How do I downgrade user account to non-admin?
I've been using OS X since its public beta. I've always run my user account with administrative privileges. Now I see that everyone (Apple included) recommends that the user account used for routine daily computer activities should be a non-administrative account.
What's the easiest and safest way to convert my user account to a non-administrative account? I don't want to have to reconfigure my user account and all of its settings from scratch.
John
What's the easiest and safest way to convert my user account to a non-administrative account? I don't want to have to reconfigure my user account and all of its settings from scratch.
John
Comments
Easy as falling off a log.
I was afraid I was asking a stupid question. But the first time I tried that I didn't see the "allow user to administer this computer" checkbox. But there it is as plain as the nose on my face.
John
- That professor dude from South Park
Originally posted by speed_the_collapse
Create a new account, make it the admin, and go back to your account and make your account a standard one.
So I'm logged in as standard user.
I want to install an application.
What happens? Do I have to log out, log back in as admin and then install?
Seems like a pain.
Originally posted by WelshDog
So I'm logged in as standard user.
I want to install an application.
What happens? Do I have to log out, log back in as admin and then install?
Seems like a pain.
No, it will pop up a prompt for admin password, like what happens when you unlock a locked control pannel in system prefs when logged in as admin
Originally posted by admactanium
i don't think there's a significant advantage to using the computer regularly as a regular user rather than admin because you'd have to type in your admin password to install anything. since right now the only way os x gets malware is by voluntarily entering your admin password, it's all up to you to keep track of what you install.
I agree with this. Every mac i've worked on has been run as an administrator. What your not supposed to run under is the root user.
Mac OS X Security Out of the Box
Following the initial install, Mac OS X is fairly secure. A few simple tweaks make it even more secure. But before we get to those changes, there are a few things you should notice during the install process.
Administrative Accounts
The first account created on a Mac OS X system is an administrative account. If possible, this account should not be the account you commonly use; it should be reserved for making changes to the system and installing system-wide applications. After installing Mac OS X, go into the Users item in System Preferences create a new account without administrative access. For your common tasks, log in as that user.
This is an excerpt from the following URL:
http://developer.apple.com/internet/...rityintro.html
If I understand this correctly, Apple encourages the regular use of a non-administrative account for highest level of security.
John
Originally posted by WelshDog
So I'm logged in as standard user.
I want to install an application.
What happens? Do I have to log out, log back in as admin and then install?
Seems like a pain.
You'll be presented with a dialog box to input the admin user name and associated password. If entered correctly the application will install.
Originally posted by icfireball
It's a great security feature that almost all critical changes require a password.
i agree. but the thing is, when you want to install something in your non-admin account you're still going to type in the admin password to install it. so what's the big difference other than you'd have to type in your admin username as well as admin password? as far as i can tell it just doesn't make that much difference for security and it definitely doesn't make any difference for security against trojans, or user-action-required macros. if you're going to make the mistake of installing that trojan, you still have to type in the admin password in both accounts.
YOU DON'T!
You create a new account that has admin access... Then you remove admin power from the account you are currently using! This way you still have all your files, settings, and watever. You just don't have admin access on your primary account anymore. This way when you want to install anything it asks for your administrator password, even for dragging an icon into the applications folder.
Why would you want to transfer all your files and stuff to the new administrator account? It would defeat it's purpose if you use the new administrator account as your primary account.
Originally posted by admactanium
huh. so i guess this trojan doesn't require a password if you're running as admin. i stand corrected. guess i'll make me some admin accounts now.
Yes, correct. I didn't realize this at first. Admin privileges allow some things in the App folder to be modified without asking for password.
This article made it very clear to me:
http://www.chaosmint.com/macintosh/a...rability.shtml
Originally posted by WelshDog
Yes, correct. I didn't realize this at first. Admin privileges allow some things in the App folder to be modified without asking for password.
This article made it very clear to me:
http://www.chaosmint.com/macintosh/a...rability.shtml
Last week if you told me to do this, I would have told you you were crazy since OS X is secure by design.
But after this recent spate of vulnerabilities, I decided it's best not to take any chances.
It makes things more annoying when using the command line. Now I need to su into my admin account and then sudo (with my admin user password) whenever I want to run a command that affects my system or any file/directory under the admin group.
It also has a psychological effect when the prompt asks your for your username AND password. It makes you pause to think instead of blindly entering your password.
Still, it might lead to a sort of crying wolf syndrome, where you're installing a program that you would expect to modify only your Applications directory that tries to modify a critical system directory. If you had access to Applications, this would have raised a red flag that something was seriously wrong, but since all operations require a username/password, it doesn't.
Originally posted by fahlman
What is the command in the terminal that will show the the owner of all the files in the Applications directory?
ls -la /Applications/
The file owner is the third column from the left. Most will say "root". The next column is the group owner. Most will say Admin.