eXtensions

eXtensions - Tuesday 18 October 2016

System Preferences in macOS, Sierra: Users & Groups

By Graham K. Rogers

Users & Groups

Several panels in System Preferences remain unchanged with the update to macOS, Sierra. Users & Groups is used to create and control accounts used in OS X on a Mac including several security aspects as well as control of login items. The Users & Groups preferences have minor changes to the panel.

When a user opens the Users & Groups preference panel, the pane shows two main sections. To the left is basic information of the user account (or accounts). Below the list of users there are further controls: Login Options; Add/Delete account controls; and Set Master Password. As with other preferences, a padlock icon (bottom left) restricts access and an Admin username and password are needed to open this.

At the bottom of the left panel below the Login Options selector are plus (+) and the item: Set Master Password. This is an overarching password for FileVault which is turned on in Security & Privacy Preferences. It allows access to FileVault if a user has lost or forgotten the password. If the Master Password is forgotten all data encrypted by FileVault will be inaccessible.

To the right is a panel containing information about the highlighted account, with buttons for additional account information. The display will differ, depending on whether the account highlighted is Admin, current User, other User account or Guest.

Users (1)

If there is a single user account in macOS, by default that will have Administrator privileges. This is created when the Mac is first set up.

A user may click on the Add icon (+) to create a new account. This displays a panel with the type of account selected by a button and pull down menu. Options are Administrator, Standard, Managed with Parental Controls or Sharing only. A further item is available to create (or add) a group. It is also possible to create a managed account directly within Parental Controls.

Text boxes are available for Full Name and Account name. The full name may be anything the user wants. The Account name was formerly called the Short name. It is important that, once entered and the account created, this is not changed.

Users & Groups The Account name affects the behavior of the Home directory and any related functions, including access to data. This is the name the system will use. It will appear as the name beside the Home icon.

A password is entered at this time and needs to be verified. The option to use an iCloud Password is no longer shown. Setting up a computer to use the iCloud password is done when macOS is first installed.

If the new account is to use a separate password, there are two panels for the characters to be entered (password and confirmation). To the right of this sub-panel is a small key icon, which brings up a utility that can help a user select a password from the simple to highly complex (see below). A color bar indicates a security rating from red (poor) to green.

Below the password boxes is a text panel that allows a hint to be entered should the user forget the password. The hint appears if the wrong password is entered three consecutive times. A Support Document (PH25720) is available for help in ways to reset the password if it has been forgotten. There are several changes to the ways this may be done.

Users & Groups The Password Assistant panel helps a user to choose a password that is somewhat stronger than ABC123 (a common choice). There are five types of password (as well as Manual): Memorable, Letters & Numbers, Numbers Only, Random and FIPS 181 Compliant. This last creates a password that is to an acceptable Federal Information Processing Standard.

FIPS 181 paswords are all lower-case characters (no numbers) while Random introduces a number of numerical and other characters to the mix. The "Memorable" selection uses word-mixes that have some suggestions that may be easier to remember (e.g. causeways45440/antibiotic) although not too easy to crack.

A slider allows the length of the password to be adjusted, from 8 to 31 characters. Below is a color indicator that runs from red through yellow then green. Red is a weak password, while green is good. As the password is being created in the Assistant, so the data is entered in the Account password box.

Unfortunately some users try to use the Enter/Return key instead of a password. This is a dangerous way to try and avoid password use: a warning is given if this is used. I am aware that some users here, for whatever reason, have asked retail outlets to set up their computers. I am not sure if this practice still continues. When this is done, the store used the account name, Apple (or the User's first name) and the Enter/Return key instead of a password.
This weak account/password was used by a retail outlet here when my iMac had a hard disk replaced. However, I updated OS X immediately, set up two proper accounts and deleted the one named Apple. Many users do not change either of these, leaving their machines vulnerable.

Once a password is entered and verified - the two entries must match - we may either press Cancel or Create User: macOS will make a new user account which takes a few minutes.

At the bottom of the New Account type panel is the option, Group. If this is selected, the panel for creating a new account is reduced to Full Name only. Once created, a new panel is available with the accounts on the computer listed. Checkboxes beside each of these allow them to be added to membership of the group (see Notes - below). A new group panel shows any groups that already exist, so a group could itself be added to a new group.

