Administer system user accounts. sysadminctl can be used to change user passwords, create new users (including automatically provisioning the user home folder) or to check the status of a user's SecureToken.

      sysadminctl -deleteUser user_name [-secure || -keepHome]
                     (interactive || -adminUser administrator_user_name -adminPassword administrator_password)
                  -newPassword new_password -oldPassword old_password [-passwordHint password_hint]
                  -resetPasswordFor local_user_name -newPassword new_password [-passwordHint password_hint]
                     (interactive || -adminUser administrator_user_name -adminPassword administrator_password)
                  -addUser user_name [-fullName full_name] [-UID user_ID] [-GID group_ID] [-shell path_to_shell]
                     [-password user_password] [-hint user_hint] [-home full_path_to_home] [-admin] [-roleAccount]
                     [-picture full_path_to_user_image]
                     (interactive || -adminUser administrator_user_name -adminPassword administrator_password)
                  -secureTokenStatus user_name
                  -secureTokenOn user_name -password password
                     (interactive || -adminUser administrator_user_name -adminPassword administrator_password)
                  -secureTokenOff user_name -password password
                     (interactive || -adminUser administrator_user_name -adminPassword administrator_password)
                  -guestAccount {on | off | status}
                  -afpGuestAccess {on | off | status}
                  -smbGuestAccess {on | off | status}
                  -automaticTime {on | off | status}
                  -filesystem status
                  -screenLock {status | immediate | off | seconds} -password password

        -h   Display help

Pass '-' instead of a password in the commands above to be prompted for it.
'-adminPassword' is used mostly for scripted operation. Use '-' or 'interactive' to supply the authentication string interactively; this is preferred for security reasons, because a password given on the command line is visible in the shell history and in process listings.

*Role accounts require name starting with _ and UID in 200-400 range.
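The role-account rule above is easy to get wrong in a provisioning script, and sysadminctl only reports the problem after it has already been invoked with administrator credentials. The following is an added example (not from this page or from Apple) that validates the name and UID up front, builds the -addUser invocation with "-" for both the account and administrator passwords so they are prompted for rather than written on the command line, and can print the planned command for review before anything runs. The -shell /usr/bin/false choice, the default administrator name "admin" and the sample account _svc_backup / UID 301 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Apple's code: pre-flight checks for a scripted
#   sysadminctl -addUser <name> -roleAccount ...
# Role accounts need a name starting with "_" and a UID in 200-400.

# validate_role_account NAME UID
# Returns 0 when both constraints hold, otherwise prints a reason to stderr and returns 1.
validate_role_account() {
    name=$1
    uid=$2
    case "$name" in
        _*) ;;
        *)  echo "role account name must start with _: $name" >&2; return 1 ;;
    esac
    case "$uid" in
        ''|*[!0-9]*) echo "role account UID must be numeric: $uid" >&2; return 1 ;;
    esac
    if [ "$uid" -lt 200 ] || [ "$uid" -gt 400 ]; then
        echo "role account UID must be in the range 200-400: $uid" >&2
        return 1
    fi
    return 0
}

# plan_role_account NAME UID FULL_NAME
# Prints the sysadminctl command that create_role_account would run (for
# review or logging); nothing is executed. "-password -" and "-adminPassword -"
# make sysadminctl prompt for the secrets instead of taking them as arguments.
# /usr/bin/false as the shell is an assumption: role accounts usually need no login shell.
plan_role_account() {
    validate_role_account "$1" "$2" || return 1
    set -- sysadminctl -addUser "$1" -fullName "$3" -UID "$2" \
        -shell /usr/bin/false -roleAccount -password - \
        -adminUser "${ADMIN_USER:-admin}" -adminPassword -
    printf '%s\n' "$*"
}

# create_role_account NAME UID FULL_NAME
# Same argument vector as plan_role_account, executed under sudo (macOS only).
create_role_account() {
    validate_role_account "$1" "$2" || return 1
    sudo sysadminctl -addUser "$1" -fullName "$3" -UID "$2" \
        -shell /usr/bin/false -roleAccount -password - \
        -adminUser "${ADMIN_USER:-admin}" -adminPassword -
}

# Usage: show what would be run for a constructed service account.
plan_role_account _svc_backup 301 "Backup Service"
```

Run plan_role_account first and compare its output against what you expect before calling create_role_account; the validation rejects a name without the leading underscore, a non-numeric UID, and a UID outside 200-400 before sysadminctl is ever invoked.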

In 10.13, sysadminctl is Apple's recommended tool for working with user accounts from the CLI, replacing functionality that has long been provided by dscl and adding features (such as SecureToken management) that are available only in 10.13 and later.

Both sysadminctl and System Preferences prevent the deletion of the last administrator or the last SecureToken-enabled user on a Mac. If additional local users are created with sysadminctl in a script, then for those users to be SecureToken-enabled the credentials of an existing SecureToken-enabled administrator must be supplied, either through the interactive option or directly with the -adminUser and -adminPassword flags.

Having a SecureToken means that a user can unlock a FileVault-encrypted volume. A local user who was not granted a SecureToken at creation time is, in macOS 11 or later, granted one during login if a bootstrap token is available from MDM.
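Because a user without a SecureToken cannot unlock the FileVault volume at boot, an audit of which local accounts hold one is a useful check after scripted provisioning. The following is an added example (not from this page or from Apple) that turns the status line written by sysadminctl -secureTokenStatus into a plain ENABLED / DISABLED / UNKNOWN value and lists accounts without a token. It assumes sysadminctl reports on stderr with the message format "Secure token is ENABLED for user <name>" / "Secure token is DISABLED for user <name>" prefixed by the process name and pid:tid; the sample lines embedded below are constructed so the report runs offline.

```shell
#!/bin/sh
# Added example, not Apple's code: audit SecureToken holders by parsing
# the output of "sysadminctl -secureTokenStatus <user>".
# Assumed message format (constructed samples, not captured output):
#   sysadminctl[1234:56789] Secure token is ENABLED for user admin
#   sysadminctl[1234:56789] Secure token is DISABLED for user user64

# secure_token_state LINE
# Maps one sysadminctl status line to ENABLED, DISABLED or UNKNOWN.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED for user "*)  echo ENABLED ;;
        *"Secure token is DISABLED for user "*) echo DISABLED ;;
        *)                                      echo UNKNOWN ;;
    esac
}

# secure_token_report
# Reads status lines on stdin and prints "<user> <state>" per line. The user
# name is the last word of a recognised line; unrecognised lines become "- UNKNOWN".
secure_token_report() {
    while IFS= read -r line; do
        state=$(secure_token_state "$line")
        if [ "$state" = UNKNOWN ]; then
            echo "- UNKNOWN"
        else
            echo "${line##* } $state"
        fi
    done
}

# query_secure_token USER...
# Runs the real command for each user (macOS only). stderr is merged into
# stdout because sysadminctl writes its report there.
query_secure_token() {
    for u in "$@"; do
        sysadminctl -secureTokenStatus "$u" 2>&1
    done | secure_token_report
}

# Constructed sample output, so the report can be exercised without macOS.
SAMPLE_STATUS='sysadminctl[612:9981] Secure token is ENABLED for user admin
sysadminctl[613:9984] Secure token is DISABLED for user user64
sysadminctl[614:9990] User nosuch not found'

# Usage: list the accounts that cannot unlock FileVault.
printf '%s\n' "$SAMPLE_STATUS" | secure_token_report | grep ' DISABLED$'
```

On a live system replace the sample with query_secure_token followed by the account names to check (for example every account listed by dscl . -list /Users); any line ending in DISABLED is an account that will not be able to log in after a reboot on a FileVault-enabled Mac until a token is granted.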

Check the encryption state of the boot volume:
$ sysadminctl -filesystem status

Create a new user account, user64 (the -hint option takes a hint string as its argument; omit it to set no hint):
$ sysadminctl -addUser user64 -fullName "Akai Gurley" -password "nvoJ0CtI0Dal6mN"

Check the SecureToken Status for user64:
$ sysadminctl -secureTokenStatus user64

Grant a SecureToken to the user user64 (must be run on the local machine, using the GUI to authenticate).
This allows the account to log in after a reboot on a FileVault-enabled Mac:
$ sudo sysadminctl interactive -secureTokenOn user64 -password newpassword

Grant a SecureToken to the user user64 (command line; -password is required, and '-' prompts for it rather than placing it on the command line):
$ sudo sysadminctl -adminUser adminuser -adminPassword adminPassword -secureTokenOn user64 -password -

Disable the guest account:
$ sysadminctl -guestAccount off

Reset the password for user64, adding a password hint:
$ sysadminctl -resetPasswordFor user64 -newPassword p0h~32deOpUaQp -passwordHint "Keepass"

Use sysadminctl interactive for the above to be prompted for the password in a GUI.

“My relationship to power and authority is that I'm all for it. People need somebody to watch over them. Ninety-five percent of the people in the world need to be told what to do and how to behave” ~ Arnold Schwarzenegger

Related macOS commands:

dscl - Directory Service command line utility.
diskutil - Disk utilities.
profiles - Profiles Tool.
wait - Wait for a process to complete.

Copyright © 1999-2022
Some rights reserved