How to setup an Administrator account in OS X

The following information is based on OS X 10.10 Yosemite. If you are running an earlier version of OS the information might still useful but you may have to look in different settings.

OS X has three account types – Administrator, Standard, and Managed (with Parental Controls). The Administrator account is the most important.

Administrator: An administrator account user can create, delete, and modify accounts, install software, and change system settings. Since administrators have such broad access, you should limit the number of administrator accounts created.

By default, the OS X Setup Assistant configures the first account on the Mac as an administrator account. This account can do anything to the Mac including installing software and changing system settings and other accounts. It’s a bad idea to use this regularly for day-to-day tasks and Apple recommends that Administrator accounts should only be used for administration. Users should use standard user accounts for day-to-day computer use.

Initial Setup

When you take your Mac out of the box, it is securely configured to meet the needs of most common environments, so you don’t need to be a security expert to set up your computer. When you first setup your Mac, OS X will prompt you to you creates your first user account. To keep things simple Apple set this by default to be an Administrator account.

I disagree with this approach. I would have preferred Apple follow the method used by Linux machines where the user is prompted to create an administrator account and then prompted to create a standard user account.

Operating your Mac with an account with such high-level access leaves you vulnerable to malicious software that may have installed itself when you clicked that innocent looking video link in an email from your friend (except it was a hacker using your friend's email account). The Administrator should be used only when necessary to complete administrative tasks.

It’s most likely that the account you are logged into now on your Mac is an Administrator account. Don’t worry. The steps below will show you how to switch things around and reduce your risk.

Create a new Administrator account

The first step is to create a new Administrator account. You can do this by launching the System Preferences application and then clicking Users & Groups. You will be taken to a preferences pane that looks something like this.

You may have to click the lock in the lower left of the screen to make changes.
Click the + button in the lower left corner to bring up the new account dialogue. Choose Administrator from the drop down and enter a name for the account. Enter a strong password and make sure to write it down and store it somewhere safe.

Simple names like “Administrator” or “Admin”, or even “God” are some of the first accounts hacker try, and potentially make it easier for an attacker to break into a system. I recommend using a difficult-to-guess name for accounts with administration privileges. If you are a fan of the Lord of the Rings then “Gandalf” might be an appropriate name for the Administrator account.
Click Create User and voilà, you have a new Administrator account. To customize the account, clock the image icon and choose and image from the defaults or drag one from your hard drive on to the icon to change it.

[exif id="16332"]

Once the new Administrator account has been created, please logout and log back in with the new account, to test that the password works. Don’t forget to “downgrade” the other administrator account to a standard account. To do this, launch System Preferences and select Users & Groups. Unlock the preferences panes and select the other administrator account from the list. Make sure to uncheck the Allow user to administrate this computer check box.

You may have to restart the computer for the changes to take effect. Log back in with your original OS X account and verify that everything is ok by launching System Preferences and clicking Users & Groups. You should see something like the screen shot below. Note that the original account now has the word Standard indicating that it’s no longer an Administrator account.

Conclusion

I know that using an account with Administrator privileges makes it easier when installing software or making system changes. However, these are activities that the average users have to rarely complete. Performing your day-to-day work using a Standard account reduces the likelihood that you accidentally install a Trojan horse or some other malicious software.

Author: Khürt Williams

A human who works in information security and enjoys photography, Formula 1 and craft ale. #nobridge