Set up users, guests and groups on Mac
If your Mac has multiple users, you should set up an account for each person so each can personalise settings and options without affecting the others. You can let occasional users log in as guests without access to other users’ files or settings. You can also create groups. You must be an administrator of your Mac to perform these tasks.
Add a user
On your Mac, choose Apple menu 
> System Preferences, then click Users & Groups.
Click the lock icon 
to unlock it.
Enter an administrator name and password.
Click the Add button 
below the list of users.
Click the New Account pop-up menu, then choose a type of user.
Administrator: An administrator can add and manage other users, install apps and change settings. The new user you create when you first set up your Mac is an administrator. Your Mac can have multiple administrators. You can create new ones, and convert standard users to administrators. Don’t set up automatic login for an administrator. If you do, someone could simply restart your Mac and gain access with administrator privileges. To keep your Mac secure, don’t share administrator names and passwords.
Standard: Standard users are set up by an administrator. Standard users can install apps and change their own settings, but can’t add other users or change other users’ settings.
Sharing Only: Sharing-only users can access shared files remotely, but can’t log in to or change settings on the computer. To give the user permission to access your shared files or screen, you may need to change settings in the File Sharing, Screen Sharing or Remote Management pane of Sharing preferences. See Set up file sharing and Share the screen of another Mac.
For more information about the options for each type of user, click the Help button in the lower-left corner of the dialogue.
Enter a full name for the new user. An account name is generated automatically. To use a different account name, enter it now — you can’t change it later.
Enter a password for the user, then enter it again to verify. Enter a password hint to help the user remember their password.
Depending on the type of user you create, you can also do any of the following:
For an administrator, select “Allow user to administer this computer”.
Use Sharing preferences to specify whether the user can share your files and share your screen.
For information about Apple’s privacy policy, see the Apple Privacy Policy website.
If your Mac has Touch ID, a new user can add a fingerprint after logging in to the Mac. The user can then use Touch ID to unlock the Mac and password-protected items, and purchase items from the iTunes Store, App Store and Apple Books using their Apple ID. See Use Touch ID.
Create a group
A group allows multiple users to have the same access privileges. For example, you can grant a group specific access privileges for a folder or a file, and all members of the group have access. You can also assign a group specific access privileges for each of your shared folders.
On your Mac, choose Apple menu > System Preferences, then click Users & Groups.
Click the lock icon to unlock it.
Enter an administrator name and password.
Click the Add button below the list of users.
Click the New Account pop-up menu, then choose Group.
Give the group a name, then click Create Group.
Select each user and group you want to add to the new group.
Use Sharing preferences to specify whether the group members can share your files and share your screen.
Convert a standard user to an administrator
On your Mac, choose Apple menu > System Preferences, then click Users & Groups.
Click the lock icon to unlock it.
Enter an administrator name and password.
Select a standard user or managed user in the list of users, then select “Allow user to administer this computer”.
Let occasional users log in as guests
You can let other people use your Mac temporarily as guest users without adding them as individual users.
Guests don’t need a password to log in.
Guests can’t change user or computer settings.
Guests can’t log in remotely when remote login is turned on in Sharing preferences.
Files created by a guest are stored in a temporary folder, but that folder and its contents are deleted when the guest logs out.
Guest access works with the Find My app to help you find your Mac if you lose it. You can locate your Mac if someone finds it, logs in as a guest, and then uses Safari to access the internet. See Set up the Find My app to locate a missing Mac.
Note: If FileVault is turned on, guests can access Safari but can’t access your encrypted disk or create files.
On your Mac, choose Apple menu > System Preferences, then click Users & Groups.
Click the lock icon to unlock it.
Enter an administrator name and password.
Select Guest User in the list of users.
Select “Allow guests to log in to this computer”.
If you like, select “Limit Adult Websites” to prevent the guest from accessing adult websites.
To let guests use your shared folders from another computer on the network, select “Allow guest users to connect to shared folders”.
Customise the login experience
If you are an administrator, you can specify how the login window looks to all the other users.
