Managing Users

Traditional Unix systems typically store their user and group information in the /etc/passwd and /etc/group files—and if you go looking, you can find these files on your Mac. However, after Mac OS X boots, it does not use these files. Instead, it uses Open Directory (discussed in Chapter 7) to store its user and group information. This allows the system to work equally well in home setups where there is only one machine and in enterprise environments where there might be hundreds of machines that use a central server for authentication.

While there are many ways to manage users on Mac OS X, the simplest and most direct by far is to use the Accounts preference panel.

Managing Users with the Accounts Panel

When you open the Accounts preference panel, you are presented with a list of users on the system and a set of tabbed panes to modify users, as shown in Figure 6-1.

Figure 6-1. The Accounts preference panel

Creating a user

To create a user, click the plus (+) button. A sheet drops down asking for information about the new user. The various fields are:


This is the full name for the user. This name shows up in most places where Mac OS X displays user information, such as the login panel and any of the alert screens that prompt you for an administrator password.

Short Name

This is the Unix-style name for the user and is what you’ll typically see on the command line. The default short name is your first and last names run together in lowercase with no spaces (e.g., jasonderaleau). Unix usernames were once limited to eight characters or fewer, while Mac OS X allows short names of up to 255 characters.


Don’t feel like you have to stick with the Short Name that Mac OS X gives you. Having to type in your full name to log in can be a bit of a pain, so if you want, change the Short Name to just your first name (e.g., jason), or something else (such as jldera) that makes sense to you.

Remember, just because the system gives you something as a default doesn’t necessarily mean that you have to use it. If the field is editable and you’d rather use something different, change it.

Password & Verify

This is where you set the password for the user.

Password Hint

This is where you define a hint that will be displayed to the user if an incorrect password is entered more than three times.

Allow user to administer this computer

If you enable this checkbox, the user account will be added to the admin group and given administrative privileges on the machine.

There are three tabs of the Accounts preference panel that allow you to fine-tune the settings for a user. They are:


This tab allows you to view the user’s name, short name, and address book card entry. You can also change the user’s password and grant administrative access. Remember, when you allow somebody to become an administrator, that user becomes a member of the admin group and can modify the system however she sees fit.


This allows you to associate a picture with a user, which is handy for the various user lists. You can either use one of the Apple-provided pictures or choose one of your own. Also, if you have an iSight camera connected to your computer, the Add Picture dialog box will let you take a snapshot, which you can use for this picture.

Login Items

Shown only when viewing the current user’s account, this list of applications is launched every time you log into your Mac. You can also specify that an application should load at login by enabling the Open at Login option on the app’s Dock menu.

Parental Controls

A new feature in Tiger, the Accounts panel’s Parental Controls tab is used to restrict a user’s access to various Mac OS X applications. While administrator accounts cannot be controlled through this means, it is quite useful for protecting younger Mac users from some of the dangers of the Internet. You can read more about their configuration in the "Parental Controls" section found later in this chapter.

When you’ve finished setting up a user, his Home folder is created in the /Users folder, and he will be able to log into the system.


When you create an account using the Accounts preference panel, all properties about that user are stored in the local NetInfo database managed by Open Directory. To see the contents of this database, use NetInfo Manager (/Applications/Utilities), which provides a barebones view of the NetInfo database and will allow you to make substantial changes. You’ll see more about NetInfo Manager and how user records are stored in Open Directory in Chapter 7.
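Because the "Allow user to administer this computer" checkbox works by adding the account to the admin group, that group's membership is worth reviewing from Terminal. The script below is an added example, not code from the book: it parses the output of dscl . -read /Groups/admin GroupMembership and lists any member missing from an approved list. The approved list and the sample output are constructed, reusing the short names from this section.

```shell
#!/bin/sh
# Added example: report members of the local admin group that are not on
# an approved list. Only GroupMembership is checked; an account whose
# primary group is admin would not appear in this attribute.

# Short names allowed to hold admin rights (constructed; edit for your site).
APPROVED_ADMINS="root jason"

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output,
# used when dscl is not installed so the script still runs elsewhere.
SAMPLE_OUTPUT="GroupMembership: root jason jldera"

# Read dscl output on stdin and print one short name per line.
# Handles values on the key's own line and on indented continuation lines;
# anything else (such as an error message) produces no output.
parse_members() {
    sed -n -e 's/^GroupMembership:[[:space:]]*//p' \
           -e 's/^[[:space:]]\{1,\}//p' |
        tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Read dscl output on stdin and print members that are not approved.
unexpected_admins() {
    parse_members | while read -r name; do
        case " $APPROVED_ADMINS " in
            *" $name "*) ;;                  # approved, nothing to report
            *) printf '%s\n' "$name" ;;      # not approved, needs review
        esac
    done
}

if command -v dscl >/dev/null 2>&1; then
    report=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null |
        unexpected_admins)
else
    report=$(printf '%s\n' "$SAMPLE_OUTPUT" | unexpected_admins)
fi

if [ -z "$report" ]; then
    echo "admin group matches the approved list"
else
    printf '%s\n' "$report" | sed 's/^/review admin account: /'
fi
```

Run against the constructed sample, the script reports jldera, the one member not on the approved list.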

Deleting a user

To delete a user, select the name of the user from the list and click the minus button (-). You are presented with a dialog box asking whether you really want to delete the user and what you want to do with the contents of the user’s Home folder. You can either archive the user’s folder to a disk image (.dmg) file in the /Users/Deleted Users directory or quickly and permanently erase it, as shown in Figure 6-2.

If you choose to save the contents, you can browse through them at any time by double-clicking the .dmg file. This mounts a temporary drive from which you can restore a user’s data. Another option is to save the disk image and then burn it to CD or DVD for historical purposes. When you have decided that you no longer need the files for the user, you can delete the disk image from the /Users/Deleted Users directory as long as you have admin privileges.

Figure 6-2. Deleting a user with the Accounts preference panel

Parental Controls

Though earlier versions of Mac OS X included a means to restrict a user’s access to the Finder, Tiger takes restricting the user environment a step further with Parental Controls (see Figure 6-3). Parental Controls allow you to easily limit a user’s experience in several bundled Mac OS X applications. While most of these controls are presented as a means for parents to protect their children, they could be just as useful in a business environment. Corporate systems administrators, however, will find that Mac OS X Server’s Workgroup Manager provides a more flexible means of managing preferences.

Figure 6-3. A user account’s Parental Controls

As shown in Figure 6-3, the applications that can be managed are:


Mail can be configured to allow correspondence only with addresses that you specify. Additionally, permission emails can be sent to a parent’s email address for review.


You can choose to restrict the user to a version of Finder that provides a somewhat limited experience, or enable the Simple Finder and specify the exact documents, folders, and applications a user can access.


Much like Mail, iChat can be configured with a list of users who may instant message the child’s account.


After enabling a user’s Parental Controls for Safari, you cannot browse to pages that are not on the user’s Bookmarks Bar, as shown in Figure 6-4. Attempting to modify the Bookmarks Bar will prompt you for an administrator’s password, allowing for fine-grained control of the user’s browsing experience.


Enabling Parental Controls for Dictionary prevents searches for words that may be considered inappropriate for children (just think of George Carlin’s “Seven Words You Can’t Say on Television” routine, and you get what I mean).

Figure 6-4. The restricted Safari in action

