	/usr/bin/ditto -rsrc -V /System/Library/User\ Template/English.lproj/ "/var/home/$USERNAME/"
	/usr/sbin/chown -Rf "$USERNAME":admin "/var/home/$USERNAME"
	/bin/echo "confirming what we just did…"
	/bin/ls "/var/home/$USERNAME/"
	/usr/bin/id "$USERNAME"
	/bin/echo "if that looks good, we're all set."
}


[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: nsupple on Mar 12, '08 07:55:21PM

can someone please tell me how to reverse everything in this hint, it is causing serious problems with my computer. please, and btw the user account is still visible at login but my original account wouldn't let me enable fast user switching now and now the colour of my original user account screen is messed up, the only account that somewhat works is the one i created with this one...i don't know if it matters but i downloaded the file but it didn't do anything (that i know of)



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: treleven on Mar 26, '08 02:07:46AM

First repeat this mantra, "Big guns make big holes."
The command line has the power to really stuff things up.
That said, Let's fight fire with fire. Get another dreaded terminal window.

To get rid of the "HiddenUsersList" paste this into the terminal
sudo defaults -currentHost delete /Library/Preferences/com.apple.loginwindow \HiddenUsersList

Set this true or false depending whether you want the "Other" entry in the login window.
sudo defaults -currentHost write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool false

The rest you should be able to delete in "Accounts" or using "Workgroup Manager" (from Apple).

Hope it helped, Treleven

PS: I didn't try the script, but the commands all worked exactly as described for me on Macos 10.5.2



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: nsupple on Mar 12, '08 08:18:38PM

how do i undo everything that this hint says and delete the user account. i followed this and the user account is not in the accounts tab under preferences and now i can't enable fast user switching and the color scheme is messed up on all my accounts except the new one i created... which i can only access through the login window

someone please help.
also i downloaded the script thing and it did nothing (that i know of)
i have 10.4.11 and even if you can tell me how to back-up and restore everything that would be appreciated......please



[ Reply to This | # ]
UID 1000 is hidden in Leopard
Authored by: treleven on Apr 01, '08 06:03:19PM
I have always had a UID of 1000 for my main account. After importing users into Leopard it disappeared in the login window! So I logged in as another admin user, unlocked the "Accounts" system preference and right clicked the account to get "advanced options". Then I changed my UID to 1001. That leaves my home dir unaccessible, so I opened Terminal and ran the command

sudo chown 1001 /Users/myaccountname

Now my account appears in the login window again.

What caused the login window to hide UID 1000?

Can this be used to reliably create a hidden account?

Is running the chown all I need to do after changing UID?

BTW What's the keystroke combination to get the "Other" password window when it isn't displayed in the login window's list?

[ Reply to This | # ]

UID 1000 is hidden in Leopard
Authored by: HPRA on May 04, '09 11:40:51AM
To get the user/password-fields just:

1. Select a visible user, using the keyboard (i.e. press the down arrow key)
2. press [opt]+[return]

Not my own work, but cribbed from this comment:
http://www.macosxhints.com/comment.php?mode=view&cid=64536

Tested on 10.5.2

[ Reply to This | # ]
UID 1000 is hidden in Leopard
Authored by: 4kerm on Apr 24, '10 03:21:30PM

I have the same problem, I changed my UID to 1000 to access our SuSE Linux NFS Server.
But now my User is hidden in the login panel and I have to use "others".
Is there a way to unhide the user? I thought only users under 500 are hidden?

Thanks for any tip

Kerm



[ Reply to This | # ]
UID 1000 is hidden in Leopard
Authored by: 4kerm on Apr 24, '10 03:31:05PM

I have the same problem.
I had to change my uid to 1000 to access our NFS server (openSuSE 11.2)
But now my login is hidden. I have to use now "Other".
Is there a way to unhide it?

Thanks for any tip

--Kerm



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: digitol on Feb 12, '09 01:49:34AM
I'm late to the party, but hopefully this will help someone out there out. Check out this guide:

http://www.tcsn.net/mont/hiddenuserleopard/welcome.html

-Digitol-

[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: jakov on Jul 22, '09 12:01:13AM
The best guide I found on how to create a hidden admin is available in a Peachpit-book. They put the guide online at

http://www.peachpit.com/articles/article.aspx?p=1228912&seqNum=2 (browse to halfway the page)

I use it and it works really nice

Jako

[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: dinosaur2 on Apr 25, '11 06:03:13AM

Made the account of creating the account under UID 0. As 0 is root, is there any way for me to revert back to the original settings? I can now log into the root account with the credentials I created with the OP's steps.
Thanks ahead.



[ Reply to This | # ]
UID 1000 is hidden in Leopard
Authored by: linuxslave on Sep 10, '11 08:47:17PM

Did anyone ever find a way to unhide user with UID 1000? This is driving me crazy that I have to type my name on the login screen every single time.



[ Reply to This | # ]
Create completely hidden accounts in 10.5 and 10.4.11
Authored by: irongolem on Oct 14, '13 02:41:05PM

ya so i am using sum to do this so here is what happens


i type mount -uw /

then i type:
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist

and that works then i type:
sudo dscl . create /Users/$USERNAME

and then it gets weird
it sends me like stuff on how to use dscl like it tells me the version of dscl and the datasources the options the commands and the mcx extensions

i thought that it was supposed to do that so i finished the commands and tried to boot in it but not even the directory is there so i don't know what to do

i have typed all the commands case sensitive so ya

help is appreciated



[ Reply to This | # ]