Configuring Account Preferences

As noted, during the installation of Mac OS X or when first starting a Mac with a factory preinstallation of Mac OS X, the Setup Assistant creates the first account, which is an admin account. Subsequently, within Mac OS X’s GUI, day-to-day user account administration is done through the Accounts preferences pane depicted in Figure 14-1. The Accounts preferences pane can create and delete user accounts; it is also the location where you can configure home folder encryption, select items to open automatically at startup, restrict system access for a given user account, grant admin privileges, and specify system login options. Depending on the type of account being administered and the current user account that is logged-in, the Accounts preference pane can present up to six panels: Password, Login Options, Picture, Security Startup Items, and Limitations. The Limitations panel contains three additional panels: No Limits, Some Limits, and Simple Finder.

Figure 14-1: The Accounts preferences pane.

When opening the Accounts preferences pane for the first time, you will notice that the admin account that is generated by the Setup Assistant during the Mac OS X install process is present. By default, Mac OS X is configured to automatically log in utilizing this admin account. Once an additional user account is created, you are queried as to whether you want to turn off automatic login. If automatic login is disabled, on the next restart you will be presented with a list of user accounts to choose from for logging in. Figure 14-2 shows the Login window with a list of user accounts.

Figure 14-2: The Login window.

As previously stated, you can have more than one admin account on the same machine. Conversely, you can delete an admin account, but you will be prevented from deleting all admin accounts. Every OS X system must have at least one admin account at all times.

When you create a new user account, you also simultaneously create a home directory folder for that user. However, when you delete a user account, that user’s home directory is automatically archived into a single file incorporating that user’s name with a suffix of .dmg. This file is deposited in a folder titled Deleted Users located inside of the Users folder, as shown in Figure 14-3.

Figure 14-3: The Deleted Users folder.

If, by chance, you change your mind and decide to reinstate a deleted user account, you must first re-create the user’s account from scratch. Next, using the account that was assigned ownership of the deleted user’s data, manually drag the contents from the deleted user’s folder into the new user’s folder. An accidental deletion of a user account does not translate into data loss. The deleted user’s data still exists. If you decide to reinstate the user account, you will need to manually transfer the data from the archive of the deleted user’s home directory to the newly created directory for that account.

Password panel

You create user accounts using the Password panel. Here you assign the user account two unique names: name and a short name. You also give the account a password. Users account holders can use either the full name or short name to login. When assigning full names and short names, use any naming system that you like, but keep in mind these names are case sensitive. When tabbing from the Name field to the Short Name field, a short name is automatically generated. But don’t worry; at this point, it still can be changed. A short name has a maximum of eight characters, and cannot contain any spaces or the following characters:

< > ‘ “ * { } [ ] ( ) ^ ! \ # | & $ ? ~

At any time, the full name and password can be changed, but once the account is created, the short name is permanent. After you have chosen your short name, you will need to provide a password. Although OS X will accept more than eight characters for this field, it only checks the first eight. Finally, the last field allows you to provide yourself an optional password hint if desired.

Besides the full name and short name, each account has a password. The password can be left blank, but in practice should not be. Although a password can be greater than eight characters, Mac OS X only requires the first eight to be recognized. Passwords may contain upper and lower case letters, blank spaces, and extended characters, but colons should be avoided. Mac OS X does not consistently recognize passwords that contain colons.

Creating a user account

You create a user account in the Accounts pane of the System Preferences application. You do not need to log in using an administrator account. If you log in as an ordinary user, you can unlock the settings in the Accounts pane of System Preferences with an administrator’s name and password. To create a user account, follow these steps:

1. Open System Preferences and choose View Accounts or click the Accounts button.

2. To Unlock the user account settings if they are locked, click the Lock button. In the dialog that appears, enter an administrator’s name, the correct password, and then click OK. If you entered a valid name and the correct password, you return to the Users window with all settings unlocked.

3. Click the plus button located below the unlabeled column on the left-hand side of the Accounts preferences pane to add a new user account, as shown in Figure 14-1.

4. Enter a name and a short name.

5. Click in the New Password field and enter a password. Optionally, you may also enter a password hint.

   The password hint is displayed if the user enters the password incorrectly three times in a row during login. If you enter a hint, make it a hint not the actual password! As you enter the password in the New User dialog, you will notice that Mac OS X keeps it secret by displaying dots (Lock Font) instead of what you actually type. Because you can’t visually check what you have entered, you have to enter it twice consistently to verify it. If the two entries are not consistent, Mac OS X will prompt you to reenter them.

Subsequently, after the account is created, users can log in and change their password on their own. If at a later date a user’s password is changed, a dialog appears stating that the user’s Keychain password can’t be changed to the new account password that you just entered. The existing Keychain password remains in effect until the user logs in (using the new account password) and runs the Keychain Access application to update the Keychain password. You can find information on using the Keychain Access application in Chapter 15.

To delete a user account, follow Steps 1 and 2, but instead of clicking the plus button in step three, select the account to be deleted from the unlabeled column on the left-hand side of the Accounts preferences pane and click the minus button to the right of the plus button. Before an account can be deleted, make sure it is not encrypted with FileVault.

Login Options panel

At the bottom of the list of accounts in the unlabeled column on the left-hand side of the Accounts preferences pane there is a Login Options button. Use this button to configure additional system login options, as shown in Figure 14-4.

Figure 14-4: Login Options offers additional customization of the login process.

• Display Login Window as: This option changes the login window from a list of users, shown in Figure 14-2, to name and password field.

