If you have a system that is used by other people, you may want to give them managed user accounts and then reserve a separate administrative account for installing apps and changing system settings. This is especially true for situations where many people may be using one computer, such as in classrooms. While you can always create an administrative account, by default such accounts will show up along with others at the login window, in the Fast User Switch menu, and other locations; however, you can set this up to be hidden from most of these locations.
The root account
One approach for a hidden user account is to enable the root account. However this being fully unrestricted comes with inherent risks. Even though admin accounts may authenticate for root access, this ability is time- or session-limited, meaning that authentication is regularly required to ensure administrative actions are truly desired. However, with the root account no such checks are done, and faulty administrative actions can be harmful. Since practically every root action can be done from an administrative account, its best to avoid enabling root unless some action cannot be done otherwise.
To create a special hidden user account that has administrative rights, you can go one of two routes based on the version of OS X that you have, but first you must create the account. This can either be done in the Users & Groups system preferences, or by using the command line (useful for scripting or remote-access approaches). For the second approach, open the Terminal and then run the following set of commands (replace USERNAME with the corresponding name of your account):
- Get a list of current User ID numbers:
dscl . list /Users UniqueID
- Create the user’s account in the local directory:
sudo dscl . create /Users/USERNAME
- Set the user’s password:
sudo dscl . passwd /Users/USERNAME
- Set the user’s full name:
sudo dscl . create /Users/USERNAME RealName "USER NAME"
- Set the user’s default shell:
sudo dscl . create /Users/USERNAME UserShell /bin/bash
- Add the user to the “admin” group:
sudo dscl . append /Groups/admin GroupMembership USERNAME
Now the following commands will create and assign the user’s home folder, which by default is in the /Users directory, but since this is a hidden account we are putting it in the hidden /var directory:
- Create the folder:
sudo mkdir /var/USERNAME; sudo chown USERNAME /var/USERNAME
- Set the home directory:
sudo dscl . create /Users/USERNAME NFSHomeDirectory /var/USERNAME
- Set the user’s ID to a value unique from the list of User IDs you found in the first step above (change NUM to reflect the value of your selected ID):
sudo dscl . create /Users/USERNAME UniqueID NUM
If your version of OS X is prior to Yosemite, then you can set this unique value to something less than 500, and OS X should hide it. Otherwise, run the following command to have the login window hide users under 500:
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
Note that if you have created the user account in the Users & Groups system preferences, then you can change the User ID and home folder location in the system preferences by right-clicking the user and choosing the advanced options, then adjusting the values accordingly.
If your version of OS X is Yosemite or later, then you have additional approaches available to you for hiding the user account. Instead of being forced to use a User ID value under 500, you can use any ID you want and then set a special attribute for the user account that will hide it:
sudo dscl . create /Users/USERNAME IsHidden 1
To undo this change, re-run the command with “0” instead of “1,” or run the following command to remove the attribute altogether:
sudo dscl . delete /Users/USERNAME IsHidden
Finding hidden user accounts
While these approaches will hide a user account from the login window, the Users & Groups system preferences, and the Fast User Switching menu, you can still view the account. The following command will list the users on the system and then filter out system-based accounts, so you will see the short usernames of all the current users:
dscl . list /Users | grep -v "_\|nobody\|root\|daemon"
I created an admin account in Users & Groups and then picked up with “1. Create the folder,” restarted my computer, and the user still shows up in the list of users (which is weird because I have my login options set to “Name and password.” When I log in with a different account, the other account no longer appears in Users & Groups. Any idea why the hidden account still shows up on the login screen, or why I’m getting a list of users when the preference is set to Name and password? Thanks.
I can’t answer your question with absolute certainty, but I think that probably you have FileVault enabled for the boot volume, and that the “login screen” you are seeing is actually the screen that pops up right after you turn on the computer and that allows you to select one of the users allowed to unlock the encrypted drive.
That screen is virtually identical to the login screen you get when you log off a user or select “Login Window…” from the fast-user-switch menu, and furthermore the user you select will be automatically logged in after the system is loaded. This leads us to believe that both “login screens” are the same, even though technically they aren’t.
Now, I guess that you can reset the disk-unlocking window so that it asks for name and password instead of offering a list of authorized users by flipping the option in the Users & Groups panel. If that fails, you can remove the hidden account from the list of users authorized to unlock the disk.
Strod, you are correct, the disk had FileVault enabled. However, I couldn’t see how to “reset the disk-unlocking window so that it asks for name and password” or remove any account from the list of users authorized to unlock the disk. Even the Guest user showed up. Once I turned FileVault off, the login window was back to normal showing just name and password. I think I must have something going on with my disk because even after creating a new admin account, I can’t demote the original admin to a standard user (from the new account, of course). When I upgrade to El Capitan, I’m going to do a clean install. I haven’t done that since Lion, LoL. When I do, I’ll re-enable FileVault.
Any idea why, when I run `sudo chown USERNAME /var/USERNAME` I get a “chown: USERNAME: illegal user name” error?
Also, what is the semicolon the the end of the `sudo mkdir /var/USERNAME;` line for?
Did you do Steps 1-6 above first? Did you replace USERNAME with the actual username you used when you created the new administrative account?
Yes, I ran through all the prior steps and was using a custom username.
Not sure, but maybe you mistyped something somewhere. Everything worked fine for me.
Any ideas on removal of a “rouge” user account? Logical solutions such as clean install have failed:(