You need an administrator account on your server to create user accounts, create groups, change server settings, and perform other tasks using the Server app. With an administrator account, you can also make changes to locked preferences in System Preferences, install software on the server, and perform other tasks that standard users can’t.
Initially, your server has a primary administrator account but no other administrator accounts. If you enable a network account server (also known as a directory server) on the server, your server will have a primary administrator account and a directory administrator account.
Primary administrator account
The server always has a primary administrator account, whose name and password you entered while setting up the server. The primary administrator account is stored in the server’s local directory with user accounts you create in Users & Groups preferences. You can use this administrator account on the server, and also manage your server over the network from another Mac.
Directory administrator account
By default, OS X includes a local directory, but doesn’t enable a network account server to manage network accounts. In the Server app, you can enable a network account server.
If your server has a network account server, the server also has a directory administrator account. This account is created when you set up and configure Open Directory in the Server app. By default, its full name is Directory Administrator and its short name is diradmin.
The directory administrator account is stored in the network account server, along with user accounts you create in the Users pane of the Server app. If a malfunction makes the primary administrator account unusable, you can use the server’s directory administrator account to authenticate in the Server app and manage the server locally or remotely.
By default, the directory administrator account isn’t shown in the Users pane of the Server app. You can view the directory administrator and all other administrator and system accounts by choosing View > Show System Accounts.
The following table compares the primary administrator account and the directory administrator account.
Feature | Primary administrator | Directory administrator |
|---|---|---|
Name and short name | Specified during setup | Directory administrator and diradmin |
Stored in the server’s local directory | Yes | No |
Stored in the server’s network account server | No | Yes |
Can be used from an administrator computer | Yes | Yes |
Add administrators
You can create new administrators when you make new user accounts, or you can change existing accounts.
When you create a new user, select “Allow user to administer this server.”
When you promote an existing user to administrator, select “Administer this server” after double-clicking the user.
Administrator account security
To keep your server secure:
Don’t share an administrator name or password with anyone.
Log out when you leave your server, or set up a locked screen saver in Security preferences. If you leave your server while you’re logged in and the screen is unlocked, someone could make changes using your administrator privileges.
Turn off Automatic login in the Login Options pane of Users & Groups preferences. If the server logs in as an administrator, someone can restart the server to gain access as an administrator.
For added security, routinely log in to the server using a standard user account. Use your administrator name and password when you open the Server app or another app that requires administrator privileges.