Help me, please, set up a General user account in addition to the Admin account

There is no point. Some people believe your system is more secure from hackers if you only use the admin account to install software or do system maintenance. The "operating" account is instead configured as a Standard account. However, if you are the only user or you don't need to "hide" stuff from your husband (or vice-versa) then it makes sense to operate from the admin account.

Since I think I know a little about your setup I would not bother with this multiple accounts thing. Surely, you and your hubby can have separate accounts, but they can both be admin accounts unless one of you shouldn't be able to mess with system setups. Then that person should have a Managed account.

Yes, definitely keep life simple if you can. Yes, I did see your last comment regarding the MM. Still puzzled by the problem.

The best ways to protect your home system from hackers is to have a hardware router connected to your DSL/cable modem and avoid the use of wireless unless your wireless system is password protected with a strong password. Ethernet is more inconvenient but more secure than wireless. Also, unless you really have something of major value stored on your computer no one is likely to try hacking into it. You're at greater risk clicking on an unknown link on a strange website.

Kappy, no need to run as standard? Sandboxing or not, you don't think "the principle of least privilege" makes any sense at all? Not worth it if only for the "slight" edge -- as it is sometimes perceived on Macs -- it might give?

Under some circumstances it does. I've run as admin since the onset of OS X. Never had any problems. I'm behind an AEBS. My wireless is WPA2 password protected. My wife's computers are similarly configured.

I don't know what hackers would want with most people's systems since there is little of value to get and the "cost" of getting it is high. Besides, most people are at greater risk from phisers of which there are many rather than hackers of which there are much less.

I've been running as standard for a while on my 10.4, which hasn't been supported in a few years. Even though the PPC code probably limits it as a target, there are still cross version vulnerabilities. Never gave much of a thought to the possible risks of running as admin on my 10.6 until the recent Mac Defender episode. I forget now which variant of that it was or exactly why, but at one point running as admin seemed to increase the risk it could self-install.

Not that I thought I was in any danger of downloading Mac Defender or any other Trojan. In fact, running NoScript on Firefox, I was all over Google images and never once encountered it. What it did make me realize was that Macs were becoming a much more appealing target and that's, principally, why I switched to standard on my 10.6

>I don't know what hackers would want with most people's systems since there is little of value to get and the "cost" of getting it is high.

Passwords, credit card numbers, personal data like SS #s for ID theft, banking information, including bank account numbers etc.

Of course, as you point out, there are other easier ways of getting this kind of information, through phishing and other social engineering exploits, but as Macs gain market share and become more attractive targets, direct exploits (sure, much harder to write) into the kernel could be on the way. It's only a relatively small inconvenience -- e.g. annoying to have to run as su in the shell sometimes to do some things -- to run as standard.

Maybe nothing will ever happnen running as admin, but it can't hurt to be a little over-cautious. Just thought I'd propose a different take on this, so it can be considered.

Each to their own. I certainly don't disapprove of anyone choosing to take whatever protective measures they feel will make them comfortable. I guess I've just not been scared into them as yet. I'm more concerned about the risk of giving a waiter or waitress my credit card in a restaurant. There's no security there.

Here in Canada you can get a credit or debit card that requires you to enter a PIN number into a machine before the charge is made. The servers bring you a portable machine that has an encrypted wireless connection to the cash register/computer.

I think if one is truly hacked it's because of running on an unprotected home network or using simple to crack passwords or not using a router that provides its own firewall.

The MacDefender issue was a trojan. Easily avoided by being careful what you click on when surfing. Having a standard operating account can't stop you from clicking on the link that downloaded MacDefender nor opening the application.

>The MacDefender issue was a trojan. Easily avoided by being careful what you click on when surfing. Having a standard operating account can't stop you from clicking on the link that downloaded MacDefender nor opening the application.

Absolutely. Using ones brains is the first, best defense.

I don't understand the point or logic of turning the first Admin user Account into the General user and making the new Admin Account be thereal/working Admin account.

The point of that is that you don't have to transfer your files from the old home folder to the new one. However, I'm not sure you can demote the original user that you create when you first set up the Mac to a standard user.

And, once I am set up logging into the General User account, if I do need to do something that involves (say) installing software, or doing a SuperDuper backup, do I just log out of the General User account and log back into the Admin Account to do it ...

No. You activate Fast User Switching in the "Login Options" section of the Accounts preference pane. Then you can switch between accounts without logging out.

Do both accounts have access to the same stuff?

The same public files, such as applications, yes. Not the same home folders.

