About making Mac user account

Discussion in 'Mac Basics and Help' started by Resmarohs, Dec 11, 2016.

  1. Resmarohs, Dec 11, 2016
    Last edited: Dec 11, 2016

    Resmarohs macrumors newbie

    Joined:
    Dec 11, 2016
    #1
    New guy here and heard that it is safe to make user account and not use administrator account for every day dealings.


    I got few questions:


    1) If I use user account, it is harder for me to accidentally muck something up?

    2) If I use user account, it is harder for malicious files to take control over Mac?

    3) So should I use different passwords in case malicious files get in and infect user account?

    4) If I move all my files, pictures etc, to user account, are they accessible from administrator account too?

    5) If I delete my user account, will this delete also all the files I added to Mac as user? Or will they survive under administrator account until I make new user account?

    6) Which account would be best for everyday use? Standard user?

    7) So if I want to change something while using user account, like install new app, should I log into Administrator one first or does it just ask my admin password to make a change?
     
  2. Kissmyne macrumors 6502

    Kissmyne

    Joined:
    Apr 21, 2015
    #2
    1) Yes, harder.
    2) Yes, harder is still the key word.
    3) I would recommend using different passwords for your two separate accts. IF one acct is compromised and they use the same password... you can imagine where the issue is.
    4)Yes, search "setting file permissions on mac" after you have done this.
    5)Anything in the user acct or moved to it will be deleted and not retained for the admin acct if the user acct is deleted.
     
  3. Resmarohs thread starter macrumors newbie

    Joined:
    Dec 11, 2016
    #3
    Thank you! Sorry, I just added two more questions:

    6) Which account would be best for everyday use? Standard user?

    7) So if I want to change something while using user account, like install new app, should I log into Administrator one first or does it just ask my admin password to make a change?
     
  4. Kissmyne macrumors 6502

    Kissmyne

    Joined:
    Apr 21, 2015
    #4
    6)I would suggest a Standard User.
    7)You will be prompted for admin user and password whenever you try to do a task requiring admin priviliges
     
  5. Resmarohs thread starter macrumors newbie

    Joined:
    Dec 11, 2016
    #5
    Thank you!
    Before I found out about admin/user account thing, I had already installed some apps like Libreoffice, VLC Player, printer/scanner software, GIMP, Firefox, Opera.
    Is there any security risk I installed them while using Admin account? Like, when app is installed under Admin account, it is more vulnerable?
     
  6. Kissmyne macrumors 6502

    Kissmyne

    Joined:
    Apr 21, 2015
  7. Resmarohs thread starter macrumors newbie

    Joined:
    Dec 11, 2016
    #7
    Okay then, thank you! I got a bit scared after hearing about user account being safer and understanding I had pretty much filled my Mac with apps and already used it while Admin. :)
     
  8. Resmarohs, Dec 11, 2016
    Last edited: Dec 11, 2016

    Resmarohs thread starter macrumors newbie

    Joined:
    Dec 11, 2016
    #8
    Sorry, I started thinking about something and can't find answer (you don't have to even reply if I'm too bothersome :) )
    1) If I scan using Malwarebytes while in User Account, does it detect all threats in entire Mac or only those under User Account?
    Let's say that Administrator Account had been already infected when I made User Account, would the infection there stay hidden from Malwarebytes if scan is done in User Account? And can infected Administrator account influence User Account? (This is theoretical question, but I'd like to know in case I get some paranoias in future)

    Or if I do scan in Administrator account, does it scan also threats in User Account? Or should I do scans while logged into both?

    2) Disk Utility shows disk's S.M.A.R.T. status for health - but does it work properly in User Account or do I have to be logged into Admin Account to check it?

    3) Would etrecheck give full results in User Account? I think it doesn't ask password so would it be limited in User Account?

    4) When updating from App Shop, should I use Administrator Account or User Account?
    If I install apps on User Account, does it mean they only exist in User Account? Would it be safer to keep apps in Administrator Account to minimum?
     
  9. KALLT, Dec 11, 2016
    Last edited: Dec 11, 2016

    KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #9
    It is a lot easier if you just create a second administrator account and then demote your first account. That way you can also test how this works and get comfortable with the restrictions. Files are kept separate for each user account, your administrator account will, for the most part, not have access to your files in the user directory.

    I wrote a small section about this in this guide: https://github.com/drduh/macOS-Security-and-Privacy-Guide#admin-and-standard-user-accounts. Generally, you don’t need to log into the administrator account in the login screen, as macOS handles the authentication on the fly with password prompts.

    1. Perhaps @thomasareed can answer this. However, Malwarebytes can be used by standard users.
    2. Disk Utility does show the verification status to standard accounts. Disk-related actions usually require administrator credentials, but you do not need to be logged into the administrator account for this.
    3. EtreCheck is designed to be used by both types of accounts. The only difference is that it cannot show you whether there are diagnostic reports for system applications.
    4. You can use the App Store from any user account. System and app updates are downloaded and installed automatically.
     
  10. Resmarohs thread starter macrumors newbie

    Joined:
    Dec 11, 2016
    #10
    You answered all of my questions! There is a new one that came from reading Your advice of demoting first adminsitrator account. This is purely out of curiosity and from my nerdy desire to understand more:

    If I make second Administrator account, it would be identical to first, with access to same apps? And if my Mac had some sort of malware/trojan/anything bad, it would carry on to this new Administrator account too?
    Sorry if this is worded weird, but I just have to ask when question pops up.
     
  11. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #11
    Applications that are installed into the local applications directory (/Applications) are available to any account. Most applications will save their user data in the user’s directory, where only that user will be able to access them. So when another account opens the same application, it will be as if the application was just installed. If you install a malware in that directory, it could be executed by other accounts as well.

