Mac machine admin accounts and their ability to remove other admins
May 13, 2011 3:42 PM   Subscribe

I would like to keep one admin account on a Mac from stripping admin privileges from other admin accounts.

Rant begin*
After waiting three months for my hyper-controlling and technically-challenged boss to set up my new Mac, I took matters into my own hands and did it myself. Now he wants the admin of the computer. I told him more than one account can have admin but I know what he is really saying is he wants to have total control. Considering how long I have been waiting for him to do updates on my old machine, the likelihood that updates would be done, even on a yearly basis, is poor.
*rant finished

I have set up another admin account for him but, by all appearances, any admin can come in and strip admin rights from the other admin accounts. Is there a way I can stop this?
posted by Foam Pants to Computers & Internet (6 answers total) 2 users marked this as a favorite
Macs don't wait for you to get around to it - they check every two weeks or so and pop up a dialog.

I have set up another admin account for him but, by all appearances, any admin can come in and strip admin rights from the other admin accounts. Is there a way I can stop this?

Reboot the computer, and hold down command-S. That will boot you into single-user mode, where you're unfettered root on the machine and can do basically whatever you want including making adding users to the admin group.
posted by mhoye at 4:56 PM on May 13, 2011

If you boot from CD you can change any user's password, including root. (Even so, you should set root's password, and probably firmware password as well.)

How much will he be on it? Would he notice if you changed his password? Would he shrug it off as forgetfulness or be suspicious?

Physical access is root access, with the caveat that one has to be aware of that fact. I'm guessing he isn't.
posted by supercres at 5:01 PM on May 13, 2011

Oh, I get the notices for updates, I just can't make them. It sucks donkey balls. I can totally boot from CD or do mhoye's suggestion. He will never be on my machine. All I need to do is reinstate my admin rights should he take them away, he'll never even notice something has happened. I don't think he even realizes that you can do such things. I didn't realize and, if I don't know, he certainly doesn't.

If I could kiss you people through the screen, I would.
posted by Foam Pants at 5:10 PM on May 13, 2011

If you have physical access to the machine, you can give yourself admin access anytime you want by resetting the password. The only way to stop that is to set a firmware password, which requires downloading a special utility and is a very desperate measure. If the firmware password is lost, the only recourse involves partly disassembling the machine and/or taking it to Apple for service.

In other words, you can do whatever you want as long as your boss doesn't know how to set a firmware password (and it sounds like that's not going to happen anytime soon) or you set a firmware password first. He, of course, is free to fire you for violating whatever computing rules he has established (IANAL, your employment situation may vary), but that's an entirely different problem than the technical one you've asked here.
posted by zachlipton at 8:49 PM on May 13, 2011

The instructions to reset any password from the boot CD are on Apple's support site, if that helps.
posted by joeycoleman at 5:28 AM on May 14, 2011

As a follow up, I used mhoye's suggestion and, with this as a guide, I was able to give myself admin access to the computer. I am now in the process of doing two year's worth of updates on the old machine and my mind has been put at ease that I can keep maintaining my new machine no matter what my boss gets up his butt. Excellent advice, everybody!
posted by Foam Pants at 11:08 AM on July 1, 2011

« Older How can I learn more about the technology of my...   |   From Seriously Uncool to Subzero! Newer »
This thread is closed to new comments.