Hiding The Administrator Account in OS X 10.5 (Leopard)

I would like to know how to hide my initial account (which is an administrator account) in the new Leopard 10.5 operating system.
In the old OS 10.4 this could be done very easily with the help of NetInfo Manager. You could change the UID to anything below 500 and secure your account, however in the new 10.5 OS this is no longer possible. NetInfo manager is no longer. Is there a script that can be entered via terminal that takes care of this?
In terminal you can check the user database with the following:
dscl . list /Users UniqueID

In raw UNIX you can check with the following:
cat /etc/passwd

Any pro help would be appreciated.


Try this:

sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add <admin_name>

Substitute <admin_name> with the admin user name. You'll probably need to reboot the system.

I think also if you set the UID to under 500 it will hide it from the Finder but not the loginwindow; if you use the previous line above with the sudo defaults write command, it should hide it from both.

Sorry, I didn't fully read the original post. I take quick breaks from work and browse forums to clear my mind of something I am working on, and so as a result I sometimes hastily answer things.

To answer your question about the user ID (UID), you can set it by using the dscl command in OS X. For example, let's say you have a user called hidden administrator, short name hadmin:

dscl . -create /Users/hadmin UniqueID 401

I am not exactly sure if you can modify a UID on a system, and I am willing to bet OS X doesn't like you doing that. I know in Workgroup Manager in an OD environment you can't change the shortname, nor can you change the UID once it has been generated. So, you may have to recreate your hidden user account.

Thanks Guys, I'll give it a shot. But I think I'm pretty close to finding what I'm looking for. I'll post as soon as I can verify the solution.

I think I've found a solution for hiding the admin account, but it took a little experimenting to get it to work. At first I had dropped the UID & GID to 102, along with the script: sudo dscl . -change /Users/pgsql UserShell "/bin/bash" "/usr/bin/false" ... it hides the account, but weirdly locks you out at the login screen.

Things seem to be much smoother by dropping the UID to 499 and the GID to 501 along with the script: defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

This hides the account well with no problems. I'm still experimenting with a few other things, but this should do the trick.

Just a special thanks to Mark S. for working with us on this down in Texas.

I have a script that creates this now. The script is still within testing phases, so it may or may not work 100%; please use at your own risk, and if you make any tweaks let me know to make it better.

#!/bin/bash
# Creates a local admin account with a low UID and hides it from the login
# window. Handles Darwin 8 (10.4) and Darwin 9 (10.5) only.

if [ -z "$1" ] || [ -z "$2" ] ; then
	echo "usage: $(basename "$0") [username] [password] ([UID] optional) ([GID] optional)"
	exit 1
fi

USERNAME=$1
PASSWORD=$2
UNIQUEID=$3
GROUPID=$4

# Directory node path for this OS release. The variable must not be called
# PATH: that would overwrite the shell's command search path.
if [ "$(uname -r | cut -d. -f1)" = 8 ] ; then
	DSPATH='/NetInfo/root'
elif [ "$(uname -r | cut -d. -f1)" = 9 ] ; then
	DSPATH='/Local/Default'
else
	exit 1
fi

# Fall back to the defaults unless both IDs were given.
if [ -z "$GROUPID" ] || [ -z "$UNIQUEID" ] ; then
	GROUPID=0
	UNIQUEID=489
fi

# Abort if a user with exactly this short name already exists.
checkUser ()
{
	if /usr/bin/dscl localhost list "$DSPATH/Users" | /usr/bin/grep -qxF -- "$USERNAME" ; then
		echo "the username '$USERNAME' already exists"
		exit 1
	fi
}

# Create the user record with the requested IDs and add it to the admin group.
makeUser ()
{
	/usr/bin/sudo /usr/bin/dscl localhost create "$DSPATH/Users/$USERNAME"
	/usr/bin/sudo /usr/bin/dscl localhost create "$DSPATH/Users/$USERNAME" PrimaryGroupID "$GROUPID"
	/usr/bin/sudo /usr/bin/dscl localhost create "$DSPATH/Users/$USERNAME" UniqueID "$UNIQUEID"
	/usr/bin/sudo /usr/bin/dscl localhost create "$DSPATH/Users/$USERNAME" UserShell /bin/bash
	# Point the account at the home directory that moveUser creates.
	/usr/bin/sudo /usr/bin/dscl localhost create "$DSPATH/Users/$USERNAME" NFSHomeDirectory "/var/home/$USERNAME"
	/usr/bin/sudo /usr/bin/dscl localhost passwd "$DSPATH/Users/$USERNAME" "$PASSWORD"
	/usr/bin/sudo /usr/bin/dscl localhost append "$DSPATH/Groups/admin" GroupMembership "$USERNAME"
}

# Populate the home directory under /var/home from the user template.
moveUser ()
{
	/bin/echo "creating new admin account homedir..."
	/usr/bin/sudo /bin/mkdir -p "/var/home/$USERNAME"
	/usr/bin/sudo /usr/bin/ditto -rsrc -V /System/Library/User\ Template/English.lproj/ "/var/home/$USERNAME/"
	/usr/bin/sudo /usr/sbin/chown -Rf "$USERNAME":admin "/var/home/$USERNAME"
	/bin/echo "confirming what we just did..."
	/bin/ls "/var/home/$USERNAME/"
	/usr/bin/id "$USERNAME"
	/bin/echo "if that looks good, we're all set."
}

# Remove the account again (not called by default, see the end of the script).
deleteUser ()
{
	/usr/bin/sudo /usr/bin/dscl localhost delete "$DSPATH/Users/$USERNAME"
	/usr/bin/sudo /usr/bin/dscl localhost delete "$DSPATH/Groups/admin" GroupMembership "$USERNAME"
}

# Back up the loginwindow preferences once, then hide the account.
# Note: -array replaces any existing HiddenUsersList.
hideUser ()
{
	/usr/bin/sudo /bin/cp -n /Library/Preferences/com.apple.loginwindow.plist /Library/Preferences/com.apple.loginwindow.plist.backup
	/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
	/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array "$USERNAME"
	/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE
}

checkUser
makeUser
moveUser
hideUser
#deleteUser

You will need to fill in the blanks, and it also moves the hidden account's home directory to /private/var/home

Interesting redirection, I'd like to experiment with it and do a little more tweaking. Thanks so much for your input. In addition to the Admin Account, I'm also thinking about the guest account which is below 200. Disabling it is not enough, it's a nice addition to Apple's new OS, but this poses possible questions if not regulated in a controlled environment.

welcome

  • Hope this helps out.

This is going to sound ridiculous but I was testing on my first Mac and wanted to play around with this hidden user account feature. After following the notes on this thread and lowering the UID to below 500, I ran the terminal command stated above to add it to the Hidden list. Now, for the life of me, I can't figure out how to reverse the process so I can access the account again under Sys Preferences.

Any help would be greatly appreciated. I'm pulling my hair out in frustration.

Thanks!

You'll need to re-image more than likely. Once the UID has been lowered (and machine restarted), the change is propagated throughout the OS and it can't be restored unless you re-image the HD with the OS again and start fresh. Don't perform this mod unless you're serious about managing your administrator account.

No need to reimage.
To reverse the situation,
sudo defaults delete /Library/Preferences/com.apple.loginwindow Hide500Users

This will make the account visible in the Accounts preference pane unless you had added the HiddenUsersList dealie someone else suggested, in which case:
sudo defaults delete /Library/Preferences/com.apple.loginwindow HiddenUsersList

should do the trick.

Log in as a different admin (create one if necessary?) and control+click the previously hidden user icon in Accounts pref pane and change the user account ID, and/or home folder location.

If you change the uid, you will need to chown the home folder to the new uid by:
sudo chown -R <adminusername> /path/to/home/folder

If you changed the home folder location, you'll either move the old home folder to the new location, or allow the system to create a new home folder when you log in as the previously hidden admin user (if you created a second admin account that you no longer need, delete the second admin account through Accounts pref pane) and dispose of the old home folder.

I hope that's helpful. It can all be scripted also (though I doubt there would be much call for that).
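An audit for the two hiding mechanisms discussed in this thread (a UID below 500 and an entry in HiddenUsersList), written as an added example that is not part of any post above. It lists admin-group members that would not appear at the login window; the function names, the sample accounts and the decision to skip root are assumptions made for the illustration.

```shell
#!/bin/sh
# Added audit example, not code from the thread.
# find_hidden_admins USERS ADMINS HIDDEN
#   USERS  : text of `dscl . list /Users UniqueID` (one "name uid" per line)
#   ADMINS : admin group members, space separated
#   HIDDEN : HiddenUsersList entries, space separated
# Prints "name uid reason" for every admin that is hidden by either mechanism.
find_hidden_admins() {
    printf '%s\n' "$1" | awk -v admins="$2" -v hidden="$3" '
        BEGIN {
            n = split(admins, a, " "); for (i = 1; i <= n; i++) is_admin[a[i]] = 1
            m = split(hidden, h, " "); for (i = 1; i <= m; i++) is_hidden[h[i]] = 1
        }
        # root (UID 0) is an expected admin member, so it is skipped (assumption).
        NF == 2 && ($1 in is_admin) && $1 != "root" {
            reason = ""
            if ($2 + 0 < 500) reason = "uid<500"
            if ($1 in is_hidden)
                reason = (reason != "" ? reason "," : "") "HiddenUsersList"
            if (reason != "") print $1, $2, reason
        }'
}

# Collects the three inputs on a live Mac and runs the check.
audit_this_mac() {
    users=$(dscl . list /Users UniqueID)
    admins=$(dscl . read /Groups/admin GroupMembership | sed 's/^GroupMembership: *//')
    # `defaults read` prints the array as ( a, b ); turn punctuation into spaces.
    hidden=$(defaults read /Library/Preferences/com.apple.loginwindow \
        HiddenUsersList 2>/dev/null | tr '(),"\n' '     ')
    find_hidden_admins "$users" "$admins" "$hidden"
}

# Constructed sample data (not taken from a real machine).
SAMPLE_USERS='root 0
daemon 1
_www 70
hadmin 401
ghost 402
alice 501
bob 502'
SAMPLE_ADMINS='root alice hadmin ghost bob'
SAMPLE_HIDDEN='bob ghost'
```

On a Mac, call `audit_this_mac`; any line it prints names an administrator that the login window does not show and should be matched against accounts you created on purpose.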