Users (2)

The main panel, right of the users list, displays information about the current user (or a highlighted user when the padlock icon is open). At the top is the users icon - also displayed in the list of users at login and when the computer is started.

When the cursor is passed over the picture, the word, "edit" appears. Clicking on that allows the selection of another image in a redesigned panel that appears.

The panel for selection of an image or icon is now in several sections, starting Current, Defaults, Camera and Photos. These are followed by links to the different applications libraries, such as Photos and more. Defaults will display a panel of Apple installed images. At the bottom of the panel are Cancel and Save buttons.

To the right of the user icon in the active account is a button marked Change Password. This brings down a panel that allows a change to be made. To create a new password with this panel, the Old password must be entered first. When accessing other accounts, there is a Reset Password button instead.

A button below is "Contacts Card". When pressed this opens at the user's card in the Contacts application.

Finally in the Password panel there are three checkboxes:

Allow user to reset password using Apple ID
Allow user to administer this computer (see Notes - below)
Enable parental controls. A button alongside allows access to the Parental Controls preference panel.

Login Items

The Login Items section displays a panel with a list of those items that a user requires to be available at startup (see Notes, below). The list is in three sections: a checkbox to allow the application to be hidden; the name of the application; and the kind (usually, Application).

Below are + and - icons to add or delete items. Pressing + brings up a Finder window and we may select an application or file (e.g. mp3) to open at startup. Selecting a music file will also open a suitable application (e.g. iTunes).

Examples of Applications set to load at Login

Login Options

At the bottom of the user panel (on the left) there is a house icon marked Login Options. Clicking on this opens a panel for more fine-tuning of the account. At the top is the Automatic Login button. This is ON by default (when the computer is new). Many commentators on using Macs suggest that this should be disabled (OFF) for improved security: users must enter passwords to access their accounts.

It may be selected for specific accounts, so that when a computer is turned on, that account is always opened. This could be a useful strategy for preventing access to accounts with sensitive or private data and drawing others to a safe account: a honeypot.

Two radio buttons are available for the choice of account information when the computer is started:

List of users (names and user icons)
Name and password (simple text boxes).

The latter is more secure.

Below are five check boxes:

Show the Sleep, Restart and shot Down buttons (This is for the display on the login panel)
Show input menu in login window (allows selection of different language keyboards);
Show password hints (if a password is forgotten);
Show fast user switching menu as
- Full Name
- Account Name
- Icon
Use VoiceOver in the Login window

With fast user switching it is possible to switch between accounts without logging out or closing applications each time. A menu to effect the switch to another account is on the menu bar.

At the bottom of the panel, next to the words, Network Account Server, is a button marked, "Join". Pressing this opens a panel in which the user may specify either the address of an Open Directory Server or Active Directory Domain. When Server details are entered we press OK (or Cancel).

A button to the left of this panel opens Directory Utility, revealing panels with Services, Search Policy and a Directory Editor. Users should be careful of adding, altering or deleting any information in Directory Services unless they are fully aware of what they are doing. It is suggested that this is only used under the guidance of a System Administrator. Also see Notes, below.

Notes

A group account gives the same privileges to two or more members and when specific file access privileges are assigned, all group members share those privileges. This is intended to help when sharing files or using shared folders.

We may add a group (once it has been created) by highlighting a file and choosing Get Info (Command + i). File permissions are at the bottom of the panel revealed and when the padlock icon is unlocked, users may press the + icon to add a user or group and set permissions for the added user/ group.

When adding accounts, users should not usually have more than one Admin account to avoid confusion. However a second Admin account can easily be setup temporarily for trouble-shooting. It may be removed after the problem is solved.

When installing some applications, a user is given the option to make them open at login. This may also be selected by highlighting an icon in the Dock and selecting Options. Users should be aware that too many items, or items with a large CPU/memory requirement (such as some suites) may be a drag on resources.

Login items may also be the cause of conflicts that are not easy to track down. Starting a computer in Safe mode (with the Shift key pressed) does not load these items and this may be a way to track down problems that are being caused this way.

Users are strongly urged to use a password - and preferably one that is strong - with random characters. Using Password Utility (above) can create a strong password but this may be hard to remember. In this situation I write the password on a piece of paper which is locked away in a drawer. An easy to remember password is also easy to break or guess.

The Open Directory Server "stores and organizes information about a computer network's users and network resources and which allows network administrators to manage users' access to the resources" (Wikipedia) and is an Apple solution.