On your Mac, choose Apple menu > System Preferences, click Users & Groups, then click Login Options.
Click the lock icon to unlock it.
Enter an administrator name and password.
Click the “Automatic login” pop-up menu, then choose a user or choose Off.
If you choose a user, then whenever the Mac starts up, that user is automatically logged in. If you choose Off, then at startup the Mac opens a login window showing all the users. Automatic login takes effect the next time you restart the Mac.
Note: Automatic login allows anyone to access your Mac simply by restarting it. If automatic login is enabled, make sure your Mac doesn’t automatically log in an administrator. When FileVault is turned on, automatic login is disabled.
Select the options you want. If you have any questions, click the Help button 
for detailed information.
To permit new users to access your shared files or screen, you may need to change settings in the File Sharing, Screen Sharing or Remote Management pane of Sharing preferences. See Set up file sharing and Share the screen of another Mac.
To open Sharing preferences, choose Apple menu > System Preferences, then click Sharing.
How to: Add a User from the OS X Command Line on Mac
Adding a user is something easily accomplished using the built in GUI tools that ship with OS X, however any power user can appreciate the possible efficiency gained from using the command line. So in the spirit of efficiency here are the steps necessary to add a user to your Mac OS X system all with our good friend, Terminal.app.
Adding User Accounts to Mac from OS X Command Line
These commands need to be run as either the root user or with the “sudo” command. For more information on the sudo command see the sudo man page.
Create a new entry in the local (/) domain under the category /users.
dscl / -create /Users/toddharris
Create and set the shell property to bash.
dscl / -create /Users/toddharris UserShell /bin/bash
Create and set the user’s full name.
dscl / -create /Users/toddharris RealName «Dr. Todd Harris»
Create and set the user’s ID.
dscl / -create /Users/toddharris UniqueID 503
Create and set the user’s group ID property.
dscl / -create /Users/toddharris PrimaryGroupID 1000
Create and set the user home directory.
dscl / -create /Users/toddharris NFSHomeDirectory /Local/Users/toddharris
Set the password.
dscl / -passwd /Users/toddharris PASSWORD
If you would like Dr. Harris to be able to perform administrative functions:
dscl / -append /Groups/admin GroupMembership toddharris
The dscl command works in all versions of Mac OS X, so if you need to add a user to a Mac from the command line, this is the way to do it.
If you know of another method, let us know in the comments.
Related
Related articles:
53 Comments
Awesome . It work for me..
Just change / to .
Thank you @Rusty Myers
i have a postfix mail server on 9.8.0 Darwin Kernel Version 9.8.0, but i can’t create mail account/user
I needed to make one important modification: instead of
But that’s a minor detail. If this were on StackOverflow or apple.stackexchange.com, I would definitely upvote it.
The scripts works?
I have a PowerBook G4, but the user is a standar user…. and if i reboot with cmd+s in the command line: rm /var/db/.AppleSetupDone
tell me that this file is read only mode….
now.. in your scripts use the command “SUDO”, then if i am not an admin… how execute this script.
i dont have the admin user and password, i dont have the CD, how create or change de admin pass?
Thanks Rusty, but in single user mode how does one invoke the script, and where should it be stored for the ./makeuser.sh command to work? If I save the .sh file to the desktop and add the path to it (ie sudo ./Users/jay/Desktop/makeuser.sh) it fails to be run.
It may be easier to install the free OSX server tools. Open up Workgroup Manager & select the local directory node, then you can import a text file of users laid out like so…
It is the standard record format so you could also do the import via the ‘dsimport’ command line tool, specifying ‘–template=StandardUser’ option.
