Create a Local admin account on macOS using Intune

A local administrator account on a macOS device can manage other users, Install applications, and change macOS settings.

I recently discussed creating a local admin on Windows devices using Intune. I also covered an alternative method involving using Intune device remediations to create a local admin account on Windows. This is an essential requirement for configuring Windows LAPS.

In this blog post, we will learn about creating a local admin account on macOS devices. On a Mac, you can locate standard and administrator user accounts by navigating to Settings > Users & Groups. A standard user account will be labeled Standard next to its name, while the Admin label distinguishes an Administrator account. It’s important to note that the Guest user account is typically disabled by default.

For example, we will create a local admin account called CloudInfraAdmin. However, you can create a local admin account by providing your name.

Creating a local admin account CloudInfraAdmin on a macOS device using Intune
End goal: Create a local admin account called CloudInfraAdmin on a macOS device using Intune

To create the account called cloudInfraAdmin on macOS, we will use a shell script to deploy to the target devices to set up this account.

A shell script is a text file containing a series of UNIX commands. It starts with the character #! followed by a reference to the shell with which the script should be executed. For instance, #!/bin/sh specifies that the script should be run using the Bourne shell.

For newer macOS devices (Catalina and later) the default shell configured is Zsh (Z shell) and for older Mac devices (Mojave and earlier), the default shell is bash.

I will use the Directory Service command line utility (dscl) to create a local admin account on the macOS device. Below is the script code that will be used:

STEP 1 – Create a Shell script

The initial step is creating a shell script using the code below. While I’ve explained the code line by line, you can also jump to the final script code ( and copy it into a file, saving it with a .sh extension.

Script header (System shell)


Modify accountname and password variables as per your requirement


Create a new user account

dscl . -create /Users/$accountname

Set the default shell for this user as /bin/bash

dscl . -create /Users/$accountname UserShell /bin/bash

Add full name or display name for this user

dscl . -create /Users/$accountname RealName "CloudInfra Admin Account"

Provide a Unique ID for this user account

dscl . -create /Users/$accountname UniqueID "2001"

Set PrimaryGroup ID to 20 for admin accounts and 80 is for Standard accounts

dscl . -create /Users/$accountname PrimaryGroupID 20

Set the Home directory for the user

dscl . -create /Users/$accountname NFSHomeDirectory /Users/$accountname

Set User account password

dscl . -passwd /Users/$accountname $password

Add the user to the admin group

dscl . -append /Groups/admin GroupMembership $accountname

Add the user’s profile picture (Optional)

dscl . -create /Users/$accountname picture “/profilepic.png”  

Add a Password hint for the user (Optional)

dscl . -create /Users/$accountname hint “Provide Password hint” 

Hide the user on the macOS login window (Optional)

dscl . -create /Users/$accountname IsHidden 1

Below is the complete script code. Please copy the code into a text file and save it as file. [Final Script]

dscl . -create /Users/$accountname
dscl . -create /Users/$accountname UserShell /bin/bash
dscl . -create /Users/$accountname RealName "CloudInfra Admin Account"
dscl . -create /Users/$accountname UniqueID "2001"
dscl . -create /Users/$accountname PrimaryGroupID 20
dscl . -create /Users/$accountname NFSHomeDirectory /Users/$accountname
dscl . -passwd /Users/$accountname $password
dscl . -create /Users/$accountname hint "computer"
dscl . -append /Groups/admin GroupMembership $accountname

STEP 2 – Deploy the Shell script

The next step is to deploy the shell script we created in the previous section. Our task is to create a local administrator account called cloudinfraAdmin on target macOS devices. Let’s check the steps:

  • Sign in to the Intune admin center.
  • Devices macOS.
  • Click on Shell scripts under macOS policies.
  • Click on + Add to Add the script for deployment.


Provide a name and description of this deployment. Click on Next to proceed.

  • Name: Create cloudinfraAdmin local administrator account
  • Description: Provide a useful description.

Script settings

On the Upload script field, browse to file.

  • Run script as signed-in user: No
  • Hide script notifications on devices: Yes
  • Script frequency: Every 15 minutes (While currently testing on a test macOS device, I’ve set the script frequency to 15 minutes. Once the test completes successfully, you can change the script frequency to every day or every week).
  • Number of times to retry if script fails : 3
Deploy this shell script on mac devices
Deploy this shell script on mac devices


Click on Add group to add an Entra security group containing macOS devices.

Assign shell script to macOS devices
Assign shell script to macOS devices

Review + add

Review the deployment and click on Create to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

Monitor Deployment Progress

To monitor app deployment, access the Intune admin center. Navigate to Devices > macOS > Shell scripts. Click on a shell script to check its status, then go to the Overview page to view the shell script deployment status. To check the deployment status on a per-device or per-user basis, select Device status or User status under the Monitor section.

