Hidden admin account

dmeridith
New Contributor III

Is there any way to make a hidden admin account that cannot log in? We would need this so teachers can add their home printers without contacting us, and for other teachers to have an account to make changes, but an account that they cannot log in to.

5 REPLIES

mscottblake
Valued Contributor

If you set the user's shell to /usr/bin/false, it will hide it from the login screen and prevent login. I think, but not sure, it will still be usable for authorization.

Existing users can be changed by running a script like this:

```
#!/bin/sh
# dscl -change replaces the current UserShell value (/bin/bash here) with /usr/bin/false
sudo dscl . -change /Users/[username] UserShell /bin/bash /usr/bin/false
```

New users can be set by:

```
#!/bin/sh
# Create a hidden admin account whose shell is /usr/bin/false
sudo jamf createAccount -username [username] -password [password] -shell /usr/bin/false -hiddenUser -admin
```

charles_hitch
Contributor II

If you add the group staff to the lpadmin group that will allow all users to add printers without having admin rights. As for the rest I don't quite understand what you are trying to describe.

The other way to hide an account is just make the UID less than 500.

Matt
Valued Contributor

Sounds like he wants a Service Account with perms that only allow installations.

dmeridith
New Contributor III

I do want a service account. That script created the users in 10.8, but I cannot use that account to authenticate.

mm2270
Legendary Contributor III

Unfortunately, in my testing in the past, changing the login shell to /usr/bin/false prevents the account from authenticating for installs or from running any command line operations, so I wouldn't go that route. It stops more than just logging in to the GUI, sadly.
Unless someone knows of a way to do that and still allow you to use it for admin credentials? I kind of doubt it.

I think your best bet will be to either add users into set groups, like _lpadmin as suggested by charles.hitch, or look at editing the /etc/authorization file.

Something else that might help would be to deploy a LaunchAgent into the hidden account's /Library/LaunchAgents/ folder that would run a script to do a logout command as soon as it logs in. That way if anyone attempts to use it, it would be immediately logged out. You could have the script even write to a log file somewhere so you can keep track of any unauthorized login attempts using an Extension Attribute. And let your users know that it will be tracked. ; )
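One way to build the LaunchAgent-plus-log setup mm2270 describes above, as an added example that is not part of the thread or any poster's own code. It assumes a hidden admin account named svcadmin, a LaunchAgent label com.example.svcadmin-autologout, a root-owned helper at /usr/local/bin/svcadmin-autologout.sh and a log file under the account's ~/Library/Logs; all of those names are assumptions. The helper records the login and forces a logout, and the `ea` branch is the body of a Jamf Extension Attribute that reports how many logins the log holds.

```shell
#!/bin/sh
# Added example (not from the thread). Pieces: a LaunchAgent in the hidden
# account's ~/Library/LaunchAgents/ that logs the login and immediately logs
# the session out, plus an Extension Attribute that counts those logins.
# Assumed names: account svcadmin, label com.example.svcadmin-autologout,
# helper and log paths below.

SVC_USER="${SVC_USER:-svcadmin}"
AGENT_LABEL="com.example.svcadmin-autologout"
HELPER_PATH="/usr/local/bin/svcadmin-autologout.sh"
LOG_PATH="/Users/$SVC_USER/Library/Logs/svcadmin-autologout.log"

# Write the helper the agent runs at each GUI login of the hidden account:
# record who logged in and when, then force a logout. aevtrlgo is the
# loginwindow "really log out" event, which skips the confirmation dialog.
# The helper stays root-owned so the hidden user cannot alter it.
# args: <helper path> <log path>
write_helper_script() {
    cat > "$1" <<EOF
#!/bin/sh
printf '%s login user=%s\n' "\$(date -u +%Y-%m-%dT%H:%M:%SZ)" "\$(id -un)" >> "$2"
/usr/bin/osascript -e 'tell application "loginwindow" to «event aevtrlgo»'
EOF
    chmod 755 "$1"
}

# Write the LaunchAgent plist. RunAtLoad fires the helper as soon as the
# session starts; LimitLoadToSessionType=Aqua restricts it to GUI sessions,
# which is the case the post wants to catch.
# args: <plist path> <label> <helper path>
write_launchagent_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$2</string>
    <key>ProgramArguments</key>
    <array>
        <string>$3</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
</dict>
</plist>
EOF
}

# Count recorded logins; 0 when the log does not exist yet.  args: <log path>
count_login_attempts() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# Extension Attribute output: Jamf stores the value between the <result> tags.
# args: <log path>
ea_result() {
    printf '<result>%s</result>\n' "$(count_login_attempts "$1")"
}

# Install (run as root on the Mac): sh this_script.sh install
# Extension Attribute (pasted into Jamf):  sh this_script.sh ea
if [ "${1:-}" = "install" ]; then
    AGENT_DIR="/Users/$SVC_USER/Library/LaunchAgents"
    mkdir -p "$AGENT_DIR" "/Users/$SVC_USER/Library/Logs"
    write_helper_script "$HELPER_PATH" "$LOG_PATH"
    write_launchagent_plist "$AGENT_DIR/$AGENT_LABEL.plist" "$AGENT_LABEL" "$HELPER_PATH"
    # launchd requires a user agent plist to be owned by that user (or root)
    # and not writable by group/others.
    chown -R "$SVC_USER" "$AGENT_DIR" "/Users/$SVC_USER/Library/Logs"
    chmod 644 "$AGENT_DIR/$AGENT_LABEL.plist"
    echo "Installed $AGENT_LABEL for $SVC_USER; logins are recorded in $LOG_PATH"
elif [ "${1:-}" = "ea" ]; then
    ea_result "$LOG_PATH"
fi
```

Because the agent only loads for a GUI session of that account, using the account's credentials in an authorization prompt is not affected by it, which is the property the original question asks for. The log file lives in the hidden account's own home so the non-root helper can append to it, and the root-run Extension Attribute can read it.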