[…] You’ll need a different dscl command for various user attributes. There is a guide for a standard-type user account here: https://osxdaily.com/2007/10/29/how-to-add-a-user-from-the-os-x-command-line-works-with-leopard/ […] […] osxdaily.com article September 17, 2010 10:06 am Tim Yates Thanks. The man pages tell you what commands you can use, but don’t give you any help on what fields to use and what to set them to. I was just going to copy the config from another account, but this gives a good example. September 17, 2010 11:12 am Gordon Davisson For a hidden system account, take a look at some existing system accounts for better examples. E.g. `dscl /Local/Default -read /Users/_sshd` (`dscl /Local/Default -ls /Users` will get you a list of local accounts). Note that you don’t have to set all attributes; GeneratedUID is generated randomly, and RecordType is automatic metadata. Also, most OS X system accounts have a primary account name that starts with underscore, and an alias without it for backward compatibility; I recommend using the underscore convention, but don’t bother with the plain alias unless you need to. September 18, 2010 1:45 am […]Just read this lot, rather late.
Quick comments on shell script usage of grep etc. to test for existing user: no need for intermediate variable (by the way, avoid names like $test, too near to test(1) programme name): grep(1) returns 0 on match, 1 otherwise, so:
DSCL=/usr/bin/dscl # avoid aliases, scripts, spoof.
GREP=/usr/bin/grep
function UserExists <
$DSCL. -list /Users | $GREP$1 > /dev/null 2>&1
# redirection removes stdout/stderr, XPG4 grep has “-q”
return $?
>
USER=$1
if UserExists $USER; then
echo do whatever ….
else
echo $0: $USER not found >&2
exit 1 #or try again or ….
fi
Also, when reading password, use stty -echo and stty echo
e.g.
echo -n Enter password
stty -echo
read P1
stty echo
Who knows who is looking over your shoulder.
if you do not know a filevault password you can not recover the files protected by it as far as i know
you can add a root user by using the command above or just by going to the user accounts pref pane and adding a new admin user which is a lot easier. i think the entire point of the tip above is for advanced unix geeks who want to roll their 12 sided dice instead of clicking icons.
Can someone help me I’m running mac os x 10 5 8
I need instructions on how to set up a root user account I guess. Filevault has locked me out. I have no idea what’s going on or what I’m doing.
when I try to go launch dscl
I got error message
launch_msg() : Socket is not connected.
How can I go further ?
I also need help with this
I’d like to remove a user from the Admin group. I ssh’d in as root and tried:
dscl . -delete /Groups/admin GroupMembership testadmn
The command completed without error but the user account still shows up as an administrator.
Did you manage to get this working? I also have a need to remove a local account from the Admin group.
You can avoid the admin status setting the PrimaryGroup to 20 instead of 80.
[…] in what command sequence you used to make the user account. this is what i was working from: How to: Add a user from the OS X command line, works with Leopard! – OS X Daily Following that I ran into problems with creating the home directory and upon reboot into the gui it […]Thanks a million! I was able to use this in sigle user mode, but I had to replace the solitary “/” with just “.”
[…] users through bash from these two sites, Mac OS X: Creating a new user from the command-line and How to: Add a user from the OS X command line, works with Leopard! – OS X Daily. The important thing about the script is that it creates the user’s home directory on an external […]Well, here’s my problem….
I have a macbook running OSX 10.5.5 that didn’t want to load in to osx…
First of all, when i turned on my macbook, it would just show the gray screen with either a “Prohibition Sign” or a flashing folder with a “?” on it.
I entered the Mac OSX installer from a Boot Disc, and i realized that my home folder is renamed to “root”, which I suppose is the problem (original name was MacMau).
I did all the steps recommended by Ivan (thx btw =]) and I think it loads osx, but still, all I get is a blue screen with the mouse pointer on it, which i can move. But still, it doesnt load any users, or a Login window.
I’m sort of a newbie at all this, so I would appreciate if any help would be given as if it were for a 10 yr old…
thanks for taking the time to read my problem, and thx in advance for any help that can be provided.