    The idea of using a separate administrator account is to take away the responsibility of installing such applications. However, it does not absolve you from making sure that you are not installing malware.
     
  12. Fishrrman macrumors G4

    Joined:
    Feb 20, 2009
    #12
    I started with OS X (was a "Classic Mac OS" user for many years before) in 2004 with 10.3.

    I've always set up my Macs with my "regular" account in administrative mode.

    I've NEVER had ANY problems with viruses, trojans, malware, etc.

    I see no reason to change.
     
  13. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #13
    Perhaps, but you are still running Snow Leopard. You are not exactly the benchmark for safe computing. ;)

    Having separate accounts is good advice and it does not have to be complicated. If there are some security benefits without almost no practical downsides, then why not.
     
  14. Ilbabgui macrumors newbie

    Joined:
    Dec 11, 2016
    #14
    I also use Administrator account... oh dear. I'd like to ask, how often should one upgrade OS then? I use El Capitan as Sierra ruined something and I had to downgrade. I saw several posts with people with similar issues with monitors/display. I definitely do not want to try Sierra again. What is the limit to wait until upgrading to new OS - like, 3 OS behind the current is already too much?
     
  15. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #15
    El Capitan is fine, it is still supported by Apple. They support three OS releases at a time, currently Yosemite, El Capitan and Sierra. Next year, they will drop Yosemite in favour of the new release. You can use any of the three.
     
  16. Ilbabgui macrumors newbie

    Joined:
    Dec 11, 2016
    #16

    Thank you! By support, it means all apps, but does this rule also cover security updates or are those also dropped for older OS?
     
  17. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #17
    It just means security updates.
     
  18. Ilbabgui macrumors newbie

    Joined:
    Dec 11, 2016
    #18
    So no more security updates when OS is too old?
     
  19. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #19
    Yep. Only Yosemite and El Capitan receive security updates, Sierra receives normal updates that have the security updates baked in.
     
  20. Ilbabgui macrumors newbie

    Joined:
    Dec 11, 2016
    #20
    Normal updates like new text document file apps and so on?
    So when next OS comes out, no more security updates for Yosemite? Does Apple send a reminder about this to old OS users too?
     
  21. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #21
    App updates is something different. Apps can be updated independently from system updates via the App Store or via the developer. Pre-installed Apple applications that are not in the App Store, such as TextEdit, are updated through regular system updates, sometimes also by security updates if there is a vulnerability in them. Apple has a habit of updating their own App Store apps, such as Keynote and Pages, only for the latest release of macOS.

    No reminders, as far as I know.
     
  22. Fishrrman macrumors G4

    Joined:
    Feb 20, 2009
    #22
    Kallt wrote:
    "Perhaps, but you are still running Snow Leopard"

    I've moved up in the world.

    The new (2015) MacBook Pro uses El Capitan (where it will remain, just as the 2010 MBPro used SL all its life).

    The Mac Mini upstairs (main computer) uses 10.8.5 Mountain Lion. Fast, smooth, stable.

    The late 2006 iMac uses either Snow Leopard or Lion (Lion is "as far as this one will go").

    ALL are set up with administrator accounts.
     
  23. thomasareed macrumors member

    thomasareed

    Joined:
    Aug 24, 2015
    #23
    If you're using the latest version of Malwarebytes Anti-Malware for Mac (version 1.2.5), it will scan all user accounts on the machine, regardless of what user you're scanning from. Of course, you have to have admin privileges to install it.

    BTW, I have a different perspective on using a standard user account... for the most part, I don't see enough value in it to be worth the trouble.

    The primary reason that most people give for using a standard account is to minimize the danger if you happen to be infected with malware. However, the true danger of true malware is to your data - either its theft or its intentional destruction. If your data is on your standard user account, using that account with a malware infection is very dangerous.

    Further, it's trivial to infect a standard user account. I could write a piece of malware in less than ten minutes that would infect a Mac with no need for admin access. Some malware does want to have admin access, but in a lot of cases, it will have a "fallback" for cases where it can't get admin access, so that it can still infect the machine. True, such an infection will only affect the infected user, but again... in most cases, that's going to be where your data is, and so the malware will have achieved its goal regardless.

    Now, this doesn't invalidate other reasons you might have for using a standard account for your day-to-day work. For some people, it may be beneficial to use a standard account, knowing that you'll have to jump through extra hoops to do some things. Just be sure to evaluate that for yourself.
     
  24. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #24
    To the average user (likely also the experienced user), the added trouble is very minimal. The only visible things that are different will be password prompts for tasks that require elevated privileges, such as changing some system-wide settings in System Preferences and starting system services, and that sudo is unavailable without switching to an admin user first. For the most part, these tasks do not usually happen on a regular basis and the added trouble will not be noticeable.

    It is certainly true that this privilege separation does nothing against local, user-targeted attacks, particularly attacks that are after user data, but that is certainly not exhaustive. It also protects the user against some vulnerabilities in Apple’s Security framework (Yosemite had one) and unnecessarily lenient configurations in programs such as sudo (which Apple finally revised for the better in Sierra). Presumably, the possibility to (re)move data from Time Machine will also be unavailable to standard users, which should protect some user backups if the malware is acting solely in the user domain.

    I also think that having separate accounts makes the user more aware of the privilege separation. I suspect that many users do not even know what they are actually authorising when a program asks for their password or when they type sudo, but associating it with a particular admin account can make this purpose clearer.

    All things considered, to me the question is not so much ‘why’, but ‘why not’.
     
  25. Resmarohs thread starter macrumors newbie

    Joined:
    Dec 11, 2016
    #25
    Thank you so much for everyone for all these wonderful comments!
     

Share This Page