How-to disable "Create new account"

ThijsX
Valued Contributor

Gents,

We have the following situation in our macOS environment.

The user is using a MacBook, and the following accounts are pre-defined on it:
- a local administrator account that is only available to IT Support staff;
- the user's personal account (Managed, Mobile).

At the moment the users are able to create local accounts for family members, kids or even co-workers.
We really want to block that, but keep the admin rights active for the user of the MacBook.

Anyone knows how?

Many thanks!

9 REPLIES

Johnny_Kim
Contributor II

You could use a configuration profile to disable the 'Users & Groups' pane.

ThijsX
Valued Contributor

Hi,

Thanks for your answer. Are they still able to change their password in this section?

Thanks.

Johnny_Kim
Contributor II

Once blocked, Users & Groups will be inaccessible.

osxadmin
Contributor II

@txhaflaire you could have them change their password in System Preferences -> Security & Privacy.

ThijsX
Valued Contributor

@Johnny.Kim Thanks, we have deployed the mobileconfig, but when they use "change password" in ADPassMon they are still able to get into the pane.

@osxadmin Thanks for your reply!

davidacland
Honored Contributor II

There are a few other ways the users could create accounts if they really wanted to. sysadminctl and dscl could both do it from the Terminal.

Not sure how technical the users are so this might not be an issue.

I would probably go with blocking the users and groups preference pane as a "deterrent" on the understanding that there are other ways they could get around it.

Any other solutions I can think of would be quite "hacky".

ThijsX
Valued Contributor

@davidacland Thank you for your reply!

SimonLovett
New Contributor III

Hi,

One way to monitor whether the user has made use of those commands might be to set up an extended attribute to count the number of local accounts, including invisible and service accounts, via a dscl call, and then subtract all known legitimate service accounts from that count.

Your remaining count should then be two - the local admin account and the legitimate user account. You could even take two off that to get a good result of 0.

Any machines which return above 0 are then visible together in a smart group as "out of security policy".

I think something like that would work, but I don't quite have time to bash it out myself at the moment. Does anyone want to run with it, or is it flawed as an idea?
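
The extension attribute sketched in the post above, written out as an added example (this is not code posted in the thread). Instead of maintaining a list of known service accounts, it lists local accounts with `dscl . -list /Users UniqueID` and keeps only those with a UID of 500 or higher: root, daemon, nobody and the underscore-prefixed service accounts all sit below 500 on macOS, and a mobile AD account gets a high UID, so it survives the filter. It then subtracts the expected baseline of two (IT admin plus the user's own account) and reports the remainder for a smart group. The baseline, the `itadmin`/`jdoe`/`kiddo` names and the sample data are assumptions; off a Mac the script falls back to that constructed sample so it can be tried anywhere.

```shell
#!/bin/sh
# Added example: Jamf Extension Attribute that counts local user accounts beyond the
# expected baseline. Assumptions: every Mac legitimately carries exactly two accounts
# with UID >= 500 (the IT admin account and the user's mobile account); anything above
# that is reported, and a smart group on "result > 0" surfaces the out-of-policy Macs.

EXPECTED_ACCOUNTS=2   # assumed baseline: IT admin + the user's own account
MIN_USER_UID=500      # macOS system/service accounts (root, daemon, nobody, _*) are below 500

# Read "name uid" lines (the format of `dscl . -list /Users UniqueID`) on stdin and
# print the names that count as real user accounts, one per line. A non-numeric UID
# (nobody is -2 on macOS) is treated as a system account and skipped.
user_accounts() {
    awk -v min="$MIN_USER_UID" '$2 ~ /^[0-9]+$/ && $2 + 0 >= min + 0 { print $1 }'
}

# Read the same input and print how many user accounts exceed the baseline (never negative).
extra_account_count() {
    user_accounts | awk -v expected="$EXPECTED_ACCOUNTS" \
        'END { n = NR - expected; print (n > 0 ? n : 0) }'
}

if command -v dscl >/dev/null 2>&1; then
    # Real run on a Mac: emit the value in the <result> tags Jamf expects from an EA.
    echo "<result>$(dscl . -list /Users UniqueID | extra_account_count)</result>"
else
    # Constructed sample (not captured from a real machine) so the script demonstrates
    # itself on a non-Mac host. Three accounts pass the UID filter; minus the baseline of
    # two that leaves one unexpected account ("kiddo").
    SAMPLE_USERS='root 0
daemon 1
nobody -2
_spotlight 89
Guest 201
itadmin 501
jdoe 1078642
kiddo 502'
    echo "Unexpected accounts in sample: $(printf '%s\n' "$SAMPLE_USERS" | extra_account_count)"
    echo "User accounts seen: $(printf '%s\n' "$SAMPLE_USERS" | user_accounts | tr '\n' ' ')"
fi
```

This catches accounts created through the Users & Groups pane, `sysadminctl` and `dscl` alike, because all three write to the local directory node the EA reads. It is deterrent-grade detection, in line with the earlier reply: a user who keeps admin rights can set an arbitrary UniqueID with `dscl`, so an account deliberately given a UID below 500 would slip under the filter. If that matters, run `user_accounts` with a lower threshold and compare the names against a per-machine allowlist instead.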

apizz
Valued Contributor

@txhaflaire you're going to want to move away from ADPassMon per macmule's blog post - https://macmule.com/2017/04/01/adpassmon-is-dead-long-live-nomad/#more-2662 - as it is no longer being maintained.

We were using ADPassMon as well, but are in process of moving to NoMAD.