 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Mac Forum / Applications / Mac Applications / February 2005How to create another admin user in OS X
I have a G5 with OS 10.3.6 on it. I have provisioned one admin user and 3 standard users. How do I create another admin user? If I log in as the admin user and then from the System Preferences panel for accounts, select my account and click the "+", it always creates a standard user. What am I missing? - Jeff > I have a G5 with OS 10.3.6 on it. I have provisioned one admin > user and 3 standard users. How do I create another admin user? If > I log in as the admin user and then from the System Preferences > panel for accounts, select my account and click the "+", it > always creates a standard user. It's there, advanced tab or something, but why would you not keep _the_ admin account separate? It's just for admin tasks, each individual should have their own personal, non-admin account for daily work. > What am I missing? There's another screen you can get to from the "set up my user's account" screen, but I'm not in front of a Mac at the moment. > > I have a G5 with OS 10.3.6 on it. I have provisioned one admin > > user and 3 standard users. How do I create another admin user? If [quoted text clipped - 5 lines] > admin account separate? It's just for admin tasks, each individual > should have their own personal, non-admin account for daily work. Question (for info purposes): Is there such a thing as an "admin account" that is fundamentally different from a "user account"? Or an "admin user" who is not also, inevitably, an "individual" or "standard" user"? Phrasing this another way: Could the basic structure be described as, "There are always one or more users, at least one of whom (and sometimes more than one of whom) must always have administrative privileges"? > Question (for info purposes): Is there such a thing as an "admin > account" that is fundamentally different from a "user account"? Or an > "admin user" who is not also, inevitably, an "individual" or "standard" > user"? AFAIK, the only thing that distinguishes an admin account from any other kind of account is that it's a member of the admin group. It's that group membership that confers the power "to administer this computer". >>Question (for info purposes): Is there such a thing as an "admin >>account" that is fundamentally different from a "user account"? Or an [quoted text clipped - 4 lines] > kind of account is that it's a member of the admin group. It's that > group membership that confers the power "to administer this computer". Actually, it is more than that. There is a subset of userID number values on the system (a range of values, actually), that have some extra powers, at least at the UNIX level. Although a lot comes from membership in the admin group, there are certain extra priviledges to being an admin. - Jeff > Actually, it is more than that. There is a subset of userID > number values on the system (a range of values, actually), that > have some extra powers, at least at the UNIX level. Although a > lot comes from membership in the admin group, there are certain > extra priviledges to being an admin. The first user-created account in OS X is 501. The second is 502, and so on, no matter whether the accounts have admin privileges. It does not appear that there is any special numerical range for admin accounts. OS X does not, by default, make admin users members of the staff or wheel groups, but does add them to the appserverad group. The only other attribute (in my very limited knowledge) relevant to admin status is the sudoer designation. My sudoers file lists only one user (root) and the admin group. However other UNIX systems may do it, it looks like OS X simply piggybacks admin privileges on group membership. >>Actually, it is more than that. There is a subset of userID >>number values on the system (a range of values, actually), that [quoted text clipped - 7 lines] > X does not, by default, make admin users members of the staff or wheel > groups, but does add them to the appserverad group. Thanks for correcting me on that. I've used many Unix systems but I'm still quite new to Darwin. > The only other attribute (in my very limited knowledge) relevant to > admin status is the sudoer designation. My sudoers file lists only one > user (root) and the admin group. However other UNIX systems may do it, > it looks like OS X simply piggybacks admin privileges on group > membership. Good information to know (at least for myself). - Jeff >>>Question (for info purposes): Is there such a thing as an "admin >>>account" that is fundamentally different from a "user account"? Or an [quoted text clipped - 4 lines] >> kind of account is that it's a member of the admin group. It's that >> group membership that confers the power "to administer this computer". > Actually, it is more than that. There is a subset of userID > number values on the system (a range of values, actually), that > have some extra powers, at least at the UNIX level. Although a > lot comes from membership in the admin group, there are certain > extra priviledges to being an admin. I doubt that. The first account created on a new Mac is assigned uid 501, and it's an administrator. Subsequent accounts get consecutive numbers. Enabling or disabling admin status for an account does not change its uid. My account has a higher uid than the one originally assigned, for purposes of NFS compatibility with other machines on the network. It doesn't affect my admin status.  