Creating a user from the command line

Used in conjunction with a modular disk imaging solution, this guide explains the basics of creating a new user from the command line. The code can be used as a first-run script, distributed through Apple Remote Desktop, etc.

The “Directory Service command line utility” dscl allows creation and management of user records in Mac OS X. The example below creates a user called “Local Administrator” with a short name of “ladmin”. How to set a secure password via a hash file is outlined at the end of the guide.

Create the user (via the short name)
dscl . -create /Users/ladmin

Set the user shell
dscl . -create /Users/ladmin UserShell /bin/bash

Set the user real name
dscl . -create /Users/ladmin RealName "Local Administrator"

Set the user unique ID, remembering that it must be unique. If you set an ID below 500 and use the “hide 500 users” login window default (defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE), you can create users that are hidden from the average person.
dscl . -create /Users/ladmin UniqueID 510

Set group ID (20 is “Staff”)
dscl . -create /Users/ladmin PrimaryGroupID 20

Set home directory
dscl . -create /Users/ladmin NFSHomeDirectory /Users/ladmin

Set a temporary password (an encrypted password hash will be put in place later so that the real password is not stored in plain text)
dscl . -passwd /Users/ladmin temppassword

Set a password hint
dscl . -append /Users/ladmin AuthenticationHint "No hints!"

Finally, add the user to the admin group (or not, in the case of a standard user)
dscl . -append /Groups/admin GroupMembership ladmin

and the _lpadmin group (so that printers can be controlled)
dscl . -append /Groups/_lpadmin GroupMembership ladmin

If a default home directory has been copied in place, the ownership will need to be changed to the newly created user. To use this script in a modular disk image solution such as InstaDMG, the home directory could be “installed” via a package. If you want a default home folder from the machine, do not worry about this step.
chown -R ladmin "/Users/ladmin/"

Setting the password

Because the script is stored in plain text, the password is kept out of plain sight by copying an encrypted password hash file from /var/db/shadow/hash/ of a user on another computer who has the desired password. Once copied to the new computer, the hash file needs to be renamed to the GUID of the new user.

To find the GUID of the new user
dscl . -read /Users/ladmin GeneratedUID

This will output the GUID, which can then be used to remove the existing temporary hash and move the real password hash into place. The following example assumes that the hash file is located in /tmp/usercreate/ as ladmin_hash.

rm /var/db/shadow/hash/GUID_NUMBER_HERE
mv /tmp/usercreate/ladmin_hash /var/db/shadow/hash/GUID_NUMBER_HERE

Alternatively, as a simple script, the GUID can be stored in a variable and then used to move the new hash into place.

#!/bin/sh
ladminGUID=`/usr/bin/dscl . -read /Users/ladmin GeneratedUID | cut -f2 -d " "`
#remove and place new password hash
rm /var/db/shadow/hash/"$ladminGUID"
mv /tmp/usercreate/ladmin_hash /var/db/shadow/hash/"$ladminGUID"

File permissions for the password hash

-rw------- root wheel
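The script above trusts whatever dscl prints: if the lookup fails, the GUID variable is empty and the rm and mv act on the hash directory itself. The following is an added example, not part of the original guide, that validates the GUID and enforces the -rw------- root wheel permissions before the hash is put in place. The function names, the --apply switch and the HASH_DIR and HASH_OWNER overrides are assumptions made for this example, and it assumes a Mac OS X release that stores hashes in /var/db/shadow/hash/ as described here.

```shell
#!/bin/sh
# Added example: install a copied password hash for the new user, with checks.
# HASH_DIR and HASH_OWNER are hypothetical overrides so the logic can be
# exercised in a scratch directory before it is used on a real machine.
HASH_DIR="${HASH_DIR:-/var/db/shadow/hash}"
HASH_OWNER="${HASH_OWNER:-root:wheel}"

# Read `dscl . -read /Users/<name> GeneratedUID` output on stdin, print the GUID.
extract_guid() {
    awk '$1 == "GeneratedUID:" { print $2; exit }'
}

# Succeed only for a well-formed 8-4-4-4-12 hexadecimal GUID.
is_guid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# install_hash SRC GUID
# Refuses an empty or malformed GUID (which would otherwise point rm/mv at the
# hash directory itself) and a missing source file, then replaces the temporary
# hash and sets the permissions the guide lists.
install_hash() {
    src=$1
    guid=$2
    is_guid "$guid" || { echo "refusing: bad GUID '$guid'" >&2; return 1; }
    [ -f "$src" ] || { echo "refusing: no hash file at $src" >&2; return 1; }
    dest="$HASH_DIR/$guid"
    chmod 600 "$src" || return 1      # tighten before the file is moved
    mv -f "$src" "$dest" || return 1  # replaces the temporary hash
    chown "$HASH_OWNER" "$dest"
}

# Only touch the real directory when explicitly asked to (hypothetical switch).
if [ "${1:-}" = "--apply" ]; then
    guid=$(/usr/bin/dscl . -read /Users/ladmin GeneratedUID | extract_guid)
    install_hash /tmp/usercreate/ladmin_hash "$guid" || exit 1
fi
```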

2 Responses to “Creating a user from the command line”

  1. Andrew Says:

    Added line to add the user to the _lpadmin group to control printers on the computer.
