What Accounts do I need?

Discussion in 'Mac Basics and Help' started by doubledee, Jun 10, 2013.

Most Liked Posts
  1. doubledee, Jun 10, 2013

    doubledee macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #1
    This may be another "religious battle", but...

    What User Accounts should I create when I set up my new cMBP??


    View #1:
    Mac's are secure enough, just create a "DoubleDee" Admin account and be done with it?!


    View #2:
    You need to segment things.

    Create an "Admin" account for maintaining your MacBook and installing Software and what-not, and then create a stripped down "DoubleDee" account from which you do your day-to-day activities.


    View #3:
    Something else??


    I am the only person who will ever be using my using my cMBP, and security is *very* important to me, but I also don't want to turn my life into a maintenance hell.

    Probably my evil Windows past, but it seems like a drag to have to log-out and log-in to another account every time you want to patch FireFox or install an app or change computer settings...

    Then again, considering that I am getting neurotic about hings like FDE and EFI Passwords and so on, maybe I need to be consistentlu paranoid about User Accounts?? :confused:

    Sincerely,


    Debbie
     
    share
    + Quote Reply
  2. simsaladimbamba, Jun 10, 2013

    simsaladimbamba Guest

    simsaladimbamba

    Joined:
    Nov 28, 2010
    Location:
    located
    #2
    An admin account is just fine, no need for a standard account for daily tasks.

    I run an admin account on my Macs for daily tasks, my data has not been compromised, my Macs have not been infected with any kind of malware, and that for the past nine years using Mac OS X.
     
    share
    + Quote Reply
  3. doubledee, Jun 11, 2013

    doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #3
    What does everyone else think?

    Based on my upbringing, it still seems like you should have a dedicated "Admin" account and then a "Day-to-Day" account? :confused:

    Sincerely,


    Debbie
     
    share
    + Quote Reply
  4. smokeyrabbit, Jun 11, 2013

    smokeyrabbit macrumors 6502

    Joined:
    May 19, 2005
    Location:
    Escape from New England
    #4
    Exactly. Why needlessly introduce another level of complexity. I've been a Mac OS X user since 10.0 twelve years ago. Also, you already have the root user if you want a super secret invisible admin account.
     
    share
    + Quote Reply
  5. doubledee, Jun 11, 2013

    doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #5
    Because conventional wisdom says, "If you always run as Admin, and somehow your system is compromised, then you have just given the hacker *complete* control to your computer!!"

    By contrast, if I was working on a daily basis as a "Standard User", then it - in theory - would be much harder for a hacker (or malware) to take over my machine.


    Side topic: On my new cMBP, is the "Root User" account enabled or disabled?

    From what I have read - which isn't much on this topic - you should DISABLE this account unless you have a really really good reason to use it!!!

    (I'm trying to be very methodical here s I set up my new cMBP, so I can rest assured that all of my business data is safe and sound, and that I don't have any gaping holes like how I just discovered that you can hack into any MacBook in under 60 seconds by having physical access unless it has File Vault turned on?!)

    Sincerely,


    Debbie
     
    share
    + Quote Reply
  6. smokeyrabbit, Jun 11, 2013

    smokeyrabbit macrumors 6502

    Joined:
    May 19, 2005
    Location:
    Escape from New England
    #6
    No. Anyone who knows any admin password can "take over" your machine, whether you're using an admin account or not. You seem unusually convinced that someone is out to get your information. I suggest keeping your machine under lock and key will do more to "protect" you than anything else.

    Also, the "hacking your MacBook under 60 seconds" thing was from 2006.
     
    share
    + Quote Reply
  7. doubledee, Jun 11, 2013

    doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #7
    You're talking about something completely unrelated...

    (I'm not talking about anyone getting my Password.)


    If I am logged is an Admin, and I download malware or whatever, then if OS-X is like any other operating system, more damage can be done than under a non-Admin account. (Unless someone can show me differently.)


    Don't follow the news much, eh? ;)

    In case you haven't noticed *security* is much more important than in the 1980's...


    I don't know when it was, but I Googled the topic last night, and was floored to see the multiple ways anyone can get access to your Mac even though it is *supposed* to be protected by a User Account and Password.

    (That has to be the single stupiest engineering design of the millennium... Make users create a Username and Password, but don't actually enforce it?!)

    Sincerely,


    Debbie
     
    share
    + Quote Reply
  8. benwiggy, Jun 11, 2013

    benwiggy macrumors 68020

    Joined:
    Jun 15, 2012
    #8
    Logging in as the root user is disabled by default. Plenty of processes run as root, but you can't log in as root user unless you deliberately enable it.

    I would perhaps suggest having a spare admin account, just in case your regular admin account gets fubarred, which, if it is your day-to-day account, is a possibility.

    I do have to say, though, doubledee: the amount of time you spend on researching security and "double-locking" your Mac, it's a wonder that you have any time at all for creating any confidential material worth stealing. :D
     
    share
    + Quote Reply
  9. doubledee, Jun 11, 2013

    doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #9
    Good!


    I think most security experts would say "Administer using an Admin account, and do day-to-day things with a Standard Account."

    However one thing that has made me leery of having an Admin and a Standard account is this issue...

    In the past - on both Windows and this Mac - when I set up an Admin and a Standard account, it seemed like I had to configure two separate computers?!


    (I know when I used to rebuild my Windows machines - usually every 6 to 9 months - it took me 12 hours to go from blank HDD to completely customized machine, with all data transferred, Application and Op Sys Preferences exactly like I wanted, etc?!) :eek:

    The last thing I want to do is have to do all of that under a new Admin account, and then have to do it again for my Standard account?!

    I'm not sure where I fall on the continuum, but I consider myself a "Power User".

    I have lots of Development Apps, Customized App Settings, Customized System Settings, and so on that take an enormous amount of time to get "just right".

    So I don't want to install and tweak things as Admin and then have to do it again as Standard if possible.

    -----
    One other thing that I just thought of...

    If I start using File Vault 2, how does having an Admin and a Standard account play into the FDE??



    Ha ha!! :p

    Well, that is exactly why I am giving things such a serious look up front...

    Here I have a "virgin" cMBP still in the box, and I have a chance to "build it up from the ground" and make it as secure (or not) as I choose.

    And, if I invest the time up front, then down the road things should run smoothly (and securely) in the background for a long time!!

    My new cMBP will have *my* Business Data on it, and that is of value at least as great as any of my day client's have on their systems (e.g. Banks, Health Insurance, Gov't, etc.)... :cool:

    So am I taking this very seriously?! Damn right!!!

    Sincerely,


    Debbie
     
    share
    + Quote Reply
  10. Apple fanboy, Jun 11, 2013

    Apple fanboy macrumors Penryn

    Apple fanboy

    Joined:
    Feb 21, 2012
    Location:
    Behind the Lens, UK
    #10
    I use my admin account for my day to day tasks and have no issues. My daughter & wife both have an account with out admin rights, and I really don't want (or apparently need) another.
    I feel safe enough using this set up. I don't worry too much about people wanting to get on my system. Thats what firewalls and passwords are for.
     
    share
    + Quote Reply
  11. chown33, Jun 11, 2013
    Last edited: Jun 11, 2013

    chown33 macrumors 604

    Joined:
    Aug 9, 2009
    Location:
    Sailing beyond the sunset
    #11
    Then don't.

    After the initial admin user is created, do only a tiny amount of customization, such as adding Terminal.app to the Dock. Then use the initial admin user to create a non-admin everyday user account. Immediately log out of the admin user, and go setup all your preferences and whatnot from the everyday user. DO NOT login using the admin user ever again, unless it's absolutely necessary.

    You should be able to use various System Preferences panes that require unlocking simply by entering the name/password of the admin user. Same applies to installing apps. But do all this while logged in as the everyday user, NOT while logged in as the admin user.

    If you are intent on using the everyday account, then make that one pleasant, and leave the admin account unpleasant to use. If you keep the admin user preferences uncustomized and "ugly", you'll be less likely to spend time there, and it will be harder to use because it's intentionally NOT customized. This will tend to keep you in the everyday user account, except when there are admin activities that require multiple actions and repeatedly entering the admin name/password is more hassle than working from a deliberately uncustomized and unpleasant admin account.



