Lesson 5. Manage User Accounts


Goals

- Recognize various user account types and user attributes

- Create and manage user accounts

- Adjust login and fast user switching settings


One of the hallmarks of a traditional computer operating system is support for multiple user accounts. UNIX operating systems, like macOS, have a long history of providing such services. Apple has made many improvements to the UNIX functionality, such as advanced user-management features and streamlined administration tools, all with traditional Apple ease of use.

In this lesson, you will explore the technologies that allow individuals to log in and use a Mac. You will also learn how to create and manage multiple user accounts in macOS Sierra.

Reference 5.1 About User Accounts

With the exception of macOS Recovery or single-user mode, you must log in with a user account to perform any task on a Mac. Even when the computer has just been started up and is showing the login window and you haven’t yet authenticated, the system is still using a handful of system user accounts to maintain background services. Every single file and folder on a Mac computer’s hard disk, every item and process, belongs to some type of user account. Consequently, you need a thorough understanding of user accounts to effectively administer and troubleshoot macOS.


Note

This lesson focuses on user accounts that are available only to a single local Mac. Network user accounts, however, are available to multiple Mac computers and are hosted from shared directory servers. You can find out more about Apple management technologies at https://support.apple.com/business-education.


User Account Types

The majority of home Mac users are only aware of, and therefore only use, the account created when their computer was initially set up with Setup Assistant. macOS is engineered to mimic a single-user operating system by default. As a security precaution, macOS defaults to requiring a user login even if only a single user account is created for the computer. This behavior is also necessary if the user is to enable FileVault.

macOS also supports multiple simultaneous user accounts. Several types of user accounts are available to facilitate different levels of access. Essentially, you choose a specific account type to grant the defined level of access that best meets the user’s requirements.

User accounts are categorized into five types: standard accounts, administrator accounts, the guest account, sharing-only accounts, and the root account. Apple has made these different account types available to provide greater flexibility for managing user access. Because each account type is designed to allow different levels of access, you should also be aware of each account type’s potential security risk.

Standard Accounts

Standard accounts strike the best balance between usability and security; they are also commonly used when multiple people share a computer. This account type is very secure, assuming an appropriate password is set. Standard accounts have read access to most items, preferences, and applications. Standard accounts also have full control over their own home folder, which allows them to install applications into their own home folder.

Standard user accounts are allowed to use nearly all the resources and features of the Mac, but they generally can’t change anything that might affect other users on the system. The lone exception to this rule is that standard account users can install application and system updates from the Mac App Store. This ability includes applying system updates, which obviously have systemwide effects.

Even though standard accounts are allowed full access to the Mac App Store, they are not allowed to manually modify the /Applications folder or use other installation methods that attempt to modify shared parts of the system. This means that standard account users are not allowed to install many items that are distributed outside the Mac App Store. This may seem unfair for developers who don’t distribute via the Mac App Store. However, Apple has instituted tight controls over Mac App Store distribution that provide assurance that the content remains safe for standard account users to install.

If your organization needs to restrict users’ ability to install their own applications, install system updates, or install Mac App Store items, then you should create managed accounts. A managed account is a standard account with parental controls enabled, as covered in Reference 5.3, “Restrict Local User Access.”

Administrator Accounts

Administrator accounts aren’t much different from standard accounts, with one important distinction: administrator accounts are part of the admin group and are allowed full access to all applications, preferences, and shared resource locations, like /Applications and /Library. Thus, administrator account users are allowed to install and run most software as long as they successfully authenticate when the installer application asks for authorization.

By default, administrator account users do not have access to other users’ items outside of shared items like the Public folders. Despite this, administrator account users can bypass these restrictions both in the graphical environment and using Terminal, if needed.

Because an administrator account is the initial account type created when the Mac is configured for the first time using Setup Assistant, many use this as their primary account type. This is advantageous because it lets the user change literally anything on the computer, as is required for system management. The downside is that this user is allowed to make changes or install software that can render the system insecure or unstable.

Additional administrator accounts can be used for daily tasks, but this isn’t always the best idea, because, again, all administrator accounts are created equal. In other words, all administrator accounts have the ability to make changes to virtually anything on the system, including deleting or changing the passwords to other administrator user accounts. Administrator users can also change the administrator rights for any other user account, either disabling current administrators or changing standard users into administrators. Further, opening poorly written or intentionally malicious software as an administrator user could cause harm to any user’s home folder items or compromise the security of the system.

Most significantly, though, any administrator user can enable the root account or change an existing root account password using the Directory Utility application, located in the /System/Library/CoreServices/Applications folder. For these reasons, you should seriously consider limiting the number of administrator user accounts on your Mac systems. Additional standard accounts can be created for more secure daily use, but managing macOS requires access to at least one administrator account.


More Info

As a default on macOS Sierra, System Integrity Protection (SIP) prevents all user account types from modifying core system files. You can find out more about SIP in Lesson 13, “Manage System Resources.”


Guest Account

Because enabling the guest account may be considered a security risk, it is disabled by default on macOS. Once enabled, the default guest account is similar to that of a nonadministrator user, but without a password. Anyone with physical access to the computer can use it to log in.

However, when the guest user logs out, the guest account’s home folder is deleted, including any home folder items that would normally be saved, like preference files or web browser history. The next time someone logs in as a guest, a brand-new home folder is created for that user.

Even though the guest home folder is deleted every time a guest logs out, the obvious security risk here is that literally anyone has access equivalent to that of a standard user account, including access to the /Users/Shared folder and users’ Public folders. Unlike the guest user’s home folder, the contents of these other folders remain after the guest logs out. This means a guest user could execute some potentially nasty applications or fill your disk with unwanted files. Guest users can also restart or shut down your Mac, potentially allowing them to compromise the system during startup.

Fortunately, parental controls enable you to restrict the guest account from running unapproved applications or restarting the Mac. Giving the guest account only limited access, as covered in Reference 5.3, “Restrict Local User Access,” can provide a safe mechanism for temporary user access. Additionally, you can change the access permissions on shared folders so that the guest account is not allowed to copy any items to your disk. Changing file and folder permissions is covered in Lesson 11, “Manage Permissions and Sharing.”


Note

Enabling Find My Mac on a system will also enable the guest account for local login. It’s a trap—for the thief! The intent is that a stolen Mac will be locked when found; however, the culprit can choose Guest as a login option upon system startup or wakeup, which allows limited access to the system. Assuming the default settings, the thief would be allowed only to select a Wi-Fi network and use Safari. When the stolen Mac is back online, the owner can use Find My Mac to locate it. You can find out more about this in Lesson 7, “Manage Security and Privacy.”


Sharing-Only Accounts

macOS allows you to create user accounts that have access only to shared files and folders. Sharing-only accounts have no home folder and cannot log in to the Mac computer user interface or Terminal. Sharing-only user accounts are, by default, allowed file sharing access to users’ Public and Drop Box folders, so, like the guest user, these users could potentially fill the disk with unwanted files.

Sharing-only user accounts cannot log in to the Mac otherwise, and can be required to use a password, so designating sharing accounts is generally much safer than using the guest account for file sharing. You can further control sharing-only account users’ access to your files by adjusting file and folder permissions.

Root Account

The root account, also known as the System Administrator account, is turned off by default on macOS clients, and for good reason: the root account has unlimited access to everything on a Mac. A user with access to the root account can read, write, and delete any nonsystem file; modify any setting; and install any software. Since many system processes run as the root account, it needs to exist on the system; otherwise, macOS wouldn’t be able to start up.

The potential for nefarious activity is quite high with root account access. To help prevent abuse of this account, the default macOS configuration does not have a password set for the root account, and therefore you cannot log in with the account.

However, as covered previously, any administrator user can choose to enable the root account or change an existing root account password using the Directory Utility application. Again, because it only takes an administrator account to initially access the root account, strictly limiting administrator usage is the key to safeguarding the root account.


Note

Anyone with access to macOS Recovery can reset the password for any local account, including the root account. If security is a concern in your environment, it’s highly recommended that you enable FileVault, set a firmware password to restrict macOS Recovery access, or both. Enabling FileVault is covered in Lesson 10, “Manage FileVault.” Setting a firmware password is covered in Lesson 8, “Manage Password Changes.”


Local Group Accounts

Essentially, a group account is nothing more than a list of user accounts. Groups are primarily used to allow greater control over file and folder access. macOS uses several dozen built-in groups to facilitate secure system processes and sharing. For instance, all user accounts are members of the staff group; administrator user accounts are also members of the admin group; and the root account has its own group, known as wheel. Using groups to manage sharing is discussed in Lesson 11, “Manage Permissions and Sharing.”


Note

Standard accounts are always members of the staff group, and administrator accounts are always members of both the staff and admin groups.


Reference 5.2 Configure User Accounts

Once you have a fundamental understanding of macOS user accounts, you’re ready to create new users and manage existing users. In this section, you’ll examine both simple methods and more complex, yet more flexible, methods for managing local user accounts.

Users & Groups Preferences

In macOS, the Users & Groups preferences window in System Preferences is the primary interface for managing local user accounts, local group accounts, and login settings. From this preference pane, local users can manage basic settings for their own accounts, and any user with administrator privileges can unlock this pane and manage attributes for all local accounts.

Creating New User Accounts

From the Users & Groups preferences, after authenticating as an administrator, you can manage any account by selecting it from the list and then modifying items to the right. Create a new account by clicking the small plus button at the bottom of the Users & Groups list. A dialog appears where you can define the basic attributes for the new user account.

The pop-up menu at the top of the user creation pane allows you to define the type of local user account being created: Administrator, Standard, Managed with Parental Controls, or Sharing Only. When creating a new local user account, you should enter a full name, an account name, and the initial password for the user. You can also enter an optional Password hint, but the text cannot match the user’s password.


Note

OS X El Capitan allowed you to create local user accounts that use an Apple ID password as the computer login password. macOS Sierra still supports existing accounts with this feature enabled. However, in Sierra you can no longer create new users with this feature enabled. You can find out more about passwords in Lesson 8, “Manage Password Changes.”


New User Setup Assistant

The first time new users log in to a Mac, they see the new user Setup Assistant. This is similar to the Setup Assistant process described in Lesson 2, “Set Up and Configure macOS,” except abbreviated to the point where the user is asked to enter an Apple ID. Users can choose not to sign in, but if they do enter their Apple ID and password, the Mac automatically sets up macOS features that require an Apple ID. This includes iCloud services and the Mac App Store. Further, this will set up Find My Mac if it has not been previously enabled for the Mac computer.


Note

If you’re entering an Apple ID that belongs to someone under the age of 13 (made possible via Apple ID for Students, Apple School Manager, or iCloud Family Sharing), no iCloud services are enabled by default.


If two-step verification or two-factor authentication is enabled for the user’s Apple ID, the user will also have to provide additional verification. The user may also be asked to enable iCloud Keychain, update to iCloud Drive, and enable iCloud Desktop and Documents, as detailed in Lesson 17, “Manage Documents.” Finally, the user will be prompted to accept a new Terms and Conditions agreement and enable Siri before the new user Setup Assistant completes.


Note

Mac computers managed by a school or business may present different Setup Assistant options than the defaults shown here. In certain managed situations, some of the default screens may be skipped and you may encounter additional organizational configuration screens. These differences are controlled by an administrator via mechanisms outside the Mac. Thus, you may have to contact the organization’s primary administrator to properly complete the new user Setup Assistant process.


User Account Attributes

Although the login window lets you log in to the Mac environment, it’s the Open Directory system that’s responsible for maintaining the account information. Open Directory stores local user account information in a series of XML-encoded text files located in the /var/db/dslocal/nodes/Default/users folder. This folder is readable only by the System Administrator (root) account, but if you were to inspect these files, you would discover they are organized into lists of user attributes and their associated values.

Fortunately, most of these attributes can also be easily accessed from Users & Groups preferences. An administrator can access these normally hidden user account attributes by using a secondary (or Control-) click on a user account to display the Advanced Options dialog.

Each user has a variety of attributes that define the account details. And although you can easily edit these attributes to make a desired change or fix a problem, you can just as easily break the account by entering improper information. For example, you can restore access to a user’s home folder by correcting the Home Directory information, or you can accidentally prevent a user from accessing his or her home folder by mistyping this information.

User account attributes include the following:

- User ID—A numeric attribute used to identify the account with file and folder ownership. This number is almost always unique to each account on a single system, though overlaps are possible. User accounts start at 501, whereas most system accounts are below 100. It’s important to note that the user ID is only “unique” from those of other users on the local system. Every other Mac system uses similar ID numbers, so between computers, this uniqueness is lost. For example, every first user created on a Mac computer will have the ID number 501. Further, if you delete a user, that user’s ID is now up for grabs, and the system will reuse it for a new user.

- Group—The user’s primary group. As covered previously, the default primary group for all local users is the staff group. This means that when you create a new file, it belongs to your user account and to the staff group.

- Account name—Sometimes also referred to as “short name,” this is the name used to uniquely identify the account and by default also to name the user’s home folder. A user can use either the full name or the account name, interchangeably, to authenticate. However, no other account on the system can have the same account name, and it cannot contain any special characters or spaces. Special characters not allowed include commas, slashes, colons, semicolons, brackets, quotes, and symbols. Allowed characters include dashes, underscores, and periods.

- Full name—The full name of the user. It can be quite long and contain nearly any character. However, no other account on the system can have the same full name. You can easily change the full name later, at any point.

- Login shell—This file path defines the default command-line shell used in Terminal by the account. Any user who is allowed to use the command line in Terminal has this set to /bin/bash by default. Both administrator and standard users are given this access by default.

- Home directory—This file path defines the location of the user’s home folder. All users except for sharing users, who do not have home folders, have this set to /Users/<name>, where <name> is the account name.

- Universally Unique ID (UUID)—Sometimes also referred to as Generated UID, or GUID, this alphanumeric attribute is generated by the computer during account creation and is unique across both space and time. Once the attribute is created, no system anywhere will ever create an account with the same UUID. It is used to refer to the user’s password and for group membership and file permissions. It’s important to note that while UUIDs may be truly unique, one Mac won’t be able to identify another’s UUID. In other words, UUIDs created on one Mac are not known by another. Thus, locally created UUIDs cannot be used between Mac computers for mutual identification.

- Apple ID—Used to associate the local Mac user account with an Apple ID that can be used to reset the local account password. This is configured automatically if the user enters an Apple ID during Setup Assistant or signs in to iCloud. However, setting or changing an Apple ID from the Advanced Options pane in Users & Groups does not affect the user’s iCloud service configuration.

- Aliases—Used to associate the local Mac user account with other service accounts. For example, a user’s Apple ID can be associated with a local account. This attribute is optional for macOS, but it is required for integration with Apple Internet services like iCloud and its Back to My Mac feature.
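As an added example (not code from the book), the following Python script parses constructed user and group records laid out like the XML plists under /var/db/dslocal/nodes/Default and flags the problems the attribute descriptions above warn about: a reused User ID, a mistyped Home directory, a non-staff primary group, a duplicated UUID, and more administrator accounts than necessary. The key names and every sample value are assumptions, not copied from a real Mac.

```python
"""Audit local user records in the dslocal plist layout.

Added example, not from the book. The records below are constructed to mirror
the attribute layout of /var/db/dslocal/nodes/Default/users and .../groups
(XML plists, readable only as root); the key names (name, uid, gid, home, shell,
realname, generateduid, users) are assumed from that format and every value is
invented.
"""
import plistlib

MULTI_VALUED = ("users", "groupmembers")   # group keys that hold lists
STAFF_GID = "20"                           # default primary group for local users
FIRST_USER_ID = 501                        # local user accounts start here


def user_record(name, uid, gid, home, shell, realname, guid):
    """Serialize one constructed user record the way dslocal stores it."""
    return plistlib.dumps({
        "name": [name], "uid": [str(uid)], "gid": [str(gid)], "home": [home],
        "shell": [shell], "realname": [realname], "generateduid": [guid],
        "passwd": ["********"],            # the real hash lives elsewhere
    })


def group_record(name, gid, guid, users):
    """Serialize one constructed group record."""
    return plistlib.dumps({"name": [name], "gid": [str(gid)],
                           "generateduid": [guid], "users": users})


# Constructed sample node: jsmith reuses jdoe's UID and has a mistyped home path.
SAMPLE_USERS = [
    user_record("root", 0, 0, "/var/root", "/bin/sh", "System Administrator",
                "FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000"),
    user_record("michelle", 501, 20, "/Users/michelle", "/bin/bash",
                "Michelle White", "11111111-2222-3333-4444-555555555501"),
    user_record("jdoe", 502, 20, "/Users/jdoe", "/bin/bash", "John Doe",
                "11111111-2222-3333-4444-555555555502"),
    user_record("share1", 503, 20, "/dev/null", "/usr/bin/false",
                "Sharing Only", "11111111-2222-3333-4444-555555555503"),
    user_record("jsmith", 502, 20, "/Users/jsmtih", "/bin/bash", "Jane Smith",
                "11111111-2222-3333-4444-555555555504"),
]
SAMPLE_GROUPS = [
    group_record("wheel", 0, "ABCDEFAB-CDEF-ABCD-EFAB-CDEFABCDEF00", ["root"]),
    group_record("staff", 20, "ABCDEFAB-CDEF-ABCD-EFAB-CDEFABCDEF20",
                 ["root", "michelle", "jdoe", "share1", "jsmith"]),
    group_record("admin", 80, "ABCDEFAB-CDEF-ABCD-EFAB-CDEFABCDEF80",
                 ["root", "michelle", "jsmith"]),
]


def load_records(blobs):
    """Parse plist blobs; dslocal wraps every value in an array, so unwrap the
    single-valued keys and keep the membership lists as lists."""
    records = []
    for blob in blobs:
        raw = plistlib.loads(blob)
        records.append({k: (v if k in MULTI_VALUED else v[0])
                        for k, v in raw.items()})
    return records


def audit(users, groups):
    """Return human-readable findings for the account problems the text warns
    about: reused UIDs, non-root UID 0, a mistyped home path, a non-staff
    primary group, duplicated UUIDs and more than one administrator."""
    findings = []
    by_uid, by_guid = {}, {}
    for u in users:
        by_uid.setdefault(u["uid"], []).append(u["name"])
        by_guid.setdefault(u["generateduid"], []).append(u["name"])
    for uid, names in sorted(by_uid.items(), key=lambda kv: int(kv[0])):
        if len(names) > 1:
            findings.append(f"duplicate uid {uid}: {', '.join(names)}")
        if uid == "0" and names != ["root"]:
            others = [n for n in names if n != "root"]
            findings.append(f"uid 0 held by non-root account(s): {', '.join(others)}")
    for guid, names in by_guid.items():
        if len(names) > 1:
            findings.append(f"duplicate UUID {guid}: {', '.join(names)}")
    for u in users:
        if int(u["uid"]) < FIRST_USER_ID:
            continue                        # system accounts, not local users
        # Sharing-only accounts have no home folder, so only check accounts
        # that have an interactive login shell.
        if u["shell"] != "/usr/bin/false" and u["home"] != f"/Users/{u['name']}":
            findings.append(f"{u['name']}: home {u['home']} is not /Users/{u['name']}")
        if u["gid"] != STAFF_GID:
            findings.append(f"{u['name']}: primary gid {u['gid']} is not staff ({STAFF_GID})")
    admins = next((g["users"] for g in groups if g["name"] == "admin"), [])
    humans = [a for a in admins if a != "root"]
    if len(humans) > 1:
        findings.append(f"{len(humans)} administrator accounts: {', '.join(humans)}")
    return findings


def run_sample_audit():
    """Audit the constructed node; returns the list of findings."""
    return audit(load_records(SAMPLE_USERS), load_records(SAMPLE_GROUPS))


if __name__ == "__main__":
    for line in run_sample_audit():
        print(line)
```

On a real Mac the same parser can be pointed at the plist files themselves, but only root can read that folder.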


Note

Local user account passwords are stored as an encrypted attribute to enhance security. Password management is covered in detail in Lesson 8, “Manage Password Changes.”


Reference 5.3 Restrict Local User Access

macOS includes an extensive collection of managed preferences that let you further restrict what users can and cannot do. Apple labels these managed preferences “parental controls,” but they are also applicable in business and institutional settings. Because parental controls are designed to further limit standard user accounts, they cannot be applied to an administrator user.


More Info

Parental controls make up a limited subset of a much more extensive profile management system known as mobile device management (MDM). macOS Server includes an MDM service called Profile Manager. You can find out more about Profile Manager in macOS Server at www.apple.com/macos/server/. You can find out more about Apple management technologies like MDM at https://support.apple.com/business-education/.


Tip

You can use the Action pop-up menu (gear icon) at the bottom of the Parental Controls user list to copy and paste complex settings from one user to another. From this menu you can also enable the ability for parental controls to be remotely managed from another Mac computer.


Management options available via parental controls are organized into the following functions:

- Apps—Disallow use of the camera and Game Center, limit contacts in Mail, and limit the user to only specific applications.


More Info

Find out more about restricting access to the Mac App Store in Lesson 16, “Install Applications.”


- Web—Enable automatic Safari website content filtering, or manually manage a list of permitted websites or a combination of both automatically and manually permitted websites.

- Stores—Disable iTunes and iBooks stores, restrict explicit music, restrict explicit sexual content, and limit age ratings for content.

- Time—Set weekday and weekend time-usage limits.

- Privacy—Limit changes to privacy settings, thus preventing users from choosing which applications and services can access potentially private user information.

- Other—Disable system dictation, limit editing of printers and scanners, prevent burning of optical discs, restrict explicit language in Dictionary, prevent modification of the Dock, and enable Simple Finder for a simplified user interface.

- Logs button—Maintain Safari, Messages, and application usage logs. The logs show both allowed and attempted-but-denied access.


Note

Most third-party applications don’t honor the parental controls content filters or account limit settings. Examples include the Firefox browser and the Outlook email client. You can, however, easily remedy this by using parental controls to restrict access to those applications, as described earlier.


Reference 5.4 Configure Login and Fast User Switching

The login process may seem simple, but because it’s the front door to your Mac, you, as an administrator, should become familiar with the security options for managing login behavior. Primarily, these options provide either higher security or greater accessibility. Additionally, macOS allows multiple users to be logged in at the same time via fast user switching. However, this feature is not without issues inherent to having multiple users attempting to access resources simultaneously.


More Info

Login behavior can also be managed remotely via an MDM service like Profile Manager.


Manage User Login Items

Individual users can adjust the items that automatically open during login from the Login Items pane of the Users & Groups preferences. These settings can only be accessed locally when logged in as the user. Even administrator users cannot manage other users’ login items unless they log in as the user they wish to manage.

A user can add login items, including both applications and Finder destinations, by dragging them into the Login Items list or by clicking the Add (plus) button and then browsing for the item. Removing items is as simple as selecting an item from the list and clicking the Remove (minus) button. Also note the Hide checkbox, allowing the user to define an application that should open but then hide itself from view. This option is useful for applications that provide a background function that doesn’t require you to see the application itself, like a streaming music application.

Manage System Login Window Options

You can adjust systemwide behavior of the login window from the Users & Groups pane by authenticating as an administrator user and then clicking Login Options at the bottom of the user accounts list.

Login window options include the ability to:

- Enable or disable automatic login as the Mac starts up. This option is off in macOS by default, unless during the macOS Setup Assistant process the user deselected the option to require a password for login. Obviously, you can define only one account for automatic login.

- Choose whether the login window shows a list of available users, the default setting, or blank name and password fields. Choosing to have name and password fields is more secure.

- Select the availability of the Restart, Sleep, and Shut Down buttons at the login window. Mac computers in environments that require more stringent security should not have these buttons available at the login window.

- Specify whether users can use the input menu. This allows users easy access to non-Roman characters, like Cyrillic or Kanji, at the login window.

- Determine whether the login window will show password hints after three failed password attempts. This may seem like an insecure selection, but remember that password hints are optional for each user account.

- Disable the fast user switching menu and adjust the look of the menu item. In other words, the fast user switching menu can appear as the user’s full name, the account name, or the generic user icon.

- Enable users to take advantage of VoiceOver audible assistant technology at the login window.

- Configure the Mac to use accounts hosted from a shared network directory. Again, you can find out more about Apple management technologies at https://support.apple.com/business-education.
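The following Python check is an added example, not part of the book: it evaluates constructed login window settings, modelled on the com.apple.loginwindow preference domain (the key names are assumed from that domain), against the options listed above and reports the less secure choices beside a hardened configuration.

```python
"""Check login window settings against the hardening points listed above.

Added example, not from the book. Settings are modelled on the
com.apple.loginwindow preference domain (/Library/Preferences/
com.apple.loginwindow.plist); the key names are assumed from that domain and
the three sample configurations are constructed, not read from a Mac.
"""
import plistlib

# Constructed: the macOS defaults the text describes (user list shown, power
# buttons available, hints after three failed attempts, no automatic login).
DEFAULT_SETTINGS = plistlib.dumps({
    "SHOWFULLNAME": False,       # False = list of users, True = name/password fields
    "PowerOffDisabled": False,   # False = Restart/Sleep/Shut Down buttons shown
    "RetriesUntilHint": 3,       # 0 never shows password hints
    "GuestEnabled": False,
})

# Constructed: automatic login and the guest account switched on.
WEAK_SETTINGS = plistlib.dumps({
    "SHOWFULLNAME": False, "PowerOffDisabled": False, "RetriesUntilHint": 3,
    "GuestEnabled": True, "autoLoginUser": "michelle",
})

# Constructed: what an administrator in a stringent environment would choose.
HARDENED_SETTINGS = plistlib.dumps({
    "SHOWFULLNAME": True, "PowerOffDisabled": True, "RetriesUntilHint": 0,
    "GuestEnabled": False, "LoginwindowText": "Authorized use only.",
})


def check_loginwindow(plist_bytes, stringent=False):
    """Return the login window settings that deviate from the guidance above.
    With stringent=True the Restart, Sleep and Shut Down buttons are also
    expected to be hidden."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    if prefs.get("autoLoginUser"):
        findings.append(f"automatic login enabled for '{prefs['autoLoginUser']}'")
    if not prefs.get("SHOWFULLNAME", False):
        findings.append("login window lists users; name and password fields are safer")
    if stringent and not prefs.get("PowerOffDisabled", False):
        findings.append("Restart, Sleep and Shut Down buttons available at the login window")
    if prefs.get("RetriesUntilHint", 3) != 0:
        findings.append("password hints are shown after failed attempts")
    if prefs.get("GuestEnabled", False):
        findings.append("guest account enabled for login")
    if not prefs.get("LoginwindowText"):
        findings.append("no login window message configured")
    return findings


if __name__ == "__main__":
    for name, blob in (("default", DEFAULT_SETTINGS), ("weak", WEAK_SETTINGS),
                       ("hardened", HARDENED_SETTINGS)):
        print(name, check_loginwindow(blob, stringent=True))
```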


Tip

You can configure a short three-line message for the login window from Security & Privacy preferences, as covered in Lesson 7, “Manage Security and Privacy.” If your organization requires a full login banner, you can configure it via the instructions in Apple Support article HT202277, “About policy banners in OS X.”


About Fast User Switching

Often, two users want to use a Mac at the same time. Although it’s not possible for two users to use a Mac simultaneously, it is possible for multiple users to remain logged in to a Mac at the same time.

Fast user switching lets a Mac move between user accounts without users having to log out or quit open applications. This allows a user to keep work open in the background while one or more other users are also logged in to the computer. Returning users can later resume tasks instantly, right where they left off.


Note

Fast user switching is not recommended for or compatible with network user accounts.


Fast user switching is enabled by default in macOS, but the fast user switching menu doesn’t appear until additional local user accounts are created. This menu item appears on the far right, next to the Spotlight search menu. By default, the fast user switching menu appears as your user account full name. If you don’t see this menu item, you can turn it on from the Login Options pane of Users & Groups preferences. When another user is logged in, you can initiate the switch to another user by simply selecting that user’s name from the fast user switching menu and then entering the appropriate password.

Tip

You can move the fast user switching menu item, or any other menu item on the right side of the menu bar, by dragging the item while holding down the Command key.


Fast User Switching Contention Issues

Apple has made fast user switching a reliable feature. Many of the built-in macOS applications are fast user switching savvy. For instance, when you switch between accounts, iTunes automatically mutes or unmutes your music, Messages toggles between available and away chat status, and Mail continues to check for new messages in the background. In some circumstances, resource contention may occur when more than one user attempts to access an item.

Examples of fast user switching resource contention include:

- Application contention—Some applications are designed such that only one user at a time can use them. If other users attempt to open these applications, either they encounter an error dialog or the application simply doesn’t open. Most of the applications that fall into this category are professional applications, which tend to be resource intensive, so it’s better to keep only one instance running at a time.

- Document contention—Sometimes one user has a document open and remains logged in with fast user switching, often preventing other users from fully accessing the document. As an example, Microsoft Office applications such as Word and Excel allow other users to open a document as read-only and display an error dialog if the user tries to save changes. Other applications do not allow other users to open the document at all. In the worst-case scenario, an application allows two people to edit the file simultaneously but will save only changes made by the user who saved last. In this case, the application’s developers simply didn’t account for the possibility that two users might edit the same document at the same time, so you often won’t even see an error message.

- Peripheral contention—Many peripherals can be accessed by only one user at a time. This becomes a fast user switching issue if a user leaves an application running that has attached itself to a peripheral. The peripheral will not become available to other applications until the original application is quit. Examples of this include video cameras, scanners, and audio equipment.

Fast User Switching Storage Issues

Fast user switching also has interesting ramifications for nonsystem disks. For example, if one user attaches an external storage device, the disk is available to all other users on the system, even if they weren’t logged in when the storage was attached. Mounted disk images are handled a bit more securely. Only the user who mounted the disk image has full read/write access to it. However, other users may still have read access to the mounted disk image.

Shared network volumes remain secure in a fast user switching environment. By default, only the user who originally connected to the share can access it. Even if multiple users attempt to access the same network share, the system automatically generates multiple mounts with different access for each user. The exception to this rule is network home folder shares used by network accounts. While one network user can successfully log in, additional network users from the same server will not be able to access their network home folders. For this reason, fast user switching does not support network accounts.

Resolving Fast User Switching Issues

Unfortunately, because each resource and application can act differently, fast user switching issues are not always consistently reported or readily apparent. macOS doesn’t have a “fast user switching is causing a problem” dialog. Still, if you are experiencing access errors for files, applications, or peripherals, your first step should be to check whether any other users are still logged in. If so, have them log out and then reattempt access to the previously inaccessible items.

If you cannot log out the other users—perhaps because they are currently unavailable and you don’t know their passwords—your options are to force the other users’ suspect applications to quit or to force the other users to log out by restarting the Mac. Changing a logged-in user’s password isn’t an option at this point, because administrators cannot manage user accounts that are currently logged in. These accounts will be dimmed and not available in Users & Groups preferences, as shown by the Michelle account in the following screenshot.

[Screenshot: Users & Groups preferences, with the logged-in Michelle account dimmed]

Thus, an administrator will have to either force the other users’ applications to quit or restart the Mac to free up any contested items or make any changes to the logged-in users. Neither option is ideal, because forcing an application to quit with open files can result in data loss. If you have no other choice, though, you can force an open application to quit, using techniques covered in Lesson 18, “Manage and Troubleshoot Applications.”
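The first troubleshooting step above, checking whether any other users are still logged in, can be scripted from Terminal. The following is an added example and is not part of the lesson: it parses the output of `who`, which on macOS lists each GUI login session with the tty name `console`, so a `console` entry for a user other than yourself is a fast user switching session that may still hold files or peripherals. The sample `who` output embedded in the script is constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the lesson): find other users who still hold a
# GUI login session via fast user switching.

# Constructed sample of `who` output: two GUI sessions (ladmin and chris)
# plus a Terminal window belonging to ladmin. Not captured from a real Mac.
SAMPLE_WHO='ladmin   console  Jan 10 09:12
chris    console  Jan 10 09:30
ladmin   ttys000  Jan 10 09:15'

# other_console_users WHO_OUTPUT CURRENT_USER
# Prints each user other than CURRENT_USER that has a "console" (GUI) session.
# A user with several entries is printed only once.
other_console_users() {
    printf '%s\n' "$1" |
        awk -v me="$2" '$2 == "console" && $1 != me && !seen[$1]++ { print $1 }'
}

# count_other_console_users WHO_OUTPUT CURRENT_USER -> number of such users
count_other_console_users() {
    other_console_users "$1" "$2" | wc -l | tr -d ' '
}

# check_fus_sessions: run against the live system and report.
# Returns 1 when another GUI session exists, so it can gate a support script
# before anyone force-quits applications or restarts the Mac.
check_fus_sessions() {
    me=$(id -un)
    others=$(other_console_users "$(who)" "$me")
    if [ -z "$others" ]; then
        echo "No other GUI sessions; fast user switching is not holding resources."
        return 0
    fi
    echo "Other users still logged in via fast user switching:"
    printf '  %s\n' $others
    echo "Ask them to log out, then retry access to the files, applications, or peripherals."
    return 1
}

# When run directly, demonstrate on the constructed sample (prints "chris").
other_console_users "$SAMPLE_WHO" ladmin
```

Call `check_fus_sessions` in Terminal on the Mac you are troubleshooting; because it returns non-zero when someone else is still logged in, it can be used as a precondition in a support script before resorting to the force-quit or restart options described above.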


Tip

If you have already set the master password, you can reset a currently logged-in user’s password from the login window using the master password. Setting the master password and resetting a user’s password is covered in Lesson 8, “Manage Password Changes.”


However, attempting to restart reveals another fast user switching issue: if any other users are still logged in, an administrator will have to force those users’ open applications to quit in order to restart. The system makes it easy for an administrator to force these applications to quit via an authenticated restart dialog, but once again, this may cause data loss to any open files.


Exercise 5.1 Create a Standard User Account


Prerequisites

• You must have created the Local Admin account (Exercise 2.1, “Configure a New macOS System for Exercises,” or Exercise 2.2, “Configure an Existing macOS System for Exercises”).

• This exercise is required for most of the remaining exercises, so do not skip it.


You already created an administrator account during the initial configuration of your computer. In this exercise, you will create an additional account to gain a better understanding of the user experience. The next user account will be a standard user. It is a best practice to use a standard user account for day-to-day use. You should use the Local Admin account only for system administration tasks such as software installation and system configuration, and you can perform most of these tasks while logged in as a standard user, simply by providing the administrator account’s name and password.

You will also have the option to link the new account to an Apple ID to allow access to Apple iCloud services. This is not required but is recommended and will enable you to do other exercises later in this guide that take advantage of iCloud.

Create a Standard User Account

These steps guide you through account creation.

1 If necessary, log in as Local Admin (password: ladminpw, or whatever you chose when you created the account).

2 Open System Preferences, and click the Users & Groups preferences.

3 Unlock the Users & Groups preferences by clicking the Lock button and authenticating as the Local Admin user.


4 Click the New User (+) button beneath the account list, and enter the following information:

New Account: Standard

Full Name: Chris Johnson

Account Name: chris

If you are performing this exercise in a class, enter chris in the Password and Verify fields. If you are performing this exercise on your own, select a more secure password for the Chris Johnson account. Be sure to remember the password you have chosen, as you will need to reenter it periodically as you use this computer. If you want, you can provide a hint to help you remember the password.


Note

If you already have an account named “Chris Johnson” or “chris,” you will have to use a different name here and then remember to use your substitute name throughout the rest of the exercises.


5 Click Create User.

6 If you are notified that the account will not be able to unlock FileVault until it has logged in at least once, click OK.

7 If a dialog appears with an “Automatic login is turned on. Do you want to turn it off?” prompt, click Turn Off Automatic Login.

Note that because you authenticated as an administrator, you could configure several other account properties here, including changing Chris’s user icon, granting Chris admin rights, or using parental controls to limit the account.


Log In to the New User Account

In these steps you log in to Chris’s user account to verify that it was created correctly.

1 From the Apple menu, choose Log Out Local Admin.

2 In the dialog asking if you are sure, click Log Out.

3 At the login screen, select Chris Johnson and enter the password.

You are now logged in as Chris Johnson. Since this account is not yet tied to an Apple ID account, a screen appears to allow you to configure an Apple ID. There are several ways to do this. Choose the appropriate one for your situation:

• If you are performing these exercises in a classroom environment, the instructor will provide you with an Apple ID to use with the “Option 1: Link Chris Johnson with an existing Apple ID” instructions that follow.

• If you are performing these exercises on your own and have an existing Apple ID that you want to use, you can use your own Apple ID with the “Option 1: Link Chris Johnson with an existing Apple ID” instructions.

• If you are performing these exercises on your own and do not have an existing Apple ID or prefer to use a new Apple ID for these exercises, follow the “Option 2: Create a New Apple ID” instructions that follow.


Note

If the Sign In screen does not appear, your computer may be having trouble reaching the iCloud servers over the Internet. In this case, you may proceed with the exercise by skipping ahead to the “Adjust Chris Johnson’s Preferences” section, but you will need to create an Apple ID in order to perform the iCloud sections in later exercises. After troubleshooting your Internet connection, you can create an account in the iCloud pane in System Preferences.


Option 1: Link Chris Johnson to an Existing Apple ID

If you are performing these exercises in a classroom environment, or wish to use your existing Apple ID for these exercises, follow these instructions to link the Chris Johnson account to the Apple ID.


Note

If you are performing these exercises in a classroom environment, you should use an instructor-provided Apple ID rather than your own Apple ID.


1 Enter the Apple ID and password your instructor provided (or for your own Apple ID account), and click Continue.

2 If you used an Apple ID with two-step verification or two-factor authentication, you are prompted to verify your identity via one of your devices. Follow the prompts to finish authenticating.

3 If a Terms and Conditions screen appears, read through the terms, and if they are acceptable, click Agree; then click Agree in the confirmation dialog that appears.

4 If you are prompted to enter the password from one of your other devices, do so.

5 If an iCloud Keychain screen appears, select “Set up later,” and click Continue.

6 If an iCloud Drive screen appears, this Apple ID has been used with an older version of OS X or iOS and has documents stored in an older format. See Reference 17.5, “Use iCloud Drive,” for more information about iCloud Drive.

• If you are performing these exercises in a classroom environment, select “Upgrade to iCloud Drive,” click Continue, and then click Continue in the confirmation dialog that appears.

• If you are performing these exercises on your own and want to upgrade your iCloud account’s document storage to iCloud Drive, select “Upgrade to iCloud Drive,” click Continue, and then click Continue in the confirmation dialog that appears.

• If you are performing these exercises on your own and do not want to upgrade your iCloud account’s document storage at this time, select Not Now, click Continue, and then click Don’t Upgrade in the confirmation dialog that appears.

Note that you can always upgrade later in iCloud preferences.

7 If an “All your files in iCloud” screen appears, deselect “Store files from Documents and Desktop in iCloud Drive,” and click Continue.

You are welcome to experiment with this feature on your own, but having it turned on for the Chris Johnson account may interfere with subsequent exercises.

8 If an Enable Siri screen appears, deselect “Enable Siri on this Mac,” and click Continue.

9 If you are prompted to set up Touch ID, click Continue, then click Set Up Touch ID Later, then click Continue in the confirmation dialog.

Option 2: Create a New iCloud Account

If you are performing these exercises independently and wish to create a new Apple ID to use in these exercises, follow these instructions to link the Chris Johnson account to a new Apple ID.


Note

Do not use this option in a classroom environment. Apple limits the number of Apple ID accounts that can be created using this method on a particular computer, so doing this on a classroom computer may interfere with future classes. If you are using your own computer for these exercises and already have an Apple ID, you might also want to use it (with the Option 1 instructions) to avoid affecting your computer’s quota.


1 In the “Sign In with Your Apple ID” window, click “Create new Apple ID.”


2 If you are notified that you cannot create an Apple ID because “This Mac is no longer eligible to create Apple ID accounts,” your computer has reached the number of accounts it is allowed to create. In this case, you have two options:

• You may create an Apple ID account on another Mac computer or iOS device, and then click the Back button and follow Option 1 (the preceding section) to use the new account.

• If you cannot create an Apple ID account on another device, you can click Continue, and then skip ahead to the “Adjust Chris Johnson’s Preferences” section of this exercise. In this case, you will not be able to perform the iCloud sections in later exercises unless you create an Apple ID on another device, and then use the iCloud pane of System Preferences to sign in to iCloud for the Chris Johnson account.

3 In the first “Create an Apple ID” screen, use the pop-up menus to enter your birthday, and then click Continue.

4 Enter your name.

5 Depending on whether you want to create an Apple ID linked to an existing email address or create a new iCloud.com email address, do one of the following:

• To use an existing email address, enter the address in the Email address field.

• To create a new iCloud.com email address, click “Get a free iCloud email address,” and then enter the account prefix you would like.

6 Choose a password, and enter it in the “password” and “verify password” fields.

7 Click Continue.

If you see a warning that says your Apple ID couldn’t be created because the email address you chose is “no longer available” or “in use by another Apple ID,” choose a different name.

8 Choose three security questions, enter their answers, and click Continue.

9 In the Terms and Conditions screen, read through the terms, and if they are acceptable, click Agree; then click Agree in the confirmation dialog that appears.

10 In the iCloud Keychain screen, select “Set up later,” and click Continue.

11 If an “All your files in iCloud” screen appears, deselect “Store files from Documents and Desktop in iCloud Drive,” and click Continue.

You are welcome to experiment with this feature on your own, but having it turned on for the Chris Johnson account may interfere with subsequent exercises.

12 If an Enable Siri screen appears, deselect “Enable Siri on this Mac,” and click Continue.

13 If you are prompted to set up Touch ID, click Continue, then click Set Up Touch ID Later, then click Continue in the confirmation dialog.

14 If you linked your Apple ID to an existing email address, the new account is not fully enabled until you verify ownership of the email address. Check your existing email account for a verification request, and follow the instructions in that message.

Adjust Chris Johnson’s Preferences

Just as you did with the Local Admin account, you can adjust Chris Johnson’s preferences to allow easy access to system files.

1 In the Finder, choose Finder menu > Preferences.

2 Select the options to show hard disks and connected servers on the desktop.

3 From the “New Finder windows show” pop-up menu, choose your system volume (typically Macintosh HD).

4 Click the Sidebar button at the top of the Finder Preferences window.

5 Select “chris” in the Favorites section of the sidebar and “Hard disks” in the Devices section. Note that “Hard disks” should be fully selected (a checkmark in the checkbox), not just partially selected (a dash in the checkbox).

6 Close the Finder Preferences window.

7 Navigate to the /Applications folder (choose Go menu > Applications or press Command-Shift-A).

8 Just as you did in the Local Admin account, drag the TextEdit application into the left side of Chris’s Dock.

9 Navigate to /Users/Shared. Since Chris’s Finder preferences are set to show the hard disks on the desktop, you can open Macintosh HD from the desktop, open Users, and then open Shared.

10 Drag the StudentMaterials folder into the right side of Chris’s Dock.

11 Open System Preferences, and click the Desktop & Screen Saver preferences.

12 Select a different desktop picture.

13 If you like, adjust the Mouse and Trackpad preferences to your personal taste, just like you did in the Local Admin account.

Examine Chris Johnson’s Account

1 In System Preferences, open Users & Groups preferences.

Notice that you have different options than you had when logged in as Local Admin. For instance, you cannot allow yourself to administer the computer or turn on parental controls for yourself. You can, however, configure a Contacts card or add login items (which will open every time you log in). Also, you cannot select any account other than your own.

2 In the lower-left corner, click the Lock button, and authenticate as Local Admin (either the full name Local Admin or the account name ladmin). This unlocks Users & Groups preferences and allows you to make changes to other user and group accounts while remaining logged in as Chris.


3 Control-click Chris’s account in the account list, and choose Advanced Options from the shortcut menu.

The Advanced Options dialog appears and displays the hidden attributes of the Chris Johnson account.


Note that your alias list may have entries relating to your Apple ID. This depends on whether you linked the account to iCloud and exactly how your iCloud account is configured.

4 Click Cancel (or press Command-Period) to dismiss the dialog. It is always a good idea to cancel a settings dialog when you have not made changes to it.

5 Leave System Preferences open for the next exercise.
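The standard account created at the start of this exercise, and the hidden attributes shown in the Advanced Options dialog at the end of it, can also be handled from Terminal. The following is an added example and is not part of the lesson or of Apple's documentation. It assumes the macOS `sysadminctl` and `dscl` tools; the `dscl` record and `admin` group membership embedded in it are constructed samples, and the function names are the example's own. The classification relies on two facts about macOS: local user accounts receive UniqueID values starting at 501, and an account is an administrator when it is listed in the `admin` group.

```shell
#!/bin/sh
# Added example (not from the lesson): create a standard local account and
# verify from its directory record that it really is standard.

# create_standard_user ACCOUNT_NAME "FULL NAME" PASSWORD (macOS only)
# sysadminctl creates the record, home folder and password hash; without the
# -admin flag the result is a standard user, as in the exercise.
create_standard_user() {
    sudo sysadminctl -addUser "$1" -fullName "$2" -password "$3"
}

# Constructed dscl output for a standard user (not captured from a real Mac).
SAMPLE_RECORD='RecordName: chris
UniqueID: 502
PrimaryGroupID: 20
NFSHomeDirectory: /Users/chris
UserShell: /bin/bash'

# Constructed membership line of the admin group.
SAMPLE_ADMIN_MEMBERS='GroupMembership: root ladmin'

# record_attr RECORD KEY -> the value of the "KEY: value" line
record_attr() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'
}

# is_local_uid UID -> success if UID is in the range macOS assigns to local users
is_local_uid() { [ "$1" -ge 501 ]; }

# is_admin_member MEMBERSHIP_LINE ACCOUNT -> success if ACCOUNT is listed
is_admin_member() {
    printf '%s\n' "$1" |
        awk -v u="$2" 'BEGIN { r = 1 } { for (i = 2; i <= NF; i++) if ($i == u) r = 0 } END { exit r }'
}

# classify_account RECORD ADMIN_MEMBERSHIP -> prints "system", "admin" or "standard"
classify_account() {
    name=$(record_attr "$1" RecordName)
    uid=$(record_attr "$1" UniqueID)
    if ! is_local_uid "$uid"; then
        echo system
        return
    fi
    if is_admin_member "$2" "$name"; then echo admin; else echo standard; fi
}

# audit_live_account ACCOUNT: read the real records (macOS only) and classify.
audit_live_account() {
    rec=$(dscl . -read "/Users/$1" RecordName UniqueID PrimaryGroupID NFSHomeDirectory UserShell)
    members=$(dscl . -read /Groups/admin GroupMembership)
    printf '%s: %s\n' "$1" "$(classify_account "$rec" "$members")"
}

if [ "$(uname)" = Darwin ] && [ -n "$1" ]; then
    audit_live_account "$1"        # e.g. sh audit.sh chris
else
    classify_account "$SAMPLE_RECORD" "$SAMPLE_ADMIN_MEMBERS"   # prints "standard"
fi
```

Running the script with an account name on a Mac prints `chris: standard` for the account built in this exercise; an account created with `sysadminctl -addUser ... -admin` would print `admin`, and built-in service accounts with low UniqueID values print `system`. Note that a password passed on the command line, as in `create_standard_user`, is recorded in the shell history and visible in the process list while the command runs, so for anything beyond a demonstration prefer the tool's interactive prompt for the password.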

Exercise 5.2 Create a Managed User Account


Prerequisites

• You must have created the Local Admin (Exercise 2.1, “Configure a New macOS System for Exercises,” or Exercise 2.2, “Configure an Existing macOS System for Exercises”) and Chris Johnson (Exercise 5.1, “Create a Standard User Account”) accounts.


In this exercise, you will create a managed account with parental controls applied and observe the resulting restrictions on that account.

Create an Account with Parental Controls

1 If necessary, log in as Chris Johnson, open Users & Groups preferences in System Preferences, and authenticate as Local Admin (again, remember that you can use the account name ladmin instead of the full name Local Admin).

2 Click the New User (+) button beneath the account list, and enter the following information:

New Account: Managed with Parental Controls

Age: 4+

Full Name: Johnson Junior

Account Name: junior

Password: If you are performing this exercise in a class, enter junior in the Password and Verify fields. If you are performing this exercise on your own, select a more secure password for the Johnson Junior account. Be sure to remember the password you have chosen because you will need to reenter it later.

You may provide a password hint if you want.


Note

If you already have an account named “Johnson Junior” or “junior,” you will have to use a different name here and then remember to use your substitute name throughout the rest of the exercises.


3 Click Create User.

4 Verify that Johnson Junior’s account is selected in the account list.

Since you created the account as managed, the “Enable parental controls” checkbox is selected.

5 Click Open Parental Controls.

This takes you to Parental Controls, another pane in System Preferences.

6 If you are prompted to authenticate again, enter Local Admin’s account name and password.

7 On the Apps tab, make sure that “Limit Applications on this Mac” is selected.

8 Click the Other Apps disclosure triangle to see what applications are allowed by default.


9 Click the Web tab to configure Junior’s web restrictions.

10 Make sure the “Allow access to only these websites” option is selected, and leave the default site list.

11 Click through the Stores, Time, Privacy, and Other tabs of Parental Controls to see what other restrictions are available.

12 On the “Other” tab, select Use Simple Finder.

13 Quit System Preferences, and log out of the Chris Johnson account.

Test the Managed User Account

You can now log in to Johnson Junior’s user account to see the effects of the parental controls you have configured.

1 At the login screen, select Johnson Junior, enter the password (junior, or whatever you chose), and press Return.

2 If you are prompted to sign in with your Apple ID, select “Don’t sign in,” click Continue, and then click Skip in the confirmation dialog.

3 If you are prompted to enable Siri, deselect that option, and then click Continue.

Because you restricted Junior’s account to the Simple Finder, the interface looks a bit different than normal.

4 If you are prompted to set up Touch ID, click Continue, then click Set Up Touch ID Later, then click Continue in the confirmation dialog.

5 Look at the options available in the Apple, Finder, File, and Help menus. Notice that most of the usual Finder capabilities are missing.

6 In the Dock, click the leftmost of the folder icons (marked with a stylized A for Applications).


The Simple Finder application launcher opens and shows icons for the applications Junior is allowed to open.


7 Open Safari. If Safari is not shown on the first screen of applications, click the right arrow to show more applications.

Use the Safari address bar to navigate to www.wikipedia.org.

8 Since Wikipedia is not on the list of allowed sites, an error message appears.


9 Click Add Website, and authenticate as Local Admin.

10 If necessary, reload the page by choosing View menu > Reload Page or pressing Command-R.

This time, the Wikipedia front page loads.

11 Quit Safari, and log out as Johnson Junior.
