
Tackling missing administrative privileges for all admin accounts

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

In OS X the first user is by default an administrator account so administrative functions can be run, and adding new administrators is usually as easy as authenticating and checking the appropriate box for the respective user in the Accounts system preferences. We were recently contacted by a reader who found that her system was no longer able to create new administrator accounts and all the previous administrators were now listed as standard users, leaving the root account as the only way to administer the system.

MacFixIt reader "Cindy" writes:

I noticed the other day that the admin privileges for ALL users had disappeared on my PowerPC G5 running 10.5.8. I enabled the root account and have used it to run pretty much any "fix it" routines I could think of: SMART, booted from another drive and checked the disk, reset PRAM, verified and repaired permissions, used Onyx to zap all the caches, ran maintenance routines, etc. Still no dice.

Symptoms:

Using the root account, I open System Prefs and in Accounts choose an account. Click on the checkbox for "Allow user to administer this computer." Whether I reboot right from there or click on another user...or anything else...when I come back to the Accounts pane the box is unchecked and all accounts (even Sys Admin) show as "Standard" with "Allow user to administer..." box unchecked. Only the root account can administer anything--the others insist on a different user and password and only root works.

In this situation it appears the problem may be from some corruption or other fault in the directory (the database that holds account and group information). In OS X administrators are just standard accounts that belong to the "admin" group, which grants them default read and write access to a number of system files (e.g., those for modifying system settings) and also allows them to be temporarily promoted to the "root" user for advanced administrative functions. Depending on the nature of the corruption in the directory, the system may not be able to grant users administrative access.

To test this, you can run the following commands in the Terminal:

dscl . -read /Groups/wheel GroupMembership
dscl . -read /Groups/admin GroupMembership

These commands will read the "wheel" and "admin" groups in the directory and output the account members who are in the respective groups. The wheel group should contain the root account, and the admin group should contain the usernames of all administrative accounts on the system.

In this case, instead of outputting the admin group members, the command gave the following output:

<dscl_cmd> DS Error: -1436 (eDSRecordNotFound)

This error indicated the admin group was missing, which would explain the problem. If the admin group is not available, then the system cannot add users to it and therefore cannot promote any of them to have administrative functions. While the system preferences may allow you to check the "Admin" box for a user, when the preferences reload the user's credentials they will not show the user as being a member of the admin group.

As a side note, the system preferences may output an error to the system logs (viewable with the "Console" utility) if the admin group is missing. With the console open, check and uncheck the "Allow user to administer this computer" box and you should see a relevant error in the console application that reflects the missing group.

Knowing the problem is from a missing admin group, we proceeded to create a replacement administrator group. The admin group is called "admin" but is identified by the system through its GID (group ID number), which is 80. If we create a new group with this number, the system should then allow this group to access files and resources that are tagged with this number.

To do this, the first step is to enable the root user account (follow the steps in this Apple article, since using Directory Utility may not work: http://support.apple.com/kb/TS1278) and then log in as root. Be very careful when logged in as root, since there are no restrictions on what files can be accessed and modified. When root is no longer needed, be sure to disable the account again.

When logged in, launch the Terminal application and run the following commands sequentially:

dscl . -create /Groups/admin
dscl . -create /Groups/admin RealName Administrators
dscl . -create /Groups/admin PrimaryGroupID 80
dscl . -create /Groups/admin Password \*
dscl . -create /Groups/admin GroupMembership root

These commands will create the group and give it the default attributes of the administrative group. After they are run, restart the system and try giving users administrative access through the system preferences again (this may need to be done while logged in as root, at least for the first user).
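To confirm the directory state before and after the repair, here is a read-only audit script, added here as an example and not part of the original article: it runs the same "dscl . -read" checks described above, recognises the eDSRecordNotFound output the reader saw, and verifies that root is in "wheel" and that "admin" carries GID 80. The function names are my own; dscl and its "GroupMembership: a b c" / "PrimaryGroupID: 80" output lines are the real tool's.

```shell
#!/bin/sh
# Added example (not from the article): read-only audit of the local
# directory's "wheel" and "admin" group records via dscl.

# Classify the text printed by: dscl . -read /Groups/<name> GroupMembership
# Prints "missing" (record absent, exit 1), "error" (other DS error, exit 1),
# "empty" (group exists with no members, exit 2) or the member list (exit 0).
parse_membership() {
  case "$1" in
    *eDSRecordNotFound*) echo "missing"; return 1 ;;
    *"DS Error"*)        echo "error";   return 1 ;;
  esac
  members=$(printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p')
  if [ -z "$members" ]; then
    echo "empty"; return 2
  fi
  echo "$members"
}

# Exit 0 when user $2 appears in the space-separated member list $1.
has_member() {
  for m in $1; do
    [ "$m" = "$2" ] && return 0
  done
  return 1
}

# Extract the GID from: dscl . -read /Groups/<name> PrimaryGroupID
parse_gid() {
  printf '%s\n' "$1" | sed -n 's/^PrimaryGroupID:[[:space:]]*//p'
}

# Live audit; reads only. Needs macOS dscl (exit 3 elsewhere), exit 1 on any finding.
audit_groups() {
  command -v dscl >/dev/null 2>&1 || { echo "dscl not found"; return 3; }
  status=0
  wheel=$(parse_membership "$(dscl . -read /Groups/wheel GroupMembership 2>&1)") || status=1
  admin=$(parse_membership "$(dscl . -read /Groups/admin GroupMembership 2>&1)") || status=1
  echo "wheel: $wheel"
  echo "admin: $admin"
  has_member "$wheel" root || { echo "finding: root is not in wheel"; status=1; }
  gid=$(parse_gid "$(dscl . -read /Groups/admin PrimaryGroupID 2>&1)")
  [ "$gid" = "80" ] || { echo "finding: admin GID is '${gid:-absent}', expected 80"; status=1; }
  return $status
}
```

Run audit_groups as root from the Terminal; on the reader's machine it would have printed "admin: missing" before the repair and the member list afterwards.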

When you have at least one administrative account added, test it by logging out, logging in as that administrator, and then performing some administrative functions (e.g., authenticating by clicking one of the locks in various system preference panes). If all goes as planned, this should have restored the administrative account functionality on the system.
