How to create a hidden admin account in macOS

Keep local administrative accounts from being a malicious user's target by creating an invisible account.

istock-901609212datasecurity.jpg
Image: Sarayut Tanerus, Getty Images/iStockphoto

Being in IT it's natural to be concerned with the state of our network and the devices on them, but also the proverbial "weakest link in the chain" —the end-user's account and access. Unfortunately, there is yet to be an effective stop-gap measure to solve all of an organization's security woes.

The best bet is still to layer on different types of security so that the weaknesses of one are caught and successfully mitigated by the next one in line. Concepts like security through obscurity, or hiding things seldom work well to sway a determined threat actor, but it's not to say that when used in conjunction with other policies it won't add to the security posture of your environment.

SEE: Information security policy template download (Tech Pro Research)

Create a hidden administrative account in macOS

That's the essence of this pro tip—creating a hidden administrative account in macOS. It's not intended to single-handedly thwart anyone looking to gain access to or attempt to compromise the local admin account on your Macs. When used alongside other security best practices, such as hardening the OS, applying firmware passwords, and implementing Profile Manager policies, end-users are further limited in what they can do and the avenues available for casual users to gain access to administrative-level accounts is significantly reduced.

Note: For the process to work, the hidden account to be created cannot previously exist.

First, log in to the computer with an admin-level account. Launch Terminal and enter the following command, authenticating when prompted to do so:

sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

Go to the Users & Groups preferences pane and create the admin account as you normally would. Right-click on the newly created user account and select Advanced Options...from the context menu (Figure A).

201905-figure-b.jpg

Figure A: Advanced Options.

From the advanced menu, we will modify two bits of information: UserID and Home directory. For UserID, enter a number under 500. Bear in mind that this number must be unique for each user. Under Home directory, enter new path to store the user's home directory that is not located in the usual location "/Users". Once these have both been changed, click the OK button to save (Figure B).

201905-figure-c.jpg

Figure B

The account has successfully been created. However, we must make one more change to the system by clicking on Login Options and ticking the radio button next to Name and password under the Display login window as section (Figure C).

201905-figure-d.jpg

Figure C

To verify that the new account is hidden, close System Preferences and go back to the Users & Groups preference after relaunching it. The account should now be hidden from view and from the login window, as well.

Also see

By Jesus Vigo

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...