Posted on 08-08-2013 08:43 AM
Is there any way to make a hidden admin account that cannot log in? We would need this so teachers can add their home printers without contacting us, and for other teachers to have an account to make changes, but an account that they cannot log in to.
Posted on 08-08-2013 08:52 AM
If you set the user's shell to /usr/bin/false, it will hide it from the login screen and prevent login. I think, but I'm not sure, it will still be usable for authorization.
Existing users can be changed by running a script like this:

```
# Replace the login shell of an existing local account with /usr/bin/false
sudo dscl . -change /Users/[username] UserShell /bin/bash /usr/bin/false
```

New users can be set by:

```
#!/bin/sh
# Create a hidden local admin account with a non-interactive shell via the jamf binary
sudo jamf createAccount -username [username] -password [password] -shell /usr/bin/false -hiddenUser -admin
```
Posted on 08-08-2013 09:00 AM
If you add the group staff to the lpadmin group, that will allow all users to add printers without having admin rights. As for the rest, I don't quite understand what you are trying to describe.
The other way to hide an account is just make the UID less than 500.
Posted on 08-08-2013 10:40 AM
Sounds like he wants a Service Account with perms that only allow installations.
Posted on 08-22-2013 10:49 AM
I do want a service account. That script created the users in 10.8, but I cannot use that account to authenticate.
Posted on 08-22-2013 11:14 AM
Unfortunately, in my testing in the past, changing the login shell to /usr/bin/false prevents the account from authenticating for installs or from running any command line operations, so I wouldn't go that route. It stops more than just logging in to the GUI, sadly.
Unless someone knows of a way to do that and still allow you to use it for admin credentials? I kind of doubt it.
I think your best bet will be to either add users into set groups, like _lpadmin as suggested by charles.hitch, or look at editing the /etc/authorization file.
Something else that might help would be to deploy a LaunchAgent into the hidden account's /Library/LaunchAgents/ folder that would run a script to do a logout command as soon as it logs in. That way, if anyone attempts to use it, it would be immediately logged out. You could even have the script write to a log file somewhere so you can keep track of any unauthorized login attempts using an Extension Attribute. And let your users know that it will be tracked. ; )
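One way to build the logout-on-login agent described in the reply above, as an added example that is not from the thread or from Jamf: two shell functions generate the logout script and the per-user LaunchAgent plist, and a third counts the logged attempts for an Extension Attribute. The script path, log path and agent label are assumptions; adjust them for your site.

```shell
#!/bin/sh
# Added example (not from the thread): install a LaunchAgent in a hidden
# service account's home that records the login attempt and logs the
# session out again immediately. Paths and label below are assumptions.
set -eu

# Write the script the agent runs at login: append a line to the log, then
# force a GUI logout of this session via System Events.
write_logout_script() {
    dest="$1"      # e.g. /usr/local/bin/svc_logout.sh (assumed path)
    logfile="$2"   # e.g. /var/log/svc_account_logins.log (assumed path)
    cat > "$dest" <<EOF
#!/bin/sh
printf '%s login attempt by %s on console\n' "\$(date '+%Y-%m-%d %H:%M:%S')" "\$(id -un)" >> "$logfile"
/usr/bin/osascript -e 'tell application "System Events" to log out'
EOF
    chmod 755 "$dest"
}

# Write the LaunchAgent plist under the account's ~/Library/LaunchAgents so
# launchd starts the script as soon as that user logs in. Prints the path.
write_launch_agent() {
    home="$1"; label="$2"; script="$3"
    mkdir -p "$home/Library/LaunchAgents"
    plist="$home/Library/LaunchAgents/$label.plist"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>$label</string>
    <key>ProgramArguments</key>
    <array><string>$script</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    echo "$plist"
}

# Number of recorded attempts; an Extension Attribute script can echo this.
count_logins() {
    if [ -f "$1" ]; then grep -c 'login attempt' "$1" || true; else echo 0; fi
}
```

Run the generators as root against the service account's home directory, then chown the LaunchAgents folder and plist to that account so launchd will load it; the log file must be writable by the service account.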