How to manage users and user groups from the command line on macOS: what you need to know about dscl

Hello, I'm @The little ape came...

Command-line interface to Directory Services.

On Linux, we are used to managing users with useradd, userdel, usermod and similar commands, and user groups with groupadd, groupdel, groupmod and similar commands.

But these commands are not available on macOS.

So today's topic is: how do we manage users and user groups from the command line on macOS?

Which command line tool can be used for user and user group management on macOS? Today's protagonist, dscl.

1, Introduction to dscl

dscl is the Directory Service command line utility, used to create, read and manage Directory Service data. It provides basic editing commands such as list, search, create, read, append, merge, change, and delete.

We can think of it as a tool for storing and accessing OS X user authorization data.

When called without any commands, dscl will run in interactive mode and read commands from standard input.

Enter dscl

Run dscl . in the terminal to enter dscl on the local machine.

$ dscl .
> 

Exit dscl

After entering dscl, enter q or exit to exit dscl.

$ dscl .
 > q
Goodbye
$ dscl .
 > exit
Goodbye

Instruction set supported by dscl

$ dscl .
> help
dscl (v11.2)
usage: dscl [options] [<datasource> [<command>]]
datasource:
    localhost    (default)                                    or
    localonly    (activates a DirectoryService daemon process
                  with Local node only - daemon quits after use
    <hostname>   (requires DS proxy support, >= DS-158)       or
    <nodename>   (Directory Service style node name)          or
    <domainname> (NetInfo style domain name)
options:
    -u <user>      authenticate as user (required when using DS Proxy)
    -P <password>  authentication password
    -p             prompt for password
    -f <filepath>  targeted file path for DS daemon running in localonly mode
                   (example: /Volumes/Build100/var/db/dslocal/nodes/Default)
                   (NOTE: Nodename to use is fixed at /Local/Target)
    -raw           don't strip off prefix from DS constants
    -plist         print out record(s) or attribute(s) in XML plist format
    -url           print record attribute values in URL-style encoding
    -q             quiet - no interactive prompt
commands:
    -read      <path> [<key>...]
    -readall   <path> [<key>...]
    -readpl    <path> <key> <plist path>
    -readpli   <path> <key> <value index> <plist path>
    -create    <record path> [<key> [<val>...]]
    -createpl  <record path> <key> <plist path> <val1> [<val2>...]
    -createpli <record path> <key> <value index> <plist path> <val1> [<val2>...]
    -delete    <path> [<key> [<val>...]]
    -deletepl  <record path> <key> <plist path> [<val>...]
    -deletepli <record path> <key> <value index> <plist path> [<val>...]
    -list      <path> [<key>]
    -append    <record path> <key> <val>...
    -merge     <record path> <key> <val>...
    -change    <record path> <key> <old value> <new value>
    -changei   <record path> <key> <value index> <new value>
    -diff      <first path> <second path>
    -search    <path> <key> <val>
    -auth      [<user> [<password>]]
    -authonly  [<user> [<password>]]
    -passwd    <user path> [<new password> | <old password> <new password>]

MCX Extensions:
    -mcxread      <record path> [optArgs] [<appDomain> [<keyName>]]
    -mcxset       <record path> [optArgs] <appDomain> <keyName> [<mcxDomain> [<keyValue>]]
    -mcxedit      <record path> [optArgs] <appDomain> <keyPath> [<keyValue>]
    -mcxdelete    <record path> [optArgs] [<appDomain> [<keyName>]]
    -mcxdeleteall <record path> [optArgs] [<appDomain> [<keyName>]]
    -mcxexport    <record path> [optArgs] [<appDomain> [<keyName>]]
    -mcximport    <record path> [optArgs] <file path>
    -mcxhelp
 >

List all data directories in dscl

$ dscl .
> ls
AFPUserAliases
Aliases
Automount
AutomountMap
ComputerGroups
ComputerLists
Computers
Config
Ethernets
Groups
Hosts
Mounts
NetGroups
Networks
People
PresetComputerGroups
PresetComputerLists
PresetComputers
PresetGroups
PresetUsers
Protocols
Services
SharePoints
Users

2, Manage users

Get a list of all users

$ dscl .
# Enter the user's data directory
> cd Users/
/Users >ls
...
yeah
nobody
root
...

You can also run the following command directly

$ dscl . -ls /Users

The "-" before ls can be omitted, and the same applies to the other commands. In the following demonstrations, commands are written without the leading "-".

Create a user

Use dscl to create a user record in the /Users data directory. We can set its uid, gid, shell, realname and home directory.

Create a user named yeah and set the user's uid to 8888.

# sudo dscl . create /Users/yeah UniqueID 8888
$ sudo dscl . create /Users/yeah uid 8888

The gid field must be set. If it is not set, an illegal user name error is reported when changing a file's owner to this user.

Therefore, you need to skip ahead to the "Manage user groups" section and create a user group using the group creation command shown there. Here, we have created a user group with gid 6666 and name yeah in advance.

Once the user group is ready, set the user's gid.

# sudo dscl . create /Users/yeah PrimaryGroupID 6666
$ sudo dscl . create /Users/yeah gid 6666

Create and set the shell used by the user. If the shell is not set, the user will not be able to use the terminal.

# sudo dscl . create /Users/yeah UserShell  /bin/bash
$ sudo dscl . create /Users/yeah shell /bin/bash

Create and set the user's realname

$ sudo dscl . create /Users/yeah realname "coding yeah"

Set the user's initial password to null

# '*' marks the password as not set; it is not a blank password
# sudo dscl . create /Users/yeah passwd \*
$ sudo dscl . create /Users/yeah passwd '*'

Change the user's password

$ sudo passwd yeah
Changing password for yeah.
New password: ********
Retype new password: ********

Create or specify the user's home directory

dscl does not automatically create a home directory when it creates a user, so we need to create one ourselves.

$ sudo mkdir /Users/yeah

Provided that user yeah already has a user group to which it belongs, use the chown command to set the owner of the /Users/yeah directory and its subdirectories to user yeah

$ sudo chown -R yeah:yeah /Users/yeah

In this way, the owner of the new /Users/yeah directory and everything under it becomes user yeah

Declare the user's home directory

# sudo dscl . create /Users/yeah NFSHomeDirectory /Users/yeah
$ sudo dscl . create /Users/yeah home /Users/yeah

In this way, user yeah can work with /Users/yeah as the home directory.

Grant user administrator privileges

To grant the user administrator permission, we only need to add the user to the admin (/Groups/admin) user group, which gives the user sudo permission.

$ sudo dscl . merge /Groups/admin users yeah

Modify user

We can use the create command of dscl to add or modify user attributes.

$ sudo dscl . create /Users/yeah shell /bin/zsh

For example, the command above changes the user's shell to zsh.

Get specified attributes of the user

# View all properties of user yeah
$ dscl . read /Users/yeah
...
NFSHomeDirectory: /Users/yeah
Password: ********
PrimaryGroupID: 6666
RealName:
 coding yeah
RecordName: yeah
RecordType: dsRecTypeStandard:Users
UniqueID: 8888
UserShell: /bin/zsh

# View the group ID and user ID of user yeah
$ dscl . read /Users/yeah PrimaryGroupID  UniqueID
PrimaryGroupID: 6666
UniqueID: 8888

# List the group IDs of all users
$ dscl . list /Users PrimaryGroupID
# List all user IDs
$ dscl . list /Users UniqueID
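
The following is an added example, not part of the original post: checks built on the list and read output shown above, to confirm a uid such as 8888 is free before running create, to spot records that share a uid, and to review who has been merged into /Groups/admin. The sample output and the names svc_backup and localadmin are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Each function reads dscl output
# on stdin so the checks can be run against saved output as well as live data.

# id_in_use ID: succeed if ID is in column 2 of `dscl . list /Users UniqueID`
# (or `dscl . list /Groups PrimaryGroupID`) output.
id_in_use() {
    awk -v id="$1" '$2 == id { found = 1 } END { exit !found }'
}

# duplicate_ids: print "ID name name..." for every ID held by several records.
duplicate_ids() {
    awk 'NF >= 2 { n[$2]++; names[$2] = names[$2] " " $1 }
         END { for (id in n) if (n[id] > 1) print id names[id] }' | sort
}

# unexpected_admins ALLOWED...: read `dscl . read /Groups/admin GroupMembership`
# output and print every member that is not in the allowlist arguments.
unexpected_admins() {
    allowed=" $* "
    sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | while read -r member; do
        if [ -n "$member" ]; then
            case "$allowed" in
                *" $member "*) ;;
                *) echo "$member" ;;
            esac
        fi
    done
}

# Constructed sample of `dscl . list /Users UniqueID` output (svc_backup is hypothetical).
SAMPLE_USERS='_www                     70
daemon                   1
root                     0
svc_backup               8888
yeah                     8888'
# Constructed sample of `dscl . read /Groups/admin GroupMembership` output.
SAMPLE_ADMIN='GroupMembership: root localadmin yeah'

if printf '%s\n' "$SAMPLE_USERS" | id_in_use 8888; then
    echo "uid 8888 is already in use: choose a free uid before dscl create"
fi
echo "shared uids: $(printf '%s\n' "$SAMPLE_USERS" | duplicate_ids)"
echo "admins outside the allowlist: $(printf '%s\n' "$SAMPLE_ADMIN" | unexpected_admins root localadmin)"
```

On a Mac, pipe the live commands into the same functions, for example dscl . list /Users UniqueID | duplicate_ids.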

Delete user

We can use the delete command of dscl to delete users.

$ sudo dscl . delete /Users/yeah

The command above deletes all attributes of user yeah. Note, however, that the user's home directory must be deleted manually, and the group to which the user belongs must also be deleted separately.

3, Manage user groups

Get a list of all user groups

Use dscl to enter the /Groups data directory and list all user groups.

$ dscl .
> cd /Groups/
/Groups > ls
_amavisd
_appowner
_appserveradm
_appserverusr
...

You can also run the following command directly

$ dscl . ls /Groups

Create user group

To create a user group using dscl, we create a record under the /Groups directory of dscl and set its gid attribute at the same time.

# sudo dscl . create /Groups/yeah PrimaryGroupID 6666
$ sudo dscl . create /Groups/yeah gid 6666

This creates the user group yeah and sets its group ID to 6666. The above three methods are equivalent.

Add user to user group

# Running this several times adds the user several times
# sudo dscl . append /Groups/yeah GroupMembership yeah
# Running this several times does not add the user again
$ sudo dscl . merge /Groups/yeah users yeah

Delete the specified user from the specified group

Delete user yeah from the yeah user group

$ sudo dscl . delete /Groups/yeah GroupMembership yeah

Delete user group

$ sudo dscl . delete /Groups/yeah

The command above deletes all the information under /Groups/yeah in dscl, so use it with caution.

Get specified properties of the user group

# View all properties of user group yeah
$ dscl . read /Groups/yeah
AppleMetaNodeLocation: /Local/Default
GroupMembership: yeah
PrimaryGroupID: 6666
RecordName: yeah
RecordType: dsRecTypeStandard:Groups

# View the group ID of a user group and the users in the group
$ dscl . read /Groups/jenkins PrimaryGroupID GroupMembership
GroupMembership: jenkins
PrimaryGroupID: 6666

# List the group IDs of all user groups
$ dscl . list /Groups PrimaryGroupID
# List the users in every group
$ dscl . list /Groups GroupMembership

4, Summary

Well, that's all for today's sharing. It mainly covers how to manage users and user groups on macOS from the command line. I hope it will be helpful to you.

If you see it and think it's helpful to you, give a compliment to the little ape.

If you don't have time to learn more, you just need to look at the following.

Create user resources

# Create group
sudo dscl . create /Groups/yeah gid 6666
# Create user
sudo dscl . create /Users/yeah uid 8888
sudo dscl . create /Users/yeah gid 6666
sudo dscl . create /Users/yeah shell /bin/bash
# Change the user's password
sudo passwd yeah
# Create user's home directory
sudo mkdir /Users/yeah
# Set the owner of the user's home directory
sudo chown -R yeah:yeah /Users/yeah
# Declare the user's home directory
sudo dscl . create /Users/yeah home /Users/yeah
# Add user to the admin user group
sudo dscl . merge /Groups/admin users yeah

View user information

$ dscl . read /Users/yeah
...
AppleMetaNodeLocation: /Local/Default
GeneratedUID: xxxxxx
NFSHomeDirectory: /Users/yeah
Password: ********
PrimaryGroupID: 6666
RecordName: yeah
RecordType: dsRecTypeStandard:Users
UniqueID: 8888
UserShell: /bin/bash

Clear user resources

# Clear user group
$ sudo dscl . delete /Groups/yeah
# Clear user
$ sudo dscl . delete /Users/yeah
# Delete user home directory
$ sudo rm -rf /Users/yeah

In addition, dscl also supports managing users and user groups on remote machines, but we basically never use that, so we won't introduce it here. Interested readers can try it themselves.

Added by Poolie on Sat, 29 Jan 2022 13:20:00 +0200