How to Create a Hidden Local Admin Account on Mac Systems (Redux)

Lance showed us a top tip for creating an invisible Local Administrator account by placing a period character (.) in front of the username.

Doing this was handy for preventing the admin user from showing up in the Users & Groups System Preferences, but it was discovered that this would also cause the account to be skipped over when doing an OS upgrade (e.g., updating from 10.8 Mountain Lion to 10.9 Mavericks).

As a result, after the update the user no longer exists under the new OS and needs to be recreated.

It’s likely that this is because the period also stops the user from being listed in the Directory Service directory list:

dscl . -list /Users

So what can we do to ensure that the hidden local account stays put?

There are actually multiple ways for creating hidden local accounts on Mac systems, and Apple has handily listed the different methods here: http://support.apple.com/kb/HT5017

The gist of the Apple article is that there is an attribute in the com.apple.loginwindow plist that we can set to hide all users with a UID below 500, and we can also move the user’s home folder to the /var/ directory to keep it away from non-admin users.

Note:

As before – in order to create these hidden accounts, you DO need an existing Admin account on the Mac to begin with. This account could then be removed after creating its hidden counterpart.

The GUI method (Basic):

  1. Login as your regular Local Admin, open the Terminal and run the command:
    sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
  2. Go to System Preferences > Users & Groups
  3. Press the [ + ] button and create a new Administrator user like normal. Note: Make sure not to login as that newly created user yet!
  4. Once the user appears in the list on the left, right-click on the name and select “Advanced Options…”
  5. Change the “User ID” to something in the 400-range, like: 401
    Change the “Home directory” path to: /var/username


  6. Save the changes, go to the “Login Options” section and make sure the following is set:
     - Display login window as: Name and password
     This will ensure that the name and password box is immediately available without having to press the “Other…” icon at the login screen.
  7. Close and reopen System Preferences > Users & Groups; your new user will now be hidden.
  8. Logout and login as the hidden user… Tadaaa!

The command-line method (Advanced):

  1. Login as regular Local Admin and open the Terminal (or SSH in as Local Admin)
  2. Create the user. The following will create a new user with the following properties:
     — Username    : ninja_admin
     — Password    : 123
     — Home Folder : /var/ninja_admin
     Feel free to change values as needed.

    sudo dscl . -create /Users/ninja_admin UniqueID 401
    sudo dscl . -create /Users/ninja_admin PrimaryGroupID 20
    sudo dscl . -create /Users/ninja_admin NFSHomeDirectory /var/ninja_admin
    sudo dscl . -create /Users/ninja_admin UserShell /bin/bash
    sudo dscl . -create /Users/ninja_admin RealName "Ninja Admin"

    sudo dscl . -passwd /Users/ninja_admin 123
  3. Create the user’s home folder and make the new user its owner:
    sudo mkdir /var/ninja_admin
    sudo chown -R ninja_admin /var/ninja_admin
  4. Add the user to the Local Admin group:
    sudo dscl . append /Groups/admin GroupMembership ninja_admin

    – You could skip this command by setting the user’s PrimaryGroupID to 80 (Administrators) in Step 2.
    – There seems to be no difference with either method of making the user an Admin, but this way seems to be the native way that OS X does things, so we’ll go with that.

  5. Enable the hidden functions:
    sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
  6. Ensure that the “Others” option will appear at the login window, in case the Login Options is still set to “List of users” (so that we can still get to the name and password login boxes):
    sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool TRUE
  7. Logout and login as the Hidden Admin.
  8. Logout and log in as the original Local Admin, look in System Preferences > Users & Groups…  Tadaaa!

The cool thing about the command-line method is that you can stick all the above commands into a bash script and run it with a single command.

Attached is an example script that you can take a look at and try out for yourself.

To test it, save the script to the Mac Desktop, edit the parameters inside with TextEdit to your desired values, save, and run the following command:

sudo sh ~/Desktop/create_hidden_local_admin.sh

************************************************************
************************** NOTE **************************

  • The example script has been tested on OS X versions 10.7 – 10.9 and is provided as-is with the assumption that you know your way around the Terminal and bash commands.
  • NO official support for this script will be provided by Centrify as this is all pure native OS X.

************************************************************
************************************************************

Unhiding the account:

There are two options to unmask the hidden user:

Option 1:

  • Turn off Hide500Users using:
    sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool NO
  • This can be done under the hidden account itself.

Option 2:

  • Change the user’s UID to the next available UID above 501 and then move and reset the permissions of the home folder:
    sudo dscl . -change /Users/ninja_admin UniqueID 401 502
    sudo dscl . -change /Users/ninja_admin NFSHomeDirectory /var/ninja_admin /Users/ninja_admin
    sudo mv /var/ninja_admin /Users/ninja_admin
    sudo chown -R ninja_admin /Users/ninja_admin
  • This CANNOT be done while the hidden user is still logged in.

If you just need to see if the hidden account is on the Mac, then you can use the following command to list all accounts with a UID higher than 400:

dscl /Local/Default -list /Users UniqueID | awk '$2 > 400 { print $1; }'

– To see what is happening here, check out this article.
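The one-liner above lists every account with a UID above 400, hidden or not. When auditing a Mac for accounts that Hide500Users would conceal, the more useful question is: which accounts have a UID below 500 and are also members of the admin group? The script below is an added example for that check; it is not part of the original post or its attached script. It applies the same kind of awk filter to constructed sample text in the format that dscl . -list /Users UniqueID and dscl . -read /Groups/admin GroupMembership produce, so it runs offline; on a real Mac you would pass the live output of those two commands instead. The account name ninja_admin and the other sample entries are made up for the example.

```shell
#!/bin/bash
# Audit helper (example code, not from the original post): report local accounts
# that would be hidden by Hide500Users (UID below 500) and are also in the admin
# group. Apple's own service accounts (names starting with "_") and root are
# skipped, since they are expected to be there.

# Constructed sample in the shape of:  dscl . -list /Users UniqueID
SAMPLE_USERS='_spotlight 89
daemon 1
nobody -2
root 0
ninja_admin 401
alice 501
bob 502'

# Constructed sample in the shape of:  dscl . -read /Groups/admin GroupMembership
SAMPLE_ADMIN_MEMBERS='GroupMembership: root alice ninja_admin'

# find_hidden_admins USERS_TEXT ADMIN_MEMBERS_TEXT
# Prints "name uid" for each account with 0 < uid < 500 that is in the admin
# group; prints nothing when there is no such account.
find_hidden_admins() {
    local users="$1" members="$2"
    # Drop the "GroupMembership:" label, leaving space-separated member names.
    local admins="${members#GroupMembership:}"
    printf '%s\n' "$users" | awk -v admins="$admins" '
        BEGIN {
            n = split(admins, a, " ")
            for (i = 1; i <= n; i++) isadmin[a[i]] = 1
        }
        # $1 = account name, $2 = UniqueID; skip _service accounts and root (0)
        $1 !~ /^_/ && $2 > 0 && $2 < 500 && ($1 in isadmin) { print $1, $2 }'
}

# Stand-alone run over the constructed sample; prints: ninja_admin 401
find_hidden_admins "$SAMPLE_USERS" "$SAMPLE_ADMIN_MEMBERS"
```

On a live system the two arguments would be `"$(dscl . -list /Users UniqueID)"` and `"$(dscl . -read /Groups/admin GroupMembership)"`. Any name this prints that does not appear in Users & Groups is exactly the kind of account this article describes; pair it with `defaults read /Library/Preferences/com.apple.loginwindow Hide500Users` to confirm whether hiding is switched on at all.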

If the account is in that list, but not seen in the Users & Groups System Preferences, then that’s your hidden account. Alternatively, just look in the /var/ folder.

…and that’s all that’s needed to create and manage your own hidden local admin accounts on Mac systems.

Hope that’s handy!

Attachments:
create_hidden_local_admin.zip ‏2 KB