Mac OS X: How to manage user access to applications, system preferences, and disc burning via "Capabilities," "Limitations," or "Parental Controls"

Learn how to manage, or restrict, the access of non-admin users.

This article has been archived and is no longer updated by Apple.

Background information

"Local user management" is the control that you may exercise over users of your computer without the use of a separate server. The history of local user management of the Mac OS includes software such as At Ease. Local user management saw the introduction of its modern feature set with the Multiple Users control panel of Mac OS 9 (which also facilitates but does not require the server-based Macintosh Manager). Mac OS X 10.2 reintroduced this level of Admin user control over local users via the "Capabilities" function of the Accounts preference pane. In Mac OS X 10.3, Capabilities has been renamed to "Limitations", and in Mac OS X 10.4 it's "Parental Controls." Similarly, the Capabilities function facilitates but does not require Workgroup Manager, a client management feature for Mac OS X Server 10.2 or later.

With Capabilities or Limitations, you may allow or deny a non-Admin user the ability to:

  • open all System Preferences panes
  • change password
  • burn discs
  • remove items from the Dock
  • open individual applications
  • use the Simple Finder

How to set user Capabilities

    1. Open System Preferences.
    2. Choose Accounts from the View menu.
    3. Select any non-Admin user. See Note 1.
    4. Click Capabilities (10.2), Limitations (10.3), or Parental Controls (10.4).
    5. Set the checkboxes as desired. See Note 2.
    6. Click OK (10.2 only).
    7. Repeat for any other non-Admin user, as desired.


    1. This feature may only be set for non-Admin users. If desired, edit a user's account to deselect the "Allow user to administrate this computer" checkbox. You are required to have at least one Admin user at all times, so you could create a user named "Guest" if you want everyone to use the computer via one restricted account. Such a setup might be useful in a lobby or kiosk environment, for example. By leaving the password for the "Guest" account blank, guest users may log in without a password.

    2. When restricting user access to applications, note that all applications are selected by default. Click the disclosure triangles next to folder names to individually select or deselect applications. To restrict applications stored outside these folders, such as on a secondary hard disk, click Locate, and make a selection with the navigation dialog. Any other applications you add will appear in the "Other" list.


For advanced troubleshooting purposes, you may wish to know that the Capabilities settings are stored in the "mcx_settings" attribute of each user's record. This is visible via NetInfo Manager or NetInfo command line tools, such as nicl and niutil (or, in Mac OS X 10.5, via the dscl command).
