Regaining lost admin status on OS X

IMPORTANT NOTE: These instructions are for OS X 10.4 ("Tiger") and earlier. They will not work on 10.5 ("Leopard") or later versions of OS X.

Let's say you've heard that it's not a good idea to use an admin-level account for day-to-day activities on OS X, which is sound advice. So you open up System Preferences, click on Accounts, and remove yourself from the admin group by unchecking "Allow user to administer this computer".

Then it hits you: Yours is the only account on the computer, and you've just removed the only way you had to add software, perform security updates, and do a myriad of other necessary tasks! You think you might be able to fix it with the OS X install disk, but that darn thing's been missing for over a year! What do you do?

Well, I'm gonna tell you. This will also serve to reinforce the lesson that without physical security there is no real security: if a person has physical access to your computer, they can take it over almost trivially.

Note that this is going to require the use of the bash shell - the text-mode command prompt that you can get at using the Terminal program.

DISCLAIMER: If you do something wrong while in single user mode, it is possible to seriously damage your operating system and files. While all of the information listed below can be found in Apple's documentation, I do not make any guarantee that this will solve the particular problem you are experiencing on your computer. By continuing to read this document, and following the steps listed below, you acknowledge that you understand it is YOUR OWN RESPONSIBILITY if something goes wrong.

In other words: If you break it, you get to keep both parts.

Important notes

Step 1: Reboot into single user mode

If your computer is already running, select "Restart..." from the Apple menu in the upper left corner of your screen. If it isn't, just hit the power button. In either case, you'll want to press and hold the command ("⌘") key and the "s" key immediately afterward.

The computer will boot, and for a few seconds you'll see the gray apple screen. Then the text-based single user mode window will appear.

Step 2: Make the filesystem writeable

By default the filesystem is mounted "read only" when you boot into single user mode. This is to provide a small amount of protection against a person accidentally ending up in single user mode. But of course we want to be there, and can't make any changes unless we have write access to the files.

As of OS X 10.3 "Panther", you do this by typing the following two commands (the first command isn't really necessary if you're using the journaled HFS+ filesystem, but it won't hurt anything):

      /sbin/fsck -y
      /sbin/mount -uw /

Note: If you want to learn about "fsck", "mount", or any other command line tool, just read its man page. To do this just type "man" followed by the name of the particular program; e.g. "man fsck". This can be done in Terminal, or while in single user mode - basically anywhere you have a command prompt.

Step 3: Back up the netinfo database

It's always wise to back up any files you're going to edit. That way, if things go wrong, you can still get back to where you were before.

Think of it as your own personal version of the Hippocratic Oath: "First, do no harm."

      cp /var/db/netinfo/local.nidb /var/db/netinfo/local.nidb.backup_just_in_case

Step 4: Add your username to the admin group

Now it's time to use the command line tools that give you access to OS X's NetInfo Database. Type the following, all on one line (replace "your_shortname" with your account's actual short name):

      nicl -raw /var/db/netinfo/local.nidb -append /groups/admin users your_shortname

Step 5: You're done!

That's it! When you reboot, your account should appear as part of the admin group. You can power off your computer now; or you can reboot by typing "reboot" (without the quotes).

If you still want to run your account as a non-admin - and that is considered good security practice - first create a second account and give it administrative capability (do NOT name it "admin" - OS X doesn't like that. Call it "My admin" or "Big Joe" or whatever.). Once you've done that, it will be safe to remove the admin privileges from your own account. Then, on those future occasions when you do need admin access, you can authenticate using the admin account you've created.
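
The lockout this page starts from can be caught before it happens. As an added example (not part of the original page), the shell functions below take the "users:" line of the admin group, such as `nicl . -read /groups/admin users` would print on 10.4, and refuse a demotion when no other usable admin would remain. The function names, the exact line format and the sample data are assumptions of this example, as is treating root as disabled for login.

```shell
#!/bin/sh
# Added example, not from the original page.
# Guard against removing the last usable account from the admin group.

# other_admins USER "USERS_LINE"
# Prints the admin members that would remain after removing USER.
# "root" is skipped: it is assumed to be disabled for login (the OS X
# default), so it cannot stand in as the remaining administrator.
# Returns 2 if USERS_LINE is not a "users: ..." line.
other_admins() {
    user=$1
    line=$2
    case $line in
        users:*) members=${line#users:} ;;
        *) return 2 ;;
    esac
    remaining=""
    for m in $members; do
        [ "$m" = "$user" ] && continue
        [ "$m" = "root" ] && continue
        remaining="$remaining${remaining:+ }$m"
    done
    printf '%s\n' "$remaining"
}

# safe_to_demote USER "USERS_LINE"
# Exit status 0: another admin remains. 1: USER is the last one.
# 2: the input line could not be parsed.
safe_to_demote() {
    left=$(other_admins "$1" "$2") || return 2
    [ -n "$left" ]
}

# Constructed sample: the situation described at the top of this page,
# where "trav" is the only real admin on the machine.
sample='users: root trav'
if safe_to_demote trav "$sample"; then
    echo "OK: another admin account remains"
else
    echo "STOP: trav is the only usable admin; create a second admin first"
fi
```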


All contents © Travis Saling