I really miss my computer and the delightful voice of Vicky telling me the time every half an hour.. xP
The script above works well (once you replace the non-ascii characters by ascii characters in it) but (sorry…) I’ve found script that does more things, such as creating automatically a new UniqueID, creating a default group for the user, etc…: http://codesnippets.joyent.com/tag/dscl#post1374
[…] the new commands use dscl (directory services client) for managing users and groups. its still a bit confusing and less straight forward than the normal unix commands , usermod, groupadd, etc. […]When i run your script (above) on 10.5.6 i get the following after typing a username that i for sure know doesn’t exist on my system:
“The username “?? already exists”
Articles very interested, thank you very much
Maybe check out also these snippets:
Create & delete user accounts from the command line on Mac OS X
Creating & deleting system service agent accounts on Mac OS X
I followed this guide, and it all seemed to work. But when I restarted apache I got: “PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib/php/extensions/no-debug-non-zts-20060613/gd.so’ – (null) in Unknown on line 0″. I checked the folder /usr/lib/php/extensions/no-debug-non-zts-20060613/ and found a gd.so that was not empty. Any ideas?
I’m back!
Thanks for your update Bertrand! I took what you did and added it, plus a little dash of checking userID’s too! Here is the new script. So far, I have tested it very successfully. Email me if you have any problems running it or any questions I might be able to help with…rustymyers@gmail.com
I also added the ability to run it from single user mode, should you need to use it there. I bet there is an easier way to check if your in singleuser mode, but I decided just to ask.
I added the dsexport command to check existing userID’s in the script so you don’t have to exit. It also cleans its self afterwards.
I tried to make most of the checks functions.
There is no need to create the user home folder in this script because the system creates it when you log into the account.
You don’t see the user account in the login window if you use a list style, unless restarting. Change it to the username and password style to type it in and log in without restart. Once you log in the first time, you can change it back to list style, or you can just restart.
I will be pushing it out to all my new computers to make user account creation easier, and so I don’t have to go through the setup assistant every time I get a new computer. Hope this helps someone else!
#This script will create a user of your choice using your credentials. The user will not show up in the login window until a restart.
#Function to check the current usernames against the new username.
function checkusername <
local testun=$(dscl . -list /Users | grep $userA)
if [ “$testun” == “$userA” ];
then
echo “The username “$userA” already exists”
exit
else
echo “Username is unique!”
fi
>
#Function to check the current userID’s against the new userID.
function checkuserid <
local testuid=$(dscl . -list /Users UniqueID | grep “$userid” | awk ‘
if [ “$testuid” == “$userid” ];
then
echo “The userid “$userid” already exists”
exit
else
echo “UserID is unique!”
fi
>
#Funtion to check that both passwords are the same.
function chkpasswd <
if [ $password != $password2 ]
then
echo “Passwords do not match or are blank. Passwords can’t be blank. Exiting…”
exit 0
else
echo “Passwords Match!”
fi
>
#Step 1, enter new credentials to create user with.
echo “Enter Real Name”
read realname
echo “Enter Username”
read userA
checkusername
echo “Enter Password”
read password
echo “Re-Enter Password”
read password2
chkpasswd
#Check to see if your sure you want to use the entered credentials.
echo “Use these creds?”
echo “Real Name: “$realname
echo “Username: “$userA
echo “Password: “$password
echo “Y or N:”
read creds
if [ $creds = y -o $creds = Y ];
then
echo “Let’s make a user named “$userA” with the password “$password
echo “Are you in Single User Mode? (Default N)”
read sum
#Checks to see if your in single user mode. If you are, it loads the directory services plist.
if [ $sum = y -o $sum = Y ];
then
echo “Loading Directory Services”
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
else
echo “Skipping launchctl load”
fi
#Asks if you need to see all the userID’s already used.
echo “Making user…”
echo “Do you know what userID is availible? (Default Y)”
read existuserid
if [ $existuserid = n -o $existuserid = N ];
then
#Prints the existing user account records and inserts them to users.out.
dsexport users.out /Local/Default dsRecTypeStandard:Users
#Prints users.out to screen.
tail -n 5 users.out
echo “Find the next userID available.”
