Table of contents
  1. Users
    1. Get User List
    2. List existing group
      1. Create the new group ‘newgroup’ and assign it an ID
        1. View the new group
    3. Add user to group
    4. Create new user
      1. View the new user
    5. Change Password
    6. Root
      1. Enable Root User
        1. Use Directory Utility
          1. To enable or disable the root user
          2. To change the root password
          3. Log in as the root user
      2. add user to SUDO
  2. Groups
    1. Root user group
    2. Admin
      1. default admin account is not in these groups that root is in:




Users

Get User List

dscl . list /Users | grep -v "^_"

List existing group

  • IDs in numerical order

      dscl . -list /Groups PrimaryGroupID | awk '{print $2}' | sort -n
    
  • List sorted by group name:

     dscl . list /Groups PrimaryGroupID
    
  • List sorted by group gid

     dscl . list /Groups PrimaryGroupID | tr -s ' ' | sort -n -t ' ' -k2,2
    
  • List groups with members

      dscl . list /Groups GroupMembership
    
Note: neither dscacheutil nor dscl list members of the group staff other than root. Use dsmemberutil to confirm a member belongs to the group staff.

Example for a user with UID 501:

 dsmemberutil checkmembership -u 501 -g 20

Create the new group ‘newgroup’ and assign it an ID

When choosing a group ID, make sure it is not already used by another group. To list the existing group IDs in numerical order:

dscl . -list /groups PrimaryGroupID | awk '{print $2}' | sort -n

sudo dscl . -create /Groups/newgroup
sudo dscl . -create /Groups/newgroup PrimaryGroupID 1000

View the new group

dscl . -read /Groups/newgroup

output

 AppleMetaNodeLocation: /Local/Default
 GeneratedUID: 423AF02C-F053-41E0-ABCD-33127EF9A9CA
 PrimaryGroupID: 1000
 RecordName: newgroup
 RecordType: dsRecTypeStandard:Groups

OS X conventionally uses different ID ranges for different types of accounts. Here's the current layout as I understand it:

  • up to 100: Reserved for static system-defined (built in) groups
  • 101 - 199: Used by the OS for dynamically created groups (e.g., share point access groups)
  • 200—?: More static system groups (apparently 100 wasn't enough)
  • 400 - 500: More dynamic system groups
  • 501 and up: Local admin-created groups
  • 1024 and up: Domain-based admin-created groups
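The ID check described above can be scripted. This is an added example, not part of the original page: it reads the two-column output of `dscl . -list /Groups PrimaryGroupID` (or `dscl . -list /Users UniqueID`) on stdin and reports the lowest unused ID at or above a floor. The function names, the default floor of 501 (taken from the ranges above) and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page).
# Input: "name id" lines as printed by  dscl . -list /Groups PrimaryGroupID

# Print the lowest ID >= floor (default 501) that no record uses.
next_free_id() {
    floor="${1:-501}"
    awk -v floor="$floor" '
        # The ID is the last field; lines without a numeric ID are skipped.
        $NF ~ /^-?[0-9]+$/ { used[$NF + 0] = 1 }
        END {
            id = floor + 0
            while (id in used) id++
            print id
        }'
}

# Exit status 0 if the given ID is already taken, 1 otherwise.
id_in_use() {
    awk -v want="$1" '
        $NF ~ /^-?[0-9]+$/ && $NF + 0 == want + 0 { found = 1 }
        END { exit !found }'
}

# Constructed sample of dscl output (not from a real machine).
sample_groups() {
    cat <<'EOF'
admin                    80
com.apple.access_ssh     399
nobody                   -2
projects                 501
design                   502
newgroup                 1000
staff                    20
wheel                    0
EOF
}

# On a Mac: dscl . -list /Groups PrimaryGroupID | next_free_id 501
sample_groups | next_free_id 501
```

Run `id_in_use` against both the `/Groups PrimaryGroupID` and `/Users UniqueID` listings before creating a record, since the page assigns the same number (1000) to the new group and the new user.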

Add user to group

sudo dseditgroup -o edit -a john -t user admin
sudo dseditgroup -o edit -a john -t user wheel

Create new user

sudo dscl . -create /Users/newuser
sudo dscl . -create /Users/newuser UserShell /bin/bash
sudo dscl . -create /Users/newuser RealName "New User"
# UniqueID must not already be used by another account
sudo dscl . -create /Users/newuser UniqueID "1000"
sudo dscl . -create /Users/newuser PrimaryGroupID 1000
sudo dscl . -create /Users/newuser NFSHomeDirectory /Local/Users/newuser
# A password typed here is saved in shell history; omit it to be prompted instead
sudo dscl . -passwd /Users/newuser password
# Only needed if the account should have administrator rights
sudo dscl . -append /Groups/admin GroupMembership newuser

View the new user

dscl . -read /Users/newuser

output

AppleMetaNodeLocation: /Local/Default
GeneratedUID: 47D6D841-C7F1-4962-9F7E-167E8BFC3A91
PrimaryGroupID: 1000
RealName:
Application
RecordName: newuser
RecordType: dsRecTypeStandard:Users
UniqueID: 1000
UserShell: /usr/bash

Change Password

sudo dscl . -passwd /Users/username password

Root

Enable Root User

Use Directory Utility

Use Spotlight to find and open Directory Utility, or follow these steps:

  1. From the menu bar in the Finder, choose Go > Go to Folder.
  2. Type or paste /System/Library/CoreServices/Applications/, then press Return.
  3. Open Directory Utility from the window that opens.

To enable or disable the root user

In the Directory Utility window, click the lock icon, then enter an administrator name and password.

  • To enable the root user, choose Edit > Enable Root User from the menu bar. Then enter the password that you want to use. You can then log in as the root user.
  • To disable the root user, choose Edit > Disable Root User.

To change the root password

In the Directory Utility window, click the lock icon, then enter an administrator name and password. From the menu bar, choose Edit > Change Root Password.

Log in as the root user

When the root user is enabled, you have its privileges only while logged in as the root user.

  1. Choose Apple menu > Log Out to log out of your current user account.
  2. At the login window, log in with the username “root” and the password you created for the root user.
  • If the login window is a list of users, click Other, then log in.

add user to SUDO

su AdminUser

After authenticating as AdminUser, use the visudo command to edit the sudoers file:

sudo visudo
# Add the following line to the sudoers file:
username ALL = (ALL) ALL

If you want to be able to use sudo without typing a password:

username        ALL = (ALL) NOPASSWD:ALL
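Both rule forms above hand out full root, and the NOPASSWD form also removes the password prompt, so it helps to be able to list which entries in a sudoers file look like them. This is an added example, not part of the original page: it reads sudoers text on stdin and reports such rules. The function names, the output labels and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report sudoers rules that
# skip the password prompt (NOPASSWD) or grant every command (FULL).
# Lines starting with '#' are skipped, which includes #include directives.
audit_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/       { next }  # comments, blank lines
        /^[ \t]*Defaults/              { next }  # option lines
        /^[ \t]*[A-Za-z]+_Alias[ \t]/  { next }  # alias definitions
        {
            who = $1
            if ($0 ~ /NOPASSWD[ \t]*:/)
                print "NOPASSWD " who
            else if ($0 ~ /=[ \t]*(\([^)]*\))?[ \t]*ALL[ \t]*$/)
                print "FULL " who
        }'
}

# Constructed sample sudoers content (not from a real machine).
sample_sudoers() {
    cat <<'EOF'
# sudoers file
Defaults env_reset
root        ALL = (ALL) ALL
%admin      ALL = (ALL) ALL
username    ALL = (ALL) NOPASSWD:ALL
backup      ALL = (root) /usr/bin/rsync
EOF
}

# On a Mac: sudo cat /etc/sudoers | audit_sudoers
sample_sudoers | audit_sudoers
```

The `backup` line is not reported because it is limited to a single command, which is the narrower form to prefer when an account needs only one privileged action.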

Groups

get group permissions

dscacheutil -q group -a name wheel

  • WHEEL:
    As previously mentioned, the wheel group has more permissions than any other group. I don't know a quick way to have the system show whether being a member of the wheel group provides ALL the permissions that the root user has, but I can tell you that on my Mac, the only member of WHEEL is root.
  • SYSTEM:
    My installation of macOS Sierra has no group and no user named system.
  • ADMIN: users in this group are:
  • STAFF: members of this group can do most but not all the things Unix can do. Members of the staff group are:

Root user group

The root user is a member of the following groups (this information is listed as a result of typing this into the command line: groups root):

  • wheel
  • daemon
  • kmem
  • sys
  • tty
  • operator
  • procview
  • procmod
  • everyone
  • staff
  • certusers
  • localaccounts
  • admin
  • com.apple.sharepoint.group.2
  • _appstore
  • _lpadmin
  • _lpoperator
  • _developer
  • com.apple.access_ftp
  • com.apple.access_screensharing
  • com.apple.access_ssh
  • com.apple.sharepoint.group.1

Admin

The administrator account on a Mac, the account created when the Mac is first set up, is in these groups (this information is listed as a result of running the groups command for that account on the command line). This is basically the Mac owner's account.

  • staff
  • com.apple.sharepoint.group.2
  • everyone
  • localaccounts
  • _appserverusr
  • admin
  • _appserveradm
  • _lpadmin
  • _appstore
  • _lpoperator
  • _developer
  • com.apple.access_ftp
  • com.apple.access_screensharing
  • com.apple.access_ssh
  • com.apple.sharepoint.group.1

default admin account is not in these groups that root is in:

  • wheel
  • daemon
  • kmem
  • sys
  • tty
  • operator
  • procview
  • procmod