Mac OS X is a multiuser operating system, meaning that your MacBook is designed to be used by multiple people. Each person has his own user account that includes a Home folder for storing files; system preferences for things like Dock configuration, the desktop picture, and screen resolution; application preferences; and security settings. When a user logs in, Mac OS X configures itself based on that user's specific preferences and, in effect, becomes personalized. Understanding how to create and manage user accounts is an important part of getting the most out of your MacBook.
Working with User Accounts
Using Automatic Login
Configuring the Login Window
Working with Fast User Switching
Working with the Root User Account
You use the System Preferences application to create and manage most of the user accounts on your MacBook. Before jumping in there, understand that there are a number of different types of user accounts:
Administrator. Administrator accounts are the second-most powerful type of user account; when logged in under an Administrator account, you have complete access to the System Preferences application to make changes to the operating system, such as to create and manage user accounts and change network settings. Administrators can also install software at the system level, where it can be accessed by other users. The user account that you create the first time you started your MacBook is an Administrator account.
Standard. Someone logged in under a Standard user account can only make changes related to that specific account. For example, someone using a Standard user account can change her desktop picture and application preferences, but can't install applications or create other user accounts.
Note
By default, your MacBook uses the Automatic Login feature; this logs in the default user account (the one you created when you first started your MacBook unless you've changed it) automatically as soon as you start up your computer, which can disguise the fact that you are accessing a user account.
Managed with Parental Controls. The Mac OS X Parental Controls feature enables you to limit the access that a user has to various kinds of content, such as email and Web sites. When you manage this kind of account, you determine specific types of content, applications, and other areas that the user can access. People using this type of account are prevented from doing all actions not specifically allowed by their Parental Control settings.
Sharing Only. This type of account can only access your MacBook to share files across a network and has no access to the operating system or other files that aren't being shared.
Group. Access to folders and files on your MacBook is determined by each item's Sharing and Permissions settings. One of the ways you can assign privileges to an item is by configuring a group's access to it; a group user account is a collection of user accounts and is used only to set access privileges. You create a group, assign people to it, and then use the group to set access permissions for files and folders.
Root. Mac OS X is built on the UNIX operating system and so has an extensive security architecture that specifically controls what each user account can do and the resources that user can access. The Root user account is a unique user account that bypasses all the limitations that are inherent to the other types of user accounts (even Administrator user accounts). When you log in under the Root user account, the system doesn't limit anything you try to do. Because of this, the Root user account is the most powerful kind of user account and is also the most dangerous because you can do things that might damage the system or files that it contains. You typically only use the Root user account during troubleshooting tasks. Unlike the other user accounts, you don't administer the Root user account using the System Preferences application. You learn how to use the Root user account at the end of this chapter.
The following steps show you how to create a new Administrator or Standard user account:
Choose Apple menu
Click the Accounts icon. The Accounts pane opens (see figure 2.1). In the list on the left side of the window, you see the current user accounts. The user account under which you are logged in appears at the top of the list, and its details appear in the right pane of the window along with the tools you use to configure that account. At the bottom of the user list are the Login Options button and the Add (+) and Remove (−) buttons.
Authenticate yourself if needed.
Click the Add (+) button. The New Account sheet appears.
On the New Account pop-up menu, choose Standard to create a Standard user account or Administrator to create an Administrator account. After it is created, you can change a Standard user account into an Administrator account or vice versa.
Type a name for the account in the Full Name field. This can be just about anything you want, but usually a person's actual name works best. The Full Name is one of the names that a user types to log in or authenticate the account (if it is an Administrator account). Mac OS X creates an account name, based on the full name you type.
Edit the account name if you want to change it. This name appears in a number of places, such as in the path to the user's Home folder and in the URL to that user's Web site on the MacBook. It's a good idea to keep the account name short, and you can't include any spaces or special characters in it.
If you want to create a password yourself, type it in the Password box and skip to Step 12; if you want to use the Password Assistant to help you create a password, click the Key icon. The Password Assistant appears (see figure 2.2).
