Here is a script I’ve pieced together to create a hidden user on OS X as a Standard user then set that user with ARD privileges. Not giving the user admin privileges really doesn’t protect from an ARD hack or someone with the password to that user because the ARD agent on the client machine will run remote commands as root. It would prevent a “Screen Sharing” user from doing anything as an admin.
#!/bin/sh # This script will let you create a hidden standard user with any short name you want # to get a username and password prompt use Option + down arrow then Command + Return # This script is based on several sources: # http://support.apple.com/kb/HT5017?viewlocale=en_US # http://apple.stackexchange.com/questions/82472/what-steps-are-needed-to-create-a-new-user-from-the-command-line-on-mountain-lio # http://www.tonymacx86.com/mac-os-x-support/87058-guide-how-make-hidden-admin-account-mac-osx.html # http://support.apple.com/kb/ht2370 # This standard user is given Apple Remote Desktop access. # For interactivity use the following # Set the variable USERNAME echo "Enter the Username of the account you want to create." read USERNAME echo "Enter the Pass Phrase of the account you want to create." # Get settings for terminal then disable echo to hide typing of the password oldmodes=`stty -g` stty -echo #This will make the variable PASSWORD read PASSWORD #sets term back to its original settings stty $oldmodes # If you dont' want interactivity comment out the previous and use these commands # USERNAME="username" # PASSWORD="User a passphrase" #This makes the account and puts it into the admin group dscl . create /Users/$USERNAME dscl . create /Users/$USERNAME UniqueID 405 dscl . create /Users/$USERNAME PrimaryGroupID 20 dscl . create /Users/$USERNAME NFSHomeDirectory /private/var/$USERNAME dscl . create /Users/$USERNAME UserShell /bin/bash # because we are using a passphrase the variable needs to be in quotes. dscl . passwd /Users/$USERNAME "$PASSWORD" ### Enable ARD # Set ARD for a specific user with specific access privileges /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \ -activate -configure -access -on -users $USERNAME \ -privs -DeleteFiles -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings # you must also set the specifiedUsers option to limit access to the individual user /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \ -configure -allowAccessFor -specifiedUsers -restart -agent -menu # Users with a UID less than 500 will be hidden with this defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE # This makes the account hidden defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array $USERNAME # This makes the Other in the login window dissapear defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE # Create the users home directory createhomedir -c -u $USERNAME exit 0