#Removes users.out to clean up after printing to screen.
rm users.out
fi
#Asks for the new userID. Checks if userID exists using checkuserid function.
echo “OK, Enter new userID number:”
read userid
checkuserid
#The meat of the script. These are the commands that create the user with your specified credentials.
dscl . -create /Users/””$userA””
dscl . -create /Users/””$userA”” UserShell /bin/bash
dscl . -create /Users/””$userA”” RealName “$realname”
dscl . -create /Users/””$userA”” UniqueID $userid
dscl . -create /Users/””$userA”” PrimaryGroupID 80
dscl . -create /Users/””$userA”” NFSHomeDirectory /Users/””$userA””
dscl . -passwd /Users/””$userA”” $password
dscl . -append /Groups/admin GroupMembership “”$userA””
echo “All Done, “$userA” was created!”
sleep 2
exit
else
echo “Please Try Script Again!”
exit 1
fi
sudo dscl . -create /Users/$userName NFSHomeDirectory /Users/$userName
sudo dscl . -create /Users/$userName home /Users/$userName
Hello.
When i log in as the new user created with dscl i get a message that the home folder can’t be found.
sudo dscl . -create /Users/$userName
sudo dscl . -create /Users/$userName UniqueID 555
sudo dscl . -create /Users/$userName UserShell /bin/bash
sudo dscl . -create /Users/$userName RealName “$forNavn $etterNavn”
sudo dscl . -create /Users/$userName NFSHomeDirectory /Users/$userName
sudo dscl . -create /Users/$userName PrimaryGroupID 20
sudo dscl . -passwd /Users/$userName $passord
sudo cp -R /System/Library/User\ Template/no.lproj /Users/$userName
sudo chown -R $userName:staff /Users/$userName
I have checked and the /Users/ exist and all the folders are created.
What can be wrong?
Thanks
OS X discovery every day!
More like OSX change and become less standard every day…
Give me usermod or give me Microsoft 🙁
i like to ask if it’s possible to change user in the script and continue the next steps with the changed user?
In the script, I write : su – example and the program stops to process following codes
Once I get this script working for creating the hidden user, how do I log in as him/her if their name does not appear anywhere.
I am having difficulty with David Koff’s solution. I keep getting errors with the niutil stating that I do not have enough arguments. Everything I have tried has failed. Can anyone help?
oops, i meant to add that this is what what i refer to:
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
oops wrong website!
all this did for me in 10.5.1 is make the Leopard style “Guest Account” into “Other…”
run it again using NO and it comes back.
How to change user and group numbers for an existing user to a non-existing group
– Change user liontooth group staff to user liontooth UID 1000 group liontooth UID 1000
– dscl . create /Groups/liontooth PrimaryGroupID 1000 GroupMembership liontooth
– next log in and in System Prefs, Users, Advanced settings (right-click), set UID and GID to 1000
– as root, cd /Users ; chown -R 1000:1000 liontooth
– reboot — should all be working
That’s a useful addition — could you integrate it into the script and show the whole thing? I’m feeling lazy this morning. Why define it as a function in the first place?
What I’m really looking for is how to create a new user group from the command line ….
this ended up working for me, if anybody has a more elegant way I’d love to learn. I’m just a humble padawan after all…
function checkusername <
local test=$(dscl . -list /Users | grep $SHORTNAME)
if [ “$test” = “$SHORTNAME” ]; then
echo the the username $SHORTNAME already exists
exit
else
echo This would continue the script
fi
>
this ended up working for me, if anybody has a more elegant way I’d love to learn. I’m just a humble padawan after all…
function checkusername <
local test=$(dscl . -list /Users | grep $SHORTNAME)
if [ “$test” = “$SHORTNAME” ]; then
echo the the username $SHORTNAME already exists
exit
else
echo This would continue the script
fi
>
Reply to Rusty’s script.
I am writing a similar script and have done pretty much all of the steps you have except I set functions so I can use the code over again easily. Also, in my script I am writing a function that compares the entered information against preexisting keys so that a user cannot get errors by creating users/UniqueIDs/PrimaryGroupIDs etc that already are assigned to other users I’m attempting to use dscl . -list but am having problems setting my variables (UniqueID etc) since the list command always wants to list the /Users as well as any other info you parse… any suggestions would be greatly appreciate.