Note
While it isn't good practice from a security standpoint, a user account doesn't have to have a password. If you leave the Password and Verify fields empty, the user will have a blank or empty password. He leaves the Password field empty and clicks the Login or other button to complete the action he is performing. While this is more convenient, faster, and easier than typing a password, it is also much less secure.
Choose the password's type from the Type pop-up menu. There are a number of options, such as Memorable and Letters & Numbers. After you choose a type, the Assistant automatically generates a password for you and enters it in the Password field on the New Account sheet.
Drag the slider to the right to increase the length of the password, or to the left to decrease its length. The longer a password is, the more secure it becomes. A good password should include numbers or special characters to make it harder to crack. As you make changes to a password, the Quality gauge shows you how secure the password is.
When the password shown on the Password Assistant is what you want to use, leave the Password Assistant open and click back in the New Account sheet.
Retype the password in the Verify field and type a hint about the password in the Password hint box. This hint helps a user log in to his account when he can't remember the correct password.
Click Create Account. The user account is created and appears on the list of accounts. You are ready to customize it by adding an image and configuring other elements.
Note
FileVault protection is a way to encrypt the information stored under a user account so that it can't be used without the appropriate password. You learn more about this feature in Chapter 16.
An image, such as a photo or other graphic, can be associated with user accounts; these user account images appear in various locations, such as the Login window. Mac OS X automatically chooses an image for each user account from the default images it has. You can leave this image as is, or you can use the following steps to customize the user account with an image of your choice:
Move to the Accounts pane of the System Preferences application and authenticate yourself (if needed).
In the Accounts list, select the user account with which you want to associate an image.
Click the image well, which is the box located to the left of the Change or Reset Password button. (When you select the account currently logged in, the button is Change Password; when you select a different account, the button is Reset Password.)
To choose one of Mac OS X's default images, select an icon from the pop-up menu; to create your own image, click Edit Picture. If you select an icon, the menu closes, the image is associated with the user account, and you can skip the rest of these steps. If you click Edit Picture, the Edit Picture sheet appears (see figure 2.3).
Choose the user's image by doing any of the following:
Drag a file containing the image you want to use from the desktop onto the image on the sheet. The file's image replaces the image currently shown there.
Click Choose, select a file containing the image you want to use, and click Open. The image you select replaces the current image.
Click the Camera icon to take a photo for the image with the MacBook's iSight camera. The photo you take replaces the current image.
Set the portion of the image that is displayed by dragging the slider to the right to include less of the image or to the left to include more of it. The portion of the image that will be displayed is shown within the selection box; the part of the image outside of the box and grayed out will not appear.
Drag the image inside the box until the part you want to be displayed is contained within the box. You may need to use the slider in conjunction with this step to get the image "just right."
Click Set. The Edit Picture sheet closes and you see the image you configured in the image well on the Accounts pane.
If the user has a MobileMe account, type her MobileMe username in the MobileMe username box. This associates the MobileMe account with the Mac OS X user account. This is optional, and the user can log in to her MobileMe account after she logs into her Mac OS X user account. (To learn more about MobileMe, see Chapter 5.)
Lastly, if you selected the Standard account type but change your mind, select the Allow user to administer this computer check box. This changes the account's type to Administrator.
The user account you created appears on the list of accounts and is ready to use (see figure 2.4).
The Mac OS X Parental Controls feature enables you to limit the access a user has to functionality and content, including the following:
Simple Finder. When you limit users to the Simple Finder, they can only access their own documents and specific applications that you choose.
Selected applications. You can use Parental Controls to create a list of applications to which the user has access.
System functions. You can prevent users from administering printers, burning CDs or DVDs, changing their passwords, or changing the Dock.
Dictionary. You can hide profanity in the Mac OS X Dictionary application.
Web sites. You can prevent users from visiting specific Web sites.
Email and iChats. You can specify the people with whom the user can email or chat.
Time Limits. You can determine when the user is able to access her user account.
