Keychain GUI appears if an account other than the logged-in account is used to authenticate.

[rtrouton]

I'm seeing an issue where, if I'm logged into a user account and click on a lock in System Preferences, then log in using another account's admin credentials, the Keychain Minder GUI pops up.

To reproduce:

1. Set up two accounts, where one has admin rights and the other does not.
2. Log in as the account that does not have admin rights.
3. Open System Preferences
4. Click a lock
5. Log into the authentication dialog using the account with admin rights' credentials.

Expected behavior:

A. Lock unlocks
B. Keychain Minder GUI does not appear

Observed behavior:

1. Lock unlocks
2. Keychain Minder GUI appears.

Note: I was also able to reproduce the behavior when both accounts had admin rights, but I figured the above scenario was the more common of the two.

[tburgin]

You may be able to check the session owner with:

err = mechanism->fPlugin->fCallbacks->GetHintValue(mechanism->fEngine, "suggested-user", &value);

[pleasego2help]

Quick question relating to your above No users with uids under 501...

As of Yosemite we switched from sub-501 accounts due to it causing (migration, ARD) issues, and since Apple updated their support page (removing sub-501 instructions) for Yosemite+, instead using 'dscl... IsHidden'. (I discovered the topic when I started using Yosemite+ 'sysadminctl' when creating local admin in deployment.)

Original dev post (devforum login required, slightly humorous)
Further Details from MagerValp discussion using createuserpkg

(I apologize if this is out of context - please ignore if it is.)

[russellhancox]

This issue was moved to google/macops-keychainminder#2