Managing User Accounts and Groups


The system administrator's job includes adding new users to the system and managing the ability of various groups to access different parts of the file system (review Chapter 8).

The easiest way to add a user in Mac OS X is with the Accounts pane in System Preferences (see the following task). This not only adds the user, but it also creates his or her home directory and several files that each user needs.

It is possible to add a user to your system using the command line, but the process is rather complex and is beyond the scope of this book. (If you really must know how, see the sidebar "Adding a User from the Command Line," later in this chapter.)

Adding and deleting users with System Preferences

The Mac OS X System Preferences is a GUI interface for many basic administrative tasks. You access System Preferences from the Apple menu or from the Dock.

To create a new user:

1.
Choose System Preferences from the Apple menu or click its icon in the Dock. The main System Preferences window opens (Figure 11.3).

Figure 11.3. The System Preferences window.

2.
Click the Accounts icon.

The Accounts pane opens showing the list of users on the left (Figure 11.4).

Figure 11.4. The Accounts pane of System Preferences, showing users.

All the current regular users are shown (not shown are special system accounts, including the root account).

3.
Click the lock icon.

You will get a dialog asking for your user name and password (Figure 11.5). This is basically the Aqua version of using sudo: you are about to assume root privileges for this task. Fill in the dialog and click OK.

Figure 11.5. The Authenticate dialog, asking for your user name and password.


4.
Back in the Accounts pane, click the plus (+) button, just above the lock icon.

A dialog slides down with fields for the new user's information (Figure 11.6).

Figure 11.6. The dialog that appears when you click the plus button on the Accounts pane.


5.
Fill in the Name and Short Name fields for the new user.

The Name field is just the everyday name, typically including both first and last name. Mac OS X uses the term short name for what all Unix systems call the user name or login name. On many Unix systems the short name must be eight characters or less and should consist only of lowercase letters and numbers, so you may want to stick with that to be consistent with other Unix systems. But in Mac OS X since 10.2, you can use up to 255 bytes for the short user name. (Note, however, that bytes does not mean characters, because there are multibyte characters, for example, in Japanese.)

6.
Fill in the user's new password.

You type the password twice, and it is displayed as a series of bullets (so someone looking over your shoulder won't see it).

7.
If you click the key icon next to the Password field (see Figure 11.6), you get the cool Password Assistant dialog (Figure 11.7), which will help you create a good password.

Figure 11.7. The Password Assistant dialog.


You may fill in a "password hint" for the user. This will show up in the Aqua Login window if he or she fails three login attempts in a row. (The hint option must also be set in the Login Options pane of the Accounts preferences pane.)

8.
If you want the new user to have root access on the machine, check the box next to "Allow user to administer this computer."

Figure 11.8 shows an example of the new-user dialog filled in and ready to save.

Figure 11.8. The new user dialog all filled in and ready to save.


9.
Click Create Account.

At this point the new user has been added to the system, and that person can log in.

The new-user dialog slides away and the Accounts pane shows the new user's name in the list (Figure 11.9).

Figure 11.9. The Accounts pane, showing the new user added to the list.

The new user's home directory has been created, along with various subdirectories such as his or her Documents folder. Also, a configuration file for the Apache Web server is created for the new user in /etc/httpd/users/.

Add more users if you like.

10.
Quit System Preferences.

Tip

  • Passwords are the backbone of system security. If a malicious person obtained a user's password, he or she could cause serious harm to that person's system: disabling it altogether, obtaining root privileges, or copying any information on the system. Be very careful about giving users the ability to "administer this computer," since that essentially gives them root access and the ability to take complete control of the machine.


Occasionally you'll need to remove a user, and you can use System Preferences to do that as well. It gives you a choice about whether or not to completely delete the user's home directory; the default behavior is to create a disk-image file (a .dmg file) of the user's home directory and place that file in the /Users/Deleted Users directory.

To remove a user:

1.
Open System Preferences.

2.
Click the Accounts icon.

3.
Select the user from the list.

4.
Click the minus (-) button at the bottom of the list of users (see Figure 11.9).

You will get a dialog asking if you want to delete the user's home directory immediately or allow a disk image to be placed in /Users/Deleted Users.

5.
Choose either OK or Delete Immediately.

If you allow the disk image to be created, you can always remove it later.

6.
Quit System Preferences.

Choosing a Safer Password

Good passwords always have a combination of letters, numbers, punctuation marks, and symbols (!@#$%^&*_+-=":;'><,.?/\), and never contain a dictionary word. For example, secret23 would be a terrible password, far too easy for a computerized guessing program to figure out.

One way to make a good password is to use the first letter from each word in a song lyric or poem, and change some of the characters to numbers and punctuation. For example, the lyric "Sporting 50-dollar sneakers and all the money's spent" (from Grandmaster Flash's "All Wrapped Up") might become the password S50$s&atm.

In addition to the root password, all user passwords, especially those for admin users, must also be excellent in order for your system to have good security. In Mac OS X, having an admin user's password is equivalent to having the root password. (We'll go into more about choosing good passwords in Chapter 12, "Security.")
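The sidebar's rules can be turned into a quick check. The function below is an added example, not code from the book: it rejects a candidate that is short, contains a listed word, or lacks letters, digits, or punctuation. The 8-character minimum and the tiny COMMON_WORDS list are assumptions for this demonstration; a real checker would use a full word list.

```shell
# Added example (not from the book): check a candidate password against the
# sidebar's rules. Assumptions: a minimum length of 8 characters and the tiny
# constructed COMMON_WORDS list; a real checker would use a full word list.
COMMON_WORDS='secret password letmein welcome qwerty'

# Returns 0 when the password passes every rule; otherwise prints the first
# rule it fails and returns 1. The word check is case-insensitive.
check_password() {
    pw=$1
    if [ "${#pw}" -lt 8 ]; then
        echo "too short (fewer than 8 characters)"; return 1
    fi
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for word in $COMMON_WORDS; do
        case $lower in
            *"$word"*) echo "contains the word '$word'"; return 1 ;;
        esac
    done
    case $pw in *[A-Za-z]*) ;; *) echo "no letters"; return 1 ;; esac
    case $pw in *[0-9]*)    ;; *) echo "no digits";  return 1 ;; esac
    case $pw in
        *[!A-Za-z0-9]*) ;;
        *) echo "no punctuation marks or symbols"; return 1 ;;
    esac
    echo "ok"
}

# Demonstration on the sidebar's two examples: secret23 fails on the word
# "secret"; S50$s&atm passes every rule.
for candidate in 'secret23' 'S50$s&atm'; do
    printf '%-12s %s\n' "$candidate" "$(check_password "$candidate")"
done
```

The word check runs before the character-class checks so that the reason reported for secret23 is the one the sidebar gives: it is a dictionary word with digits tacked on.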


Tip

  • There may be files outside the user's home directory that were owned by that user. For example, if you are running a Web server, you may have allowed users to put HTML files in /Library/WebServer/Documents. You can create a list of all the files in a directory that are owned by unknown users with the -nouser option to the find command:

    sudo find /Library/WebServer/Documents -nouser > orphanlist.txt

    You can then look at the resulting list and decide which files to delete and which to change the ownership of (so that they are owned by a user still on the system).


Adding a User from the Command Line

OK, you want to be a hotshot Unix sysadmin. At the end of this sidebar we provide a list of things you have to do to add a user from the command line. Each of these steps has several substeps.

Before trying this, download the Apple documentation for Mac OS X Server Command-Line Administration: http://images.apple.com/server/pdfs/Command_Line_v10.4.pdf, and please experiment on a noncritical machine.

The documentation in the PDF file mentioned above refers to some command-line tools (serversetup, dsimport, createhomedir, and so on). One of them, serversetup, is not installed in the non-Server version of Mac OS X. So unless you are working on the Server version, you will not be able to create new admin users from the command line or perform some of the tests that the documentation describes. The tools are installed in different places on the Server and non-Server versions of Mac OS X. In the non-Server version these commands are installed in /usr/bin and /usr/sbin, so they are already in your PATH. (See Chapter 7 for more about your PATH.)

Here is the basic process:

1.
Create a text file containing the required information for the user(s) you are adding. The PDF file mentioned above has examples of this file.

2.
Use the dsimport command to import the file. See man dsimport .

3.
Use the createhomedir command to create home directories for the user(s). This will also populate the directories with the appropriate files. See man createhomedir .

Note: There is a command-line tool called dsidentity that can be used to create a limited type of user account at the command line. The dsidentity tool is intended for creating accounts that are used only for remote file sharing and similar purposes. See man dsidentity for more.


Managing passwords

Perhaps the most common task for a system administrator is to help users who have forgotten their password. While there is no easy way to find a user's current password, it can be changed easily. You can use System Preferences, but you can also do this easily from the command line. Refer to Figure 11.10 throughout the following task.

Figure 11.10. Changing a user's password with the passwd command.

To change a user's password:

1.
sudo passwd username

The user name argument is the same as the short name that was entered when the user's account was created. For example,

sudo passwd sarafina

If you haven't used sudo in the last 5 minutes, you are prompted for your password, with just

Password:

After you enter your password, or if you have recently used sudo, you will see a prompt from the passwd command.

2.
Enter the user's new password.

3.
Reenter the new password.

Because the passwords are not displayed, you have to enter them twice to make sure you have it right. If the entries don't match, you'll be prompted to enter them again.

Tips

  • Use a secure method to tell the user his or her new password, that is, in person or on a phone line you trust. Never send an (unencrypted) password over e-mail or leave it on a voice-mail system.

  • The Mac OS X keychain knows when you've changed your password and will prompt you to update your keychain the next time you use it.


Changing a user's login shell

Although it's not as common an activity as changing passwords, system administrators occasionally are asked (or decide) to change a user's login shell. For example, a user might want to use the tcsh shell as his or her login shell instead of the Mac OS X default (which is bash).

The command-line tool for changing a user's shell in Darwin and Mac OS X is quite different from that used in other versions of Unix (in which you would probably use either usermod or chsh). Darwin and thus Mac OS X use a different system than other flavors of Unix to store and access all the system-configuration information, such as users, groups, and mounted disks. See the sidebar "About lookupd, Open Directory, and Directory Service."

The main command-line tool for dealing with the Directory Services system is dscl (Directory Service command line), and that's what you'll use in the following task (Figure 11.11).

Figure 11.11. Using dscl to change a user's login shell from /bin/bash to /bin/tcsh.

localhost:~ vanilla$ sudo dscl . -change /users/name=puffball UserShell /bin/bash /bin/tcsh
Password:
localhost:~ vanilla$ dscl . -read /users/name=puffball UserShell
UserShell: /bin/tcsh
localhost:~ vanilla$

About lookupd, Open Directory, and Directory Service

All Unix systems need a way to store and retrieve system-configuration information about users, groups, networks, and disks. On many other Unix systems, this data is stored (primarily) in text files in the /etc directory. For example, /etc/passwd usually has all the user accounts, and /etc/group has the list of groups.

While Mac OS X/Darwin is able to use the traditional /etc files (which it calls BSD Flat Files) to manage system-configuration information, at a more fundamental level it uses a system called Open Directory, which uses the DirectoryService and lookupd daemons. Apple has rewritten the low-level software libraries (get_pw for you C hackers) so that they use lookupd. The lookupd daemon can use a variety of data sources, including BSD Flat Files, Apple's legacy NetInfo database (see the sidebar "Deeper into NetInfo"), an LDAP server, and more. For more on lookupd, see man lookupd. For more on Directory Services, see man DirectoryService and http://developer.apple.com/darwin/projects/opendirectory/.


To change a user's login shell:

1.
sudo dscl . -change /users/username UserShell oldshell newshell

For example, to change the shell for user puffball from /bin/bash to /bin/tcsh, the command line is

sudo dscl . -change /users/puffball UserShell /bin/bash /bin/tcsh

If sudo prompts you for your password, enter it.

Now you can check that the change took place:

2.
dscl . -read /users/username UserShell

For example:

dscl . -read /users/puffball UserShell
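A wrapper for the two-step task above, added here as an example and not taken from the book: it refuses to set a login shell that is not listed in an /etc/shells-style file, reads the user's current UserShell so the old value passed to dscl -change is right, and only then runs the same dscl commands the task shows. The dscl invocations are the book's; the /etc/shells check, the function names, and the constructed SAMPLE_SHELLS text are this example's own assumptions.

```shell
# Added example (not from the book): change a login shell only if the new
# shell is listed in /etc/shells. The parsing functions read text on stdin
# so they can be exercised offline on a constructed sample; only
# change_login_shell touches the real system (and needs dscl and sudo).
SAMPLE_SHELLS='# constructed sample of /etc/shells
/bin/bash
/bin/csh
/bin/sh
/bin/tcsh
/bin/zsh'

# shell_allowed SHELL: reads an /etc/shells-style list on stdin; succeeds
# only if SHELL appears as a whole line (comments and blank lines ignored).
shell_allowed() {
    awk -v want="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# current_shell_from_record: turns "UserShell: /bin/bash" (the output of
# dscl . -read /users/NAME UserShell) into "/bin/bash".
current_shell_from_record() {
    awk '$1 == "UserShell:" { print $2 }'
}

# change_login_shell USER NEWSHELL: validate NEWSHELL, look up the old
# value, then run the same dscl -change and dscl -read as the task above.
change_login_shell() {
    user=$1; newshell=$2
    if ! shell_allowed "$newshell" < /etc/shells; then
        echo "refusing: $newshell is not listed in /etc/shells" >&2
        return 1
    fi
    oldshell=$(dscl . -read "/users/$user" UserShell | current_shell_from_record)
    if [ -z "$oldshell" ]; then
        echo "no UserShell record found for $user" >&2
        return 1
    fi
    sudo dscl . -change "/users/$user" UserShell "$oldshell" "$newshell" &&
        dscl . -read "/users/$user" UserShell
}

# Offline demonstration of the check against the constructed list.
for candidate in /bin/tcsh /usr/local/bin/oddshell; do
    if printf '%s\n' "$SAMPLE_SHELLS" | shell_allowed "$candidate"; then
        echo "$candidate: listed"
    else
        echo "$candidate: not listed"
    fi
done
```

On a real machine you would call change_login_shell puffball /bin/tcsh; the check is what keeps a typo (or a request for an arbitrary program) from becoming someone's login shell.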

Tips

  • The dscl utility provides many tools for reading and changing system-configuration settings. See man dscl for the complete story.

  • An interesting feature of dscl is that it offers an interactive shell-like interface. If you run

    sudo dscl .

    you will get a prompt (just a >) from which you can navigate around the data hierarchy using cd and ls, and issue all of the various dscl commands, such as read, change, search, and so on. Again, see man dscl for more. Using dscl in interactive mode to change a user's shell could look like this:

    localhost:~ vanilla$ sudo dscl .
    > change /users/puffball UserShell /bin/bash /bin/tcsh
    > read /users/puffball UserShell
    Usershell: /bin/tcsh
    > quit
    localhost:~ vanilla$


Tracking who uses the system

Every time a user logs in, entries are made in three log files. These files enable you to see who is currently using the system and a history of logins to the system.

Table 11.2 lists these files and the commands used to view them.

Table 11.2. Files Used to Track User Logins

File              Purpose and Commands
----              --------------------
/var/run/utmp     Shows who is logged in right now (tmp stands for temporary). Used by the users, w, and who commands.
/var/log/wtmp     Records each login and logout. A binary file, not human-readable. Used by the last and ac commands. This file is "rolled over" every month by the script /etc/monthly. See "Running Regularly Scheduled Commands," later in this chapter.
/var/log/lastlog  Records the date and time of each user's last login. The date of the last login is displayed when logging in via a command-line interface (for example, when you open a new Terminal window).


Using the commands listed in Table 11.2, you can see a good deal of information about who was and is using your system.

To see a list of users logged in right now:

  • users

    The users command simply lists the user name of anyone who is currently logged in. The output looks like this:

    vanilla matisse puffball

To see a list of users and where they logged in from:

  • who

    The who command shows you one line for each login shell each user is running. So if you had three Terminal windows open and another user was logged in over the Internet, who would show five entries (Figure 11.12).

    Figure 11.12. Annotated output from the who command.


    That's one entry for your Aqua login (the console entry), the three Terminal windows (the ttyp1, ttyp3, and ttyp4 entries), and an entry for a user logged in over the Internet. The entry for the remote user shows where he or she is logged in from (the host well.com).

    ttyp means teletypewriter, pseudo. In the old days, people used electromechanical teletypewriters (TTYs) to log in to computers; now those TTYs are emulated in software, hence the pseudo.

    Using the -H option adds a line of headings to the output.

    The -u option adds the idle time for each entry (in hours:minutes).

    Figure 11.13 shows the output with the -Hu options.

    Figure 11.13. Output from the who command with -Hu options.

    localhost:~ vanilla$ who -Hu
    NAME        LINE          TIME          IDLE     FROM
    vanilla     console       Jul 9 16:55   22:32
    vanilla     ttyp1         Jul 9 12:55   .        (g5-imac.matisse.)
    matisse     ttyp2         Jul 9 10:36   .        (well.com)
    vanilla     ttyp3         Jul 6 12:39   00:09
    vanilla     ttyp4         Jul 9 10:37   00:09
    localhost:~ vanilla$

Deeper into NetInfo

The NetInfo system is being phased out of Mac OS X/Darwin but is still in use as of Mac OS X 10.4 and probably will be for a while. NetInfo was originally a hierarchical directory service system like LDAP or Active Directory, but it is now used solely for storing local configuration information. The data stored in NetInfo is mostly data that is stored on other Unix systems in plain-text files: The file /etc/passwd has the list of all users, their home directories, and their login shells. In Darwin, /etc/passwd is used only when the machine is in single-user mode, but on most Unix systems, /etc/passwd is the only database of users.

The official Apple overview of the NetInfo system is available as a PDF document at www.apple.com/server/pdfs/UnderstandingUsingNetInfo.pdf.


To see who is logged in and what they are doing:

  • w

    The w command shows output similar to who -Hu but adds a line of information reporting system uptime and load (actually, it is the output from the uptime command; see "Monitoring System Usage," later in this chapter). It also tries to show the last command that each user executed. Figure 11.14 shows output from w on a Mac OS X system, and Figure 11.15 shows partial output from w on another Unix system (running Sun's Solaris 2.6 operating system). Notice that the Solaris system had 152 users logged in at the time the command was run. Also notice the customized shell prompt (Love ya babe 34:) at the top of the code listing.

    Figure 11.14. Output of w on Mac OS X.

    localhost:~ vanilla$ w
    11:15AM  up 3 days, 11:53, 5 users, load averages: 0.39, 0.48, 0.60
    USER     TTY FROM      LOGIN@   IDLE   WHAT
    vanilla  co  -         Sat08AM  21:38  -
    vanilla  p1  -         10:31AM  -      bash
    matisse  p2  well.com  10:36AM  -      find
    vanilla  p3  -         Sat12PM  -      mail
    vanilla  p4  -         10:37AM  -      w
    localhost:~ vanilla$

    Figure 11.15. Abbreviated output from w on a machine running Sun's Solaris 2.6 version of Unix.

    Love ya babe 34: w
     11:20am  up 20 day(s), 5:08,  152 users,  load average: 5.98, 6.62, 6.74
    User      tty      login@   idle  JCPU  PCPU  what
    java      pts/3    5:49am   41    22    16    -bash
    swede     pts/8    10:49am  5     5     4     /usr/local/lib/mailwrapper/pine
    fluffer   pts/15   11:04am  4     4           more
    maxie     pts/35   6:14am   1:32  55          -picospan
    flute     pts/58   11:06am  7     2     2     extract -g -f weblog -J -k web /
    bottle    pts/44   10:36am              2     ped -t -z /home/b/o/bottle/.muse
    risc      pts/19   11:11am  3                 more
    artgrrl   pts/41   8:35am   1     1     1     ssh -l artgrrl artgrrl.net
    omni23    pts/100  11:14am                    lynx villagevoice
    starboy   pts/13   11:14am        2           -bash
    bunch     pts/60   10:26am  39    8     5     -picospan
    bloomsb   pts/162  10:07am        1:08  38    irc NihiAtWrk irc.wagill.com
    libre     pts/134  10:48am  2     2     2     /usr/bin/vi /home/l/i/libre/cf.buf
    pwolf     pts/90   9:53am   1:28              /usr/bin/ksh
    ....output abbreviated....

To see a history of logins for all users:

  • last

    The last command shows a history of all sessions (login/logout pairs) for the current month (Figure 11.16).

    Figure 11.16. Output from the last command showing all login sessions, reboots, shutdowns, and crashes for the current month.

    localhost:~ vanilla$ last
    vanilla   ttyp4                       Tue Jul  9 10:37   still logged in
    matisse   ttyp2     well.com          Tue Jul  9 10:36 - 11:20     (00:43)
    vanilla   ttyp1                       Tue Jul  9 10:31   still logged in
    vanilla   ttyp2                       Tue Jul  9 10:31 - 10:36     (00:05)
    vanilla   ttyp3                       Sat Jul  6 12:39   still logged in
    vanilla   ttyp2                       Sat Jul  6 10:29 - 10:31     (3+00:02)
    puffball  ttyp2                       Sat Jul  6 08:43 - 10:29     (01:45)
    vanilla   ttyp1                       Sat Jul  6 08:34 - 10:09     (01:35)
    matisse   console   user-112uhed.biz  Sat Jul  6 08:32   still logged in
    root      console                     Fri Jul  5 12:30 - 12:32     (00:01)
    vanilla   console   user-112uhed.biz  Fri Jul  5 12:29 - 12:30     (00:00)
    puffball  ttyp1     playroom.matisse  Thu Jul  4 11:00 - 12:36     (1+01:35)
    vanilla   ttyp2                       Tue Jul  2 16:45 - 14:21     (2+21:36)
    vanilla   ttyp1                       Tue Jul  2 16:35 - 11:00     (1+18:24)
    vanilla   console   user-112uhed.biz  Tue Jul  2 16:23 - 12:29     (2+20:05)
    reboot    ~                           Tue Jul  2 16:20
    shutdown  ~                           Tue Jul  2 16:14
    root      console   user-112uhed.biz  Tue Jul  2 16:14 - 16:14     (00:00)
    vanilla   ttyp2                       Tue Jul  2 15:06 - shutdown  (01:08)
    puffball  ttyp1                       Tue Jul  2 15:04 - shutdown  (01:09)
    vanilla   ttyp1                       Tue Jul  2 15:04 - 15:04     (00:00)
    vanilla   ttyp3                       Tue Jul  2 11:53 - shutdown  (04:20)
    matisse   ttyp1                       Tue Jul  2 10:10 - 15:04     (04:53)
    vanilla   ttyp2                       Mon Jul  1 21:43 - 15:06     (17:22)
    vanilla   ttyp1                       Mon Jul  1 21:42 - 10:10     (12:27)

    wtmp begins Mon Jul  1 09:18
    localhost:~ vanilla$

    Besides showing user sessions, the last log also shows entries for shutdowns, reboots, and crashes.

    The information is taken from the /var/log/wtmp file, which is emptied out and started again each month by the /etc/monthly script. Last month's file is /var/log/wtmp.0.gz, the prior month is wtmp.1.gz, and so on up to wtmp.4.gz. You can uncompress the older files and supply the filename as an argument with the -f option to last to look at a previous month's data:

    cd /var/log
    sudo gunzip wtmp.2.gz
    last -f wtmp.2
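The login history is most useful when you actually look for something in it: sessions from hosts you do not recognize, and every root session. The script below is an added example, not code from the book. On a real system you would pipe the output of last (or last -f wtmp.2 for an older month) into these functions; here the input is SAMPLE_LAST, a constructed sample laid out like Figure 11.16. The function names, the sample, and the 203.0.113.7 address in it are this example's own.

```shell
# Added example (not from the book): a small audit over the login history
# that `last` prints. Replace `printf '%s\n' "$SAMPLE_LAST"` with `last`
# on a real machine. SAMPLE_LAST is a constructed sample.
SAMPLE_LAST='vanilla   ttyp4                       Tue Jul  9 10:37   still logged in
matisse   ttyp2     well.com          Tue Jul  9 10:36 - 11:20  (00:43)
puffball  ttyp2                       Sat Jul  6 08:43 - 10:29  (01:45)
matisse   console   user-112uhed.biz  Sat Jul  6 08:32   still logged in
root      console                     Fri Jul  5 12:30 - 12:32  (00:01)
puffball  ttyp1     playroom.matisse  Thu Jul  4 11:00 - 12:36  (1+01:35)
root      ttyp3     203.0.113.7       Thu Jul  4 03:12 - 03:40  (00:28)
reboot    ~                           Tue Jul  2 16:20
shutdown  ~                           Tue Jul  2 16:14

wtmp begins Mon Jul  1 09:18'

# remote_sessions: prints "user host" for each session that came from a
# remote host. In `last` output the third column is a weekday name when the
# login was local; anything else in that column is the originating host.
remote_sessions() {
    awk 'NF >= 4 && $1 != "reboot" && $1 != "shutdown" && $1 != "wtmp" &&
         $3 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { print $1, $3 }'
}

# root_sessions: every session where the account was root, local or remote.
root_sessions() {
    awk '$1 == "root" { print }'
}

# unexpected_hosts HOST...: remote sessions whose host is not among the
# allowlisted hosts given as arguments.
unexpected_hosts() {
    remote_sessions | awk -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print }'
}

# Offline demonstration: well.com and the office machine are expected;
# anything else, and every root session, is worth a second look.
echo "remote sessions from hosts outside the allowlist:"
printf '%s\n' "$SAMPLE_LAST" | unexpected_hosts well.com user-112uhed.biz
echo "root sessions this month:"
printf '%s\n' "$SAMPLE_LAST" | root_sessions
```

Because wtmp is rolled over monthly, run the same functions over the uncompressed wtmp.N files if you need to look further back than the current month.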

To see a history of all logins for one user:

  • last username

    If you supply a user name as an argument to last , it limits the output to the sessions for that user. For example,

    last puffball

    gives output like that in Figure 11.17.

    Figure 11.17. Output from last showing only one user.

    localhost:~ vanilla$ last puffball
    puffball    ttyp2                       Sat Jul  6 08:43 - 10:29       (01:45)
    puffball    ttyp1     playroom.matisse  Thu Jul  4 11:00 - 12:36       (1+01:35)
    puffball    ttyp1                       Tue Jul  2 15:04 - shutdown    (01:09)

    wtmp begins Mon Jul  1 09:18
    localhost:~ vanilla$

Tip

  • You can use last with the pseudouser names reboot, shutdown, and crash to see all the corresponding entries in the last log. For example,

    last reboot

    shows all the reboots this month.


To see a summary of login times:

  • ac

    Short for connect time accounting, this shows the total of all sessions since the start of this month (the data comes from /var/log/wtmp).

    For example, the output could be

    total 197.15

    You can supply a list of one or more user names to get a total for the selected users only. For example,

    ac puffball

    shows a total (in hours:minutes) of all of puffball's sessions for the current month, and

    ac puffball vanilla

    shows the total for the two users.

    You may use the -p option to get a per-user breakdown of the time, or the -d option to get a daily subtotal, but not both.

    Figure 11.18 shows several different results for the ac command with different arguments and options.

    Figure 11.18. Output from using the ac command with a variety of arguments and options.

    localhost:~ vanilla$ ac
            total          197.22
    localhost:~ vanilla$ ac -p
            vanilla        196.20
            root             0.29
            puffball         0.73
            total          197.22
    localhost:~ vanilla$ ac -d
    Jul  3  total           62.19
    Jul  4  total           24.00
    Jul  5  total           23.97
    Jul  8  total           72.00
    Jul  9  total           15.06
    localhost:~ vanilla$ ac vanilla
            total          196.20
    localhost:~ vanilla$ ac puffball vanilla
            total          196.94
    localhost:~ vanilla$ ac -p puffball vanilla
            vanilla        196.21
            puffball         0.73
            total          196.94
    localhost:~ vanilla$ ac -d vanilla
    Jul  1  total           14.35
    Jul  3  total           47.84
    Jul  4  total           24.00
    Jul  5  total           23.69
    Jul  8  total           72.00
    Jul  9  total           14.34
    localhost:~ vanilla$

Tip

  • You can use the -w option for ac to have it read a different file from the default.

    For example,

    cd /var/log
    sudo gunzip wtmp.0.gz
    ac -w wtmp.0 -p

    shows a per-user summary (the -p option) for the month whose data is in the file.


Managing groups

In Chapter 8, you learned about how Unix uses groups to grant permission for various file operations (read, write, execute) to groups of users. And earlier in this chapter, you learned that Mac OS X allows any user in the admin group to use sudo to execute commands as root.

In this section we're going to show you how to change a user's group assignment, and how to add and remove groups. A common reason to create a new group is if you have several people using your computer and want to allow some of them to have write permission in a directory where the other users do not. You would create a new group and put each of the team members into that group. Users can be members of many groups.

You will be using a Darwin-only tool called dseditgroup to manage group information, as well as the Darwin-only nireport and dscl .

To see all the groups a user belongs to:

  • groups username

    For example,

    groups puffball

    lists all the groups that puffball is a member of, for example,

    puffball www

Tip

  • Supposedly, the groups command is being made obsolete by the id command, which has several options and can show more information about a user. Unfortunately, the id command is quite different on different Unix systems. In Mac OS X,

    id -Gn username

    behaves the same as

    groups username

    See man id for more.


To see a list of all the groups:

  • dscl . -list /groups PrimaryGroupID

    This shows a list of all the groups on your system. Each line has the group name and its group ID number as shown in Figure 11.19. If you omit PrimaryGroupID, then the gid numbers are omitted from the output.

    Figure 11.19. Using dscl to see a list of all the groups. Your output will differ.

    localhost:~ vanilla$ dscl . -list /groups PrimaryGroupID
    accessibility             90
    admin                     80
    amavisd                   83
    appowner                  87
    appserveradm              81
    appserverusr              79
    authedusers               50
    bin                       7
    clamav                    82
    consoleusers              53
    daemon                    1
    dancers                   500
    dialer                    68
    everyone                  12
    group                     11 16
    interactusers             51
    jabber                    84
    kmem                      2
    lp                        26
    mail                      6
    mailman                   78
    matisse                   501
    mysql                     74
    netusers                  52
    network                   69
    nobody                    -2
    nogroup                   -1
    operator                  5
    owner                     10
    postdrop                  28
    postfix                   27
    qtss                      76
    remote                    503
    securityagent             92
    smmsp                     25
    sshd                      75
    staff                     20
    sys                       3
    tokend                    91
    tty                       4
    unknown                   99
    utmp                      45
    uucp                      66
    vanilla                   502
    wheel                     0
    windowserver              88
    www                       70
    xgridagent                86
    xgridcontroller           85
    localhost:~ vanilla$

To see all the attributes of one group:

  • dscl . -read /groups/groupname

    For example:

    dscl . -read /groups/admin

    This produces a list of all the attributes for the admin group, as shown in Figure 11.20.

    Figure 11.20. Using dscl to see all the attributes for one group (the admin group in this example).

    localhost:~ vanilla$ dscl . -read /groups/admin
    AppleMetaNodeLocation: /NetInfo/DefaultLocalNode
    GeneratedUID: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000050 ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
    GroupMembership: root matisse vanilla remote
    Password: *
    PrimaryGroupID: 80
    RealName: Administrators
    RecordName: admin
    RecordType: dsRecTypeNative:groups
    SMBSID: S-1-5-32-544
    localhost:~ vanilla$

To see all the users who belong to a group:

  • There isn't any easy way to do this. Yes, we know it seems strange, but it's true.

    One partial solution is with

    dscl . -read /groups/groupname GroupMembership

    That command reads the Directory Service data and shows the users who have been directly added to the group. If there are no users associated with that group, the message "No such key:GroupMembership" will appear. The problem is that there is more than one place where a user can be included in a group. One is in Directory Service data for groups, in which each group has a list of users that belong to it. The command line above will read that for you. But when a user is created, he or she is assigned one group as his or her "primary" group, and that information is stored in the record for the user, not for the group.

    In Mac OS X 10.4, new users have a private group as their primary group, a group with the same name as the user name. Prior to 10.4, a user's primary group was set to "staff." In either case their user names do not appear in the Directory Service database record for the group itself, so the dscl . -read command shown above won't find it.

    In order to really find out who all the members of a group are, you would have to examine every user on the system, as well as the group entry in Directory Services. You could write a script to do this, but there's no single command to do it. Sorry.
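Here is the script the text says you would have to write, added as an example and not taken from the book. It reads both places Directory Service records membership, the group's GroupMembership attribute and each user's PrimaryGroupID, and merges them. The parsing functions take dscl output on stdin so they run offline on constructed samples; only group_members_live calls dscl. Using dscl . -list /users PrimaryGroupID to dump every user's primary group is this example's assumption, by analogy with the dscl . -list /groups PrimaryGroupID command shown earlier; the function names and sample data are constructed.

```shell
# Added example (not from the book): resolve a group's full membership from
# the two sources the text describes. SAMPLE_GROUP_RECORD and SAMPLE_USER_LIST
# are constructed stand-ins for the output of
#   dscl . -read /groups/dancers GroupMembership
#   dscl . -list /users PrimaryGroupID     (assumed form, see lead-in)
SAMPLE_GROUP_RECORD='GroupMembership: fireboy matisse'
SAMPLE_USER_LIST='fireboy      503
matisse      500
puffball     500
vanilla      502'

# direct_members: input is the group's GroupMembership line; prints one user
# per line and nothing at all on "No such key: GroupMembership".
direct_members() {
    awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) print $i }'
}

# primary_members GID: input is the "user gid" list; prints the users whose
# primary group is GID.
primary_members() {
    awk -v gid="$1" '$2 == gid { print $1 }'
}

# all_members GROUP_RECORD USER_LIST GID: merge both sources, one name per
# line, duplicates removed (a user can be in the group both ways).
all_members() {
    {
        printf '%s\n' "$1" | direct_members
        printf '%s\n' "$2" | primary_members "$3"
    } | sort -u
}

# group_members_live GROUPNAME: the same merge against the real Directory
# Service data on a Mac OS X machine.
group_members_live() {
    gid=$(dscl . -read "/groups/$1" PrimaryGroupID | awk '{ print $2 }')
    if [ -z "$gid" ]; then
        echo "no such group: $1" >&2
        return 1
    fi
    all_members "$(dscl . -read "/groups/$1" GroupMembership)" \
                "$(dscl . -list /users PrimaryGroupID)" "$gid"
}

# Offline demonstration: in the sample, dancers has gid 500, fireboy and
# matisse are listed directly, and matisse and puffball have it as primary.
echo "members of dancers (constructed sample):"
all_members "$SAMPLE_GROUP_RECORD" "$SAMPLE_USER_LIST" 500
```

The merged list is what you want before handing a group write permission on a shared directory: the primary-group members never appear in the group record, so checking GroupMembership alone would miss puffball here.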

Compare with Aqua: NetInfo Manager

You can use the GUI application NetInfo Manager to see who is a member of a group, as well as to add and remove groups. Even though NetInfo Manager is a GUI application, it is far less easy to use than most Mac applications. This is one case where the command-line tools are probably easier than the GUI equivalent.


To create a new group:

1.
First get the list of all groups as described in the task "To see a list of all the groups":

dscl . -list /groups PrimaryGroupID

2.
Make up a group name that is not in use.

Group names should be all lowercase and should contain only letters and numbers.

3.
sudo dseditgroup -o create groupname

You must be root to modify the data sources used by Directory Service, hence the use of sudo .

For example, to create a group called "dancers":

sudo dseditgroup -o create dancers

Enter your password if sudo prompts you for it.

If a group already exists with the name you chose, you will be asked if you want to overwrite the existing record.
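The three steps above can be scripted with two pre-flight checks, one for the naming rule in step 2 and one for a name that is already in use, so that dseditgroup is never asked to overwrite an existing record. This is an added example, not code from the book; the function names and the constructed SAMPLE_GROUPS text are its own, and only create_group touches the system.

```shell
# Added example (not from the book): checks before creating a group.
# group_in_use reads the output of `dscl . -list /groups PrimaryGroupID`
# (step 1) on stdin; SAMPLE_GROUPS is a constructed stand-in for it.
SAMPLE_GROUPS='admin                     80
dancers                   500
staff                     20
wheel                     0'

# group_name_ok NAME: non-empty, lowercase letters and digits only (step 2).
group_name_ok() {
    case $1 in
        '' | *[!a-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# group_in_use NAME: succeeds if NAME is the first column of any input line.
group_in_use() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# create_group NAME: run both checks, then the book's dseditgroup command
# (step 3). Refuses rather than answering the overwrite prompt.
create_group() {
    name=$1
    if ! group_name_ok "$name"; then
        echo "bad group name '$name': use lowercase letters and digits only" >&2
        return 1
    fi
    if dscl . -list /groups PrimaryGroupID | group_in_use "$name"; then
        echo "group '$name' already exists; not overwriting" >&2
        return 1
    fi
    sudo dseditgroup -o create "$name"
}

# Offline demonstration against the constructed list.
for name in dancers tango 'Tango Team'; do
    if ! group_name_ok "$name"; then
        echo "$name: invalid name"
    elif printf '%s\n' "$SAMPLE_GROUPS" | group_in_use "$name"; then
        echo "$name: already in use"
    else
        echo "$name: free"
    fi
done
```

On a real machine, create_group tango would run the checks against the live group list and then call sudo dseditgroup -o create tango.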

Tips

  • Instead of using sudo , you can use the -p option and you will be prompted for your password:

    dseditgroup -p -o create groupname

    Or if you are not logged in as an admin user, you may use the -p and -u options to supply an admin user name:

    dseditgroup -u username -p -o create groupname

    You'll still need the password, of course.

  • There are several more options for creating a group with dseditgroup; for example, you can add a comment with the -c option. See man dseditgroup for the complete list.


To add a user to an existing group:

  • sudo dseditgroup -o edit -a username -t user groupname

    This adds the user username to the group groupname. For example, to add user "fireboy" to group "dancers":

    sudo dseditgroup -o edit -a fireboy -t user dancers

    The change takes effect the next time fireboy logs in.

    Be sure to check your addition with

    dscl . -read /groups/dancers GroupMembership

    to ensure that the user fireboy is added, since dseditgroup provides little feedback on success or failure.

Starting in Mac OS X 10.4, you can have groups be members of other groups. Any user who is a member of a subgroup is automatically a member of the higher-level group(s). You may only add groups to groups that were created using the new 10.4 tools, such as dseditgroup , described above. (That is, you will get an error if you try to add a group to a "legacy-style" group.)

To display information about a group:

  • dseditgroup groupname

    This will display all the known attributes of the group. Figure 11.21 shows an annotated example.

    Figure 11.21. Annotated output from dseditgroup groupname.

To add a group to another group:

  • sudo dseditgroup -o edit -a subgroup -t group parentgroup

    This adds the group subgroup to parentgroup. All users who are in the subgroup are now also members of the parent group. Note that while you can remove subgroups (see below), there is currently no easy way to see a list of subgroups for a particular group.

To remove a user from a group:

  • sudo dseditgroup -o edit -d username -t user groupname

    This removes the user username from group groupname. (The -t option names the record type of the member being removed, so it is user here, just as when the user was added.)

To remove a subgroup from a group:

  • sudo dseditgroup -o edit -d subgroup -t group groupname

    This removes the subgroup subgroup from group groupname .

To remove a group:

1.
sudo dseditgroup -o delete groupname

For example, to delete a group called "tango":

sudo dseditgroup -o delete tango

You will get a prompt telling you the group already exists and asking if you really want to delete it:

Delete called on existing record - do you really want to delete, y or n :

2.
y

Typing y confirms the request to delete the group. It's gone as soon as you press Return.



Unix for Mac OS X 10.4 Tiger: Visual QuickPro Guide (2nd Edition)
ISBN: 0321246683
Year: 2004
Pages: 161
Authors: Matisse Enzer