Creating and Editing User Accounts
Both administrator and standard users use
Accounts preferences to manage user accounts. Although standard
users can change their own account information, such as the login
password, only administrator users can add or delete user accounts.
Throughout this lesson, we assume that you are initially logged in
as an administrator using an account named Apple Admin. If you
prefer to continue using your existing account, that's fine, as
long as it's an administrator account. Whenever the Apple Admin
account is discussed in the book, substitute your administrator
account instead.
To create a new account, click the Add User (+)
button. You then provide a long name, a short name, a password, and
an optional password hint for the user.
Accounts preferences is divided into four
panes:
NOTE
Login Items is only available when you are
configuring your own account, and Parental Controls is only
available when you're editing standard accounts.
- Password: You enter the user's full name and short name. Selecting the "Allow
user to administer this computer" checkbox changes the account type
from standard to administrator. You also enter the user's password
and an optional password hint.
TIP
You can create a user account without a
password, but doing so is strongly discouraged for security
reasons. An alert is displayed when no password is entered.
When a user account is created in Mac OS X, a
home folder is created for that user in Users. The home folder has
the same name as the user's short name. You can quickly access your
home folder by clicking the home icon in the Sidebar at the left of
the Finder window. The short name can be as long as 255 Roman
characters. However, if a short name is longer than 32 characters,
Classic applications (as well as some Mac OS X applications) might
give errors while saving files. In such a case, you can save the
files in a folder that has a name less than 32 characters in
length, and then move them later, using the Finder.
NOTE
When creating a new user account, think
carefully about the user's short name. After you create an account
you can easily change a user's long name, but changing the short
name is a complicated procedure. Renaming the home folder does not
change the user's short name because that information is stored in
the local NetInfo database (/var/db/netinfo/local.nidb).
MORE INFO
Refer to Knowledge Base document 106824, "Mac OS
X: How to change user short name or home directory name."
- Picture: You select a login picture. This picture is also used as your Address
Book picture and as the default picture in iChat. You can upload a
custom picture by clicking Edit and then Choose.
- Login Items: If you are modifying your own account, you can specify which items to open
automatically when you log in. This pane was called Startup Items
in previous versions of Mac OS X.
- Parental Controls: For modifying a standard user account, the Parental
Controls pane (called Limitations in previous versions of Mac OS X)
allows administrators to limit what a standard user can do on the
computer with applications such as Mail, Finder & System,
iChat, and Safari. For example, you can allow or deny iChat
requests and emails from specific people, limit access to System
Preferences, and prevent Finder tasks such as burning CDs or DVDs.
You can also specify a limited set of applications that the user
can open.
NOTE
The accounts list identifies non-administrator
accounts as either Standard or Managed, depending upon the Parental
Controls settings. This book uses the term "standard user" to refer
to both types of non-administrator accounts, regardless of their
Parental Controls settings.
To apply your changes, switch to another pane,
add a new user, or quit System Preferences.
Setting Login Options
The Login Options pane in Accounts preferences is
used to set options that affect how users log in as well as what
they can do once they are logged in. To access the Login Options
pane, select a user in the list at the left, then click Login
Options at the bottom left.
If you are an administrator user, you can
configure the computer to log in as a particular user every time it
starts up or restarts. Select the "Automatically log in as"
checkbox, and choose a user from the corresponding pop-up menu. You
will be prompted for that account's password (if any). The next
time the computer boots, Mac OS X will automatically log into that
account. This option is best for computers with only one user
account in a secure environment.
You can configure the login window to display a
list of user accounts with a login picture for each one or a prompt
for the user name and password. The latter is the best choice for
computers with several user accounts, and it also provides an extra
measure of security because users must know a valid name and
password to log in. If you have selected Network Startup in Startup
Disk preferences, you can enter a local user account in the login
window, or click Other and enter a network user name and
password.
You can also choose whether or not to show the
Restart, Sleep, and Shut Down buttons. This security feature can
keep a user from restarting in an insecure mode, short of using the
reset or power buttons on the computer itself. This security
feature is useful in managed environments such as kiosk-type
installations, where you want to prevent a user from restarting the
computer with a modifier key pressed.
New in Mac OS X 10.4 are the options for showing
the Input menu in the login window (necessary for proper input of
passwords if users of the computer use different keyboards or
language mappings), using VoiceOver at the login window (good for
visually-impaired users), as well as whether to show password hints
in the login window (recommended only in environments where
security is not a priority).
Finally, you can enable fast user switching
(discussed later in this lesson). This feature lets multiple users
share a computer without quitting applications and logging out. For
the purposes of the following exercises, make sure fast user
switching is enabled.
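The Login Options described above are stored as keys in system preference files, so they can be reviewed without opening the GUI. The following is an added example, not code from the book: the file paths and key names (autoLoginUser, SHOWFULLNAME, PowerOffDisabled, RetriesUntilHint, MultipleSessionEnabled) are assumptions about the loginwindow preference domain that should be confirmed on the release in use, and all plist contents are constructed samples.

```python
import plistlib

# Constructed sample of /Library/Preferences/com.apple.loginwindow.plist
# (path and key names are assumptions; values are not from a real machine).
SAMPLE_LOGINWINDOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>autoLoginUser</key><string>chris</string>
  <key>SHOWFULLNAME</key><false/>
  <key>RetriesUntilHint</key><integer>3</integer>
</dict></plist>"""
# Constructed sample of /Library/Preferences/.GlobalPreferences.plist
SAMPLE_GLOBAL = plistlib.dumps({"MultipleSessionEnabled": True})
# Constructed kiosk-style settings that should produce no findings.
HARDENED_LOGINWINDOW = plistlib.dumps(
    {"SHOWFULLNAME": True, "PowerOffDisabled": True, "RetriesUntilHint": 0})
HARDENED_GLOBAL = plistlib.dumps({"MultipleSessionEnabled": False})


def audit_login_options(loginwindow_plist, global_plist):
    """Return (setting, detail) pairs for Login Options the lesson warns about."""
    lw = plistlib.loads(loginwindow_plist)
    gp = plistlib.loads(global_plist)
    findings = []
    user = lw.get("autoLoginUser")
    if user:  # "Automatically log in as": no password needed at boot
        findings.append(("automatic-login", "boots straight into " + user))
    if not lw.get("SHOWFULLNAME", False):  # list of users instead of name+password
        findings.append(("user-list", "login window reveals valid account names"))
    if not lw.get("PowerOffDisabled", False):  # buttons visible at the login window
        findings.append(("power-buttons", "Restart, Sleep and Shut Down are shown"))
    retries = lw.get("RetriesUntilHint")
    # A missing key is left unflagged: the default is not assumed here.
    if isinstance(retries, int) and retries > 0:
        findings.append(("password-hints", "hint shown after %d failures" % retries))
    if gp.get("MultipleSessionEnabled", False):  # fast user switching
        findings.append(("fast-user-switching", "sessions stay logged in side by side"))
    return findings


if __name__ == "__main__":
    for setting, detail in audit_login_options(SAMPLE_LOGINWINDOW, SAMPLE_GLOBAL):
        print("%-20s %s" % (setting, detail))
    print(audit_login_options(HARDENED_LOGINWINDOW, HARDENED_GLOBAL))
```

Whether a finding matters depends on the environment the lesson describes: automatic login suits a single-user computer in a secure location, while the other four matter most on shared, lab, or kiosk machines.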
Creating a Standard User Account
This exercise guides you through the process of
creating a standard user account:
1. Open System Preferences and click Accounts. If necessary, unlock Accounts preferences by clicking the lock icon and authenticating as an administrator.
2. Click the Add User button (the plus sign beneath the accounts list), and enter the following information:
   - Name: Chris Johnson
   - Short Name: chris
   - Password: changeme
   - Verify: changeme
3. Click Create Account.
   You have created a local user account for Chris.
4. Verify that the Chris Johnson account is in the Other Accounts list at the left.
5. Repeat steps 2 and 3 to create another standard user:
   - Name: Martha Flowers
   - Short Name: martha
   - Password: marflo
   - Verify: marflo
Test the New User Account
Log in using Chris Johnson's user account to
verify that the user account was created correctly.
1. Choose Log Out Apple Admin from the Apple menu.
2. In the dialog asking if you are sure, click Log Out.
3. In the login window, select Chris Johnson.
4. Enter Chris Johnson's password: changeme
5. Click Log In.
   You are now logged in as Chris Johnson.
6. Log out of the Chris Johnson account.
7. Log in to the Apple Admin account.
Switching Between Users
Mac OS X 10.3 introduced a new feature, fast
user switching, which lets multiple users share a computer without
quitting applications and logging out. When one user logs in to his
or her own account, other accounts remain active in the background
with applications running and documents still open.
Although the UNIX-based security model in Mac OS
X helps keep data and applications secure, enabling fast user
switching can introduce some potential security risks. For example,
an encrypted disk image currently opened under one account would be
potentially accessible from another account if both accounts are
currently logged in with fast user switching. For this reason, you
should not enable fast user switching on a computer where you do
not know and trust all of the users (such as in a computer lab or a
kiosk).
When you activate fast user switching in the
Login Options pane of Accounts preferences, a new menu appears on
the right side of the menu bar. You can use this menu to switch
between accounts. If you switch to an active user account (an
account that is logged in), you'll see the account in the same
state in which it was last left, with any applications running.
This feature enables you to keep each account's user environment
distinct and intact without wasting time.
When using fast user switching, keep in mind
that you might encounter resource conflicts. Many peripherals
cannot be shared among multiple users on the same computer
simultaneously. For example, if a user opens a scanner application
and then switches out, a second user logging in may not be able to
access the scanner. In some cases, applications that control
peripherals will release control of the device when a user switches
out.
Some applications have issues when two or more
people attempt to use the application at the same time. Mac OS X
includes a list of versions of applications that are known to have
issues when opened by more than one user. When a second user
attempts to open the application, the system will warn the user
that the application is already in use and cannot be opened. If you
encounter an application that has problems being opened by multiple
switched users, contact the application's developer; a more recent
version may have fixed the problem.
MORE INFO
Refer to Knowledge Base document 25619, "Mac OS
X 10.3, 10.4: Some applications only work in one account at a
time."
You can also experience
conflicts in accessing documents. A user with the right permissions
can open the same document that a previous user was editing, and
can make changes to it, even if the first user left the document
open. This can result in conflicts. Therefore, you should
coordinate work on shared documents with other users of the system
to avoid problems.
Also, only one account at a time can use the
Classic environment. If one account has a Classic application open,
other users on that Mac OS X computer will not be able to run
Classic applications until the first user quits the running Classic
application and stops the Classic environment.
NOTE
If fast user switching is turned on, an
administrator user cannot select or edit the account of any user
that is currently logged in (the account name appears dimmed in
Accounts preferences).
Deleting User Accounts
As an administrator user, you can use Accounts
preferences to delete any user account. However, you cannot remove
all the administrator users because there must be at least one.
To delete an account, select it, then click the
Delete User (minus sign) button. The system will prompt you to put
the contents of the user's home folder in a disk image (.dmg) file
in the /Users/Deleted Users folder or to delete the home folder
contents immediately.
If you click OK, the
user's home folder will be moved into a disk image file in
/Users/Deleted Users. If the files need to be transferred to
another user account, an administrator user can move the disk image
to that user's home folder. The user can then mount the disk image
and retrieve the needed files. (Disk images are covered in
Lesson 4, "File
Systems.")
NOTE
If you click Delete Immediately, the user's home
folder will be deleted and cannot be recovered. It is not put in
the Trash, so this command should be used with caution.
TIP
When deleting a user that has FileVault
configured, be sure that you first turn off FileVault for the user
and then delete the user account.
Deleting a User Account
The following steps walk you through deleting a
user account:
1. In Accounts preferences, select the Martha Flowers user account.
   If you are still logged in as Chris Johnson, you must first click the lock icon then authenticate using the Apple Admin account before you can make changes in Accounts preferences.
2. Click the Delete User button (the minus sign).
   A dialog appears, informing you that the contents of the user's folder will be put in the Deleted Users folder.
   You have two options when deleting a user account: you can save the contents of the user's home folder in a disk image, or you can immediately delete the user's home folder.
3. Click OK.
4. Verify that Martha Flowers is no longer listed in the Other Accounts list.
5.
6. Open the Users folder in the Finder.
   Verify that the folder martha has been deleted and that a martha.dmg file has been placed in the Deleted Users folder.
Restoring a Deleted User's Files
The contents of the martha home folder have been
stored in the martha.dmg disk image. (Disk images are covered in
Lesson 4, "File
Systems.") The following steps show you how to open the disk image
and restore its contents:
1. Navigate to /Users/Deleted Users.
2. Double-click martha.dmg.
   The martha volume will be mounted on your desktop and its contents displayed in a new window. You should be able to view the folders and files from the old Martha Flowers home folder.
   If you need to have another user take over the files from the Martha Flowers account, you could copy the disk image to the new user's home folder, and that user could mount the disk image and copy any needed files.
3. Create a new folder in Users named martha.
4. Copy the contents of the mounted image into the folder /Users/martha.
5. Unmount the martha volume from the desktop.
6. Open System Preferences.
7. Click Accounts.
8. Unlock the Accounts pane by authenticating as Apple Admin.
9. Add a new user, Martha Flowers (Short Name: martha, Password: marflo). A dialog appears stating that a folder in the Users folder already has the name "martha."
10. Click OK to use that folder as the home folder for the new account you are creating.
11. Quit System Preferences.
12. Use the user accounts menu at the top right to switch user accounts, and log in as Martha Flowers (Password: marflo).
13. Log out of the Martha Flowers account.
14. Log in to the Apple Admin account.