It's not like there are suddenly duplicates of every app, doc, photo and everything else in both accounts - is it?

No, there's no duplication. This is the way every Mac should be set up, in my opinion -- with complete separation between administrative and non-administrative tasks.

>However, I'm not sure you can demote the original user that you create when you first set up the Mac to a standard user.

I don't think this is a problem, at least in Snow.

>And, once I am set up logging into the General User account, if I do need to do something that involves (say) installing software, or doing a SuperDuper backup, do I just log out of the General User account and log back into the Admin Account to do it ...

>No. You activate Fast User Switching in the "Login Options" section of the Accounts preference pane. Then you can switch between accounts without logging out.

No real need, in general, to do this. The standard account will be prompted for the name of the admin account and its password, when installing or authenticating. There are a few occasions, such as opening system.log in Console, or running an application like Onyx, which requires running from an admin account, when one might need to run from Terminal or logged in from the admin account. Anything requiring the sudo command will have to be run either from the admin account or by using su - adminusername from Terminal as the admin user and giving the admin password.

This is really simple. (If the following appears complicated, it's only because, knowing you, I'm trying to include and anticipate every possible variable in advance. 😉)

We are getting confused by your introduction of the term "general" user account. The account(s) you are going to make standard will be the one(s) that you use every day, or all along. I suppose this is what you mean by "general." Making them, or it, into standard will not have any affect on the contents of the Home Folder(s).

First, I don't know if you and your husband have separate accounts. But, regardless, create a new user account (if you and your husband have separate accounts, this will be the third account. If not, this will be the second account. If you already have another "independent" account not shared by you or your husband, then no need to create another new one. If it's new, give it a name, select a password and give it admin rights using the password of the admin account (soon to become standard.) If it's an already created account, but with standard privileges only, then give it admin privileges using the password from your admin (soon to become standard) account.

To create the new account, unlock the padlock with the current admin password, if it is locked, and just click on the + button and fill in the required fields.

Next, take the other account (or accounts, plural, if both you and your husband have separate accounts) and make them, if they are not already, into standard accounts by unchecking the "Allow user to...." boxes. These are the "general, everyday" one(s) you have been using all along with your regular Home Folder(s). Don't do this until you have created the new admin account, or given an already established, "independent" one admin rights and created a password. Otherwise you will be locked out.

From now on, you continue using those, now standard, accounts exactly as before, except if you need to install something, or if a password is required to perform some operation, you give the name of the new admin account (new, if you didn't already have a second or third one "independent" one to use for this purpose) and its password when prompted.

You don't worry at all about the Home Folder of the admin account, moving anything over to it or installing anything there. Anything that gets installed in the regular, general account, if it requires the admin password, gets installed there, anyway. It's sole purpose is to provide authentication when needed. (Well, maybe not its sole purpose. It can be useful when testing to see if something, some problem exists there in addition to your regular standard user.)

The standard account(s) will not have their boxes checked for "Allow user to...."

Everything in your Home Folder (s) remains just as it was before. Nothing changes except the accounts no longer have admin privileges. That's it. The admin account will have its "Allow user to...." box checked.

That's it. Bob's your uncle.

... so with the General user account for daily use, will it/we have access to a home folder and what will be in it (what is now in the admin home folder and if not that, what)?

Each account has its own home folder. Initially, nothing will be in it except the few default files that are created automatically. The same as when you set up the Mac for the first time.

... can I do whatever I do in SL on the iMac also be done in the same way in Tiger on the MBP to set up the new user account.

It's been a long time, but as I recall it was pretty much the same.

Is that why the directions I originally quoted from ds store have one go through the steps of creating a second admin account and then making the first one a general user and the new one is the new - only? - admin account now?

If I'm understanding correctly what you want to do, you should create a new, empty admin account, which you'll use only for admin tasks, and then demote your old account to non-admin status. That way, you won't have to transfer much data between accounts, which can be tricky.

1. Simple question first - so with the General user account for daily use, will it/we have access to a home folder and what will be in it (what is now in the admin home folder and if not that, what)?

Summary of the "complicated" version:

The "General" user account will continue to be the one you have been using all along ("all along," assuming it's the one you migrated from Tiger using Setup Assistant), except you will uncheck "Allow user to administer...." Nothing else changes in that account but that. Same Home Folder, same everything.

If you didn't migrate your previous account, then the account you have already started using in Snow Leopard will still be the account you keep using, except it will become standard instead of admin. Same Home Folder, same everything.

You will use the new admin account only for its name and password, just for purposes of authentication when requested.