Using Parental Controls is a two-step process. First, create the user account that you want to limit; you can use Parental Controls with accounts of the Standard or Managed with Parental Controls types. (The only difference between these two types is that a Manage with Parental Controls type is set for restrictions from the start while you have to select an additional check box for a Standard account.) Second, configure the controls you want to use with the account; each of these controls is covered in its own section.
Creating Managed User Accounts is similar to creating Standard or Administrator user accounts. Just choose Managed with Parental Controls from the New Account pop-up menu. When you are done with the creation process, you see that the Enable Parental Controls check box is selected. To set limits on a Standard user account, select the account and select this check box (when you do so, the account's type becomes Managed instead of Standard).
You are now ready to use the Parental Controls pane to configure the restrictions the user account has. There are two ways to start this process:
Open the System Preferences application and click the Parental Controls icon. Select the user account that you want to limit (only accounts of the Managed type are shown) on the list of accounts in the left part of the window.
Open the System Preferences application and click the Accounts icon. On the Accounts pane, select the user account you want to manage and click the Open Parental Controls button.
After you open the Parental Controls pane with the appropriate user selected, you can configure that user's limitations by using the tabs at the top of the pane.
You can determine the Finder's behavior, the applications a Managed user can use, and access to certain system functions by clicking the System tab.
Click the System tab. The System controls appear (see figure 2.5).
To enable the Simple Finder for the user, select the Use Simple Finder check box. When the user logs in, he sees a very simple desktop. The Dock contains only three folders; when the user clicks a folder, it opens on the desktop and the user has access to the applications that you enable and to documents that he creates. Within Finder windows, everything opens with a single click.
To limit the access of the user to specific applications, select the Only allow selected applications check box.
Deselect the check boxes for the categories or individual applications that you don't want the user to be able to use, and select the check boxes for the categories or individual applications that you do want the user to be able to use.
Select the check boxes at the bottom of the pane to allow (or deselect them to prevent) access to selected system actions, such as administering printers or burning CDs or DVDs. If you selected the Simple Finder option in Step 1, the Can modify the Dock option is disabled.
You can limit the user's access to various kinds of content by performing the following steps:
Click the Content tab. You see the Content controls in the pane (see figure 2.6).
To prevent profanity from appearing in the Mac OS X Dictionary, select the Hide profanity in Dictionary check box.
Limit the user's access to Web sites by doing one of the following:
Select the Try to limit access to adult websites automatically option, then click Customize. On the resulting sheet, add the URLs you want the user to be able to visit to the top pane by clicking the upper Add (+) button and typing the URL, or block access to specific sites by clicking the lower Add (+) button and typing the URLs you want to block. Then click OK. The user can visit the sites you added to the allow list and can't visit sites you enter on the prevent list. Access to other sites (such as "adult" Web sites) may be blocked, too.
Select the Allow access to only these websites option. When you choose the second option, the list of allowed Web sites (bookmarks) appears at the bottom of the pane. To add a site to the list (so the user is able to visit it), click the Add (+) button at the bottom of the list, choose Add bookmark, create a bookmark you want to add to the list, and click OK. To organize the bookmarks on the list, click the Add (+) button at the bottom of the list and choose Add Folder; name the folder and then add bookmarks to it. To remove a bookmark from the list so that a user can't access the related Web site, select the bookmark and click the Remove (–) button.
Another area of activity that you can limit for a Managed user account is email and chatting. You can define specific email addresses and chat accounts with which the user can communicate. To provide more flexibility, you can set up a notification that you receive when someone not on the approved list attempts to communicate with the user; on the notification, you can choose to allow the contact, in which case the person is added to the approved list, or you can choose to reject it, in which case the communication is blocked.
In the Mail & iChat tab (see figure 2.7), you can limit email and chats by selecting the Limit Mail or Limit iChat check boxes.
To define the people with whom the user can email or chat, click the Add (+) button. The Contact sheet appears, as shown in figure 2.8.
