niutil -appendprop / /groups/$groupname users $usernameSimilarly, a user can be removed from a group with a command like
niutil -destroyval / /groups/$groupname users $usernameIn my configuration, I've decided to follow Red Hat's convention of having a group for each user, and making that the user's primary group.
Other groups of interest include the admin group, and the appserveradm and appserverusr groups. The admin group is important because it's (by default) listed in the /etc/sudoers file. Out of the box, this file contains only the lines:
root ALL=(ALL) ALL(except for comments). The second line allows anyone who's a member of the admin group to use sudo to run any command as the superuser.
%admin ALL=(ALL) ALL
The second two groups contain users who are allowed to manage WebObjects, a Java web application server thingy. By default, the first user you create while setting up a new Mac will be made a member of these two groups.
In my case, I've chosen to allow root to log in directly and remove all other users from the admin group. To accomplish this, just log in as a still-privileged user and type "sudo passwd root" to set a password for the root account. Then use the "niutil -destroyval" command above to remove users from the admin group (after testing to make sure you can log in as root!).