Creating User Accounts from the Command Line

Note: this procedure does not work in Mac OS X 10.5, Leopard. I’ll be updating this article soon to reflect the new procedure.
While the Accounts pane in System Preferences lets you easily create user accounts in Mac OS X, you may at times need to do so from the command line. This takes several steps, but in Panther it is relatively easy to do. Read on to find out more about doing this with Terminal.
This article is adapted from my book The Mac OS X Command Line: Unix Under the Hood.
Creating user accounts from the command line uses the niload (NetInfo load) command together with a few other commands to create the new user’s account and all necessary settings. Here is how to do it, creating a new user named Henry James, with a short name of henry.
(In this article, the commands you type are in bold code font. The output from the commands is in code font but not in bold.)
First, you need to run a command to populate the NetInfo database with the appropriate information for a user account. The following command uses the niload command to load information directly into NetInfo. It uses the format of a standard passwd file, which is that of a series of fields separated by colons (this command must all be on one line):
echo 'henry::512:512::0:0:Henry James:/Users/henry:/bin/bash' | sudo niload -v passwd /
The shell asks for your password, since the second part of the command contains the sudo command, then displays information regarding the additions it has made to the NetInfo database:
1 items read from input
Netinfo /users contains 22 items
Processing input item:
_writers_passwd: henry
change: 0
class:
expire: 0
gid: 512
home: /Users/henry
name: test3
passwd:
realname: Henry James
shell: /bin/bash
uid: 512
writing new directory /users/henry
Let’s look at the different information you need to enter in the command shown in the example. Each “field” is a bit of text separated by colons. The command contains ten fields:
henry::512:512::0:0:Henry James:/Users/henry:/bin/bash
These fields correspond to the following template:
1:2:3:4:5:6:7:8:9:10
- Field 1: The user’s short name (in this case, henry).
- Field 2: The user’s password; we’ll set this later with another command.
- Field 3: The user ID number.
- Field 4: The group ID number. For Panther, this is the same as the user ID number.
- Field 5: A comment field; you don’t need to enter anything here.
- Field 6: The user’s class; not used by NetInfo.
- Field 7: The user’s password change time; not used by NetInfo.
- Field 8: The user’s full name.
- Field 9: The user’s home directory path.
- Field 10: The user’s default shell.
In field 3 above, you need to find a user ID to give to your new user. Run this command to find out which user IDs are used: nireport . /users name uid, and choose an ID above 500.
You can use this same procedure to create multiple users with similarly formatted data in a single text file. Instead of running the first echo command shown above, run the command that follows, which feeds the file to niload on standard input. The file should contain user information in the same 10 fields as shown above, and should contain one user per line. You can import as many users as you want from a single file.
sudo niload -v passwd / < file.txt
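Before loading a multi-user file, it is worth checking every record against the rules given above: 10 fields, a UID above 500, a GID equal to the UID, and no UID that is already in use. The following is an added example, not code from the original article or the book; the function name check_niload_batch, the short-name pattern, the assumed layout of the saved nireport output, and the sample records are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a niload passwd-format batch file before importing it.
# Usage: check_niload_batch FILE [USED_UIDS]
#   USED_UIDS (optional) is saved output of: nireport . /users name uid
# Prints one finding per line and returns 1 if any record breaks a rule.
check_niload_batch() {
    awk -F: -v used="${2:-}" '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errors++ }
    BEGIN {
        # Assumption: each nireport line is "shortname<whitespace>uid".
        if (used != "")
            while ((getline line < used) > 0) {
                n = split(line, col, /[ \t]+/)
                if (n >= 2) taken[col[n]] = col[1]
            }
    }
    /^[ \t]*$/ { next }                            # skip blank lines
    NF != 10   { bad("expected 10 fields, found " NF); next }
    {
        name = $1; uid = $3; gid = $4
        # Assumption: short names are simple lowercase identifiers.
        if (name !~ /^[a-z_][a-z0-9_-]*$/) bad("short name \"" name "\" is not a simple lowercase name")
        if (uid !~ /^[0-9]+$/)             bad("UID \"" uid "\" is not numeric")
        else if (uid + 0 <= 500)           bad("UID " uid " is not above 500")
        if (gid != uid)                    bad("GID " gid " differs from UID " uid)
        if (uid in taken)                  bad("UID " uid " already used by " taken[uid])
        if (name in seen)                  bad("short name " name " appears twice")
        if ($9 !~ /^\// || $10 !~ /^\//)   bad("home and shell must be absolute paths")
        if ($2 == "") pending = pending " " name   # empty field 2: no password yet
        taken[uid] = name; seen[name] = 1
    }
    END {
        if (pending != "") print "run passwd for:" pending
        exit (errors > 0)
    }' "$1"
}

# Constructed sample batch (not from the article): the second record reuses UID 512.
sample=$(mktemp)
cat > "$sample" <<'EOF'
henry::512:512::0:0:Henry James:/Users/henry:/bin/bash
edith::512:512::0:0:Edith Wharton:/Users/edith:/bin/bash
EOF
check_niload_batch "$sample" || echo "fix the batch before running niload"
rm -f "$sample"
```

The final "run passwd for:" line lists every imported account whose password field is empty, so none is left without a password after a bulk import.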
After you’ve run the command to create the new user, you need to set the user’s password. Run this command, then enter the password twice when prompted:
sudo passwd henry
Changing password for henry.
New password:
Retype new password:
Finally, you need to create a group for the user; Panther uses individual groups for each user, which have the same GID as the user’s UID:
echo 'henry:*:512:henry' | sudo niload -v group /
This command creates the group named henry, gives it the GID of 512, and adds the user henry to the group, all in one step.
Optionally, you may want to make the user a member of the admin group so they have administrative access. Run this command to add the user to the admin group:
sudo niutil -appendprop / /groups/admin users henry
If you do this, your new user is an administrator and has all administrative rights. You can always change this later in the Accounts preference pane.
Note that after you have created the new account, the new user does not yet have a home directory. All you need to do is log in under the user’s account, and the system creates the actual home directory at first login. This directory is created from a directory template found in /System/Library/User Template.
See man niload for more on using this command.


Is it possible to use group IDs the way they are used on ‘normal’ UNIX systems? You say above that Mac OS X uses the same GID as UID, is this just default or required? What would happen if one were to assign different GID’s?
ThanX!
—
==>> This Space For Rent
Probably nothing would happen – at least nothing would go wrong.
Remember, OS X is FreeBSD. I’d assume that anything that works with
FreeBSD would work with OS X.
Is it possible to do this with a shell script that runs post Net-Restore off a
server? I wish to create an account based upon the "computerName" variable
that is set in the "set-names.sh" script that runs post-restore.
Kirk:
Thanks so much for your site! I’ve never liked using a gui to do unix when the command line is so much faster. Wondering if it’s possible to delete user accounts in OS X via command line?
Sure – deleting is always easier. :-)
To delete a user account named emerson:
Then remove their home directory, if you want:
The usual caveats apply to removing the home directory: make sure you really
want to do it since there’s no way to get it back.
I create this user in single user mode fine on my PowerBook G4, but when I restart it is not there to log into? Is there anything I have to do to save it or something?
When you say "not there to log in to", what do you mean? Do you mean that it
doesn’t show up in the login window? Or that you try to log in in single user
mode?
After creating a user in single user mode, I can log in to that user in single user mode, but after a reboot the account is not on the login screen that would usually list the accounts that there are; the screen is just blank. I also cannot log in to the account again in single user mode, which leads me to believe that the account is being deleted auto. Any help?
I am hoping to create a script to make new users from an internal web page
using PHP. Your script makes it painfully easy to create the actual user, but
try as I might, I can’t seem to figure out if there is any way to give the user a
password without resorting to "password user", which denies most of the
savings from automation.
I’ve tried the simple idea of just adding a password to the area you
mentioned, I’ve tried combinations of nicl and niutil, etc, but, the password is
never created – at least not properly. If I log out, the new user shows up at
the login screen, but the passwords I’ve chosen never seem to work, with the
exception of no password.
It might not be possible. That strikes me as odd, but I would accept it.
I am ordering your book in another window, so if the answer lies within I
guess I’ll know soon enough :-)
Nate
I’ve found your command line account creation article invaluable. I was just wondering if there was any way to set the password as the user asked, other than using the command line passwd command?
You could leave blank passwords and allow users to set their passwords later.
Other than that, I don’t see any way to do it, other than to whip up something in
PHP (for a web site).
On my system (10.3.9), the command "nireport . /users name UID" will list an overview of all users, yet does not tell the user ID. For every user listed, the command reports "no value".
Everything else worked, and I’ve found the article very useful in showing how to assign specific user IDs when creating user accounts, something the GUI does not provide for. I’d guess that more than 95 percent of OS-X installations out there have a user "501" — not really my idea of the widely lauded user account separation and protection in OS-X. Assigning user accounts some higher numbered user IDs than OS-X defaults to has just enabled me to add yet another layer of security. Thank you, Kirk, for making this available as a free read!
PS: While *creating* user accounts with specific IDs is just as straightforward as described above, *changing* IDs is a totally different animal. Some part of the OS-X GUI seems to allow for that, but does only half of the job; and even on the command line, trying to change UIDs can yield very messy system states.
Have yet to try it but am first interested to know if it’ll work in Tiger. I need to
add a user account to many computers using the Send Unix Command in
Remote Desktop. Very cool article.
Have you been able to successfully add users via ARD with UNIX shell scripts?
Please share as I am very interested!
Thanks.
I tried this on Tiger and it worked – but only if "uid" appeared in lower case. So
"nireport . /users name uid" worked but "nireport . /users name UID" didn’t.
As mentioned in the text…
Most Unix commands are case-sensitive.
Awesome article. Thanks! Running into one minor problem with this in Tiger. User creation goes just fine, but when they login, their directory isn’t created automatically as described, and they just get a
Could not chdir to home directory /Users/212346: No such file or directory
message. Any ideas?
Ah…I wonder if by login, you meant via the GUI? These users will only be logging in by SSH. Just to clarify… Thanks!
Yeah, they’ll need to log in via the GUI at least once to create the home
directory.
found this on Top Ten Mac OS X Tips for Unix Geeks
for creating home directory.
Thank you
Created the following shell script for the user creation process…
Thanks for the lead!
I think you have the command line wrong for taking input from a file.
Instead of sudo niload -v file.txt /
I think you meant sudo niload -v passwd / <file.txt
Hi Kirk
Thanks for all the help. I’m curious though, what is the relationship between the
asterisk format in the password field and the command. In other words, I’ve
seen one asterisk used when creating a new user or group, but sometimes none
(still seems to work). When I use nidump passwd, Tiger shows some accounts
with no asterisk, some with one, and some with 8. I can’t seem to find any
information on the differences.
Thanks in advance
Rik
I have an orange mac shell.
And I’ve started with the first step you gave and it just won’t work.
I have no idea of what else I can do.
please help?
thanks
Have you updated for OS/x 10.5 yet? My admin account was deleted and I have no startup disks with me. I need to create an admin account so I can update my programs… Help!
No, sorry.