Make Mac Work:

Helping Manage The Macintosh Enterprise

CreativeTechs

Hide Administrative User Accounts

While never technically required (though often politically desirable), hiding local administrative accounts on Leopard workstations and laptops is one of the most popular requests we receive from IT personnel. The most common scenario is removing a pre-existing administrative account from view. This is a typical approach when building a disk image for manual cloning or installation via NetInstall, and in this article we’ll take a look at the steps it requires.

In a stock Mac OS X installation, the first account created during the installation process always has administrative privileges. That first account is also always assigned the UniqueID (the number by which the operating system identifies users) of 501. Since there’s a built-in preference setting that will hide accounts with a UID below 500, changing that number with the dscl command is a good place to start.

It’s advisable to do this from the root account (where you won’t need to use sudo for the following commands), or from another administrative account created for this purpose. Open the Terminal, and type:

sudo dscl . -change /Users/ADMIN UniqueID 501 NEWUID

Change ADMIN to the name of your actual administrative user, and NEWUID to the new UniqueID number you’d like to use. While many numbers below 500 are used by the operating system, 490-499 are left unused by default.
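Before settling on NEWUID, it is worth confirming that no existing local account already holds it. The following is an added example, not part of the original article: it assumes the two-column name/UID output of dscl . -list /Users UniqueID, and the function names and the sample account list are constructed for illustration.

```sh
#!/bin/sh
# Added example: pick or validate a NEWUID in the 490-499 range.
# On a Mac, feed it live data:  dscl . -list /Users UniqueID | pick_newuid

# Constructed sample of `dscl . -list /Users UniqueID` output (name, then UID).
sample_users() {
cat <<'EOF'
_www                     70
daemon                   1
nobody                   -2
root                     0
localadmin               501
imaging                  499
EOF
}

# Reads the account list on stdin.
# With no argument: prints the highest unused UID in 490-499.
# With an argument: prints it back only if it is in range and unused.
# Exit status: 0 ok, 1 UID taken or range exhausted, 2 candidate out of range.
pick_newuid() {
    awk -v want="${1:-}" '
        NF >= 2 { owner[$NF] = $1 }      # remember which account holds each UID
        END {
            if (want != "") {
                if (want !~ /^[0-9]+$/ || want < 490 || want > 499) {
                    print "outside 490-499: " want > "/dev/stderr"; exit 2
                }
                if (want in owner) {
                    print "UID " want " already used by " owner[want] > "/dev/stderr"
                    exit 1
                }
                print want; exit 0
            }
            for (uid = 499; uid >= 490; uid--)
                if (!(uid in owner)) { print uid; exit 0 }
            print "no free UID in 490-499" > "/dev/stderr"; exit 1
        }'
}

# Demonstration on the constructed sample: 499 is taken, so 498 is suggested.
sample_users | pick_newuid
```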

Because we’ve changed the UID, which is used to determine ownership of files, we’ll need to make sure that any files owned by that user (especially their home directory) have their ownership changed to the new UID as well. This can be accomplished by searching for those files with the Unix find command, then changing their ownership with chown to the new UID:

sudo find / -user 501 -exec chown NEWUID {} \;

With file ownership now matching the new administrative UID, the last task is to tell the system not to display the administrative user at login or in the Fast User Switching menu. This is accomplished by editing the LoginWindow preferences file, by typing:

sudo defaults write /Library/Preferences/com.apple.loginwindow \
Hide500Users -bool TRUE

With this command, the initial administrative account will be hidden entirely, but its home directory will still be visible in the /Users directory. This is fine for most environments, but if you want that home directory hidden, you can move it to a hidden location and tell the OS to look there with the dscl command.

OS X keeps the root home directory in the hidden /var directory. That’s unusual for Unix, but it sets a precedent you might as well follow. To hide your administrative account’s home directory in the same manner, move it by typing:

sudo mv /Users/ADMIN /var/ADMIN

With the directory now hidden from the Finder, set its new location with:

sudo dscl . -change /Users/ADMIN NFSHomeDirectory \
/Users/ADMIN /var/ADMIN

In both these cases, change ADMIN to the name of your actual administrative user account. With this method, your administrative account should be entirely hidden from view, allowing you to keep both its name and its existence a secret from typical users.