4

I have around 300 baby macs to look after, and they have lots of different admin accounts, which is a nightmare to work with.

ARD has slowly been configured with the accounts of the machine owners, but that doesn't help when bringing on board another sysadmin, who now has to collect all the usernames and passwords of the users.

I figure, it's better for me to run a script using ARD that creates a hidden admin user on each system, with a known username and password. I just don't know how to do it.

Any hints and tips would be appreciated. I am currently trying to work on a draft script now, which I'll post, but anyone else, feel free to jump in with a solution :)

Mister IT Guru
    Why must the account be hidden? And why don't you have a central authentication system? And: what is a baby Mac? A Mac Mini? – Sven Jul 27 '11 at 09:46
  • Why does "bringing on board another sysadmin" change anything? Can't that person use the account information you have already collected? Isn't that information stored in a suitable database (PasswordSafe, PassKeeper, etc.) to which the other admin can be granted access? – John Gardeniers Jul 27 '11 at 10:25
  • The account must be hidden because, as we know, end users like clicking on things that they shouldn't. And who wants to field questions starting with "I noticed this new account on my system..." etc. – Mister IT Guru Jul 27 '11 at 16:47
  • The phrase "Baby Macs" just means that Macs are cute, nothing more :) Also, that admin account will be hidden and used for running scripts and things such as system updates, location software, and many other things. We don't have a database system available to be used for passwords. I'd much rather use centralised authentication, but I need a local admin account to configure the systems, and I'd rather not walk to 300+ machines; hence the admin account, with the same credentials, which will then be used to run scripts to automatically configure the systems appropriately. See, I'm not mad! :) – Mister IT Guru Jul 27 '11 at 16:51

2 Answers

6

Something like this should work:

# Run as root (e.g. sent from ARD as the root user); dscl writes to the local directory node
# Create user record in directory services
dscl . -create /Users/hiddenadmin
dscl . -create /Users/hiddenadmin RealName "Hidden Administrator"
dscl . -create /Users/hiddenadmin UniqueID 499  # Use something between 100 and 500 to hide the user
dscl . -create /Users/hiddenadmin PrimaryGroupID 20
dscl . -create /Users/hiddenadmin UserShell /bin/bash
dscl . -passwd /Users/hiddenadmin "e38TpBs1g;.r"  # Obviously, use something else here

# Set up a hidden home folder
dscl . -create /Users/hiddenadmin NFSHomeDirectory /var/hiddenadmin  # or other hidden location
cp -R /System/Library/User\ Template/English.lproj /var/hiddenadmin
chown -R hiddenadmin:staff /var/hiddenadmin

# Grant admin & ARD rights
dseditgroup -o edit -t user -a hiddenadmin admin
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users hiddenadmin -privs -all -restart -agent

# Tell loginwindow not to show the user
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
# Alternate: defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array hiddenadmin

Note that kickstart (the command-line interface for configuring the ARD client) is rather complex and unintuitive, and you may have to play around with it to get exactly the config you want. Here's an Apple KB article and a man page for it.

Gordon Davisson
  • Ah! This looks promising! (scraps own script!) I'm going to run this on my test rigs, and see where I get, but this is an excellent jump off point! (I'm going to test first before answering! hehe!) – Mister IT Guru Jul 27 '11 at 17:02
  • This worked great when running the script and then logging out, but as soon as I rebooted the machine the "Other" option disappeared. Any thoughts? – abe Mar 03 '23 at 14:38
  • @abe Do you have FileVault turned on? If so, that complicates things, and I haven't dealt with the setup for it under recent versions of macOS. – Gordon Davisson Mar 03 '23 at 20:33
  • @Gordon Ya, that was the issue. No idea how to get round it; will make a post. – abe Mar 07 '23 at 15:56
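An audit companion to the script above (an added example, not code from the answer's author): once the same hidden admin credentials exist on 300 machines, the other sysadmins will want to confirm, from ARD, that every box has exactly the hidden admin accounts you intended and no others. The function below parses the output of `dscl . -list /Users UniqueID` and `dscl . -read /Groups/admin GroupMembership` (the real commands on a Mac; the sample text here is constructed so the script also runs stand-alone on any shell) and reports accounts that are both in the hidden UID range (100-499, as used above) and members of the admin group.

```shell
#!/bin/bash
# Report local accounts that the answer's Hide500Users setting would hide
# from loginwindow (UniqueID 100-499) AND that hold admin rights.

# $1: text of `dscl . -list /Users UniqueID`  (one "name uid" per line)
# $2: text of `dscl . -read /Groups/admin GroupMembership`
# Prints "name uid" for each hidden admin account, one per line.
list_hidden_admins() {
    local users="$1" admins="$2"
    printf '%s\n' "$users" | awk -v members="$admins" '
        BEGIN {
            # Drop the dscl key, then index every member name
            sub(/^GroupMembership:/, "", members)
            n = split(members, m, /[ \t\n]+/)
            for (i = 1; i <= n; i++) if (m[i] != "") isadmin[m[i]] = 1
        }
        # Hidden range per the answer above: 100 <= uid < 500
        NF == 2 && $2 ~ /^[0-9]+$/ && $2 >= 100 && $2 < 500 && ($1 in isadmin) {
            print $1, $2
        }'
}

# On a real Mac, feed live dscl output (needs to run as root via ARD).
audit_live_system() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found (not macOS)" >&2; return 2; }
    list_hidden_admins "$(dscl . -list /Users UniqueID)" \
                       "$(dscl . -read /Groups/admin GroupMembership)"
}

# Constructed sample output (not captured from a real machine) so the
# parser can be exercised anywhere: one expected hidden admin, one hidden
# system account that is not an admin, one ordinary visible admin.
SAMPLE_USERS='_mbsetupuser 248
hiddenadmin 499
jsmith 501
root 0'
SAMPLE_ADMINS='GroupMembership: root jsmith hiddenadmin'

list_hidden_admins "$SAMPLE_USERS" "$SAMPLE_ADMINS"   # prints: hiddenadmin 499
```

Compare the output against the one account you created deliberately; anything else in the list is a hidden admin you did not put there.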
0
# Tell loginwindow not to show the user
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
# Alternate: defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array hiddenadmin

Except that it will still show up in the fast user switching menu (at the right, next to the Spotlight icon).

Falcon Momot