SignatureDave Seaman Judge Yohn's mistakes revealed in Mumia Abu-Jamal ruling. <http://www.commoncouragepress.com/index.cfm?action=book&bookid=228> >> > I have a G5 with OS 10.3.6 on it. I have provisioned one admin >> > user and 3 standard users. How do I create another admin user? If [quoted text clipped - 5 lines] >> admin account separate? It's just for admin tasks, each individual >> should have their own personal, non-admin account for daily work. > Question (for info purposes): Is there such a thing as an "admin > account" that is fundamentally different from a "user account"? Or an > "admin user" who is not also, inevitably, an "individual" or "standard" > user"? Any member of group "admin" is an administrator. > Phrasing this another way: Could the basic structure be described as, > "There are always one or more users, at least one of whom (and sometimes > more than one of whom) must always have administrative privileges"? When you boot a Mac for the very first time, you are asked for a user ID and password that will be used to create the first account, which is always an admin account. In order to add or delete accounts (admin or not) you must be logged in as an admin user. However, you cannot delete the account of any user who is currently logged in. Therefore, it is not possible to delete all the admin accounts. SignatureDave Seaman Judge Yohn's mistakes revealed in Mumia Abu-Jamal ruling. <http://www.commoncouragepress.com/index.cfm?action=book&bookid=228> > In order to add or delete accounts (admin or not) you must be logged in > as an admin user. However, you cannot delete the account of any user who > is currently logged in. Therefore, it is not possible to delete all the > admin accounts. If you're logged in as an admin account, you can revoke your own admin status. So while you might not be able to delete all the admin accounts, you could effectively remove all users from admin status. SignatureTom "Tom" Harrington Macaroni, Automated System Maintenance for Mac OS X. Version 2.0: Delocalize, Repair Permissions, lots more. See http://www.atomicbird.com/ >>In order to add or delete accounts (admin or not) you must be logged in >>as an admin user. However, you cannot delete the account of any user who [quoted text clipped - 4 lines] > status. So while you might not be able to delete all the admin > accounts, you could effectively remove all users from admin status. Interesting isn't it! Have you tried this?? :-) Actually, the system won't let you delete your' priviledges as an admin if there are no others around. Try it! On a system with a single admin account, go into it and try to remove the priviledges. It won't let you. But create a second account with admin priviledges and all of a sudden the priviledge box for your original account is no longer greyed out. If you go and login to the other new admin account, go to the security pane and turn off its admin priviledge. now go back to the original admin account and see that the priviledge check box is once again greyed out. Now technically you can enable superuser, log into root, and kill the last admin account but then you couldn't disable the superuser account. It's lonely at the top. You can't even commit suicide :-) - Jeff P.S. can you imagine all the original UNIX testing that went on to ensure all permutations of these types of things were covered? > > In order to add or delete accounts (admin or not) you must be logged in > > as an admin user. Wrong. You need to know an admin's name & password so you can authenticate when you click on the lock icon, but you don't have to be logged in as an admin. You also need sufficient access to run System Preferences and open the Accounts pane; it's possible to control which non-admin users are allowed to do that. > > However, you cannot delete the account of any user who is currently > > logged in. Therefore, it is not possible to delete all the admin [quoted text clipped - 3 lines] > status. So while you might not be able to delete all the admin > accounts, you could effectively remove all users from admin status. No, you can't. If there's only one admin account, the admin option for that account is greyed out; you can't turn it off. OS X forces you to always have at least one working admin account. If you want to revoke the admin status of the only admin, you must first make someone else an admin. > Question (for info purposes): Is there such a thing