How to Create Hidden Administrative Accounts in macOS?

If you have a system that is used by other people, you may want to give them managed user accounts and then reserve a separate administrative account for installing apps and changing system settings. This is especially true for situations where many people may be using one computer, such as in classrooms. While you can always create an administrative account, by default such accounts will show up along with others at the login window, in the Fast User Switch menu, and other locations; however, you can set this up to be hidden from most of these locations.

The root account

One approach for a hidden user account is to enable the root account. However, because root is fully unrestricted, this comes with inherent risks. Even though admin accounts may authenticate for root access, this ability is time- or session-limited, meaning that authentication is regularly required to ensure administrative actions are truly desired. With the root account no such checks are done, and faulty administrative actions can be harmful. Since practically every root action can be done from an administrative account, it's best to avoid enabling root unless some action cannot be done otherwise.

Dedicated administrative accounts

To create a special hidden user account that has administrative rights, you can go one of two routes based on the version of macOS that you have, but first you must create the account. This can either be done in the Users & Groups system preferences, or by using the command line (useful for scripting or remote-access approaches). For the second approach, open the Terminal and then run the following set of commands (replace USERNAME with the corresponding name of your account):

Get a list of current User ID numbers:

  • dscl . list /Users UniqueID

Create the user’s account in the local directory:

  • sudo dscl . create /Users/USERNAME

Set the user’s password:

  • sudo dscl . passwd /Users/USERNAME

Set the user’s full name:

  • sudo dscl . create /Users/USERNAME RealName "USER NAME"

Set the user’s default shell:

  • sudo dscl . create /Users/USERNAME UserShell /bin/bash

Add the user to the “admin” group:

  • sudo dscl . append /Groups/admin GroupMembership USERNAME

Now the following commands will create and assign the user’s home folder, which by default is in the /Users directory, but since this is a hidden account we are putting it in the hidden /var directory:

Create the folder:

  • sudo mkdir /var/USERNAME
  • sudo chown USERNAME /var/USERNAME

Set the home directory:

  • sudo dscl . create /Users/USERNAME NFSHomeDirectory /var/USERNAME

Set the user’s ID to a value unique from the list of User IDs you found in the first step above (change NUM to reflect the value of your selected ID):

  • sudo dscl . create /Users/USERNAME UniqueID NUM

If your version of macOS is prior to Yosemite, then you can set this unique value to something less than 500, and macOS should hide it. Otherwise, run the following command to have the login window hide users under 500:

  • sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE

Note that if you have created the user account in the Users & Groups system preferences, then you can change the User ID and home folder location in the system preferences by right-clicking the user and choosing the advanced options, then adjusting the values accordingly.

If your version of macOS is Yosemite or later, then you have additional approaches available to you for hiding the user account. Instead of being forced to use a User ID value under 500, you can use any ID you want and then set a special attribute for the user account that will hide it:

  • sudo dscl . create /Users/USERNAME IsHidden 1

To undo this change, re-run the command with “0” instead of “1,” or run the following command to remove the attribute altogether:

  • sudo dscl . delete /Users/USERNAME IsHidden

Finding hidden user accounts

While these approaches will hide a user account from the login window, the Users & Groups system preferences, and the Fast User Switching menu, you can still view the account. The following command will list the users on the system and then filter out system-based accounts, so you will see the short usernames of all the current users:

  • dscl . list /Users | grep -Ev "^_|^(nobody|root|daemon)$"
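
For auditing a shared Mac, the listing above can be narrowed to the accounts that matter most: members of the admin group that are hidden by either method described in this article. The script below is an added example, not part of the original article; the function name and sample accounts are constructed, and it assumes `dscl . list /Users IsHidden` prints name/value pairs in the same layout as the UniqueID listing.

```shell
#!/bin/bash
# Added example: flag admin-group members hidden from the login window.
# On a Mac, feed it live data:
#   find_hidden_admins "$(dscl . list /Users UniqueID)" \
#                      "$(dscl . list /Users IsHidden)" \
#                      "$(dscl . read /Groups/admin GroupMembership)"

# Constructed sample data, so the logic can be run off a Mac.
SAMPLE_UIDS='_www      70
daemon    1
nobody    -2
root      0
alice     501
labadmin  401
svcadmin  502
bob       503'
SAMPLE_HIDDEN='svcadmin  1
bob       0'
SAMPLE_ADMIN='GroupMembership: root alice labadmin svcadmin'

find_hidden_admins() {
    # $1: "name uid" lines; $2: "name IsHidden-value" lines;
    # $3: the "GroupMembership: a b c" line for the admin group.
    printf '%s\n---\n%s\n---\n%s\n' "$1" "$2" "$3" | awk '
        BEGIN { section = 0 }
        $0 == "---" { section++; next }
        section == 0 && NF >= 2 { uid[$1] = $2 }
        section == 1 && NF >= 2 && $2 == "1" { hidden[$1] = 1 }
        section == 2 && $1 == "GroupMembership:" {
            for (i = 2; i <= NF; i++) admin[$i] = 1
        }
        END {
            for (u in admin) {
                if (u == "root") continue          # root is always in admin
                reason = ""
                if (u in hidden) reason = "IsHidden"
                else if ((u in uid) && uid[u] + 0 < 500) reason = "UID<500"
                if (reason != "") print u, uid[u], reason
            }
        }' | sort
}

# Prints one line per hidden admin: short name, UID, hiding method.
find_hidden_admins "$SAMPLE_UIDS" "$SAMPLE_HIDDEN" "$SAMPLE_ADMIN"
```

Accounts flagged as UID<500 are only hidden when the Hide500Users login window preference is enabled (or on versions prior to Yosemite), so check that setting alongside the output.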
