Keeping user and administrative user passwords in sync
Best practice says that your everyday user account should not be an administrative user. The usual solution is to create a separate administrative account and use those credentials only when needed. Deploying that arrangement to many computers can be confusing for users, in particular having to remember an alternate username and password combination that often falls outside the normal password age policies. Linking a local administrator account's password to the user's own password simplifies password management for users while keeping the administrator credential under the same password age policy. On the Mac OS X releases that store each local account's password hash as a file under /var/db/shadow/hash, named after the account's GeneratedUID, replacing the local administrator's hash file with a symlink to the regular user's hash file makes the administrator's password identical to the regular user's.

Be clear about what this trades away. The two accounts now share one secret, so anyone who learns, phishes or cracks the regular user's password also has local administrator rights on that machine; the separation between the accounts is still useful against accidental damage and against software that only checks group membership, but it is no longer a separate credential. Because both entries resolve to the same file, a password change on either account is expected to change both, which is the point; a help desk reset of the regular account therefore also resets the administrator credential. After any password change, confirm that the administrator entry is still a symlink, since a tool that replaces the hash file rather than rewriting it in place would silently break the link and leave the two passwords diverging.
First you need to know the GeneratedUID of both the regular user and the local administrator, because each password hash file is named after the account's GeneratedUID. In this example our local administrator account is "localadmin".
dscl . -read /Users/localadmin GeneratedUID
Repeat the command, replacing localadmin with the regular username, and note both values.
Next remove the existing localadmin password hash; the symlink cannot be created while a file already sits at that path, and localadmin will not be able to log in until the link is in place. In this example localadmin's GeneratedUID is "ABAE7944-FBDD-4FA6-8419-B24AC0293B0D". The entry is a regular file, so the -R flag below is not strictly needed, but it is harmless.
sudo rm -R /var/db/shadow/hash/ABAE7944-FBDD-4FA6-8419-B24AC0293B0D
Finally create a symlink so that localadmin's hash path points at the regular user's hash file. In this example the regular user's GeneratedUID is "513B539B-7DB2-48C3-93B8-0C33C7B39722". Note the argument order: the existing target (the regular user's file) comes first and the new link (localadmin's path) second; reversing them would leave the regular user's hash pointing at a file that no longer exists.
sudo ln -s /var/db/shadow/hash/513B539B-7DB2-48C3-93B8-0C33C7B39722 /var/db/shadow/hash/ABAE7944-FBDD-4FA6-8419-B24AC0293B0D
In other words: ln -s /var/db/shadow/hash/regular_user_GUID /var/db/shadow/hash/localadmin_GUID. Afterwards the localadmin entry should list as a symlink to the regular user's file, and logging in as localadmin with the regular user's password confirms that the change took effect.
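The whole procedure as one script, added here as an example and not taken from the original page: it resolves both GeneratedUIDs with dscl, refuses to touch anything unless both values look like GeneratedUIDs and the regular user's hash file exists, removes the administrator's entry, creates the symlink and verifies it. The function names, the HASH_DIR override and the "apply" subcommand are this example's own conventions; the hash directory layout and the dscl command are the ones the page uses.

```bash
#!/bin/bash
# Added example (not from the original page): link a local administrator's
# shadow hash to a regular user's hash on Mac OS X releases that keep one
# hash file per account under /var/db/shadow/hash, named by GeneratedUID.
# Function names, the HASH_DIR override and the "apply" subcommand are
# this example's own conventions (assumptions, not a system interface).
set -u

HASH_DIR="${HASH_DIR:-/var/db/shadow/hash}"

# Resolve a short name to its GeneratedUID via dscl (needs a macOS host).
# The pipeline's status is awk's, so a failed dscl yields an empty string;
# is_guid below turns that into a refusal rather than an rm of a bad path.
user_guid() {
    dscl . -read "/Users/$1" GeneratedUID | awk '/GeneratedUID/ {print $2}'
}

# A GeneratedUID is 8-4-4-4-12 hex; reject anything else so a typo or an
# empty lookup result can never become "rm" or "ln" on the wrong path.
is_guid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# True when the admin entry is a symlink resolving to the user's hash file.
# Also the check to re-run after any password change (see the text above).
hash_is_linked() {
    local dir="$1" user="$2" admin="$3"
    [ -L "$dir/$admin" ] && [ "$(readlink "$dir/$admin")" = "$dir/$user" ]
}

# Replace the admin's hash entry with a symlink to the user's hash file.
# Arguments: hash directory, regular user's GUID, administrator's GUID.
link_admin_hash() {
    local dir="$1" user="$2" admin="$3"
    if ! is_guid "$user" || ! is_guid "$admin"; then
        echo "refusing: malformed GeneratedUID" >&2; return 1
    fi
    if [ "$user" = "$admin" ]; then
        echo "refusing: both accounts resolve to the same GeneratedUID" >&2; return 1
    fi
    if [ ! -f "$dir/$user" ]; then
        echo "refusing: no hash file for the regular user at $dir/$user" >&2; return 1
    fi
    # Remove whatever sits at the admin path (the old hash file, or a stale
    # link from a previous run); ln -s will not overwrite an existing entry.
    rm -f "$dir/$admin" || return 1
    # Target (regular user's file) first, new link (admin's path) second.
    ln -s "$dir/$user" "$dir/$admin" || return 1
    hash_is_linked "$dir" "$user" "$admin"
}

# apply <regular_user> <localadmin>: the full procedure on a live system.
apply() {
    local user_name="$1" admin_name="$2" user admin
    user=$(user_guid "$user_name")
    admin=$(user_guid "$admin_name")
    echo "$user_name -> ${user:-<not found>}"
    echo "$admin_name -> ${admin:-<not found>}"
    link_admin_hash "$HASH_DIR" "$user" "$admin" && ls -l "$HASH_DIR/$admin"
}

if [ "${1:-}" = "apply" ] && [ $# -eq 3 ]; then
    apply "$2" "$3"
fi
```

Run it as root on the target Mac, for example `sudo ./linkhash.sh apply jsmith localadmin`. Setting HASH_DIR to a scratch directory containing two dummy files lets you exercise link_admin_hash and hash_is_linked without touching the real shadow hashes first, and hash_is_linked on its own is the post-change check described above.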