as an "admin > account" that is fundamentally different from a "user account"? Or an > "admin user" who is not also, inevitably, an "individual" or "standard" > user"? Taking from my old unix days--All accounts are really "user accounts". An Admin account is a special type of user account. In addition to belonging to the "admin" group, it has some of the administrative powers of a superuser (e.g., the ability to change other people's passwords even if they have nothing to do with the admin group. Some types of unix services actually have their own accounts as well but nobody actually logs into them. They are for processes that are set up so that if something goes nuts or is hijacked, other processes in the system are protected from them. > Phrasing this another way: Could the basic structure be described as, > "There are always one or more users, at least one of whom (and sometimes > more than one of whom) must always have administrative privileges"? There is always at least one user account and that is the superuser. However and admin can do nearly anything a superuser can do only they tendto have to keep entering their password all the time. Once logged in as superuser, this usually is not necessary. The superuser account is disabled in OS X but it can be enabled for certain tasks but most Unix admins will tell you it is almost always better to have admin account and the sudo type commands to accoumplich superuser activities than to actually log in as the superuser. BTW, i forget the actual values, but superuser is either userID number 0 or 1. Admins are all users with userIDs that are less than a certain value (again I forget the value used). Normally in the Mac you never see the userID number but if you go into the terminal window and do a long listing on files in your home directory (e.g., "ls -l") the numberic values for you as a user (your userID) and your group (your groupID) are visible on each file. When you do a get info on a file or folder in the finder and look at the permissions, those numberic values are mapped into the text values of your account name and group name. - Jeff >> > I have a G5 with OS 10.3.6 on it. I have provisioned one admin >> > user and 3 standard users. How do I create another admin user? If [quoted text clipped - 10 lines] > "admin user" who is not also, inevitably, an "individual" or "standard" > user"? Yes. The admin account is allowed to interfere with system-level files, where a "joe user" account can only break their own stuff. > Phrasing this another way: Could the basic structure be described as, > "There are always one or more users, at least one of whom (and sometimes > more than one of whom) must always have administrative privileges"? Yes, unless you want to run the stock Apple install forever, chances are you'll need admin rights at some point. The first account you create is automatically granted those rights, which are need to add more accounts and so on. It's more complicated than that, but this is fundamentally accurate. Dave Hinz > I have a G5 with OS 10.3.6 on it. I have provisioned one admin > user and 3 standard users. How do I create another admin user? If [quoted text clipped - 3 lines] > > What am I missing? The Security pane and the "Allow user to administer this computer" checkbox. m. Signaturematt neuburg, phd = matt@tidbits.com, http://www.tidbits.com/matt/ AppleScript: The Definitive Guide http://www.amazon.com/exec/obidos/ASIN/0596005571/somethingsbymatt Read TidBITS! It's free and smart. http://www.tidbits.com > I have a G5 with OS 10.3.6 on it. I have provisioned one admin > user and 3 standard users. How do I create another admin user? If [quoted text clipped - 5 lines] > > - Jeff Tab Security>Allow user to administer this computer. HTH MArc > I have a G5 with OS 10.3.6 on it. I have provisioned one admin > user and 3 standard users. How do I create another admin user? If [quoted text clipped - 5 lines] > > - Jeff System Preferences -> Accounts Highlight the account and click on security. Check the "Allow user to administer this computer" box. Signature-Ernie- "There are only two kinds of computer users -- those who have suffered a catastrophic hard drive failure, and those who will." Have you done your backup today? > I have a G5 with OS 10.3.6 on it. I have provisioned one admin user and > 3 standard users. How do I create another admin user? If I log in as the > admin user and then from the System Preferences panel for accounts, > select my account and click the "+", it always creates a standard user. > > What am I missing? Thanks all! Several folks pointed out the security pane. The thing that threw me was originally when I only had a single admin account on the system, selecting the "+" for a new account automatically made it an admin account. once you create a standard account, you have to create a new standard account and then edit it to give it admin priviledges. - Jeff |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.