Best practices for integrating with AD suggest that you keep a local administrator account on your Mac. It's possible to create this local administrator account and keep it hidden from users.
When you unbundle a new Mac, you'll need to create an admin account anyway. You use this to install Centrify and bind to Active Directory.
When you create a local admin account, give it the name ".admin" (with a period in front).
It won't show up in the list of users under System Preferences -> Users and Groups.
When the regular AD user logs in, it won't show up in the Users and Groups display.
However, when you log in with the hidden admin account, it will show up in Users and Groups.
Thanks to Steven H for the tip.
Pretty cool, but now I have to know where you've installed these hidden admin accounts. How can I see if the machine has a hidden admin account or not, is there a CLI command to show the account?
From a terminal, you should be able to use:
ls -al /Users
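As an added example (not part of the original thread), the check asked for above can also be run against the local directory records rather than the home folders, which also shows whether a period-prefixed account is in the local admin group. The function name `find_dot_accounts` and the sample data are constructed for illustration; the two `dscl` queries are the only system calls assumed.

```shell
#!/bin/sh
# Added example: report local accounts whose short name starts with a period
# and whether each one is a member of the local "admin" group.
#
# find_dot_accounts USERS ADMIN_LINE   (hypothetical helper name)
#   USERS      text as printed by: dscl . -list /Users UniqueID
#   ADMIN_LINE text as printed by: dscl . -read /Groups/admin GroupMembership
# Prints "<name> <uid> admin|standard" for every period-prefixed account.
find_dot_accounts() {
    # Drop the "GroupMembership:" label; pad with spaces for whole-word matching.
    members=" $(printf '%s\n' "$2" | sed 's/^GroupMembership:[[:space:]]*//' | tr '\n' ' ') "
    printf '%s\n' "$1" | while read -r name uid; do
        case $name in
            .*) ;;              # short name begins with a period: keep it
            *)  continue ;;     # ordinary account: skip
        esac
        case $members in
            *" $name "*) role=admin ;;
            *)           role=standard ;;
        esac
        printf '%s %s %s\n' "$name" "$uid" "$role"
    done
}

# Constructed sample data in the same layout as the dscl output.
SAMPLE_USERS='_www                     70
daemon                   1
root                     0
.admin                   501
jsmith                   1432567890
.svc                     503'
SAMPLE_ADMIN='GroupMembership: root .admin'

# On a Mac, query the local directory node; elsewhere, run on the sample.
if command -v dscl >/dev/null 2>&1; then
    find_dot_accounts "$(dscl . -list /Users UniqueID)" \
                      "$(dscl . -read /Groups/admin GroupMembership)"
else
    find_dot_accounts "$SAMPLE_USERS" "$SAMPLE_ADMIN"
fi
```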
And how to unhide it??
I would like to know as well how to unhide it???
To unhide an account you just need to go into the System Preferences > Users & Groups > Unlock the padlock > Control+Click (aka right-click) on the user's name and go into the Advanced Options.
From there you can just remove the period from the beginning of the Account Name and the user will be visible again.
Note that since only the user can see their own name in this list at first - this means that only the hidden user can unhide themselves.
If you need to unhide the home folder as well, then make sure to remove the period from the Home Directory path and then also rename the actual home folder itself in the /Users/ folder to match.
Hope that helps,
I want Admin Account
I went in and added a period (.) to the beginning of an admin user name, and now that admin account doesn't even show up in the Users & Groups list. How do I unhide the account if it doesn't show up in this list?
There are two ways to do this:
1. The GUI method:
Log in as your hidden user and go into the Users & Groups list again.
You can only see the hidden account while logged in as the account itself.
From there you can go into their user Advanced Options as shown above and remove the period from there.
Note: If the system hangs with the rainbow cursor while making this change (since we're changing user properties while logged in as the user itself) - just reboot the Mac and you'll be able to log in with the non-hidden username again.
A little bit hinky... so I recommend you go with:
2. The command-line method:
Log in as another user with Local Admin privileges.
Open the Terminal and run the command:
sudo dscl . -change /Users/.hiddenadmin RecordName .hiddenadmin hiddenadmin
The syntax for this would be:
sudo dscl . -change /Users/.old_hidden_name RecordName .old_hidden_name new_unhidden_name