Enter contact information on the sheet manually by typing first name, last name, and email or chat address; then choose Email, AIM, or Jabber from the pop-up menu to identify the type of address you entered and click Add. You add a contact from your Address Book by clicking the downward-facing triangle next to the Last Name box, selecting the contact you want to add to the list, and clicking Add; all the addresses for the contact you select are added to the allowed list.
If you want to receive a permission email when someone not on the list is involved in an email exchange, select the Send permission requests to check box and type your email address.
Figure 2.8. Configure the Contact sheet to allow the user to communicate with someone via email or chat.
Warning
The email and chat controls only work with Mail and iChat. If the user can access other applications for these functions, the controls won't limit her access. Use the System controls to ensure she can only access Mail for email and iChat for chatting to make sure the limits you set apply.
You can use the Time Limits tab to limit the amount of time for which the user can use the MacBook. When a time limit is reached or when the time is outside of an allowed window, the user can't log into his user account, or if he is currently logged in, he is logged out after a brief warning that allows him time to save open documents. Here's how to set time limits:
Click the Time Limits tab (seefigure 2.9).
Note
When a user has been logged out because of time limits, a red circle with a hyphen in it appears next to the user's name in the Login window. The time at which the user can log in again is also shown.
To set the amount of time for which the user can be logged in on weekdays and/or weekends, select the Weekday time limits or Weekend time limits check box and set the time limit using the related slider.
To prevent the user from being logged in to the user account for specific periods of time Sunday to Thursday, select the School nights check box and enter the time period during which user activity should be prevented using the two time boxes.
To prevent the user from being logged in to the user account for specific periods of time on Friday and Saturday, select the Weekend check box and enter the time period during which user activity should be prevented using the two time boxes.
Note
Time limits apply only to the managed user account. If the user can log in under another user account, he'll be able to continue to use the MacBook regardless of the limits set on his own account.
Any application added to the Login Items list for a user is automatically opened when a user logs in to her account. For example, if a user opens Safari and Mail every time she uses the MacBook, you can add these applications to the user's Login Items so that they open when the user logs in to her account. Here's how you can make life easier for users (including yourself):
Log in under the user's account (you can set Login Items for your own account by logging into your account).
Open the System Preferences application and click the Accounts icon to open the Accounts pane.
Click the Login Items tab, as shown in figure 2.10.
Add items to the list by clicking the Add (+) button at the bottom of the pane.
Use the resulting dialog box to move to and select the files you want to add to the list. Hold the
Click Add.
Select check boxes for any items on the list that you want to be hidden by default. For example, if you want Mail to open but be hidden, select its check box. The next time the user logs in, the files you selected open and those whose check boxes are checked are hidden.
Typically, you create Sharing Only user accounts for groups of people who need to get to files on your MacBook. Creating a Sharing Only user account is similar to creating other types of accounts; create a new account, choose Sharing Only on the New Account pop-up menu, and complete the New Account sheet. When you are done with the creation process, you see that the only tools for the Sharing Only account are for the username, image, password reset, and MobileMe username.
You don't use a Sharing Only user account from your MacBook; its purpose is to enable people to log in to your MacBook from other computers. Provide the username and password to each person whom you want to allow access to your MacBook, and those users can log in to access files that you share.
Creating a Group user account is much simpler than the other types. Here's how:
Open the System Preferences application.
Click the Accounts icon.
Click the Add (+) button.
On the New Account pop-up menu, choose Group.
Type the group's name in the Name field.
Click Create Group. You move to the group's screen, on which you see all the user accounts on your MacBook (see figure 2.11).
Select the check box for each user whom you want to be a member of the group. The group is ready to be used to assign access permissions.
You change existing user accounts using the same set of tools that you use to create accounts. To make changes, follow these steps:
Note
The safest way to change an account's username is to delete the account and re-create it with a different username. However, when you delete a user account, you might delete all of its files so be careful before doing this.
If you no longer need a user account, you can delete it.
