The admin account still has restrictions of things at the system level, that only the root account can access. However, and admin can access these said resources via the sudo command and with authentication.

I would suggest making new user accounts via the system preferences accounts pane. You can actually create an admin account and never log into it, and just use that admin account for authentication for installing things.

So it's time consuming to "clone" another account's preferences etc. What is the best way to replicate the "admin" account's settings (without admin access of course)?

I don't recommend copying any preferences across user accounts, I think it could cause some unwanted issues. It isn't that time consuming unless you have an extremely large home directory, plus permissions would be screwy since your original account would own everything.

I think I would need to understand your higher goal, ie what you are trying to accomplish, to fully answer your question. Creating accounts is easy and is done through system preferences.

If you want certain things to replicate across all user accounts there is a way to do so, but it depends on what you are trying to do.

Not being aware, upon buying this new Mac, I just made the one account and customized it with settings and some applications. It is set as "admin". Just want to create a user account without "admin" access, with all my original settings and applications. Is there a way to do that without the time consuming chore of starting over? I have used the system preferences panel to create another account.

Well all users have access to all the applications under /Applications, so no need to copy all of that. Basically you will want to probably just grab your documents and toss them on a thumb drive or a shared folder and just create the new account.

The only thing a home directory really holds is that user's data and preferences. Most other things are in the system and all users can access them, but the ones that require admin will prompt you for a password, but you can still access them.

The preferences is not that hard, but some things may be a bit screwy if you copy them. Everything is stored under ~/Library/Preferences under each user account. You could just toss all of those into a shared folder and then drag them into your new user's account in the same place. I am not sure exactly what would happen since I always make fresh accounts.

Just create a second account - this will be the one that you will use only for "admin" duties, so the preferences etc are not important. Make this new account an admin account.

Then logout of your current user account and login as the new account. Go to the Accounts preferences and remove the "admin" status from your regular account. Log out and then login using your regular account which will no longer be an admin account.

That makes it clear, and sounds much simpler. Thanks for the advice, to both of you.

One of the privileges that an admin user has is the ability to create and modify just about anything in /Applications and /Library. An admin, or any program an admin runs, has free rein to install new applications or rewrite existing applications. A malicious program that can trick an admin into running it could, for example, replace Safari with a program that behaved the same in every respect, except that it would also forward to its author a copy of every password you entered. All Apple applications and most third-party applications installed into /Applications grant write access to admins. No password required!

That's probably the most important reason for not running routinely as admin. We all make mistakes. We all accidentally click on links that we instantly realize we shouldn't have clicked on. If you're running as admin, and you've just launched a malicious app, you're infected. If you're a non-admin, at least the stuff in /Applications and /Library is (mostly) safe from harm.

But, if you're just now getting around to creating a separate admin account, all the third-party software you've already installed is probably still owned and writable by your non-admin user. It's still vulnerable.

From this point onward, if you download an application using your non-admin account and try to install it, you'll get an authentication dialog asking for an admin password. That's because only an admin can add new things to /Applications.

If this is a drag-and-drop install (the most common kind), and you go ahead and type in your admin password, the new application will be installed but it will still be owned and writable by the non-admin user. That is, it's still vulnerable.

The risk here isn't that the new application might be malicious. I assume you wouldn't install a new application from a source you didn't trust. (And if you would, then abandon all hope.) The risk here is that you're leaving the new application vulnerable to attack, even when you're not running as admin.

For that reason, you should consider application-installing to be one of your admin-only duties. Never install applications from your non-admin account. I know that authentication dialog seems to promise that it'll Do The Right Thing™, but it won't. Shun it.

To fix up permissions on any third-party apps you've already installed, log in as admin, open Terminal (in /Applications/Utilities) and run the following commands, supplying your admin password when asked:
This leaves your third-party apps owned by your admin (same as any apps you drag-install later). You can use this to distinguish Apple apps from third-party apps. (If you don't care, you can replace the second command with the simpler:but you should still do the first command to keep from promoting any suid apps to suid root. (Never mind what that means; it's just something you don't want to do.)

So is this one command: sudo find /Applications -perm +6000 -not -user root -exec chmod ug-s {} \;ADMIN=$(id -u)
And this another: sudo find /Applications -not -user root -print0 | sudo xargs -0
chown $ADMIN:admin
Enter the 1st and then the second? Not being familar with terminal, I never go there. Thanks for the clear explanation, and the help.

Knowing how important it is to get terminal commands right, could someone look at these and tell me if they are correct as to spacing of the words and etc? Are they 2 distinct commands?
sudo find /Applications -perm +6000 -not -user root -exec chmod ug-s {} \; ADMIN=$(id -u)

sudo find /Applications -not -user root -print0 | sudo xargs -0 chown $ADMIN:admin

Should they be entered as one unbroken line?
Should there be a space between the semicolon and ADMIN in the first line?
Should there be a space between chown and $ in the second?

No 3.
Enter them like this:
This should be right for copy/paste.

I ran this command a few days ago and I just noticed that Firefox and Flock browsers have the "check for updates" greyed out.

I'm guessing this command disables my Standard account from updating any 3rd party software?

If I download and install any app using my Standard account, I will only have "Read only" privileges from now on then?

alright thanks guys it helped a lot !!!

Any 3rd party apps that I have installed while logged into my Standard account all show that I have Read & Write privileges after running the code. Did I do something wrong?