Require Password after Screen Saver – Command Line

To make sure your machine locks when the screen saver kicks in, enable a password prompt by typing the following into Terminal:

defaults write com.apple.screensaver askForPassword -int 1

To set a delay before the password prompt becomes active, type the following into Terminal:

defaults write com.apple.screensaver askForPasswordDelay -int 300

The delay is in seconds, so the command above sets it to 300 seconds, or 5 minutes.
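As an added example (not part of the original post), here is a small script that applies the two settings above and audits a machine against them. It assumes the keys live in com.apple.screensaver exactly as written above (on later macOS versions they are stored per host, so `defaults -currentHost` is needed), and it treats a missing askForPassword key as "cannot verify", reporting it as non-compliant rather than assuming the default is safe.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the two
# com.apple.screensaver keys above; on newer macOS add -currentHost.

MAX_DELAY=300   # longest acceptable grace period, in seconds

# evaluate_screensaver ASK DELAY [MAX]: exit 0 when a password is required
# (ASK=1) and the grace period DELAY is at most MAX seconds.
# A missing delay key means "immediately", so an empty DELAY counts as 0;
# a missing or non-numeric ASK cannot be verified and fails the check.
evaluate_screensaver() {
    ask="$1"; delay="${2:-0}"; max="${3:-$MAX_DELAY}"
    [ "$ask" = 1 ] || return 1
    case "$delay" in
        *[!0-9]*) return 1 ;;     # garbage in the plist: fail closed
    esac
    [ "$delay" -le "$max" ]
}

# read_default DOMAIN KEY: print the stored value, or nothing when the key
# was never written (defaults read exits non-zero in that case).
read_default() {
    defaults read "$1" "$2" 2>/dev/null || true
}

# apply_screensaver_policy [DELAY]: the two commands from the post.
apply_screensaver_policy() {
    defaults write com.apple.screensaver askForPassword -int 1
    defaults write com.apple.screensaver askForPasswordDelay -int "${1:-$MAX_DELAY}"
}

# audit_screensaver [MAX]: read the live values and evaluate them.
audit_screensaver() {
    evaluate_screensaver \
        "$(read_default com.apple.screensaver askForPassword)" \
        "$(read_default com.apple.screensaver askForPasswordDelay)" \
        "${1:-$MAX_DELAY}"
}

# Only talk to `defaults` on a Mac; the functions above are usable anywhere.
if [ "$(uname)" = Darwin ]; then
    if audit_screensaver; then
        echo "screensaver policy: OK"
    else
        echo "screensaver policy: NOT compliant"
    fi
fi
```

Run it as-is to audit the logged-in user's settings, or call apply_screensaver_policy first to enforce them; evaluate_screensaver takes an optional third argument if your policy allows a longer grace period than five minutes.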

HELP! I’ve forgotten my administrator password – 10.7

If you have forgotten the password to any of the accounts on a Mac, you can reset it by following these instructions:

Reboot your Mac and hold down ALT.

When it shows all available drives, choose the Recovery HD. If you have set a firmware password, you will need to enter it before you get to the list of available drives.

When booted into the Recovery HD, click on Utilities and then choose Terminal.

When the Terminal window opens, type the following:

resetpassword

A new window will open. Click on your system drive; you will then be able to select any available account on that drive and reset its password.

Please be aware that you will not gain access to the keychain for that account, so if you are after information saved in that keychain then you won't be able to get it.

Create a Hidden Administrator

I like to hide the administrator account from prying eyes. This adds to the security of your machine by not making it obvious which accounts exist on it.

To do this you need to do a number of things. First of all, log in to the Mac with an admin account.

Go to System Preferences, then Accounts, then click on Login Options and change the following options:

Display login window as : Name and password
Disable Automatic Login

Next you can either create a new admin account to hide, or edit and hide an existing one.

Now right-click (Ctrl-click) on the account you wish to hide and choose Advanced Options.

Set the User ID to a number less than 500; I usually use something between 490 and 499, as a few system accounts use the lower numbers.

Now change the Home directory to somewhere nobody would think to look; a lot of people use /var/.

It's also a good idea to put a . in front of your home folder to hide it further, so the path would be /var/.admin.

Now you need to move and rename your actual home folder. The easiest way to do this is in the Terminal, so open it up and type the following:

sudo mv /Users/admin /var/.admin
sudo chown -R admin /var/.admin

Now you need to remove the Public and Sites folders from your home folder. As you already have a Terminal window open, enter the following to remove them:

sudo rm -R /var/.admin/Public /var/.admin/Sites

OK, now that's all done you need to make some changes to the loginwindow preferences. This can also be done in the Terminal, so enter the following:

sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array admin

This will hide any account with a User ID under 500 and add your 'admin' account to the hidden users list.

Test this by rebooting and logging in as a non-admin user, then go to System Preferences and then Accounts. If all is well, the admin account will not show up.
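The steps above, from Advanced Options through to the loginwindow preferences, as one script. This is an added example and not the original post's code; it assumes the account already exists, that `dscl . -create` is used in place of the Advanced Options dialog to set UniqueID and NFSHomeDirectory, and that DRY_RUN=1 (the default here) prints the commands instead of running them so you can review them before running with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the original post. Scripted version of the
# "hidden administrator" steps; dscl replaces the Advanced Options dialog.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_hidden_uid UID: exit 0 when UID is a whole number in 490..499,
# the range the post recommends (below 500, clear of the built-in accounts).
valid_hidden_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 490 ] && [ "$1" -le 499 ]
}

# hide_admin_account SHORTNAME UID NEWHOME: apply every step of the post.
# NEWHOME must be a dot-folder (e.g. /var/.admin) so it stays hidden.
hide_admin_account() {
    name="$1"; uid="$2"; home="$3"
    valid_hidden_uid "$uid" || { echo "uid $uid is not in 490-499" >&2; return 1; }
    case "$home" in
        /*/.*) ;;
        *) echo "home $home is not a hidden dot-folder" >&2; return 1 ;;
    esac
    # Advanced Options: User ID and Home directory
    run sudo dscl . -create "/Users/$name" UniqueID "$uid"
    run sudo dscl . -create "/Users/$name" NFSHomeDirectory "$home"
    # Move the real home folder and re-own it for the new UID
    run sudo mv "/Users/$name" "$home"
    run sudo chown -R "$name" "$home"
    # Drop the Public and Sites folders
    run sudo rm -R "$home/Public" "$home/Sites"
    # loginwindow: hide sub-500 UIDs and list the account explicitly
    run sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
    run sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array "$name"
}

# Dry-run demonstration with the post's example values.
[ "$DRY_RUN" = 1 ] && hide_admin_account admin 495 /var/.admin
```

The two validation checks are there because the mv and chown steps are hard to undo once run: a UID of 500 or above would still show at the login window, and a home folder without the leading dot defeats the point of moving it. Remember that this only hides the account from the GUI; `dscl . -list /Users` still lists it for anyone with a shell.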

Now log out and log in as the hidden admin user. I tend to put some applications on the Desktop of this hidden account, just ones that I'd rather the end user of the machine not use, as they have the potential to break their machines if not used correctly (I once had a user use OnyX to display hidden files; they then deleted mach_kernel as they didn't recognise the file and thought it could be a virus), so I now keep these out of their reach.

Firmware Password Utility

As every good System Administrator should, I set firmware passwords on all my Macs.

But one of the frustrations caused by this security precaution comes when you are trying to boot a Mac into Target Disk Mode: you first need to boot from an installation disk and then run the Firmware Password Utility.

To get around this, I put a copy of the Firmware Password Utility on all Macs (you could put one on a USB stick if you wish).

This is done by following these steps:

1. Insert a Mac OS X Installation DVD into your Mac

2. Open Terminal and type the following:

cp -R "/Volumes/Mac OS X Install DVD/Applications/Utilities/Firmware Password Utility.app" ~/Desktop

3. Now you can run the utility from your Desktop.

Also, if you are setting up multiple Macs and want them all to use the same firmware password, you can do the following to push it to all machines:

1. Set it manually on one machine using the utility mentioned above.

2. Open Terminal and type the following

sudo nvram security-password

You will get output similar to this:

security-password %cd%f8f%bd%98%87%c5%

This is your encoded firmware password; you can now deploy it via Apple Remote Desktop, SSH, or a script.

Please note that this will only work on Intel Macs.

To deploy it to other Macs, enter the following into Terminal, either locally or via SSH, ARD or another deployment solution:

sudo nvram security-password=%cd%f8f%bd%98%87%c5%
sudo nvram security-mode=command
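As an added example (not the post's own code), the capture-and-deploy flow above as a script: it pulls the encoded value out of the `nvram` output on the reference Mac, refuses to go on if the value looks damaged, and emits the two deployment commands for an ARD Send Unix Task or an ssh session. It assumes the tab-separated name/value layout that `nvram` prints; the sample output embedded below is constructed to match the post. The encoded string is an encoding rather than encryption, so handle the captured value, and any file or script you put it in, as the secret it is.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes `nvram` prints
# NAME<TAB>VALUE lines, as in the post's sample output.

# extract_nvram_value NAME: read nvram output on stdin and print the value
# for NAME; exit 1 when NAME is not present.
extract_nvram_value() {
    awk -v name="$1" -F '\t' '
        $1 == name { print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# valid_encoded_password VALUE: exit 0 when VALUE is non-empty and contains
# no whitespace, i.e. it survived copying and pasting intact.
valid_encoded_password() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# build_deploy_script VALUE: print the two commands from the post, ready to
# paste into an ARD Send Unix Task (run as root) or pipe to ssh.
build_deploy_script() {
    valid_encoded_password "$1" || { echo "refusing: empty or damaged value" >&2; return 1; }
    printf 'sudo nvram security-password=%s\n' "$1"
    printf 'sudo nvram security-mode=command\n'
}

# capture_and_build: the full flow on the Mac where the password was set.
capture_and_build() {
    value="$(sudo nvram security-password | extract_nvram_value security-password)" || return 1
    build_deploy_script "$value"
}

# Constructed sample of what `sudo nvram security-password` printed in the post.
SAMPLE_OUTPUT="$(printf 'security-password\t%s\n' '%cd%f8f%bd%98%87%c5%')"

# demo_build: run the flow against the constructed sample instead of nvram.
demo_build() {
    build_deploy_script "$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_nvram_value security-password)"
}

demo_build
```

On the reference Mac, `capture_and_build > deploy.sh` gives you a file to send out; the whitespace check catches the common failure where the value is copied with a trailing tab or a line break and silently sets a different firmware password on every target.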

Change passwords from the command line

If you believe that your admin password has been compromised then it is always a good idea to change it. The dilemma is that if you have the same password on hundreds of machines, it will be quite a hassle to go round to them all and change it, so you have two options:

1. Invest in Apple Remote Desktop (ARD) to manage your machines.
2. SSH into all machines and change them that way.

I have ARD, so I will guide you through using that. The solution is in essence the same for either option, it's just a hell of a lot quicker with ARD.

First, select all the machines you wish to make the change on, then choose the Send Unix Task option. You will want to run this as root, so select that option, then type the following into the command window:

dscl . -passwd /Users/USERNAME PASSWORD

Change USERNAME to the short name of the account whose password you wish to change, and swap PASSWORD for the new password. If you don't set a new password, it will blank the password and you will need to set a new one the next time you log in.

One downside to this time-saving tip is that the next time you log in to the machines, you will need to know the old password so you can unlock the login keychain for that account.

When using this via SSH, you will need to use sudo, otherwise it will fail.

And it goes without saying that this should NEVER be attempted on an account that has been FileVault encrypted!
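For the SSH route, here is an added example (not the post's own code) that runs the dscl command above across a list of Macs. It assumes key-based SSH to an admin account on each host and that sudo will either prompt on the allocated tty or is set up without a password for that account; nothing in it detects FileVault, so the warning above still applies to the list you feed it. The new password is read once into an environment variable rather than typed per host, and it is single-quoted before it goes over the wire so that spaces, `$` and quote characters cannot break the remote command or be interpreted by the remote shell. Note that the post's own approach puts the password on the dscl command line, so it is briefly visible in the process list on each target while dscl runs.

```shell
#!/bin/sh
# Added example, not code from the original post. Pushes the post's
# `dscl . -passwd` command to many Macs over SSH with safe quoting.
# Assumes key-based SSH and sudo rights for the connecting account.

# shell_quote STRING: wrap STRING in single quotes, escaping any embedded
# single quotes, so the remote shell passes it through unchanged.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# valid_short_name NAME: exit 0 for a plausible macOS short name, so that a
# bad argument cannot turn into a different dscl path.
valid_short_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# build_passwd_command USERNAME PASSWORD: the command from the post, with
# sudo (needed over SSH) and the password safely quoted.
build_passwd_command() {
    valid_short_name "$1" || { echo "bad short name: $1" >&2; return 1; }
    printf 'sudo dscl . -passwd /Users/%s %s' "$1" "$(shell_quote "$2")"
}

# rotate_password USERNAME HOST...: run the command on every host and report
# per-host success; returns the number of hosts that failed. The new
# password comes from NEW_PASSWORD (set it with `read -s` or similar) so it
# never appears in this machine's argv or shell history.
rotate_password() {
    user="$1"; shift
    [ -n "$NEW_PASSWORD" ] || { echo "NEW_PASSWORD is not set" >&2; return 1; }
    cmd="$(build_passwd_command "$user" "$NEW_PASSWORD")" || return 1
    failed=0
    for host in "$@"; do
        # -t allocates a tty so sudo can prompt if it needs to
        if ssh -t "$host" "$cmd"; then
            echo "$host: changed"
        else
            echo "$host: FAILED" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage (interactive):
#   printf 'New password: '; stty -echo; read NEW_PASSWORD; stty echo; echo
#   export NEW_PASSWORD
#   rotate_password admin mac01.example.local mac02.example.local
```

The per-host report matters more than it looks: with hundreds of machines, a few will be off or asleep, and you want a list of exactly which ones still carry the old password rather than a single pass/fail.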