Hiding admin account

dpasawongse
New Contributor

Does anyone know of a script to hide the admin account, and works with Casper Admin/Imaging?

11 REPLIES

cbrewer
Valued Contributor II

dpasawongse
New Contributor

I've added this script to an image configuration, but it did not work.

Aziz
Valued Contributor

For what it's worth, this makes the admin account hidden.

It's part of my imaging configuration with a priority of 3 with 'install on boot drive after imaging'.

https://github.com/MagerValp/CreateUserPkg

hzimmerman
New Contributor III

The IsHidden works for me. Be careful to not put a trailing slash at the end of the command.

dscl . create /Users/hiddenuser IsHidden 1

will work.

dscl . create /Users/hiddenuser/ IsHidden 1

will silently fail, from what I remember.

In addition, I normally do this to hide the admin's home folder:

chflags hidden /Users/hiddenuser

You could move the home folder somewhere like /var/home, but I find it easier to simply hide the folder from the Finder. If someone wants to poke around in the terminal and find the hidden user folder, that is on them. I have also found that some applications do not like home folders moved out of /Users/.

dpasawongse
New Contributor

@hzimmerman I tried it, making a .sh file and running it on CasperAdmin, then Casper Imaging: fail
I tried it running on Casper Remote, and it failed. How are you typing the commands in shell?
@Abdiaziz: will try yours and get back to you

tlarkin
Honored Contributor

Hi Everyone,

You can use the JAMF binary as well to accomplish this. Also with the release of Yosemite I think Apple wants you to stay out of dscl and they introduced a new binary called sysadminctl which can create user accounts.

An example command for JAMF binary would be:

sudo jamf createAccount -username tlarkin -realname "Tom Larkin" -password "tac0sRGr8" -home /Users/tlarkin -shell /bin/bash -admin -hiddenUser

I used to use the JAMF binary in post imaging scripts to create the user accounts for local admin usage and then use a policy in the JSS to rotate the password if necessary.

Unfortunately sysadminctl does not have a man page, but it has help output:

sysadminctl -help
2015-07-07 16:16:16.296 sysadminctl[9302:6022788] Usage: sysadminctl
    -deleteUser <user name> [-secure || -keepHome]
    -newPassword <new password> -oldPassword <old password> [-passwordHint <password hint>]
    -resetPasswordFor <local user name> -newPassword <new password> [-passwordHint <password hint>]
    -addUser <user name> [-fullName <full name>] [-UID <user ID>] [-password <user password>] [-hint <user hint>] [-home <full path to home>] [-admin] [-picture <full path to user image>]

There is no -hidden switch in sysadminctl, though, so I don't think it can be easily used to hide accounts.

dweb
New Contributor
https://support.apple.com/en-us/HT203998

I don't suppose there is a script created for this so we can just run it by clicking on it once to make it easy to do on multiple machines?

anickless
Contributor II

This is what I use from 10.6 to 10.11.3

sudo dscl . -create /Users/teacherlocal UniqueID 450
sudo dscl . -create /Users/teacherlocal PrimaryGroupID 80
sudo dscl . -create /Users/teacherlocal NFSHomeDirectory /var/teacherlocal
sudo dscl . -create /Users/teacherlocal UserShell /bin/bash
sudo dscl . -create /Users/teacherlocal RealName "teacherlocal"
sudo dscl . -passwd /Users/teacherlocal Sch00L
sudo mkdir /var/teacherlocal
sudo chown -R teacherlocal /var/teacherlocal
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool TRUE

hope it helps

blackholemac
Valued Contributor III

check out this write up on the subject...not my work but it sounds intuitive enough:

https://babodee.wordpress.com/2017/10/05/sysadminctl-changes-in-10-13/

Mkh
New Contributor III

Is there any script or extension attribute that checks if the management account is hidden or not? I need it to create a smart group for the Macs that have a visible management account.
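
One way to write the check asked about above, as an added example that is not part of the original thread or any poster's script. It assumes the `dscl . -read` output formats noted in the comments and the `<result>` wrapper used by Jamf extension attributes; `hiddenuser` is the placeholder account name from earlier in the thread, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report whether a local account carries IsHidden=1.
# ACCOUNT is a placeholder; the thread uses "hiddenuser" as its sample name.
ACCOUNT="${ACCOUNT:-hiddenuser}"

# Build the dscl record path without a trailing slash, since the thread
# reports that a trailing slash makes the dscl command fail silently.
record_path() {
    name="${1%/}"
    printf '/Users/%s\n' "$name"
}

# Classify the text printed by `dscl . -read <record> IsHidden`.
# Assumed formats: "dsAttrTypeNative:IsHidden: 1" (or "IsHidden: 1") when
# the attribute is set, "No such key: IsHidden" when it is absent.
classify_ishidden() {
    value=$(printf '%s\n' "$1" | awk '/IsHidden:/ {print $NF; exit}')
    case "$value" in
        1) echo "Hidden" ;;
        *) echo "Visible" ;;   # absent, 0, or anything else counts as visible
    esac
}

# Query the local directory node; degrade gracefully off macOS or when
# the account does not exist, so a smart group never sees an empty value.
account_state() {
    command -v dscl >/dev/null 2>&1 || { echo "Unknown"; return 0; }
    rec=$(record_path "$1")
    dscl . -read "$rec" RecordName >/dev/null 2>&1 || { echo "Missing"; return 0; }
    out=$(dscl . -read "$rec" IsHidden 2>&1) || true
    classify_ishidden "$out"
}

echo "<result>$(account_state "$ACCOUNT")</result>"
```

A smart group can then match on the value `Visible` to collect the Macs whose management account still shows up.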

rsteffens
New Contributor III

I also need to hide a local user admin account. Does anyone have any other method for doing this besides dscl? Can the Jamf binary be used to hide an already existing account without creating a new one?