In a number of Mac environments, it’s advantageous for Mac admins to hide the IT administrator account so that it can’t be deleted or altered by other users on those Macs. In other cases, like Jamf’s Casper, the system management tool needs an account in order to do its work. In both cases, hiding the affected account and its associated home folder is a good strategy to keep the account from attracting unwanted attention.
One way you can hide the account is to create it using a UID that’s lower than 500. Apple uses UIDs of 501 and higher for its accounts. UIDs of 500 and lower are assumed to be system-only accounts and should not show up at either the login window or in the Accounts or Users & Groups listing in System Preferences.
The downside to this is that these hidden accounts may not be migrated when upgrading your Mac to a new OS, which may leave you without your usual administrator account following the upgrade. I first noticed this with 10.7.x, but I’ve heard that it also affects hidden accounts when migrating from 10.5.x to 10.6.x.
How can you tell if your hidden account will be migrated? Here’s what works and doesn’t as of Mac OS X 10.7.x:
Note: In the description below, Visible refers to a user account that shows up and is editable in the Accounts or Users & Groups listing in System Preferences. Hidden refers to an account with a UID that’s lower than 500.
Successfully migrates:
Visible user account, where the home folder is stored in /Users
Hidden user account, where the home folder is stored in /Users
Visible user account, where the home folder is stored somewhere other than /Users
Does not successfully migrate:
Hidden user account, where the home folder is stored somewhere other than /Users
If you have a hidden user account with a home folder stored outside of /Users, there are a couple of solutions that you may be able to leverage as part of the upgrade process to get those hidden admin accounts back.
1. If you’re upgrading to 10.7.x, use CreateLionUser to build installer packages that recreate your hidden user accounts following the upgrade. These installer packages should be incorporated into your upgrade workflow and set to run after the main 10.7 upgrade process has finished.
2. If the hidden user is needed by your system management tool, check to see if the needed user is created by the agent installer. If it is, then re-running the agent installer should put back the needed hidden user account.
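To find out before an upgrade which accounts fall into the "does not migrate" case above, the following added example (not from the original post) applies the visible/hidden and /Users rules to each local account. The account names and UIDs in the sample data are constructed, and skipping `_`-prefixed names plus root, daemon and nobody as Apple's built-in accounts is an assumption of this sketch.

```shell
#!/bin/sh
# Flag accounts that are hidden (UID lower than 500) AND have a home
# folder outside /Users, the combination the post says is not migrated.

# classify NAME UID HOME -> prints "migrates" or "at-risk"
classify() {
    hidden=no; in_users=no
    if [ "$2" -lt 500 ]; then hidden=yes; fi
    case "$3" in
        /Users/?*) in_users=yes ;;   # a real child of /Users, not /UsersOld/x
    esac
    if [ "$hidden" = yes ] && [ "$in_users" = no ]; then
        echo at-risk
    else
        echo migrates
    fi
}

# Assumption: these are Apple's own system accounts, so they are not audited.
is_builtin() {
    case "$1" in
        _*|root|daemon|nobody) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "name uid home" lines on stdin, prints the names at risk.
audit() {
    while read -r name uid home; do
        [ -n "$name" ] || continue
        if is_builtin "$name"; then continue; fi
        if [ "$(classify "$name" "$uid" "$home")" = at-risk ]; then
            echo "$name"
        fi
    done
}

# Constructed sample records, used when dscl is not available.
sample_accounts() {
    printf '%s\n' 'root 0 /var/root' '_www 70 /Library/WebServer' \
        'alice 501 /Users/alice' 'itadmin 499 /Users/itadmin' \
        'labuser 502 /Volumes/Data/Homes/labuser' \
        'mgmtagent 401 /private/var/mgmtagent'
}

# On a Mac: build the same records from the local directory service.
# Assumes the single-line "NFSHomeDirectory: /path" output form.
live_accounts() {
    dscl . -list /Users UniqueID | while read -r name uid; do
        home=$(dscl . -read "/Users/$name" NFSHomeDirectory | sed 's/^NFSHomeDirectory: //')
        echo "$name $uid $home"
    done
}

if command -v dscl >/dev/null 2>&1; then live_accounts | audit; else sample_accounts | audit; fi
```

Any name it prints is a candidate for one of the two recovery options listed above.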