End-user Experience

After rebooting your Mac, access Settings > Users & Groups to confirm whether the local admin account has been successfully created. If you can’t find the local admin account you set up using Intune, try rebooting your Mac device once and then checking again or Initiating manual sync.

The screenshot below shows that the CloudInfra Admin Account has been successfully created. It is labeled as Admin under the account name. To access more information about this user, right-click on the account and select Advanced Options.

Local administrator account created on macOS device successfully
Local administrator account created on macOS device successfully

In the Advanced Options pop-up, you will find the following user properties:

  • User: This is the Display name of the user
  • UserID: This is the user’s unique identifier, which we have set in the script.
  • Group: Default group staff.
  • Account Name: User Account name
  • Full name: The user’s Full name as set in the RealName parameter of dscl command.
  • Login shell: This user’s default shell is /bin/bash. You can click on the dropdown menu next to it and choose from options such as /bin/tcsh, /bin/sh, /bin/csh, /bin/zsh, or /bin/ksh.
  • Home directory: This is the NFSHomeDirectory parameter configured in the script. As shown in the screenshot below, it is automatically configured to /users/cloudinfraadmin, which is based on the account name.
macOS local user Advanced Options
macOS local user Advanced Options
  • The shell script has successfully set the password hint to computer. To reveal it, click on the question mark icon next to the password field.
Reveal password hint of a Mac user
Reveal password hint of a Mac user

macOS Intune deployment troubleshooting

If you encounter problems deploying the application, check the IntuneMDMDaemon*.log and IntuneMDMAgent*.log files for more information. For guidance on locating these files on a macOS device, refer to my previous blog post titled How To Collect Intune Logs From a MacOS Device.


How to find the Home Directory of an Intune-created local admin account?

To locate the Home directory path of a local admin user, navigate to Settings > Users & Groups. Right-click on the user, select Advanced Options, and check the Home directory location value.

Once you have obtained the Home directory path of the user, you can proceed to access the user’s home directory by following these steps.

  • Finder > Go > Go to Folder…
  • Type the path /users/cloudinfraadmin.
  • Double-click on the searched path to open the home directory.
Access Users Home directory location on a Mac device
Access Users Home directory location on a Mac device
  • As shown in the below screenshot, the home directory has been successfully created with the default folders. It’s important to note that the home directory is generated for the user when initially signing in on this Mac device. You will find below folders created under the user’s home directory:
    • Desktop
    • Documents
    • Downloads
    • Movies
    • Music
    • Pictures
    • Public
User's home directory folders on a Mac device
New User’s home directory folders on a Mac device

How to hide a local admin user on the Mac login window?

If you wish to prevent the user account from appearing on the Mac login window, you can include the following line of code in the shell script and deploy it to create a hidden user account.

dscl . -create /Users/$accountname IsHidden 1

How to show hidden users using macOS terminal?

When you hide a user account on macOS, it won’t appear on the Mac Login Window or in Settings > Users & Groups. To locate the hidden user, you can utilize the Directory Service cache utility, dscacheutil.

I’ve created a hidden user account named “cloudinfraadmin1.” To search for it using the Mac terminal, you can use the command: dscacheutil -q user -a name cloudinfraadmin1. Replace cloudinfraadmin1 with the hidden user name you intend to search for.

dscacheutil -q user -a name cloudinfraadmin1
dscacheutil -q user -a name cloudinfraadmin1


In this blog post, we’ve learned how to create a local administrator account on a Mac device while using Intune as your Mobile Device Management (MDM) service. It’s important to note that changing the PrimaryGroup ID to 80 in the shell script will create a standard user account instead of an administrator account.

6 thoughts on “Create a Local admin account on macOS using Intune”

  1. Hi!
    macOS Intune – Beginner here 🙂
    I already have a script running through Intune for creating a local admin account.
    I would like to add the enterprise logo as profile picture.
    – where do I have to store that picture?
    – does that picture have to be copied separately or do I have to make a Intune package including script + picture?

    Thank You for the help!

    • You will need to copy profile picture somewhere on the device and provide that location in dscl command to apply profile picture.

      – Store it in Azure blob or a secure storage which is accessible from mac device.
      – Use a command something like: cd ~/library/desktop; curl -O https://azureblogstoragepublicURL/profilepic.jpg
      – Provide the location in dscl command to point it to this profile picture for the user. For example: dscl . -create /Users/$accountname picture “~/library/desktop/profilepic.jpg”

      You don’t need to keep the profile picture in external storage after it has been downloaded on Mac, you can delete it.

  2. Hello.

    I’m also wondering if there is a better way of handling the password than it being displayed in plain text? Or even to auto generate a password so its unique for each device, but then how to have this saved for IT usage (ie LAPS)?
    Lastly, wondering about limitations of creating a user account via script when Filevault is enabled?

  3. im getting an error with intune : passwd : DS error eDs auth passwordQuality CheckFailed.
    the Password i set is 15 length
    and Randomized symbols (!#$)
    what can trigger this error ?


Leave a Comment