MarcK


Create hidden users on OS X with ARD access


Here is a script I’ve pieced together to create a hidden user on OS X as a Standard user and then grant that user ARD privileges. Withholding admin privileges does not really protect against an ARD compromise or against someone who has that user’s password, because the ARD agent on the client machine runs remote commands as root. It does prevent a “Screen Sharing” user from doing anything as an admin.

#!/bin/sh

# This script will let you create a hidden standard user with any short name you want.
# To get a username and password prompt at the login window use Option + Down Arrow then Command + Return.
# This script is based on several sources:
# http://support.apple.com/kb/HT5017?viewlocale=en_US
# http://apple.stackexchange.com/questions/82472/what-steps-are-needed-to-create-a-new-user-from-the-command-line-on-mountain-lio
# http://www.tonymacx86.com/mac-os-x-support/87058-guide-how-make-hidden-admin-account-mac-osx.html
# http://support.apple.com/kb/ht2370
# This standard user is given Apple Remote Desktop access.

# dscl, kickstart and the writes to /Library/Preferences all need root
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root (sudo)." >&2
    exit 1
fi

# For interactivity use the following
# Set the variable USERNAME
echo "Enter the Username of the account you want to create."
read USERNAME

echo "Enter the Pass Phrase of the account you want to create."

# Get settings for terminal then disable echo to hide typing of the password
oldmodes=`stty -g`
stty -echo

# This will make the variable PASSWORD
read PASSWORD

# Sets the terminal back to its original settings, then moves past the hidden input line
stty "$oldmodes"
echo

# If you don't want interactivity comment out the previous and use these commands
# USERNAME="username"
# PASSWORD="Use a passphrase"

# UID 405 is below 500 so Hide500Users will hide the account; make sure it is not already taken
USERID=405
if dscl . -list /Users UniqueID | awk '{print $2}' | grep -qx "$USERID"; then
    echo "UniqueID $USERID is already in use; pick another." >&2
    exit 1
fi

# This makes the account as a standard user (PrimaryGroupID 20 is the staff group, not admin)
dscl . create "/Users/$USERNAME"
dscl . create "/Users/$USERNAME" UniqueID "$USERID"
dscl . create "/Users/$USERNAME" PrimaryGroupID 20
dscl . create "/Users/$USERNAME" NFSHomeDirectory "/private/var/$USERNAME"
dscl . create "/Users/$USERNAME" UserShell /bin/bash
# Because we are using a passphrase the variable needs to be in quotes.
dscl . passwd "/Users/$USERNAME" "$PASSWORD"

### Enable ARD
# Set ARD for a specific user with specific access privileges
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
-activate -configure -access -on -users "$USERNAME" \
-privs -DeleteFiles -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings

# You must also set the specifiedUsers option to limit access to the individual user
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
-configure -allowAccessFor -specifiedUsers -restart -agent -menu

# Users with a UID less than 500 will be hidden with this
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE

# This makes the account hidden
# (-array replaces any existing HiddenUsersList; use -array-add to append to one instead)
defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array "$USERNAME"

# This makes the "Other" entry in the login window disappear
defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE

# Create the user's home directory
createhomedir -c -u "$USERNAME"

exit 0
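The flip side of the script above is knowing when a machine you administer already carries an account like this. The following audit script is an added example, not part of the original post: it flags local accounts that Hide500Users would hide (UID below 500) but that are not Apple's underscore-prefixed service accounts or root/daemon/nobody, and it lists whatever names loginwindow's HiddenUsersList carries. The `dscl` and `defaults` output it parses is constructed sample text so the script runs offline; on a real Mac the same functions can be fed `dscl . -list /Users UniqueID` and `defaults read /Library/Preferences/com.apple.loginwindow HiddenUsersList` (the `--live` switch does that).

```sh
#!/bin/sh
# Audit for hidden local accounts on OS X (added example, not from the original post).

# Constructed sample of `dscl . -list /Users UniqueID` output: one "name uid" pair per line.
SAMPLE_DSCL_OUTPUT='_spotlight             89
_www                   70
daemon                 1
nobody                 -2
root                   0
alice                  501
support                405'

# Constructed sample of `defaults read ... HiddenUsersList` output (a plist array dump).
SAMPLE_HIDDEN_LIST='(
    support
)'

# Reads "name uid" lines on stdin and prints "name uid" for every account that
# Hide500Users would hide (UID < 500) and that is not a well-known system account.
find_hidden_accounts() {
    while read -r name uid; do
        [ -z "$name" ] && continue
        case "$name" in
            _*|root|daemon|nobody) continue ;;   # Apple service accounts and the usual built-ins
        esac
        # uid can be negative (nobody is -2), so compare numerically
        if [ "$uid" -lt 500 ]; then
            printf '%s %s\n' "$name" "$uid"
        fi
    done
}

# Turns a `defaults read` array dump into one bare name per line.
parse_hidden_list() {
    sed -e '/^[[:space:]]*[()]/d' -e 's/[",[:space:]]//g' | grep -v '^$'
}

# Runs both checks over the given inputs and prints a small report.
audit() {
    dscl_input="$1"
    hidden_input="$2"
    echo "Accounts with UID < 500 that are not system accounts:"
    printf '%s\n' "$dscl_input" | find_hidden_accounts
    echo "Names in loginwindow HiddenUsersList:"
    printf '%s\n' "$hidden_input" | parse_hidden_list
}

if [ "${1:-}" = "--live" ]; then
    # Real data; needs a Mac and read access to /Library/Preferences.
    audit "$(dscl . -list /Users UniqueID)" \
          "$(defaults read /Library/Preferences/com.apple.loginwindow HiddenUsersList 2>/dev/null)"
else
    audit "$SAMPLE_DSCL_OUTPUT" "$SAMPLE_HIDDEN_LIST"
fi
```

Any name that shows up in the first list but is not one you provisioned deserves a look at its ARD settings next (`dscl . -read /Users/NAME` shows the account's attributes, and the same `kickstart` tool the script uses can be run with `-configure -access -off -users NAME` to pull the privilege back).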

Written by Marc Kerr

May 17th, 2013 at 4:52 pm

Posted in Apple,Shell Scripts,Work
