Mac OSX – How to Create a Hidden Admin Account via Terminal

mac-osxmac-osx-serverremote desktopterminaluser-management

I have around 300 baby macs to look after, and they have lots of different admin accounts, which is a nightmare to work with.

ARD has slowly been configured with the accounts of the machine owners, but that doesn't help when bringing on board another sysadmin, who now has to collect all the usernames and passwords of the users.

I figure, it's better for me to run a script using ARD that creates a hidden admin user on each system, with a known username and password. I just don't know how to do it.

Any hints and tips would be appreciated. I am currently trying to work on a draft script now, which I'll post, but anyone else, feel free to jump in with a solution 🙂

Best Answer

Something like this should work:

# Create user record in directory services
dscl . -create /Users/hiddenadmin
dscl . -create /Users/hiddenadmin RealName "Hidden Administrator"
dscl . -create /Users/hiddenadmin UniqueID 499  # Use something between 100 and 500 to hide the user
dscl . -create /Users/hiddenadmin PrimaryGroupID 20
dscl . -create /Users/hiddenadmin UserShell /bin/bash
dscl . -passwd /Users/hiddenadmin "e38TpBs1g;.r"  # Obviously, use something else here

# Set up a hidden home folder
dscl . -create /Users/hiddenadmin NFSHomeDirectory /var/hiddenadmin  # or other hidden location
cp -R /System/Library/User\ Template/English.lproj /var/hiddenadmin
chown -R hiddenadmin:staff /var/hiddenadmin

# Grant admin & ARD rights
dseditgroup -o edit -t user -a hiddenadmin admin
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users hiddenadmin -privs -all -restart -agent

# Tell loginwindow not to show the user
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
# Alternate: defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array hiddenadmin

Note that kickstart (the command-line interface for configuring the ARD client) is rather complex and unintuitive, and you may have to play around with it to get exactly the config you want. Here's an Apple KB article and a man page for it.

Related Solutions

mac-osx – Creating User Accounts from Terminal in Mac OS X 10.5

Use the dscl command. This example would create the user "luser", like so:

dscl . -create /Users/luser
dscl . -create /Users/luser UserShell /bin/bash
dscl . -create /Users/luser RealName "Lucius Q. User"
dscl . -create /Users/luser UniqueID "1010"
dscl . -create /Users/luser PrimaryGroupID 80
dscl . -create /Users/luser NFSHomeDirectory /Users/luser

You can then use passwd to change the user's password, or use:

dscl . -passwd /Users/luser password

You'll have to create /Users/luser for the user's home directory and change ownership so the user can access it, and be sure that the UniqueID is in fact unique.

This line will add the user to the administrator's group:

dscl . -append /Groups/admin GroupMembership luser

Bash – How to find the path to an executable in OSX

which will search your path for the arguments you supply, it's found on just about any BSD or SysV UNIX

moriarty:~ dave$ which bash true false
/bin/bash
/usr/bin/true
/usr/bin/false

Best Answer

Related Solutions

mac-osx – Creating User Accounts from Terminal in Mac OS X 10.5

Bash – How to find the path to an executable in OSX

Related Topic