Create completely hidden accounts in 10.5 and 10.4.11

Feb 01, '08 07:30:03AM

Contributed by: Anonymous

Those who manage large installed bases of Macs need to maintain one or more local administrative accounts on the machines, for remote administration, maintenance or troubleshooting. But, it can be undesirable to list an obvious administrator account in the Loginwindow; that same account hangs in the Fast User Switching menu, and in the Accounts Preference Pane. What to do?

Much experimentation, and some lucky finds on the Internet, have turned up the configuration to hide a user account on 10.5, and in later versions of 10.4.

In early versions of Tiger, it was easy to hide an administrator account. As per this hint, adding the array HiddenUsersList to com.apple.loginwindow with the account or accounts to be hidden was enough. But, with Leopard, this is no longer sufficient. Accounts can be hidden well enough using a HiddenUsersList entry, but the login window and Fast User Switching menu will contain an entry for "Other...," advertising the fact that one or more hidden user accounts are lingering on the system. How to get around this?

First, to create the account, open Terminal and type these commands:

sudo dscl . create /Users/$USERNAME
sudo dscl . create /Users/$USERNAME PrimaryGroupID 0
sudo dscl . create /Users/$USERNAME UniqueID 0
sudo dscl . create /Users/$USERNAME UserShell /bin/bash
sudo dscl . passwd /Users/$USERNAME $PASSWORD
sudo dscl . append /Groups/admin GroupMembership $USERNAME

Replace $USERNAME and $PASSWORD with the username and password you want to use. With UniqueID 0 and PrimaryGroupID 0, the new account will be created as a root-level account. This may be a bad idea, depending on your implementation. If you like, change the PrimaryGroupID and UniqueID to something else, so long as the number is below 500. The UID 42 is not in use under Leopard. The following will show which IDs are assigned to which number:

dscl . list /Users UniqueID

Now, to hide user accounts, type the following commands:

sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array $USERNAME

The first line will hide users with a UID below 500. The second line will add your user to the list of hidden accounts. This was enough prior to 10.4.11. Now, if such a hidden account is created, the login window and Fast User Switching menu will show an option for "Other...," which I find annoying. It's not enough to turn off list view on the login window, as many of my users have come to expect it.

Type the following to disable the "Other..." listing from the Loginwindow and the Fast User Switching menu:

sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE

Reboot to ensure all changes took hold, log in to your administrator account to make sure it works, and you're done. I wrote a small script to automate this process, which you can get here. Give it execute permissions with chmod, and run it as an administrator. It takes the first argument as the username to be created, and the second argument as the password.

[robg adds: I haven't tested this one -- either the commands or the linked script.]
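
The same settings are what to check when auditing a fleet for accounts hidden this way. The script below is an added example, not part of the original hint or its linked script; the function name find_hidden_admins and the sample accounts are assumptions made for illustration, and the sample data is constructed so the script runs anywhere.

```shell
#!/bin/sh
# Added audit example; not the hint's script. Sample data below is constructed.
# On a real Mac the three inputs would come from:
#   dscl . list /Users UniqueID
#   dscl . read /Groups/admin GroupMembership
#   defaults read /Library/Preferences/com.apple.loginwindow HiddenUsersList \
#       | tr -d '(),"' | tr '\n' ' '

# find_hidden_admins UID_LISTING ADMIN_LINE HIDDEN_NAMES
# Prints "name: reasons" for every non-root account that has UID 0, or that is
# in the admin group while also hidden (UID below 500, or in HiddenUsersList).
find_hidden_admins() {
    printf '%s\n' "$1" | awk -v members="$2" -v hidden="$3" '
        BEGIN {
            n = split(members, m, /[ \t]+/)
            for (i = 1; i <= n; i++)            # skip the "GroupMembership:" label
                if (m[i] != "" && m[i] !~ /:$/) admin[m[i]] = 1
            n = split(hidden, h, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (h[i] != "") hid[h[i]] = 1
        }
        NF >= 2 && $1 != "root" {
            name = $1; uid = $NF + 0; why = ""
            if (uid == 0)                         why = why " uid0"
            if ((name in admin) && uid < 500)     why = why " admin-below-500"
            if ((name in admin) && (name in hid)) why = why " admin-in-HiddenUsersList"
            if (why != "") print name ":" why
        }'
}

# Constructed sample: "maint" mirrors the hint, with UID 42 instead of 0.
SAMPLE_UIDS='_www      70
alice     501
bob       502
daemon    1
maint     42
nobody    -2
root      0'
SAMPLE_ADMIN='GroupMembership: root alice maint'
SAMPLE_HIDDEN='maint'

find_hidden_admins "$SAMPLE_UIDS" "$SAMPLE_ADMIN" "$SAMPLE_HIDDEN"
```

A hit is a prompt to confirm the account against your own provisioning records, since an administrator may have created it deliberately as described above.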



Mac OS X Hints
http://hints.macworld.com/article.php?story=20080127172157404