• Automatically log in as: Configures Mac OS X for automatic login with a specified user account that is selected within the pop-up menu to the right of this label.

• Hide the Sleep, Restart, and Shut Down buttons: Determines whether people can restart or shut down the computer by clicking buttons in the login window.

• Enable fast user switching: Permits more than one user to stay logged in to a computer at the same time without having to quit applications or close documents.

  When fast user switching is enabled, the name of the currently logged in user appears in the upper-right corner of the Finder’s menu bar as seen in Figure 14-5. To switch between user accounts, click on the menu and select the name of user account you want to switch to. If the selected user account requires a password you will be prompted to enter it as depicted in Figure 14-6, if not, Mac OS X will automatically make the switch. When the transition of user accounts occurs on a Mac that supports Quarts Extreme, the effect will appear as a rotation of a 3-D cube, otherwise the screen will momentarily turn black, before the new account can be used. In order to restart or shutdown a computer that has multiple users logged in utilizing fast user switching, all user accounts must be logged out. If not, you will be prompted with a dialog requesting admin authentication in order to do so. This will result in the loss of unsaved changes in all user accounts that are currently logged in at the time of restart or shutdown.

  
  Figure 14-5: Using fast user switching alleviates the need for a logged in user to log out, so another user account can be utilized.

  
  Figure 14-6: Switching to user account that requires the entry of a password will prompt you with a dialog similar in appearance to Mac OS X’s initial login screen.

Picture panel

Use the Picture panel, depicted in Figure 14-7, to select a picture or a graphic that will be used as a visual representation of a user account. By default, Mac OS X selects a random picture for each user account. These pictures are used by Mac OS X’s login window, as well as by Address Book and iChat applications. Login pictures can be manually chosen as well. By default, Mac OS X provides 30 unsightly selections to choose from. If these do not meet your aesthetic sensibility, use the Edit button as shown in Figure 14-8 to customize your own.

Figure 14-7: Apple provides supplied pictures in the Picture panel.

Figure 14-8: Create your own picture selections by taking a video snap shot or using a preexisting image.

Security panel

Use the Security panel to enable home folder encryption and to assign admin privileges to user accounts. FileVault is the name for Mac OS X’s on-the-fly home folder encryption mechanism. When enabled, FileVault automatically encodes the data in the home directory into a format that can be accessed by authorized users only. FileVault can be administered via the Security panel as well as the Security preferences pane which is reviewed in Chapter 27.

To set the option to grant a user admin privileges:

1. Open System Preferences and choose View Accounts or click the Accounts button.

2. Select an account to be administered from the unlabeled column on the left-hand side of the preference pane.

3. Click on the Security button at the top of the preference pane.

4. Select the Allow user to administer this machine option, as shown in Figure 14-9.

   
   Figure 14-9: Select Allow user to administer this machine, only if you want to grant the account being administered admin privileges; otherwise, makes sure that this option is turned off

Limitations panel

Use the Limitations panel to dictate what users have access to. Limitations can be set for user accounts only. Use the limitations panel as an aid to further enhance Mac OS X’s security model. There are three levels of access that a normal user account can be granted: No Limits, Some Limits, and Simple Finder.

• No Limits, as the name implies, is a user account without any further restrictions other than that of a normal user.

• Some Limits, as depicted in Figure 14-10, can restrict a user from opening System Preferences, modifying the Dock, changing their password, and burning CDs and DVDs. Access to applications can be restricted on an item-by-item basis.

  
  Figure 14-10: Use the Limitations panel to limit the actions of a user account on a Mac OS X system.

• Simple Finder provides a simplified version of the Dock and access to applications solely provided via a My Applications folder in the Dock. As with Some Limits, access to applications can be granted on an item-by-item basis.

Before employing the features of the limitations panel, make sure that are no incompatibilities with any installed third-party applications. To limit a user’s capabilities:

1. Open System Preferences and choose View Accounts or click the Accounts button.

2. Select an account to be administered from the unlabeled column on the left-hand side of the preference pane.

3. Click on the Limitations button at the top of the preference pane.

4. Grant the user No Limits, Some Limits, Simple Finder by clicking on the corresponding button.

5. Select options and capabilities. You can prevent users from changing their password, from removing items from the Dock, from burning CDs and DVDs, and from opening System Preferences; you can limit users to running specific applications.

6. Click OK to accept your changes or click Cancel to void them.

Startup Items panel

The Startup Items panel, shown in Figure 14-11, enables the selection of items that are to be started automatically at the time of login. You can set up a list of documents and applications that you want to open automatically when you log in. You can also designate the order of those items and whether or not they should be hidden. Each user account has its own private list of login items.

Figure 14-11: Change the list of items opened during login by clicking the Startup Items tab in the Login Preferences window.

Adding login items

To have an item to open automatically during login, follow these steps:

1. Open the Accounts preferences pane inside of the System Preferences application.

2. Click on the Startup Items button.

3. Click the plus button located below the list of items that will open automatically when you log in. You can also add items to the Login Items list by dragging their icons from Finder windows or the Desktop to the Login Items list.

4. In the dialog that appears, select one or more items and click the Open button. Click once to select one item; Shift-click to select adjacent items; and z-click to select nonadjacent items.

   • To remove an item: Select it in the list and click the Remove button.

   • To rearrange the order in which listed items open during login: Drag items up or down in the list.

   • To hide an item automatically when it opens during login: Click the Hide checkbox next to the application name in the list. A hidden item stays open but doesn’t take up any screen space.