After some poking around, I found that it looks like this is the right way to do it. Here's the reason I asked...
We're going to be using Random Password Manager (RPM) to spin the root account passwords. I also want to remove all visible administrative users from the machine. So thus, the deployment of a machine with no admin privs looks like this:
- Fire up machine out of box, setup with account user will use.
- Install our core services package (contains security settings, virusscan, casper client and self service etc...)
- Reset root password, thus enabling it (through policy or interactively, not sure yet)
- Finish setting up machine
- Deprecate to Standard user using dscl. Even logged in as root through the GUI, OS X won't allow you to deprecate the only >500 UID admin account from Admin to Standard user. Thus the reason I asked the question.
- Enable RPM to spin the root account password.
I'm probably going to make a script for our deploy techs to handle the dscl command. Seeing how they'll be logged in as root (briefly) I don't want them messing anything up, especially with dscl. If anyone's interested, I'll post it to the list.
j
---
Jared F. Nichols
Desktop Engineer, Infrastructure & Operations
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