Open the System Preferences application and click the Accounts icon.
Select the account that you want to delete.
Click the Remove (–) button at the bottom of the user list. A sheet appears with three options for handling the user's Home folder:
Save the Home folder in a disk image. All the files in the user's Home folder are saved into a disk image located in the Deleted Users folder under the Users folder. You can access the files in the disk image by opening it.
Don't change the Home folder. If you choose this option, the user's Home folder remains in its current location under the user's folder in the Users folder, but its permissions are changed so that you can access it from an Administrator user account.
Delete the Home folder. If you choose this option, all traces of the user are removed from your MacBook.
Click OK. The user account is deleted and the user's Home folder is handled according to the option you selected.
The Mac OS X Automatic Login feature does just what it says. You can choose to log in to a specific user account each time your MacBook restarts. Enable Automatic Login by following these steps:
Open the System Preferences application and click the Accounts icon.
Click Login Options. The Login Options pane appears, as shown in figure 2.12.
From the Automatic Login pop-up menu, choose the name of the user that you want to be automatically logged in.
Type the user's password and click OK. Each time your MacBook starts or restarts, the user you selected is logged in automatically.
Warning
Enabling Automatic Login makes your MacBook less secure because anyone who has access to it can use it because no additional information is needed to log in. While this feature is convenient, you should only enable Automatic Login if your MacBook is in an area that you can control and you're sure other people won't be able to use it without your knowledge.
The Login window appears to prompt a user to log in. If Automatic Login is disabled, it appears when your MacBook starts up. If a user logs out of her user account, the Login window also appears. You can also make it appear by choosing Login Window in the Fast User Switching menu (this is covered in the next section). There are a number of options you can configure for the Login window. Follow these steps:
Open the System Preferences application and click the Accounts icon.
Click Login Options. The Login Options pane appears.
Select a Login window option by clicking one of the following two radio buttons:
List of users. When this option is selected, each user account's name and picture is shown in the Login window. The person logging in can click the appropriate user account to be prompted to type the password for that account. This option is more convenient because the user only has to recognize her user account and remember her password to be able to log in.
Name and password. When this option is selected, the Login window contains empty Name and Password fields. The user must type the account's name (full name or account name) and password to be able to log in.
If you want to be able to restart your MacBook, put it to sleep, or shut it down from the Login window, select the Show the Restart, Sleep, and Shut Down buttons check box.
Warning
If you've enabled Automatic Login, don't select the Show the Restart, Sleep, and Shut Down buttons check box. If you do, someone can gain access to your MacBook when the Login window is displayed without having a user account by clicking the Shut Down button and then restarting the MacBook.
If you want to be able to choose the language layout from the Login window, select the Show input menu in login window check box. This is useful if people who use different languages share your MacBook.
To show a hint when a user forgets his password, select the Show password hints check box. The user can click the Forgot Password button to see the hint for his account.
To have your MacBook read the text in the Login window, select the Use VoiceOver in the login window check box.
The Fast User Switching feature is great because it allows multiple users to be logged in at the same time. Instead of having to log out of your account for someone else to log in, the other user can log in by using the commands on the Fast User Switching menu. This is good because when you log out of an account, all processes are shut down, meaning that all open documents and applications are closed. If you have a lot of work ongoing, this can be a nuisance. With Fast User Switching, other users can log in while your account remains active in the background. When you log back in to your account, it is in the same state as when the other user logged in, and you can get back to what you were doing immediately.
Fast User Switching is disabled by default; to enable it, do the following:
Open the System Preferences application and click the Accounts icon.
Click Login Options.
Select the Show fast user switching menu as check box.
Choose one of the following options on the pop-up menu:
Name. The Fast User Switching menu is indicated by the user account's full name.
Short name. The Fast User Switching menu is indicated by the user account's username (short name).
Icon. The Fast User Switching menu is indicated by a silhouette.
To use Fast User Switching, open the Fast User Switching menu on the menu bar by clicking the current user's full name, the short name, or the silhouette. The Fast User Switching menu appears (see figure 2.13).
