To list all the groups a user belongs to, type: id username. The username argument is optional; by default the logged-in user is assumed. The output includes the numeric user id (uid) and the list of all groups, with their group ids (gid), of which the user is a member. The first group in the output is the user's primary group.
To add a user on your Mac, choose Apple menu > System Preferences, then click Users & Groups. Click the lock icon to unlock it and enter an administrator name and password. Click the Add button below the list of users, then click the New Account pop-up menu and choose a type of user.
User groups are easy, right? A user is either a member or they are not.
Once you start thinking about the details and want or need to automate some of the aspects of user and group management on macOS, there is a lot of devil in those details.
User Membership
You can easily list all groups a given user is a member of. The id command will show all the groups the current user is a member of; id -Gn will list just the group names. Add a username to the id command to see the information for a different user. The groups command does the same as id -Gn.
You can also run a command to check if a given user is a member of a group:
Group Membership
So far, so good.
A user is a member of a group when one of these applies:
- the user's PrimaryGroupID attribute matches the PrimaryGroupID of the group
- the user's UUID is listed in the group's GroupMembers attribute and the user's shortname is listed in the group's GroupMembership attribute
- the user is a member of a group nested in the group
Note: you should not attempt to manipulate the GroupMembers or GroupMembership attributes directly. Use the dseditgroup -o edit command to manage group membership instead. The dseditgroup syntax is weird, but it is a really useful tool. Study its man page.
Listing Group Members
Sometimes (mainly for security audits) you need to list all the members of a group. With the above information, it is easy enough to build a script that checks the PrimaryGroupID and the GroupMembership attribute and recursively loops through the NestedGroups.
This is complicated by the fact that PrimaryGroupID stores a numeric ID, GroupMembership uses the shortname and NestedGroups uses UUIDs. Nevertheless, you can sort through it. I have written exactly such a script here:
View the code on Gist.
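The recursive walk described above, as an added example that is not the post's Gist: it combines the three membership sources, resolves NestedGroups UUIDs back to group names, guards against nesting loops, and warns when a group carries no membership attributes at all (the calculated-group case discussed below). It assumes a macOS host with dscl and, like the post's script, queries only the local directory node by default; NODE and the function names are assumptions.

```shell
#!/bin/bash
# Added example (not the post's Gist): list a local group's members from the
# three sources described above (PrimaryGroupID, GroupMembership, NestedGroups
# followed recursively). Assumes a macOS host with dscl; local node by default.
NODE="${NODE:-/Local/Default}"   # assumed variable name; set it to walk another node

# Print the value(s) of one attribute of a group, or nothing if it is absent.
group_attr() {  # group attribute
    dscl "$NODE" -read "/Groups/$1" "$2" 2>/dev/null |
        awk -v a="$2:" '$1 == a { $1 = ""; sub(/^ /, ""); print }'
}
# NestedGroups stores GeneratedUIDs; map one back to a group shortname.
group_name_for_uuid() {  # uuid
    dscl "$NODE" -list /Groups GeneratedUID | awk -v u="$1" '$2 == u { print $1 }'
}
# Users whose primary group is the given numeric gid.
primary_members() {  # gid
    dscl "$NODE" -list /Users PrimaryGroupID | awk -v g="$1" '$2 == g { print $1 }'
}

# Recursive walk. $2 carries the groups already visited so that a nesting
# loop (A nested in B, B nested in A) cannot recurse forever.
walk_group() {  # group [visited]
    local group="$1" visited="${2:-}" gid direct nested uuid name
    case " $visited " in *" $group "*) return 0 ;; esac
    gid=$(group_attr "$group" PrimaryGroupID)
    if [ -z "$gid" ]; then
        echo "warning: group '$group' not found in $NODE" >&2
        return 0
    fi
    direct=$(group_attr "$group" GroupMembership)
    nested=$(group_attr "$group" NestedGroups)
    # No membership attributes at all: possibly a calculated group, whose
    # members the directory computes and this walk cannot enumerate.
    if [ -z "$direct$nested$(group_attr "$group" GroupMembers)" ]; then
        echo "warning: '$group' has no membership attributes (calculated group?)" >&2
    fi
    primary_members "$gid"
    printf '%s\n' $direct          # unquoted on purpose: one name per line
    for uuid in $nested; do
        name=$(group_name_for_uuid "$uuid")
        [ -n "$name" ] && walk_group "$name" "$visited $group"
    done
    return 0
}

# Entry point: sorted, de-duplicated member list of a group.
group_members() { walk_group "$1" | awk 'NF' | sort -u; }
```

Run it as group_members admin; warnings go to stderr so the member list on stdout stays clean for further processing.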
In most cases this script will work fine. But, (and you knew there would be a “but”) macOS has a very nasty wrench to throw in our wheels.
Calculated Groups
There are a few groups on macOS that have neither GroupMembers, GroupMembership, nor NestedGroups, but still have members. This is because the system calculates membership dynamically. This is similar to Smart Playlists in iTunes, Smart Folders in Finder, or Smart Groups in Jamf Pro.
You can list all calculated groups on macOS with:
The most interesting calculated groups are everyone, localaccounts, and netaccounts.
These groups can be very useful in certain environments. For example, in a DEP setup you could add localaccounts or everyone to the _lpadmin and _developer groups before the user has even created their standard account. That way any user created on that Mac can manage printers and use the developer tools.
However, since these groups are calculated magically, a script cannot list all the members of any of these groups. (My script above will show a warning when it encounters one of these groups.)
While it would probably not be wise to nest the everyone group in the admin group, a malicious user could do that and hide from detection with the above script (or similar methods).
Other Solution
Instead of recursively listing all users, we can loop through all user accounts and check their member status with dseditgroup -o checkmember. This script is actually much simpler, and dseditgroup can deal with calculated groups.
View the code on Gist.
This works well enough when run against all local users.
I strongly recommend against running this for all users in a large directory infrastructure. It’ll be very slow and generate a lot of requests to the directory server. Because of this the script above runs only on the local directory node by default.
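The same check-every-account approach, as an added example rather than the post's Gist: it asks dseditgroup about each account in the local node and relies on the exit status of checkmember, which is what lets it answer correctly for calculated groups too. It assumes a macOS host with dscl and dseditgroup; NODE and the function name are assumptions, and -n keeps both the account listing and the check on the local node, as the post recommends.

```shell
#!/bin/bash
# Added example (not the post's Gist): test every account in the local node
# against a group with dseditgroup -o checkmember, which also resolves the
# calculated groups. Assumes a macOS host with dscl and dseditgroup.
NODE="${NODE:-/Local/Default}"   # assumed variable name; deliberately local only

# Print the shortname of every user in $NODE that dseditgroup reports as a
# member of the group (checkmember exits 0 for a member, non-zero otherwise).
members_by_checkmember() {  # group
    dscl "$NODE" -list /Users | while read -r user; do
        if dseditgroup -o checkmember -n "$NODE" -m "$user" "$1" >/dev/null 2>&1; then
            echo "$user"
        fi
    done
}
```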
Summary
- on macOS users can be assigned to groups through different means
- you can check membership with dseditgroup -o checkmember
- you can edit group membership with dseditgroup -o edit
- macOS has a few groups which are dynamically calculated and difficult to process in scripts
Macintosh file sharing (and indeed, OS X Mountain Lion as well) is based on the concept of users. You can share items — such as drives or folders — with no users, one user, or many users, depending on your needs.
- Users: People who share folders and drives (or your Mac) are users. A user’s access to items on your local hard drive is entirely at your discretion. You can configure your Mac so only you can access its folders and drives, or so only one other person or group — or everyone — can share its folders and drives. When you first set up your Mac, you created your first user. This user automatically has administrative powers, such as adding more users, changing preferences, and having the clearance to see all folders on the hard drive. For most intents and purposes, a remote user and a local user are the same. Here’s why: After you create an account for a user, that user can log in to your Mac while sitting in your chair in your office; from anywhere on your local area network via Ethernet; or anywhere in the world via the Internet if you give him or her an Administrator, Standard, or Managed account.
- Administrative users: Although a complete discussion of the special permissions that a user with administrator permissions has on a Mac running OS X is far beyond the scope of this article, note two important things:
- The first user created (usually when you install OS X for the first time) is automatically granted administrator (Admin) powers.
- Only an administrator account can create new users, delete some (but not all) files from folders that aren’t in his or her Home folder, lock and unlock System Preferences panes, and a bunch of other stuff. If you try something and it doesn’t work, make sure you’re logged in as an Administrator or can provide an Administrator username and password when prompted.
You can give any user administrator permissions by selecting that user’s account in the Users & Groups System Preferences pane and selecting the Allow User to Administer This Computer check box. You can select this check box when you’re creating the user account or subsequently, if that works for you.
- Groups: Groups are Unix-level designations for privilege consolidation. For example, there are groups named staff and wheel (as well as a bunch of others). A user can be a member of multiple groups. For example, your main account is in the wheel and Admin groups (and others, too). Don’t worry — you find out more about groups shortly.
- Guests: Two kinds of guests exist. The first kind lets your friends log into your Mac while sitting at your desk without user accounts or passwords. When they log out, all information and files in the guest account’s Home folder are deleted automatically. If you want this kind of guest account, you need to enable the Guest Account in the Users & Groups System Preferences pane. To do so, click the Guest Account in the list of accounts on the left and select the Allow Guests to Log In to This Computer check box. The second kind of guest is people who access Public folders on your Mac via file sharing over your local area network or the Internet. They don’t need usernames or passwords. If they’re on your local network, they can see and use your Public folder(s), unless you or the Public folder’s owner has altered the permissions. If they’re on the Internet and know your IP address, they can see and use your Public folder(s) if you don’t have a firewall blocking such access. Public folders are all that guests can access, luckily. You don’t have to do anything to enable this type of guest account.