
Creating Custom Guest Users on OS X

If you want others to be able to temporarily use your computer, but you don’t want to create an account for each user, Mac OS X allows you to create a guest account. This guest account allows a person to log in to the Mac without entering a password, but the account type has the following limitations:

  1. Guest users can’t make changes to other user accounts.
  2. Guest users can’t change settings on the computer.
  3. Guest users can’t log in remotely.
  4. Files created by guest users are deleted when the user logs out: a temporary home folder is created at login for the guest’s files, and that folder and its contents are removed at logout.


By default, OS X only allows the creation of a single guest account with the name of Guest. That said, it is possible to create custom guest accounts with names that are different from Guest. This would allow Mac admins to create multiple guest accounts if needed. See below the jump for more details.

I’ve built a script for creating a custom guest account, based on earlier work by Noel B. Alonso. The script is available below and has been tested on Mac OS X 10.6.8 – 10.9.1.


#!/bin/bash
# Original script by Noel B. Alonso: https://gist.github.com/nbalonso/5696340
# variables
DSCL="/usr/bin/dscl"
SECURITY="/usr/bin/security"
LOGGER="/usr/bin/logger"
# Determine OS version (the minor number of 10.x, e.g. "9" for 10.9.1)
OSVERS=$(sw_vers -productVersion | awk -F. '{print $2}')
# Set the account shortname
USERNAME="kiosk"
# Set the name which is displayed in System Preferences for the account
DISPLAYNAME="Kiosk User"
# Set the account's UID. This must not already be in use by another local
# account; check the current list with: dscl . -list /Users UniqueID
GUESTUID="600"
# Set the account's GID
GUESTGROUPID="600"
# Writing to the local directory node and to the System keychain requires root
if [[ $(id -u) -ne 0 ]]; then
${LOGGER} -s -t "create${USERNAME}.sh" "ERROR: This script must be run as root. User account not created."
exit 1
fi
if [[ ${OSVERS} -lt 6 ]]; then
${LOGGER} -s -t "create${USERNAME}.sh" "ERROR: The version of OS X running on this Mac is not supported by this script. User account not created."
exit 1
fi
if [[ ${OSVERS} -eq 6 ]]; then
${LOGGER} -s -t "create${USERNAME}.sh" "INFO: Creating the ${USERNAME} user account on Mac OS X 10.${OSVERS}.x"
${DSCL} . -create /Users/"${USERNAME}"
${DSCL} . -create /Users/"${USERNAME}" UserShell /bin/bash
${DSCL} . -create /Users/"${USERNAME}" RealName "${DISPLAYNAME}"
${DSCL} . -create /Users/"${USERNAME}" UniqueID "${GUESTUID}"
${DSCL} . -create /Users/"${USERNAME}" PrimaryGroupID "${GUESTGROUPID}"
${DSCL} . -create /Users/"${USERNAME}" NFSHomeDirectory /Users/"${USERNAME}"
${DSCL} . -create /Users/"${USERNAME}" RecordType dsRecTypeStandard:Users
${DSCL} . -create /Users/"${USERNAME}" dsAttrTypeNative:_defaultLanguage en
# The _guest attribute is what marks the record as a guest account
${DSCL} . -create /Users/"${USERNAME}" dsAttrTypeNative:_guest true
${DSCL} . -create /Users/"${USERNAME}" dsAttrTypeNative:_writers__defaultLanguage "${USERNAME}"
${DSCL} . -create /Users/"${USERNAME}" dsAttrTypeNative:_writers_jpegphoto "${USERNAME}"
${DSCL} . -create /Users/"${USERNAME}" dsAttrTypeNative:_writers_LinkedIdentity "${USERNAME}"
${DSCL} . -create /Users/"${USERNAME}" dsAttrTypeNative:_writers_picture "${USERNAME}"
${DSCL} . -create /Users/"${USERNAME}" dsAttrTypeNative:_writers_UserCertificate "${USERNAME}"
${DSCL} . -create /Users/"${USERNAME}" AppleMetaNodeLocation /Local/Default
# Setting up an empty password and giving local Kerberos some time to process it
${DSCL} . -passwd /Users/"${USERNAME}" ''
sleep 2
fi
if [[ ${OSVERS} -ge 7 ]]; then
${LOGGER} -s -t "create${USERNAME}.sh" "INFO: Creating the ${USERNAME} user account on Mac OS X 10.${OSVERS}.x"
${DSCL} . -create /Users/"${USERNAME}"
${DSCL} . -create /Users/"${USERNAME}" dsAttrTypeNative:_defaultLanguage en
# The _guest attribute is what marks the record as a guest account
${DSCL} . -create /Users/"${USERNAME}" dsAttrTypeNative:_guest true
${DSCL} . -create /Users/"${USERNAME}" dsAttrTypeNative:_writers__defaultLanguage "${USERNAME}"
# Adding the _writers_LinkedIdentity attribute for Macs running Mac OS X 10.7.x. This
# attribute is not needed on 10.8.x and later.
if [[ ${OSVERS} -eq 7 ]]; then
${DSCL} . -create /Users/"${USERNAME}" dsAttrTypeNative:_writers_LinkedIdentity "${USERNAME}"
fi
${DSCL} . -create /Users/"${USERNAME}" dsAttrTypeNative:_writers_UserCertificate "${USERNAME}"
${DSCL} . -create /Users/"${USERNAME}" AuthenticationHint ''
${DSCL} . -create /Users/"${USERNAME}" NFSHomeDirectory /Users/"${USERNAME}"
# Setting up an empty password and giving local Kerberos some time to process it
${DSCL} . -passwd /Users/"${USERNAME}" ''
sleep 2
${DSCL} . -create /Users/"${USERNAME}" Picture "/Library/User Pictures/Nature/Leaf.tif"
${DSCL} . -create /Users/"${USERNAME}" PrimaryGroupID "${GUESTGROUPID}"
${DSCL} . -create /Users/"${USERNAME}" RealName "${DISPLAYNAME}"
${DSCL} . -create /Users/"${USERNAME}" RecordName "${USERNAME}"
${DSCL} . -create /Users/"${USERNAME}" UniqueID "${GUESTUID}"
${DSCL} . -create /Users/"${USERNAME}" UserShell /bin/bash
# Adding the System keychain item that allows ${USERNAME} to log in on 10.7 and later.
${SECURITY} add-generic-password -a "${USERNAME}" -s com.apple.loginwindow.guest-account -D "application password" /Library/Keychains/System.keychain
fi
${LOGGER} -s -t "create${USERNAME}.sh" "INFO: Exiting"
exit 0


I also have this script available on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/create_custom_guest_account
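Two things can go wrong silently with the script above: the hard-coded UID 600 may already belong to another local account, and the login window only treats the record as a guest if the _guest attribute (and, on 10.7 and later, the System keychain item) actually landed. The checks below are an added example and are not part of the script or the GitHub repo; they assume the shortname kiosk and UID 600 used above. The two check functions take the text that dscl would print, so they are run here against constructed sample output (not from a real Mac); the main function at the end runs the same checks against the live directory only when /usr/bin/dscl exists.

```shell
#!/bin/bash
# Added example (not part of rtrouton's create_custom_guest_account script):
# pre-flight and post-creation checks for a custom guest account.

# Constructed sample of `dscl . -list /Users UniqueID` output. Note that a
# "student" account already holds UID 600, the value the script hard-codes.
SAMPLE_UID_LIST='_mbsetupuser 248
admin 501
nobody -2
root 0
student 600'

# Constructed sample of `dscl . -read /Users/kiosk` for a correctly created
# account, using the attribute names as dscl prints them (native attributes
# carry the dsAttrTypeNative: prefix; values containing spaces, such as
# RealName, are printed on the following line).
SAMPLE_GUEST_RECORD='dsAttrTypeNative:_defaultLanguage: en
dsAttrTypeNative:_guest: true
dsAttrTypeNative:_writers__defaultLanguage: kiosk
AppleMetaNodeLocation: /Local/Default
NFSHomeDirectory: /Users/kiosk
PrimaryGroupID: 600
RealName:
 Kiosk User
RecordName: kiosk
RecordType: dsRecTypeStandard:Users
UniqueID: 600
UserShell: /bin/bash'

# The same record without the _guest flag: an ordinary local user, which the
# login window will not treat as a guest.
SAMPLE_PLAIN_RECORD=$(printf '%s\n' "$SAMPLE_GUEST_RECORD" | grep -v '_guest')

# Return 0 if the UID already belongs to some record in a
# `dscl . -list /Users UniqueID` listing ($1 = listing text, $2 = UID).
uid_in_use() {
    printf '%s\n' "$1" | awk -v uid="$2" '$2 == uid { found = 1 } END { exit !found }'
}

# Return 0 when a `dscl . -read /Users/<name>` dump carries every attribute a
# guest record needs ($1 = record text, $2 = shortname, $3 = expected UID);
# otherwise print what is missing and return 1.
verify_guest_record() {
    _missing=""
    for _want in "RecordName: $2" "UniqueID: $3" "dsAttrTypeNative:_guest: true" "NFSHomeDirectory: /Users/$2"; do
        printf '%s\n' "$1" | grep -qxF "$_want" || _missing="$_missing [$_want]"
    done
    [ -z "$_missing" ] && return 0
    printf 'missing:%s\n' "$_missing"
    return 1
}

# Live checks, only meaningful on a Mac and run as root: before the account
# exists, report a UID collision; afterwards, verify the record and the
# System keychain item the login window needs on 10.7 and later.
main() {
    _name="${1:-kiosk}"; _uid="${2:-600}"
    if dscl . -read "/Users/$_name" RecordName >/dev/null 2>&1; then
        verify_guest_record "$(dscl . -read "/Users/$_name")" "$_name" "$_uid"
        security find-generic-password -a "$_name" -s com.apple.loginwindow.guest-account \
            /Library/Keychains/System.keychain >/dev/null 2>&1 \
            || echo "missing: com.apple.loginwindow.guest-account item for $_name in System.keychain"
    else
        uid_in_use "$(dscl . -list /Users UniqueID)" "$_uid" \
            && echo "UID $_uid is already taken; pick another GUESTUID before running the script"
    fi
}

if [ -x /usr/bin/dscl ]; then main "$@"; fi
```

Run it once before the creation script (it reports a taken UID) and once after (it reports any attribute the login window needs that did not get written, and on 10.7 and later whether the keychain item is present). Against the constructed samples, UID 600 is reported as taken, the full record passes, and the record without _guest fails with the missing attribute named.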

One thing to be aware of is that, if the login window is set to show icons instead of the username and password blanks, all guest accounts created will show up with a Guest User account icon regardless of the account’s name.


If you need multiple custom guest accounts, I recommend setting the login window to display username and password blanks and then logging in with the relevant username.


  1. Jason
    December 31, 2013 at 6:14 pm

    Curious, do the newly created “guest” accounts have the same limitations as the stock “Guest” account? If so, where is the benefit in making these extra accounts? A neater process in making the stock Guest account and also any new account on the machine is to use this – http://www.voelker.com/guestmaster/

  2. January 1, 2014 at 10:24 pm

    Does it work with FileVault on?

  3. Phil
    February 10, 2014 at 3:19 pm

    When I launch Safari on a 10.8.5 machine, I get a Keychain error. Any reason why?

  4. Morgan Stevens
    March 28, 2014 at 12:44 pm

    Hey, I have tried it. It is working with FileVault for me. I have a problem I hope you would know it. I cannot see hidden files. Can anyone help me out with the commands in Finder, or shall I buy Show Hidden Files Mac?

  5. June 26, 2014 at 7:26 am

    I also have the keychain problem. Analyzing the system guest account shows all sorts of other keychain and kerberos related stuff. I’ve spent hours pounding my head on my desk fighting with this stuff to no avail 😦

  6. August 7, 2014 at 6:10 am

    I’m also seeing the keychain problem on Mavericks. I haven’t been able to find a way around it – other than going into System Preferences > Users & Groups and disabling and then re-enabling the Guest account. This kind-of defeats the purpose of creating the guest account with a script though. If anyone else has a resolution for this, I’d love to hear it.

  7. August 7, 2014 at 6:11 am

    I’ve wrapped this script up into an installer package and am deploying it as part of a DeployStudio workflow to run at first boot. I’m also applying some LocalMCX to the account which seems to work well, it’s just the keychain issue that’s brought everything to a halt.

  8. Phil C.
    August 30, 2014 at 7:33 am

    Wanted to know if it’s possible to add an app icon on the guest account. Wanna manage it forcefully on all our guest accounts. Can this be done?

    • August 30, 2014 at 10:45 pm

      From what I understand, you can’t customise the picture for the Guest account on the Login Window. If you look in the raw data for the account, there is a picture specified, but it’s ignored.

  9. sassaints
    September 25, 2014 at 3:59 pm

    Bump on keychain issue on Mavericks when logged in via script-created guest user.

  10. diggs
    September 25, 2014 at 5:04 pm

    Is it possible to create an OD user that functions as a guest on client devices? I tried adding the dsAttrTypeNative:_guest attribute to an OD user, but Directory Utility errors that “An invalid attribute type was provided.” This is on 10.9 ODM.

  11. sassaints
    September 25, 2014 at 7:59 pm

    For anyone interested, I’ve developed a ‘hacky’ workaround for the keychain issue. I’m sure there is a better way to do this, but this seems to be working for me. Only tested on Mavericks.

    Leave rtrouton’s script as is.

    Add the following file to /System/Library/User Template/Non_localized/Library/LaunchAgents/ (note, you will have to create the LaunchAgents directory).

    File: com.example.createKeychain.plist
    BEGIN

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.example.createKeychain</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/share/script/createKeychain.sh</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>

    END

    Add the following file at /usr/local/share/script/ (or change path to wherever and modify plist above):

    BEGIN

    #!/bin/bash

    SECURITY="/usr/bin/security"

    ${SECURITY} create-keychain -p "${USER}" "${HOME}/Library/Keychains/guest.keychain"
    ${SECURITY} unlock-keychain -p "${USER}" "${HOME}/Library/Keychains/guest.keychain"
    ${SECURITY} default-keychain -s "${HOME}/Library/Keychains/guest.keychain"

    END

    Obviously, don’t include the BEGIN and END parts.
    The way it works:

    On login, the guest account creation process pulls from the user template which now includes a launchagent that runs at login. This fires a script which creates a new keychain in the user’s library folder and sets it to be the default. The password for the keychain is simply set to the username – but since this is a guest account that will get deleted on logout, no worries.

    Hope this helps others. This script was very useful to me for our lab rollout. (We put script in a .pkg and push out with munki.)

    • sassaints
      September 25, 2014 at 8:03 pm

      Ugh. WordPress mangled the XML

      First file to place in LaunchAgents directory named com.example.createKeychain.plist: http://pastebin.com/YaQpALUQ

      Second file to place in /usr/local/share/script/ directory named createKeychain.sh:
      http://pastebin.com/5np59dhy

      • sassaints
        September 25, 2014 at 8:11 pm

        One note: This might completely mess up non-guest, local users that you create after modifying the User Template stuff. But that isn’t a concern for us.

    • sassaints
      September 25, 2014 at 8:23 pm

      New, ugly version that does same thing all in LaunchAgent. Ie, no external script needed:

      http://pastebin.com/ZjsbA8Ky

      • Rodney Allen, anarchist
        October 22, 2014 at 7:59 pm

        I took your approach and applied it to my problem. I discovered that I needed to add a line:

        security set-keychain-settings guest.keychain

        to the script in order to keep the keychain from locking after a few minutes (maybe five?). Thanks for sharing your solution.

  12. Sam
    December 2, 2015 at 9:48 pm

    I know this script is a bit dated with the new OS X releases, but have you tested this script, or do you have a script that will create guest accounts on 10.10 or 10.11?

  13. Q
    June 2, 2016 at 8:13 am

    After using this for my 10.10 client, I had a fuss with keychains on 10.11.
    Finally managed to modify the script so that it works with 10.11.
    Here’s the link to the updated version: http://goo.gl/D7uB8d

    • aley
      August 14, 2016 at 8:46 pm

      I can confirm that this updated version works as expected in OS X 10.11 El Capitan. Thanks a lot!

  14. sm
    August 20, 2020 at 8:20 pm

    I’m curious if anyone has a solution for the keychain issues with Catalina? A custom guest account would be a perfect fit for several shared use cases, but the keychain seems to be a roadblock.