Here’s my script using all of your guys suggestions. I’m going to be using it in my work environment at the university. It’s working on 10.5.1
You need to run it as sudo like this:
sudo ./makeuser.sh
Copy this into the makeuser.sh file:
echo “This script will create a user on Leopard”
echo “”
echo “Enter Fullname”
read fullname
echo “Enter username”
read username
echo “Enter usernumber”
read usernumber
echo “Enter Password”
read password
echo “Enter Password again”
read password2
echo “”
if [ $password != $password2 ]
then
echo “Passwords do not match. Exiting…”
exit 0
else
echo “Passwords Match!”
fi
echo “”
echo “Full Name”$fullname
echo “Username:”$username
echo “UID:” $usernumber
echo “Password:” $password
echo “Are these details correct? Y or N?”
read test
echo “”
if [ $test = Y -o $test = y ]
then
echo “Creating User “$username
dscl . -create /Users/$username
dscl . -create /Users/$username UserShell /bin/bash
dscl . -create /Users/$username RealName $fullname
dscl . -create /Users/$username UniqueID $usernumber
dscl . -create /Users/$username PrimaryGroupID 80
dscl . -create /Users/$username NFSHomeDirectory /Users/$username
dscl . -passwd /Users/$username $password
dscl . -append /Groups/admin GroupMembership $username
echo “”
echo $username” created! Enjoy!”
else
echo “Please run script again with correct information.”
fi
That should be it, enjoy! Email me with problems or suggestions. Thanks!
On Leopard 10.5 final, substituting “.” for the “/” works. I needed to perform software updates and other admin functions on a Mac with Leopard that I didn’t have the admin password for. Adapting the above steps allowed me to do so (thanks!). What I did:
[boot into single-user mode (hold down cmd-S during early startup)]/sbin/fsck -fy (to verify integrity of the filesystem)
/sbin/mount -uw / (to be able to make changes to the disk)
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist (to be able to use dscl)
dscl . -create /Users/testuser
dscl . -create /Users/testuser UserShell /bin/bash
dscl . -create /Users/testuser RealName “Test User”
dscl . -create /Users/testuser UniqueID 502 (see notes below about this)
dscl . -create /Users/testuser PrimaryGroupID 80 (I chose to make the user a member of the admin group)
dscl . -create /Users/testuser NFSHomeDirectory /Users/testuser (note this is changed from above)
dscl . -passwd /Users/testuser PASSWORD
dscl . -append /Groups/admin GroupMembership testuser
exit
[restart after Mac OS X loads or login window appears]
[log out if Mac OS X loads straight into a user rather than a login window]
[log in as testuser]
[update software, enable root user, do whatever you like]
And then, when I’m ready to delete the user:
[boot into single-user mode]
/sbin/fsck -fy (to verify integrity of the filesystem)
/sbin/mount -uw / (to be able to make changes to the disk)
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist (to be able to use dscl)
dscl . -delete /Groups/admin GroupMembership testuser
dscl . -delete /Users/testuser
cd Users
rm -rf testuser (warning: will delete any files in user home folder)
exit
[restart or shut down after Mac OS X loads]
I chose the UniqueID (502) in a way consistent with the OS: the number 5xx where xx is one greater than the number of users ever created. To figure out the best available number, before issuing the dscl commands to create the user (but after the launchctl command), I typed:
dsexport users.out /Local/Default dsRecTypeStandard:Users
more users
I then scanned the list of users to see any 5xx users and then chose the next highest one available. There was only one user on this system, so that meant 502. I then deleted the export user info file (rm users.out). (I imagine it probably doesn’t really matter what UniqueID you choose as long as it is unassigned, but I am not enough of a Unix guru to know for certain.)
on Leopard I’ve had to use:
> sudo dscl localhost -create /Local/Default/Users/username