
So on my computers, I have the following script creating a hidden user account:

jamf createAccount -username "$userName" -realname "$realName" -password "$password" -home /private/var/"$userName" -shell "$usershell" -picture "/Library/User Pictures/Fun/Ying-Yang.png" -admin -hiddenUser -suppressSetupAssistant

I am trying to reveal this account and unhide it, so users can actually change the password easily.

What is the best way to go about it?

What I almost have working, is to simply delete this account using a similar script:

jamf deleteAccount -username "$userName" -realname "$realName" -password "$password" -home /private/var/"$userName" -shell "$usershell" -picture "/Library/User Pictures/Fun/Ying-Yang.png" -admin -hiddenUser -suppressSetupAssistant

And then have it recreated using the Local Account Payload under a policy, as an Admin account, same name.

Only problem is, it will unlock everything except Users & Groups. On some machines, it tells me it needs to be part of a "Special Use" Group, some machines say it needs to be part of Sudoers group. User is able to log out and log in as Admin and set password that way, but still unable to unlock Users & Groups pane. They can unlock any other pane though.

Really appreciate you saving me here fellas, thanks!

Any help would be appreciated.


So if I understand correctly, you create an admin user, but it doesn't have admin rights to alter users and groups?

If you run:
dscl . -read /groups/admin GroupMembership

is the account in the admin group according to dscl?

If not, you can try running:
dscl . -append /groups/admin GroupMembership "$USERNAME"

and see if that gives the account full admin rights.


Unfortunately, I've tried that already.

Is there an easier way to simply reveal a hidden account that was created in the fashion I illustrated above?


Following. I only know about the IsHidden dscl command to hide and unhide.


Tried that already :/


Maybe moving the home directory to /Users?
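Putting the thread's three suggestions together (clear IsHidden, move the home folder under /Users and repoint the record, make sure the account is in the admin group) as an added example script; this is not code posted by anyone in the thread, and it assumes the account is a plain local record whose home was created under /private/var/<name> as in the original createAccount command. The USERS_DIR variable is an assumption added so the logic can be exercised against a scratch directory.

```bash
#!/bin/bash
# Added example (not from the thread): reverse what `jamf createAccount -hiddenUser`
# leaves behind so the account behaves like a normal, visible local admin. Run as root.
set -eu

USERS_DIR="${USERS_DIR:-/Users}"   # assumption: overridable target so the logic can be tested on a scratch dir

unhide_account() {
    user="$1"
    record="/Users/$user"
    new_home="$USERS_DIR/$user"

    # Refuse to touch a name that is not a local directory record.
    if ! dscl . -read "$record" RecordName >/dev/null 2>&1; then
        echo "unhide_account: no local user named '$user'" >&2
        return 1
    fi

    # IsHidden is what keeps the account out of the login window and the
    # Users & Groups list; setting it to 0 undoes the hide.
    dscl . -create "$record" IsHidden 0

    # Move the home folder under /Users and repoint the record, but only when the
    # move actually happened: a record pointing at a missing folder is worse than hidden.
    # (dscl prints "NFSHomeDirectory: /path"; the value is assumed to contain no newline.)
    old_home=$(dscl . -read "$record" NFSHomeDirectory)
    old_home=${old_home#NFSHomeDirectory: }
    if [ "$old_home" != "$new_home" ] && [ -d "$old_home" ] && [ ! -e "$new_home" ]; then
        mv "$old_home" "$new_home"
        chown -R "$user" "$new_home"
        dscl . -create "$record" NFSHomeDirectory "$new_home"
    fi

    # Same admin-group check suggested above, appending only when the name is missing.
    members=$(dscl . -read /Groups/admin GroupMembership)
    case " $members " in
        *" $user "*) ;;
        *) dscl . -append /Groups/admin GroupMembership "$user" ;;
    esac

    # Accounts with a UID below 500 are treated as system accounts and stay hidden
    # from the login window; renumbering means re-owning every file, so only report it.
    uid=$(dscl . -read "$record" UniqueID)
    uid=${uid#UniqueID: }
    if [ "$uid" -lt 500 ]; then
        echo "warning: $user has UID $uid (<500); it stays hidden unless loginwindow Hide500Users is false" >&2
    fi
    return 0
}

if [ "$#" -gt 0 ]; then unhide_account "$1"; fi
```

Run it as `sudo ./unhide_account.sh <username>`; it prints a warning rather than changing the UID if the account was created below 500.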


How do you guys handle Admin? Because I'm trying to make a case to promote my users to Admin instead of using a separate Admin account.


@danny.gutman In a previous role, we had elevated accounts for users that needed admin rights, username.pc as an example. I also used LAPS for Mac for techs needing to log in as an admin on that seat; the username was the same but the password was different for each seat, stored in the JSS. Currently, we have some admins, but for those that aren't, we can give them temporary admin rights to their account upon approved request.