As you learned in Chapter 1, Mac OS X is truly a multiuser operating system. This offers many benefits to you, but it also means that when you use the OS, you have to log in as a particular user. When you do so, what you can see and do depends on the settings for the account that you use to log on to the system.
When you first start up Mac OS X after installing it, it uses the automatic login mode because there is only one user account created for it. This means that you are logged into the Administrator account automatically and so you might not even realize that you have logged in. After your Mac starts up, the desktop appears as it has under previous versions of the OS. However, the machine has gone through the login process; it just entered all the required information for you automatically.
Each user account can have its own set of preferences and system resources that are tailored to that user. Many preferences are stored individually for each user account and so that aspect of the OS will be unique to each user. A simple example is the desktop picture, which can be different for each user account. Other customizable aspects of the desktop, such as the Dock, are also specific to user accounts. And, many applications also store preferences specific to each user account.
To disable automatic login without creating additional user accounts, open the System Preferences utility, select the Accounts icon, and uncheck the "Log in automatically as" check box.
User accounts also provide system security and they control what parts of the machine a particular user can access.
One of the most important aspects of a user account is its Home directory.
Under Mac OS X, the terms directory and folder are basically synonymous. Typically, non-GUI operating systems use the term directory while GUI operating systems use the term folder. Because Mac OS X has Unix as its foundation and the term directory is used under Unix, I tend to use directory under Mac OS X as well. The reason for this is that you can access the Unix command line; when you access your Mac's files using the command line, the concept of folder doesn't really apply (because there is no graphical element to the user interface). Practically speaking, however, the terms are equivalent and are interchangeable.
Each user account on your Mac has a Home directory. This directory contains folders that are used to store private files, public files, and system resources (such as preferences and Keychains) for that user account. With two exceptions (the Public and Sites folders), only someone logged in under a user account can access the folders in that user account's Home directory.
The exception to the general rule about accessing the folders in another user's Home directory is the root account. The root user account can access everything on your Mac and is outside the normal security provided by user accounts. You should use the root account only in special situations, and you really need to understand it before you use it.
To learn about the root account, see "Logging In As Root," p. 206.
To learn more about Mac OS X directories, see "Understanding Mac OS X Directories," p. 80.
A user's Home directory contains the folders shown in Figure 2.1.
Most of these folders are easy to understand. For example, the Documents folder is the default location in which the user will store documents he creates. The Desktop folder contains items that are stored on that user's desktop (which means that each user account can have a unique desktop), and so on.
You can quickly tell which user account is active by looking at the Home directory icon. It looks like a house for the current user's Home directory; the other Home directory icons are plain folders.
Only someone logged in as the user can access the contents of these folders, except for the Public and Sites folders that can be accessed by anyone using your Mac. Locked folders have an icon that includes a red circle with a minus sign (see Figure 2.2); this means that the folder is locked and that you can't open it to view its contents. If another user attempts to open one of these protected folders, it will appear to be empty and any files it contains will be invisible (and thus they can't be opened). Unlocked folders in another user's directory have the plain folder icon, which means their contents are accessible. Unlocked folders in the current user's Home directory have the decorative Mac OS X icons (see Figure 2.1).
The Public folder is accessible by users logged in under any account. Its purpose is to enable users to share documents and other resources. The items to be shared can be stored in this folder and other users can open the folder to get to them. The Public folder also contains a Drop Box folder. This folder can be seen by other users and they can place files in it, but it can't be opened by anyone except the owner of the user account under which that drop box is stored.
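On the Unix side, the access rules described above are expressed as permission bits on each folder in a Home directory. The following Python script is an added example, not from the book: it audits a Home directory against those rules, assuming that "other users" corresponds to the Unix group and other permission bits, and it runs on a constructed sample directory that uses the hypothetical short name jsmith.

```python
import os
import stat
import tempfile

SHARED = {"Public", "Sites"}              # folders the chapter says anyone can open
DROP_BOX = os.path.join("Public", "Drop Box")


def classify(rel_path):
    """Return the access class the chapter assigns to a Home subfolder."""
    if rel_path == DROP_BOX:
        return "dropbox"
    if rel_path in SHARED:
        return "shared"
    return "private"                      # every other folder is owner-only


def check_mode(kind, mode):
    """Return the problems found for a folder of the given class and mode.

    Assumption: private folders must grant nothing to group or other;
    shared folders and the drop box are judged on the "other" bits.
    """
    problems = []
    other = mode & 0o007
    if kind == "private":
        if mode & 0o077:
            problems.append("other accounts have access to a private folder")
    elif kind == "shared":
        if (other & 0o005) != 0o005:
            problems.append("other accounts cannot open a shared folder")
        if other & 0o002:
            problems.append("other accounts can modify a shared folder")
    elif kind == "dropbox":
        if (other & 0o003) != 0o003:
            problems.append("other accounts cannot deposit files")
        if other & 0o004:
            problems.append("other accounts can list the drop box")
    return problems


def audit_home(home):
    """Check each top-level folder of a Home directory, plus the Drop Box."""
    findings = []
    for rel in sorted(os.listdir(home)) + [DROP_BOX]:
        try:
            st = os.lstat(os.path.join(home, rel))   # lstat: do not follow links
        except FileNotFoundError:
            continue
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        for problem in check_mode(classify(rel), mode):
            findings.append((rel, format(mode, "03o"), problem))
    return findings


def build_sample_home(root):
    """Create a constructed Home directory with two deliberate deviations."""
    layout = {
        "Desktop": 0o700,
        "Documents": 0o755,               # deviation: private folder left open
        "Library": 0o700,
        "Public": 0o755,
        "Sites": 0o755,
        DROP_BOX: 0o777,                  # deviation: drop box can be listed
    }
    home = os.path.join(root, "jsmith")   # hypothetical short name
    os.mkdir(home)
    for rel, mode in layout.items():
        path = os.path.join(home, rel)
        os.mkdir(path)
        os.chmod(path, mode)              # chmod explicitly; mkdir honours umask
    return home


def demo():
    """Audit the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        return audit_home(build_sample_home(root))


if __name__ == "__main__":
    for rel, mode, problem in demo():
        print(f"{rel} ({mode}): {problem}")
```

To audit a real account, call audit_home with the path to that account's Home directory from an Administrator account.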
The Sites folder contains files for that user's Web site.
To learn how to create and serve a Web site from the Sites folder, see "Using Mac OS X to Serve Web Pages," p. 389.
The Library folder is the only one in the Home directory that is not intended for document storage. It contains items related to the configuration of the user account, and all the system-related files for that user account are stored in the Library directory as well. For example, user preferences are stored here as are font collections, addresses, keychains, and so on. Basically, any file that affects how the system works or looks that is specific to a user account is stored in the Library directory. You will be learning more about the Library folder elsewhere in this book.
When you installed Mac OS X, you created the first user account. The account that you created was actually an Administrator account. Administrator accounts are special because they provide wide access to the system and are one of only two accounts that can control virtually every aspect of Mac OS X (the other being the root account). A user who logs in as an Administrator for your Mac can do the following:
Create other user accounts. An Administrator for your Mac can create additional user accounts. By default, these user accounts have more limited access to the Mac than does an Administrator account, but you can allow other accounts to administer the Mac as well (in effect creating multiple Administrator accounts).
Change global system preferences. The Administrator can change global system settings for your Mac; other user accounts can't. For example, to change the network settings on your Mac, you must be logged in as the Administrator (or you must authenticate yourself as an Administrator).
Configure access to files and folders. An Administrator can configure the security settings of files and folders to determine who can access those items and what type of access is permitted.
Install applications. Applications that you install under Mac OS X require that you be logged in as an Administrator or that you authenticate yourself as one.
When you attempt to perform an action, such as those listed in the previous list, that requires an Administrator, you will see an Authentication dialog box. To authenticate yourself, you enter a valid Administrator account username and password and click OK (if you are currently logged in as an Administrator, the username will be filled in automatically). This enables you to perform that action.
When you need to be authenticated, you will see the Lock icon. When the Lock is "open," you are authenticated. When the Lock is "closed," you can click it to open the Authentication dialog box.
You should control who has access to the Administrator accounts for your machine. If someone who doesn't understand Mac OS X (or who wants to cause you trouble) logs on with your Administrator account, you might be in for all kinds of problems. You also need to make sure either that you can remember the username and password for an Administrator account that you set up or that you write them down. If you forget this vital information, you could have trouble later.
Administrator accounts are a fundamentally different concept for many Mac users. Traditionally, all areas of the operating system (such as control panels) were easily accessed by anyone who used the Mac. Unless you have used the Multiple Users feature of Mac OS 9, this is likely to be your experience. Although you can use the automatic login mode so that you don't have to log in to your Mac, the fact remains that Mac OS X is a multiuser system. To get the most out of it, you need to get comfortable with user accounts because whether you have to log in or not, you will always be using user accounts under Mac OS X (unlike under previous versions of the OS in which user accounts were optional).
If you share your Mac with other people, you should create a user account for each person who will be using your machine. In addition to protecting your Mac from tampering, user accounts also provide specific folders for the other users in which they can store information (such as application preferences) and documents and other files that are specific to them.
You can also customize the environment of each user account in several ways; for example, you can have a different set of applications start up for each user account and each user can have her own Dock and desktop configuration.
Rather than creating a single user account for each person, you can create a user account that several people share. This can be useful if there are people who use your Mac, but who don't necessarily need private directories. For example, if you share your Mac with children, you might want to create a single user account for them to use.
You use the System Preferences utility to create additional user accounts for your Mac.
The System Preferences utility is somewhat analogous to the control panels in previous versions of the Mac OS. It enables you to make changes to various system settings. You will be using it throughout this book.
Open the System Preferences utility by clicking its icon on the Dock or by choosing Apple menu, System Preferences. The System Preferences utility window has two panes; the upper pane is the toolbar on which you can store icons that you access frequently. In the lower pane, you see the areas of the OS for which you can set system preferences (those being Personal, Hardware, Internet & Network, and System). Within each section are the icons for each area of the OS that you can configure. When you click an icon, the lower pane is replaced by the controls for the area to which the icon is related.
Click the Accounts icon in the System area to open the Accounts pane of the System Preferences utility (see Figure 2.3). The Account tools will appear in the lower pane of the window.
Click the New User button to open the New User sheet (see Figure 2.4).
Many Mac OS X dialog boxes feature sheets. Sheets are dialog boxes that drop down from the top of the window you are working with. Sheets, unlike dialog boxes, are attached to the window and move with it, such as when you minimize a window.
Only an Administrator can create new user accounts. If you aren't logged in as an Administrator for your Mac, you have to authenticate yourself as being an Administrator before you can create an account. To do so, click the Lock icon located in the lower-left corner of the window, enter the username and password for an Administrator account, and click OK. This will identify you as an Administrator temporarily so that you can make your changes.
Enter the Name for the user account. Name is the "full" name for the user account; it doesn't have to be a real full name; this is one name that the user can use to log on to this user account. The Name can be pretty much whatever you want it to be.
Press Tab to move to the Short Name box. The short name is a name used for specific areas under that user account (such as the name of the user's Home directory) and for access to services provided under that account (such as the account's FTP site). The Short Name is limited to eight characters or fewer. The Short Name can be used instead of the Name to cut down on the number of characters that you have to type in specific situations, such as when you log in to the account (in which case the Short Name and Name are interchangeable). However, the Home directory is always identified by the short name only.
Mac OS X automatically creates a short name for the account. You can choose to use this one or you can change it to be something else.
The short name is used in several places, such as in the Web site address for the user account. Because of this, you should choose a meaningful short name, preferably some variation of the account Name.
Edit the short name as needed, such as by replacing it if you don't like the one that Mac OS X created for you automatically.
The short name must be eight characters or fewer and can't contain any spaces, dashes, or other special characters (Mac OS X won't let you enter any characters that are unacceptable). Underscores are acceptable. You should adopt a general rule about the short name for an account, such as using the first initial of the first name and as much of the last name as will "fit" in the allotted number of characters. Keeping the short name consistent will help you deal with other user accounts more easily.
After it's created, you can't change the short name for a user account, so be deliberate when you create it.
You can use a user account for any purpose you desire. For example, because each user account has its own Web site, you might want to create a user account simply to create another Web site on your machine. For instance, you might create a user called "Group Site" to serve a Web page to a workgroup of which you are a member.
Enter the Password for the user account. A password is what you expect: the password that must be used to access the user account. The password must be at least four characters long. For better security, use a password that is eight characters long and contains both letters and numbers (this makes the password harder to "crack"). Passwords are case sensitive; for example, mypassword is not the same as MyPassword.
If you leave the Password field empty, a password will not be required in order to log on to the account. When you choose to do this, you will see a warning dialog box when you attempt to save the account. If you ignore this warning, the account will be created. When the user logs into the account, he can select it and log in without entering a password. Obviously, this is not a secure thing to do, but it can be useful nonetheless. For example, you might choose to create an account for children whom you don't want to have to use a password. When you create such "unprotected" accounts, you should use the Capabilities tools to limit access to your Mac, such as by using the Simple Finder option. (Under version 10.2, you can remove a password from an existing account even though the system tells you this can't be done. Just remove the password, save the account changes, click Ignore in the warning dialog box, and then click OK in the dialog box that tells you this change won't be accepted. It is actually accepted and the account will no longer require a password.)
To learn how to configure an account's capabilities, see "Configuring User Accounts," p. 26.
Press Tab and retype the password in the Verify box.
Press Tab and enter a hint to remind the user what the password is. This reminder is optional; if a user fails to log in successfully after three attempts, this hint can appear to help her remember her password.
Choose a login picture for the account. The login picture appears in the login dialog box; you can click the picture to choose an account to log in to. To choose a picture, you can select one from those shown at the bottom of the sheet (use the scroll tool to see all available images), click the Choose Another button and select an image, or drag an image from the Finder onto the Login Picture well. The image you select will replace the default image shown in the dialog box.
The image you use as the login picture can be a jpeg or tiff. However, you can't use a gif as a login picture.
The default login pictures (those shown on the scrolling list) are stored in the directory Mac OS X/Library/User Pictures, where Mac OS X is the name of your Mac OS X startup volume. You can install additional images in this directory to make them available on the Accounts pane of the System Preferences utility.
If you want this account to be an Administrator account, check the "Allow user to administer this computer" check box.
It is good practice to have only one Administrator account for a machine. You can give the account information for this account to more than one person if you need to. Or, you might want to create one "master" Administrator account and a secondary Administrator account. You can keep the "master" account's information to yourself and give the information for the secondary account to other users. Then, you can disable the secondary account without affecting your primary Administrator account.
If you want Windows users to be able to log in to this machine, check the "Allow user to log in from Windows" check box. This is useful when your Mac is on a mixed network (one that includes Macs, Windows machines, or computers running other operating systems) and you want Windows users to be able to share files that are stored on your Mac.
The 10.2 release of Mac OS X added excellent Windows networking support to the system. You can interact with Windows networks and machines, and those using Windows machines can interact with your Mac.
Click Save to create the account (or press Return).
If you have not turned off the Automatic Login mode, you will see a dialog box asking whether you want that mode to be turned off. The account that is logged in automatically is also shown in this dialog box. (If you have disabled the Automatic Login mode already, you won't see this dialog box.)
Click Turn Off Automatic Login to disable automatic login; this is the default option. You will probably want it off because you have at least two user accounts. Click Keep Automatic Login if you want to leave that mode active. You will see the new user account in the Users pane of the System Preferences utility.
Repeat the previous steps to create other user accounts that you need.
Quit System Preferences.
Under Mac OS X, the default button in a dialog box is indicated by the pulsing (also called throbbing) action. As under previous versions of the Mac OS, you can activate the default button by pressing the Return or Enter key (as with the OK button in the authentication dialog box).
After you have created a user account, you can configure the actions that a user logged in under that account can perform. You do this through the Permissions sheet for that user account.
Open the System Preferences utility and click the Accounts icon to open the Accounts pane.
Select the user account that you want to configure on the list of accounts, and click the Capabilities button. The Capabilities sheet will appear (see Figure 2.5).
The Capabilities button is disabled for an Administrator account because that account can perform all possible actions by default.
Check the "Use Simple Finder" check box if you want the Simple Finder to be used when this account is logged in.
As you might expect from its name, the Simple Finder provides a less complex interface for a user and greatly restricts what that user can do. When a user is logged in with the Simple Finder, the Dock contains only five icons: Finder, My Applications, Documents, Shared, and Trash. These are the only areas that the user can access. For example, under the Simple Finder, a user can store documents only in their Documents folder and can't open other folders. The only Finder commands that the user can access are Sleep, Log Out, About Finder, the Hide/Show Finder commands, and Close Window. The Simple Finder makes your machine more secure because it limits the actions of a user so severely. Using the Simple Finder can be a good choice if the user for whom you are creating an account has minimal computer skills, such as for very young children or someone who is totally new to the Mac.
Use the "This user can" check boxes to configure the following aspects of the user's access:
Remove items from the Dock. When this box is checked, the user will be able to remove items from the Dock. When it isn't checked, the user won't be able to remove items from the Dock; however, the user can still add items to the Dock.
Open all System Preferences. With this box checked, the user will be able to open all the system preference panes. However, some preferences are global and can be changed only by an Administrator. In this case, the user would be able to see the preference, but not be able to change it (unless the user can authenticate himself). If this check box is unchecked, the user can see all the icons in the System Preferences utility, but can open only those that the account can use, such as the Personal panes, including Desktop, Dock, and so on.
Change password. This option enables a user to change her own password by using the My Account pane.
Burn CDs or DVDs. This option controls the Finder's built-in burning feature. With this box checked, users will be able to burn discs. With it unchecked, they won't be able to do so.
To limit the user to specific applications, check the "Use only these applications" check box. When you do so, the application selection tools in the lower part of the sheet will become active. This window will show all the applications installed on your Mac; the applications will be organized by the folder in which they are installed. For example, the Applications folder is the default location for all applications installed under Mac OS X.
Check the "Allow" check box for the folder containing applications that you want to make available to the user. If the "Allow" check box is not checked, the user will not be able to access any applications in this location.
For a location that you have allowed, click the expand triangle to reveal all the applications within that folder.
Uncheck the check box for those applications that you don't want the user to be able to access (see Figure 2.6).
Continue unselecting applications until you have limited the user to the set of applications you desire.
Click OK. The capabilities you selected will be set for that user account.
Quit the System Preferences utility.
Following are a few more points about setting a user account's capabilities:
Some settings are dependent on others. For example, if you uncheck the "Open all System Preferences" check box, the "Change password" check box will become disabled. This is because if the user can't access the System Preferences utility, she won't be able to access the My Account pane that contains the tools needed to be able to change the password. Similarly, if you choose the Simple Finder option, all the others are configured automatically. The other check boxes are disabled, but you can use the application selection tools to choose the applications the user will be able to work with.
You can use the Check All or Uncheck All buttons to select or deselect all applications at the same time.
The Locate button enables you to choose applications that don't appear on the list of applications by default. When you click this button, an Open dialog box will appear. You can use this dialog box to move to and select an application.
The last entry on the list of application folders is Others. If your machine can access applications that aren't stored in one of the standard Mac OS X application folders, they will appear under the Others category.
After you create a new user account, you should test it by logging in under that account to make sure it works.
Choose Apple menu, Log Out (or press Shift+Command+Q).
When the logout confirmation dialog box appears, press Return (or click the Log Out button). You will return to the Mac OS X login window. At the top of the Login window, you see the computer name. In the center part of the window, you see the login picture and name of each user account on the machine. If there are several user accounts, this will be a scrolling pane. At the bottom of the window, you will see the Restart and Shut Down buttons.
Under version 10.2, the system will automatically log you out two minutes after you choose the Log Out command, even if you don't click the Log Out button.
Click the User account under which you want to log in. The dialog box will contract and you will see the selected user account and an empty Password box.
If the user account does not have a password, you will be logged in as soon as you select that account's icon.
You can return to the full login window by clicking the Back button.
Enter the password for the user account and click Log In (or press Return or Enter).
If the user account information is not valid, the login dialog box will "shudder" to indicate that the information that you entered is invalid (remember that this information is case sensitive). After three unsuccessful attempts, the password hint will appear if you have enabled this option (password hints are covered later in this chapter).
Several aspects of the Login dialog box are configurable in the Accounts pane of the System Preferences utility. You will learn how to do this later in this chapter.
When you enter correct information for the user account, the login process will be completed, and you will see the desktop for that user account (which might look quite different from the Administrator's desktop).
After you have logged into the new account, you can make any changes to the configuration of the user account that you want; for example, create a startup configuration by adding items to the Login Items pane or customize the Dock.
To learn about login items, see "Setting Up Startup Processes," p. 37.
To learn about customizing the Dock, see Chapter 5, "Using and Customizing the Dock," p. 105.
From the desktop, press Shift+Command+Q and then press Return to log out of the account.
If you are unable to log in to a user account that you have created, see "I Can't Log In on a User Account" in the Troubleshooting section at the end of this chapter.
Provide the names and passwords for the user accounts that you created to the people who need them. You should explain the limitations of the accounts to the users as well.
You can make changes to an existing user account. To do so, use the following steps:
Open the Accounts pane of the System Preferences utility and click the Users tab if it isn't selected already.
Select the user account that you want to edit and click the Edit User
In the sheet that appears for that user account, make changes to the user's information (such as changing the login picture or password).
Because it is used as the Home directory name for the account as well as for other items (such as in the Web site address for the user account), you can't make any changes to the short name. Once created, the short name can never be changed.
Use the check boxes at the bottom of the sheet to choose administration settings or to allow Windows users to log in to this account.
Click OK to save the changes to the account.
Test the account to make sure it works with the changes you have made.
You can make changes to the account currently logged in through the My Account pane (covered later in this section).
If you are unable to use the buttons in the Accounts pane of the System Preferences utility, see "The Buttons in the Accounts Pane Are Inactive" in the Troubleshooting section at the end of this chapter.
After you have entered a password, you won't be able to see it, even when you edit the user account. The only way to recover from someone forgetting their password is to reset it to a new one by editing the user account.
The My Account pane of the System Preferences utility enables the currently logged in user to make changes to the corresponding user account.
Open the System Preferences utility and click the My Account icon. The My Account pane will appear (see Figure 2.7).
To change the account's password, click the Change button. The Password sheet will appear.
Enter the account's current password to verify it.
Enter the new password in the New Password and Verify fields.
Enter a hint in the Password Hint field if desired.
Choose a login picture for the account. You can select one from those shown at the bottom of the pane (use the scroll tool to see all available images), click the Choose Another button and select an image, or drag an image from the Finder onto the My Picture well. The image you select will replace the image shown currently in the dialog box.
To change the account's entry in the Address Book application, click Edit. The Address Book application will open and you will be able to change the information for the person to whom the user account belongs.
To learn how to use the Address Book, see "Setting Up and Using an Address Book," p. 290.
When you are done making changes to the Address Book entry, move back to the System Preferences utility and quit it (or select another pane). The changes to the user account will be effective the next time it is used.
You don't have to quit the System Preferences utility to save the changes you make. They are saved "as you make them." Sometimes, you will have to apply changes you make by clicking the Apply button.
You can also delete user accounts that you no longer need.
Open the Accounts pane of the System Preferences utility.
Select the account that you want to delete.
Click Delete User. You will see the delete user confirmation dialog box. When you delete a user, the deleted user account's Home directory is moved to the Deleted User folder. You can access the files that were in the account's Home folder by opening the Deleted User folder and then opening the deleted user's Home folder.
The user account that you deleted will no longer be available in the Login window. The Home directory for that account will be converted into a disk image file that is stored in the location Mac OS X/Users/Deleted Users, where Mac OS X is the name of your Mac OS X volume.
The name of the disk image will be shortusername.dmg, where shortusername is the short username of the account that was deleted. To access the files that were in the account's Home directory, open its disk image file. The Home directory for that account will then be a mounted volume on your machine that you can use just like another volume you mount.
The Deleted Users folder is accessible only to those accounts that have Administrative privileges on your Mac. If you want other users to be able to access files that were in the deleted account's Home directory, you will need to change the permissions associated with the disk image.
To learn how to configure permissions, see "Securing Your Mac with Privileges," p. 794.