Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > Software - Troubleshooting and Discussion > macOS > Limited Administrator Account

Limited Administrator Account
Thread Tools
jstrauss
Fresh-Faced Recruit
Join Date: Feb 2007
Status: Offline
Reply With Quote
Dec 20, 2007, 01:56 PM
 
I've heard (and even read) about creating limited administrator accounts for Leopard clients. Where can I read more about it and details on setting up limited admin accounts?

Thanks!
     
larkost
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
Status: Offline
Reply With Quote
Dec 25, 2007, 01:59 PM
 
I don't have a direct source of documentation for you, but what you are looking for is means of modifying /etc/authorization. For things that are already setup in that file it is really easy to figure out, for the rest it is a bit more difficult.
     
CatOne
Mac Elite
Join Date: Nov 2001
Status: Offline
Reply With Quote
Dec 25, 2007, 06:07 PM
 
Originally Posted by jstrauss View Post
I've heard (and even read) about creating limited administrator accounts for Leopard clients. Where can I read more about it and details on setting up limited admin accounts?

Thanks!
There's no account called "limited administrator." You can remove functionality from any account (or... add it) by editing the /etc/authorization file.

Search Apple's knowledge base or afp548 for some details on this. A Google search will turn up a fair bit.

Note it's not so hard for a smart person to circumvent this... by default all administrators can sudo so you'd have to edit /etc/sudoers to remove this ability. Also, if they have physical access to the machine they can always boot it in target disk mode and have full access to the disk.

Anyway... you can do this to an extent, but there's no quick equivalent to a Windows "power user." You must do some work, and there's quite a learning curve for /etc/authorization.
     
Dave Pooser
Fresh-Faced Recruit
Join Date: Jan 2008
Status: Offline
Reply With Quote
Jan 5, 2008, 04:36 PM
 
Originally Posted by CatOne View Post
Anyway... you can do this to an extent, but there's no quick equivalent to a Windows "power user." You must do some work, and there's quite a learning curve for /etc/authorization.
Coincidentally, I've been presenting on this very topic for the last few years in the MacWorld IT Conference. Check out the session description for more info.

As a general rule, it's easier to start with a standard user than an admin, and you have to be aware that a lot of admin privileges are very hard to limit (running Installer packages, for instance, allows the user to run any arbitrary script)-- but between /etc/authorization and /etc/sudoers there's a lot you can accomplish.
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 09:12 AM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,