How to quickly restore a missing admin account in OS X
If you find that you cannot access your OS X administrator account, there is a relatively quick way to get it back.
All Mac systems should by default have at least one administrator account for installing programs and otherwise changing the system configuration and settings. However, there may be times, such as after an OS upgrade or other major system configuration change, when the administrator privileges of an account get stripped, leaving you with no way to change a number of system settings.
This occurs quite rarely, but if it does happen, one quick, well-known and convenient trick for recovering administrative status on a system is to activate Apple's OS X Setup Assistant again. This assistant is generally only used once, when you install OS X, where it shows a basic interface while running with root privileges to set some core system features, including the first administrator account.
The Setup Assistant is always present on your computer, but only loads once because when it is finished it creates a small file called ".AppleSetupDone" in a hidden folder on the system. When your computer boots it will check for the presence of this file, and then bypass the setup assistant if the file is found.
The convenience of this setup means that you can reactivate the setup assistant to create an administrative account on the computer simply by removing this hidden file and then restarting the computer, which by default should take three steps:
- Reboot into Single User Mode
Restart your computer while holding the Command and S keys, which will drop you to a terminal command prompt. This mode loads you as the "root" user, which gives you full and unrestricted access to every aspect of the system via a command-line interface. This is a very powerful mode to work in, and is very convenient for troubleshooting.
- Set the file system to be writable
By default, when booting to Single User Mode the hard drive is set to a read-only state, which ensures that you do not make changes unless you explicitly tell the system to do so. To allow writing to the drive, run the following command:
mount -uw /
- Remove the hidden flag file
The next step is to remove the hidden ".AppleSetupDone" file, which can be done by running the single command below. This command should be typed in exactly as it appears here, with no spaces in it except for a single one right after the "rm" component. When run you should not see any output and should simply see another command prompt appear below where you ran the command.
After this is done, type "reboot" at the command prompt to restart the system, and you will be greeted by the setup assistant when the system starts up. Run through this assistant to create a new admin account, and then log in to this account.
Once logged in to the new admin account, you can then go to the Users & Groups (or Accounts) system preferences and manage your previous account's administrative status. Usually if this account is no longer an administrator, you simply have to check the box to allow the user to administer the computer, but if this does not work, then your best bet is to try clearing the account's database entry and recreating it exactly as-is. To do this, first be sure you have a full backup of your system (e.g., with Time Machine) and then use the following steps:
- Delete the account, keeping all data and settings
Select the account and click the minus button to remove it. When you do this the system will prompt you with some options for how to handle the account's data and settings. At this prompt choose the option to not change the home folder and have it remain in the Users folder.
- Check for the home folder
When the account has been deleted, go to the Macintosh HD > Users folder to ensure the home folder was left intact in the Users directory.
- Recreate the account
The last step is to go back to the Users & Groups system preferences and create a new account, using the same user name as the previous account (ensure that the "short" name of the account matches the abandoned home folder in the /Users directory). When you do this, the system will detect the old abandoned home folder of the previously deleted account and inform you that a home folder already exists. You can then set the account to access this one so all of the previous account's settings and data are applied to the new account.
This method can be used to reset any administrative account status on any Mac system, and as a result you might be concerned that anyone can make these changes to your system. By default OS X does allow for this; however, there is a quick security measure you can take to prevent it and ensure that only you can perform these actions.
To prevent booting to alternative boot modes (e.g., Single User Mode), you simply have to enable a firmware password on your system. To do this, reboot to the OS X installation drive (be it a DVD or the Recovery HD partition in OS X Lion or later), choose your language when prompted, and then choose the "Firmware Password" option in the Utilities menu. Use this tool to set a firmware password, and then nobody will be able to reset PRAM, boot to Safe Mode, Single User Mode, or to alternative boot drives unless they either disable the password or supply it when prompted.
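As an added example (not part of the original article), the script below audits the two things this section is concerned with: whether any account outside an expected list has ended up in the admin group, and whether a firmware password is set. It assumes an Intel Mac that has the dscl and firmwarepasswd tools; the allowlist and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added audit example, not from the original article.
# Constructed allowlist: replace with the short names you expect to be admins.
EXPECTED_ADMINS="root alice"

# Print admin-group members that are not on the allowlist.
#   $1: output of `dscl . -read /Groups/admin GroupMembership`
#   $2: space-separated allowlist of account short names
unexpected_admins() {
    members=${1#GroupMembership:}          # drop the attribute name
    out=""
    for m in $members; do
        case " $2 " in
            *" $m "*) ;;                   # expected administrator
            *) out="${out:+$out }$m" ;;    # not on the allowlist: report it
        esac
    done
    printf '%s' "$out"
}

# Map the output of `firmwarepasswd -check` to enabled / disabled / unknown.
firmware_state() {
    case "$1" in
        *"Password Enabled: Yes"*) printf 'enabled' ;;
        *"Password Enabled: No"*)  printf 'disabled' ;;
        *)                         printf 'unknown' ;;
    esac
}

# Live check, only where the macOS tools exist (firmwarepasswd needs root).
if command -v dscl >/dev/null 2>&1 && command -v firmwarepasswd >/dev/null 2>&1; then
    extra=$(unexpected_admins "$(dscl . -read /Groups/admin GroupMembership)" "$EXPECTED_ADMINS")
    [ -n "$extra" ] && echo "WARNING: unexpected admin accounts: $extra"
    echo "Firmware password: $(firmware_state "$(firmwarepasswd -check 2>&1)")"
fi
```

An account reported as unexpected here is worth investigating, since a second run of the Setup Assistant leaves exactly that trace: a new member of the admin group.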