On this menu, you see the following:
List of user accounts. Each user account configured on your MacBook appears in the list.
Login Window. Choose this command to cause the Login window to appear.
Account Preferences. Choose this command to move to the Accounts pane of the System Preferences application.
To switch to a different user account, select it on the menu. The password prompt appears. If the password is typed correctly, that user account becomes active. The current account remains logged in but is moved into the background.
You can have as many user accounts logged in simultaneously as you want. However, remember that each account that is logged in can have active processes, all of which use your MacBook's resources. So, you don't want to get carried away with this idea.
Note
To quickly secure your MacBook without logging out, choose Login Window from the Fast User Switching menu. The Login window appears, but you remain logged in (you see a check mark next to your username). In order for someone to use your MacBook, he must know a valid password to be able to log in (unless you've configured a user account to not require a password).
Because Mac OS X is based on UNIX, it includes the Root user account. In a nutshell, the Root user account is not limited by any security permissions. If something is possible, the Root user account can do it. This is both good and bad. It's good because you can often solve problems using the Root user account that you can't solve any other way. It's bad because you can also cause problems from which it can be difficult, if not impossible, to recover. By contrast, when you use an Administrator account, you have limited access to certain system files, and so there is no way you can delete them; however, under the Root user account, anything goes, and it's possible for you to do things that cause your MacBook to be unusable.
You should only use the Root user account for troubleshooting. While you shouldn't use the Root user account often, when you need to use the Root user account, you'll really need it.
By default, the Root user account is disabled. You must enable it before you can log in to use it. You can enable the Root user account with the Directory Utility application, as described in the following steps:
Open the Accounts pane of the System Preferences application, select Login Options, and click Join or Edit.
At the resulting prompt, click Open Directory Utility.
Click the Lock icon.
Note
If you're comfortable using UNIX commands, you can also enable and use the Root user account by opening the Terminal application and entering the appropriate commands to enable the Root user account, set its password, and log in.
Type an Administrator username (if necessary) and password, and click OK.
Choose Edit
Type a password in the Password and Verify fields (see figure 2.14). I recommend using a different password than what you use for your normal user account so that it's more secure.
Click OK. The sheet closes, but nothing else appears to happen. Don't worry, the Root user account is now enabled and you can use it.
Quit the Directory Utility application.
Because it has unlimited permissions, you can add or remove files to any directory on your MacBook while you are logged in under the Root user account, including those for other user accounts. You can also make changes to any system file, which is where the Root user account's power and danger come from.
Note
The full name of the Root user account is System Administrator. You therefore see that term instead of Root wherever the full account name is shown.
To log in to the Root user account, start from the Login window by choosing Login Window on the Fast User Switching menu, logging out of the current account, or restarting your MacBook (if Automatic Login is disabled). If the Login window is configured to show a list of users, scroll down and select the Other username; the Name and Password fields appear. If the Login Window is configured to show name and password, you don't need to scroll because these appear immediately. Type root as the name, type the password you created for the Root user account, and click Login. You log in as the Root user account (or under root, as UNIX aficionados would say). The Root user account's desktop appears, and you can get to work. (Another difference between the root and other user accounts is that the root's Home folder contains only two folders, which are Desktop and Library.)
Note
If you want to disable the root account, open the Directory Utility application and choose Edit
When you are logged in to the Root user account, you can use your MacBook as you can with other user accounts, except — and this is a big exception — you have no security limitations. You can place files into any folder, delete any files, or complete any other action you try, regardless of the potential outcome. And, if you use the System Preferences application, you see that you no longer have to authenticate because all possible actions are always enabled for the root account.
Warning
Be careful when you are working under the root account. You can cause serious damage to Mac OS X as well as to data you have stored on your MacBook. You should be logged in under the root account only for the minimum time necessary to accomplish specific tasks. Log in, do what you need to, and then log out of root again. This minimizes the chance of doing something you didn't intend to.