MacAdmin 101: Creating local user accounts with CreateUserPkg
As part of the process of deploying Macs, Mac admins may want to add one or more local user accounts with a pre-determined password. The reasons for this may include the following:
- Setting up a local administrator account.
- Setting up a “loaner” user account for a pool of loaner laptops.
- Setting up a local user account that automatically logs in at startup for a Mac used as a kiosk.
- Setting up a generic “student” account for use in a school’s computer lab.
These accounts can be set up using a script, but that usually means having the password for the local account stored in the script in a way that anyone with access to the script can easily read the password. An alternative to this approach is to use CreateUserPkg.app, an open source utility written by Per Olofsson. CreateUserPkg.app generates installer packages which can be used on Mac OS X 10.5.x and later to create local user accounts and securely set the associated account’s password. For more information, see below the jump.
1. Install CreateUserPkg.app from one of the following sources:
2. Launch CreateUserPkg.app
3. Set up the local account information as desired. Once all the desired settings are chosen, click the Save Package button.
Note: The User ID number should be set to a numeric value not used by any other account’s UID on the Mac at the time of installation.
5. Choose where to save the package and click the Save button.
Testing CreateUserPkg-generated installers
Once the package has been built, test it by installing the CreateUserPkg-generated installer package on a Mac which does not have the local account set up on it. The end result should be that the local account is set up on the Mac with the desired password and configured with the specified settings and account rights.
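The following pre-install check is an added example, not part of the original post and not CreateUserPkg's own code. It covers the User ID note in the steps above and the test condition in this section by confirming that neither the chosen UID nor the account name is already present in the local directory, using the output format of `dscl . -list /Users UniqueID`. The account name `loaner`, the UID 503 and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example: pre-install check for a CreateUserPkg-generated package.
# SAMPLE_LISTING is constructed sample output in the format printed by
# `dscl . -list /Users UniqueID` (account name, whitespace, UID).
SAMPLE_LISTING='_www                     70
daemon                   1
nobody                   -2
root                     0
localadmin               501
student                  502'

# Print the local account listing: real dscl on a Mac, the sample elsewhere.
list_uids() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -list /Users UniqueID
    else
        printf '%s\n' "$SAMPLE_LISTING"
    fi
}

# uid_owner UID: print the account(s) already holding UID; exit 1 if none.
uid_owner() {
    awk -v uid="$1" '$2 == uid { print $1; found = 1 } END { exit !found }'
}

# account_exists NAME: exit 0 if NAME is already a local account.
account_exists() {
    awk -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

# preflight NAME UID: read a listing on stdin, report conflicts,
# return 0 only when both the name and the UID are unused.
preflight() {
    listing=$(cat)
    status=0
    if owner=$(printf '%s\n' "$listing" | uid_owner "$2"); then
        echo "UID $2 is already used by: $owner"; status=1
    fi
    if printf '%s\n' "$listing" | account_exists "$1"; then
        echo "account $1 already exists"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: account $1 and UID $2 are unused"
    return "$status"
}

# Demonstration against the constructed sample listing.
printf '%s\n' "$SAMPLE_LISTING" | preflight loaner 503
```

On the target Mac, run `list_uids | preflight loaner 503` with the account name and UID entered in CreateUserPkg.app before installing the package.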
How CreateUserPkg.app works
CreateUserPkg.app creates two files for the local user account, which allows the account information to work on Mac OS X 10.5.x and later. The local account’s information is written to a plist file named with the account’s username and stored in the directory listed below:
An example account plist is shown below:
For compatibility with Mac OS X 10.5.x and 10.6.x, the account’s password is stored in encrypted format in files named with the Generated UID of the account. These files are then stored in the directory listed below:
Note: These files were only needed for Mac OS X 10.5.x and 10.6.x; on later versions of OS X and macOS, the passwords were stored in the account’s plist file in /private/var/db/dslocal/nodes/Default/users. On Mac OS X 10.7.x and later, the password information is automatically converted to the proper format when the user account is logged into for the first time.
Once the two files are generated by CreateUserPkg.app, the utility then generates an installer package and post-installation script to install the two files into their proper places. Once the CreateUserPkg-generated package is installed, the account’s files are put into the necessary places and the installer’s postinstall script handles any necessary granting of admin rights or auto-login settings.
An example postinstall script from a CreateUserPkg-generated installer package is shown below: