Managing Mac admin user accounts with CreateUserPkg

A lot of Mac admins are ditching "the golden image" (or "monolithic image") for more thin-imaging + scripting, managing accounts with scripts and packages. Frankly, though, even if you aren't using AutoDMG (here at SI, we use a combination of "silver image" or "bronze image" that gets subsequently updated with Munki), you may still want to manage accounts through scripts and packages.

A helpful tool for creating and updating user accounts is CreateUserPkg. If you download the latest .dmg (not .zip of the GitHub source code), it has an .app that's basically a one-window wizard to create a user account. Most of it is straightforward.

Some things to keep in mind, though:

  1. If you want to create multiple user accounts, close out CreateUserPkg and re-launch it for the subsequent user accounts. Otherwise, the same UUID will be assigned to each user. Alternatively, if you're too lazy to re-launch the app and yet still have enough energy to launch up a Terminal.app instance, then you can use the /usr/bin/uuidgen command to generate new UUIDs and then paste them in.
  2. By default, CreateUserPkg will make the User ID 499. If you want to use the Hide500Users option (scroll to the bottom of the link page) to hide users with User IDs under 500, that may be handy (and then you can also use 498, 497, etc.). Just keep in mind that if you're using a Guest account, that (by default) also has a User ID under 500, so that also would be hidden if you choose to hide accounts that way instead of using the IsHidden option (same page but at the top).
  3. If you want to check if User ID already exist before creating them, you may want to run something like dscl . -list /Users UniqueID | grep -e '499' -e '498' to check first.
  4. If you want to update a password, create a new .pkg with CreateUserPkg, but make sure the User ID remains the same.
  5. If you want to deploy this with Munki on computers that had accounts set up not with CreateUserPkg, you may want to use this preinstall_script with your Munki item.
  6. CreateUserPkg comes with a warning about encryption (it uses a SHA1 hash, which later gets "converted to PBKDF2 upon first login"), so you may want to make sure those .pkg files you create a safely guarded when not being deployed.

Leave a Reply

Your email address will not be published. Required fields are marked *