    Customized app and system settings (preferences) are usually visible to shell scripting using the 'defaults' command. Some system settings are only visible or settable by the 'scutil' command. Other settings may also have a dedicated utility, such as 'tmutil' for Time Machine settings. Read their man pages.

    Some settings are ONLY settable through the 'defaults' command, such as:
    Code:
      defaults write NSGlobalDomain [U]NSDocumentSaveNewDocumentsToCloud[/U] -bool false
  defaults write com.apple.TimeMachine [U]DoNotOfferNewDisksForBackup[/U] -bool YES
  defaults write -g [U]NSDisableAutomaticTermination[/U] -bool yes
    You can google the underlined name in each of those command lines to learn what it does.

    When I bought a MacBook Pro last fall, I spent some time before the purchase making a written list of settings or preferences I wanted to change, and researching exactly how to establish the setting I wanted. After I got the MBP, I spent some time setting it up, tweaking things, and writing down the changes. Over time, I made additional changes which I also wrote down, so if I had to I could reverse them or reapply them to a clean OS. For the past several months I haven't altered the written list, and only my regular backups are preserving the state of the configured system.
     
    share
    + Quote Reply
  12. doubledee, Jun 11, 2013

    doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #12
    Nice post, chown33!! :apple:


    Before going on, can you please straighten out some confusion that I am having?

    Scenario #1:
    Let's say that I have an "Admin" and a "Standard" account. And let's say that - different from your advice above - I am logged in as "Admin" and I download, install, and customize some apps like MAMP, NetBeans, Audacity, OpenOffice, etc.

    In that scenario, what would happen in my "Standard" account?

    Would the apps and the app customizations just appear in the "Admin" account?

    Would I have both the apps and the customizations in both the "Admin" and "Standard" accounts?

    Or some other combination?


    Scenario #2:

    Now lets say I follow your advice above...

    I create an "Admin" and a "Standard" account, and then log in as "Standard" and try to download, install, and customize some apps like MAMP, NetBeans, Audacity, OpenOffice, etc.

    Mountain Lion would supposedly prompt me to enter my "Admin" credentials but while logged in under the "Standard" account, right?

    So, would I be then able to completely download, install, and customize things while logged in as a "Standard" user?

    Presumably the installs and customizations would appear as expected in the "Standard" account, right?

    But what - if anything - would I see in the "Admin" account?


    Scenario #3:

    Is there any reason why I would want to have the apps and the customizations in *both* the "Admin" and "Standard" account?

    Based on what I hear you saying, I would say "No, because you use your Admin account to administer your MacBook, and you use your Standard account to run your apps and do day-to-day things..."

    Am I close?

    And - in general terms - would there be any apps that I would want to install while logged in as "Admin" and not necessarily have in my "Standard" account?

    For instance, let's say I broke down and bought "Kaspersky Lab US".

    Where would I install that?!


    Or what about my "Personal VPN", WiTopia?? (I fear that is a tricky one?! I would say I need that in *all* User Accounts, because I always need a way to access the Internet in a safe, and encrypted way!) :confused:


    I like your thinking!!


    I'm not really understanding what you mean here. (I have no Linux/Command-Line background...) :eek:

    In practical terms, what I would want to know is this...

    If I take your advice above, and install apps from my "Standard" account while entering my "Admin Credentials", will I be able to customize settings, preferences, and the general environment in apps like:

    - MAMP (webserver)
    - NetBeans (IDE)
    - Audacity (audio recorder/editor)
    - OpenOffice
    - WiTopia (Personal VPN)


    **Those are some of the key apps I use every day!!



    Again, that is a little over my head, but you imply that you have to do it that way via Command Line versus being able to log in as the "Admin" and do it there? :confused:


    Very smart approach!!

    I think I am making progress... Just need some help understanding all of the "details"!! ;)

    Sincerely,


    Debbie
     
    share
    + Quote Reply
  13. simsaladimbamba, Jun 11, 2013

    simsaladimbamba Guest

    simsaladimbamba

    Joined:
    Nov 28, 2010
    Location:
    located
    #13
    Just out of spite, isn't this all a bit too much and probably a bit more cumbersome to maintain?

