Go into System Preferences > Users & Groups on a Mac, look at the user list on the left side, and you will invariably see at least one example of each of the three main types of accounts on Mac OS X: local, network and mobile.
So what do all those little subheadings mean?
You may recall that Mac OS X accounts are essentially made up of two components: their profile index (the user record) and their home folder (the actual workspace).
To stretch this concept further (and hopefully make it easier to explain…), imagine a Mac system as an office building, and each of the accounts above are office workers in this building.
To get into the building, each worker has an ID card – this ID card just holds their basic information like name and employee number… hence, the ID card is their profile index.
Once the employee is in the building, they need to get to their workspace, wherever or whatever it may be… aka their home folder.
With this analogy tentatively established, let’s see if we can use this to learn about the difference between each type of employee (account).
Ignoring the Guest account at the bottom, the next two up in the list, marked “Standard” and “Admin”, are regular local accounts: Admin is the overlord of everything, Standard is the regular Joe worker with restricted access privileges.
These workers never leave the office – they are the master of their own universe and answer to no-one but themselves. They are always there, ever reliable, but very antisocial. Their interest extends only up to the walls of the office building and no further. In terms of networking they are completely unrecognised and will be turned away at every door that leads outside of their building.
Local accounts are completely separate from network accounts and so are not subject to the same management rules such as password policies and local restrictions – in an Enterprise environment these may not be as practical for day-to-day operations, but are handy in times when a network account is not available.
It is recommended to keep a local administrator account on a Mac for those times when troubleshooting is needed. (Remember that this account can also be hidden away if needed.)
This is your typical employee in the building – they swipe their ID to get in, get to their workspace while logged in, and then leave the building when they finish (Network accounts only appear in the user list while the user is actually logged in). Network accounts are centrally managed and subject to password policies, remote management and other company rules – however it also means they can use their credentials to access network resources and go places where local accounts cannot.
There are two main types of network accounts – those with local home folders and those with network home folders:
- Local home folder: The user’s workspace is stored on one machine in the building; any new machine the user logs onto will create an entirely new workspace for them.
- Pro: This setup is very simple to implement and very reliable. Since everything is stored on the machine, it also means the user can take their machine off the network and work offline if they so desire.
- Con: This type of setup is not so practical for users who use a different machine every day – they will need to use the same machine if they wish to keep consistent with their workspace.
- Network home folder: The user’s workspace is stored elsewhere in the company, outside of the building, and the user connects to it remotely when they sign in.
- Pro: The user can use any machine in the building and still get the same user experience – all their preferences and documents are pulled from a central server when needed. The workspaces can be thought of as kept in a safe location, and backups can easily be made without requiring the user to be present.
- Con: The machine needs to maintain a constant connection to the remote workspace while the user is logged in. If the connection is broken or inaccessible – then the user could lose work and may even be kicked out of the building completely. This also means that network accounts with network home folders cannot take their machines offline and work in the coffee shop across the road.
Note: In the screenshot above, my Network Account has also been given overlord permissions via a Centrify group policy – this is why it is also listed as an “Admin” on the Mac. However, it does not mean that it is now considered a local account – Network Accounts are explicitly labelled “Network”, while local accounts only show their level of access.
This is where my office building analogy breaks down (if it hasn’t already!).
Mobile accounts are essentially a combination of both local and network accounts mushed together into a kind of hybrid account:
- The system will recognise it as having a local profile, which means that it will stay persistent in the user list even after the user logs out. (This is necessary for FileVault users who need to use their network credentials to unlock FileVault at startup.)
- The account will also be recognised as a network account outside of the Mac which means that it will see the same policies and access as a regular network account.
- The account can have both a local home folder and a network home folder at the same time, with periodic syncing configured between the two.
- The main drawback to Mobile Accounts is the complexity of the setup – the increase in moving parts means there is a lot more to configure and maintain.
- In general, the two scenarios in which a Mobile Account would be recommended would be when FileVault is in use, or if a constant backup of the local home directory is needed.
Note: If setting up a Mobile Account via group policy – you may see the “Managed” label in the user list as well – this just means that the Mobile Account’s settings are being configured by Active Directory, instead of by the user themselves.
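The labels in the Users & Groups list can also be read from the directory records themselves, which is handy when scripting an inventory of the three account types and the “Admin” flag described above. This is an added example, not code from the original post: it assumes Apple’s Directory Services record format, in which a mobile account’s AuthenticationAuthority carries the `;LocalCachedUser;` tag, and the sample records and the EXAMPLE domain are constructed so the script runs without a Mac.

```shell
#!/bin/sh
# Added example: classify a macOS user as local, mobile or network from its
# directory record, and check admin membership. Works on the "Attribute: value"
# text that dscl prints. On a real Mac you would feed it live records:
#   classify_account "$(dscl . -read /Users/"$u" 2>/dev/null)" \
#                    "$(dscl /Search -read /Users/"$u" 2>/dev/null)"
#   is_admin "$u" "$(dscl . -read /Groups/admin GroupMembership)"

# $1 = record from the local node (empty if none), $2 = record found via /Search.
# A mobile account is a cached copy of a network record and is tagged
# ";LocalCachedUser;" in AuthenticationAuthority; a local record without the tag
# is a plain local account; a user reachable only via /Search is network-only.
classify_account() {
  if [ -n "$1" ]; then
    if printf '%s\n' "$1" | grep -q ';LocalCachedUser;'; then
      echo mobile
    else
      echo local
    fi
  elif [ -n "$2" ]; then
    echo network
  else
    echo unknown   # no record anywhere: typo, or the directory server is unreachable
  fi
}

# $1 = user name, $2 = GroupMembership line of the local admin group.
# The "Admin" label only reflects this membership; it does not change whether
# the account is local, mobile or network.
is_admin() {
  printf '%s\n' "$2" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | grep -qxF "$1"
}

# Constructed sample records (not captured from a real machine).
LOCAL_USER='RecordName: jsmith
UniqueID: 501
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
MOBILE_USER='RecordName: ad.user
AuthenticationAuthority: ;LocalCachedUser;/Active Directory/EXAMPLE/example.corp:ad.user:S-1-5-21-1-2-3-1001
OriginalNodeName: /Active Directory/EXAMPLE/example.corp'
NETWORK_USER='RecordName: net.user
AuthenticationAuthority: ;Kerberosv5;;net.user@EXAMPLE.CORP;EXAMPLE.CORP;'
ADMIN_GROUP='GroupMembership: root jsmith ad.user'

report() {  # $1 = name, $2 = local-node record, $3 = /Search record
  kind=$(classify_account "$2" "$3")
  if is_admin "$1" "$ADMIN_GROUP"; then echo "$1: $kind (admin)"; else echo "$1: $kind"; fi
}
report jsmith "$LOCAL_USER" "$LOCAL_USER"      # jsmith: local (admin)
report ad.user "$MOBILE_USER" "$MOBILE_USER"   # ad.user: mobile (admin)
report net.user "" "$NETWORK_USER"             # net.user: network
```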
Hopefully this has helped clarify some of the differences between the account types that can appear on a Mac. If you have any further questions or suggestions where I can elaborate further, please leave a comment below and I will see what I can do to help you out.