    While I might not have any secret data to protect on my Mac and rarely use web services besides Dropbox to share files, I am fairly confident, that my data and my Macs running admin accounts is pretty safe and I have hardly anything to do to maintain it except some of those security steps and such.

     
    share
    + Quote Reply
  14. chown33, Jun 11, 2013
    Last edited: Jun 11, 2013

    chown33 macrumors 604

    Joined:
    Aug 9, 2009
    Location:
    Sailing beyond the sunset
    #14
    Many of your questions are answered most simply by this maxim:
    Try it; see what happens.​

    Assuming that you currently have a Mac, running some version of Mac OS X, and your current account is an admin account, then create a Standard user account. Then logout of the admin account, login to the new Standard acct, and try using it to do exactly the things you outlined. That is, download an app like Audacity, try installing it, and see what happens.

    When I install apps, I usually put them somewhere they'll be available to every user. Maybe that's the /Applications folder, or maybe it isn't. Maybe it's a folder I created in the root directory of my startup disk, like /Additions or /Customized or whatever. Because what works for me might or might not be what you like.

    When installing an app like Audacity, take notes of what you do along the way. Did you have to enter an admin name/password? Did you have to install it in a particular place? Observe and annotate.

    Next, test whether the app installed from Standard user is available and runnable when logged in as admin. Also check whether it's available and runnable when logged in as a Different standard user.

    I'm suggesting "Try it; see what happens" not because I can't tell you the answers, but because most people learn better by actually doing something, rather than by having someone tell them. If you make backups before doing anything, or you actually make a bootable backup and experiment on the backup, then you can always get back to a safe starting point.

    Personally, I always prefer doing experiments on a bootable backup, which I'm actually booted from. The original stays where it is, and if things go wrong, all I have to do is change the Startup Disk, restart, and erase the Horrible Thing Gone Wrong disk before starting over.


    I don't know what you mean when you say you "customize" some apps.

    Do you modify the actual app bundle? Or do you mean you add plugins or some other components? Or do you mean you simply set some user preferences using the Preferences menu item in each app?
     
    share
    + Quote Reply
  15. doubledee, Jun 11, 2013

    doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #15
    That is what I am trying to figure out...

    On my current MacBook - which will be replaced shortly - I only have one account and it is an Admin account.

    And the thought occurred to me that *maybe* that isn't so smart. (In the Windows world that would be considered stupid!)




    Could be.

    But better to be safe than sorry!

    Sincerely,


    Debbie

    ----------
    I guess.


    I will be installing a new Seagate HDD.

    Is it correct that I can "clone" my Factory HDD - using Time Machine - onto the new HDD and then play around with the new HDD installed in my new cMBP?


    Could I also do this from a Bootable USB Drive?


    I just meant customizing Application Preferences, whether that is the audio settings in Audacity, or where I store templates in OpenOffice or how WiTopia is configured to connect to the Internet, or any Add-Ons or things like Bookmarks in FireFox.

    So, no, I'm not doing any "application builds" like you may have thought.

    Sincerely,


    Debbie
     
    share
    + Quote Reply
  16. chown33, Jun 11, 2013

    chown33 macrumors 604

    Joined:
    Aug 9, 2009
    Location:
    Sailing beyond the sunset
    #16
    Time Machine does not make clones. It makes backups.

    You can startup from the Recovery HD partition to restore a Time Machine backup, but there is no cloning involved.

    Specific instructions on cloning an HD can be found in your thread here:
    http://forums.macrumors.com/showthread.php?t=1588887

    Please reread the information given there, especially regarding what tools to use to make clones (Carbon Copy Cloner or SuperDuper).


    See this post, from your "Questions about Bootable Clones":
    http://forums.macrumors.com/showpost.php?p=17333070&postcount=6

    There is additional information in posts after #6 in that thread, so I recommend rereading the entire thread.


    Those settings are stored as preferences, not a customized application. If a different user account runs the same application, then that user has their own preferences. There is no overlap, and the application itself is not customized (altered) when one user sets some preferences.

    Again, I suggest a "Try it; see what happens" approach. Create a standard user account, login with that account, and change some preferences for an app you already know well. Then go back to your original account and observe that no preferences for the app running in that account have changed.
     
    share
    + Quote Reply
(You must log in or sign up to post here.)

Share This Page