One of the commonly recommended safe-computing practices is to run your day-to-day activities in a standard user account and reserve administrative accounts purely for installing applications, adjusting system settings, and otherwise reconfiguring the system. This setup helps prevent mishaps performed in a standard account from affecting global system resources. For instance, a malware attack or bug in an application will have easier access to the Applications folder, global Library folders, and other resources open to admin accounts. Therefore, by using an account with standard permissions you will help prevent problems or dangers from affecting system resources without your explicit permission.
Some people may have reservations about using the more restrictive standard accounts for fear of not being able to make changes to the system when needed; however, in OS X this should not be a problem. In most cases if a task requires administrative privileges, the system will prompt for the proper credentials, even when these tasks are invoked from a standard account. Therefore you can continue working in your standard account to prevent automatic changes to system settings and resources, and then be prepared to authenticate whenever needed.
This is easy to do when you first set up your system, where you can use the setup assistant to create the default admin account followed by specifying standard user accounts for everyone who uses the system. However, if you have been running in an admin account, then creating and migrating to a new standard account will be a bit of a burden since you will have to reconfigure all of your settings, programs, and online services in addition to migrating your data to the new system.
However, instead of troubling yourself with migrating to a new account, you can switch your current account from admin to a standard account and thereby impose the same restrictions on it. To do this, you will first need to create the new admin account in the Accounts (or Users & Groups) system preferences, and then log out of your current account and log into the new admin account. Once logged into in the new account, go back to the Accounts system preferences, select your old admin account, and then uncheck the "Allow user to administer this computer" option to demote it.
In some rare instances people may find that all accounts on the system are standard ones, with no admin option available. These situations usually happen because of faults during a system migration or restoration, and because of the lack of an admin account will require special attention to recreate one.
There are a couple of approaches you can take if your system is missing an admin account. The first is to use create a new administrative account using the Terminal in Single User mode. Single User mode will bypass the accounts on the system and load the system in a terminal-only environment with root privileges. This allows for complete access to the system using the command-line, and will allow you to modify the system directory and create a new admin account.
To do this, first reboot the system while holding the Command and S keys simultaneously until you see the command prompt, and then run the following command to allow writing to the boot drive (this is off by default for security purposes):
mount -uw /
When you have run this command, then follow this procedure to create a new admin account:
- Check for the presence of the admin group with the following command:
dscl . -read /Groups/admin GroupMembership
- If the admin group does not exist, then you will get a DS Error as the output that claims in part that the record is not found. In this case you will need to create the admin group by running the following commands; however, if it does exist, then proceed to step 3 below:
dscl . -create /Groups/admin
dscl . -create /Groups/admin RealName Administrators
dscl . -create /Groups/admin PrimaryGroupID 80
dscl . -create /Groups/admin Password \*
dscl . -create /Groups/admin GroupMembership root
These commands will create the group, followed by giving it the proper full name, and then set the group ID to be that which is used by the admin group in OS X. This number is assigned to all the resources which the group can access, and assigning it to the newly created admin group will make it a true administrator group since any member will have access to these resources. Lastly we give the group an empty password, so it will require the use of the member passwords to work (requires authentication), and then assign the root account to the group.
- Assign a user account to the admin group by running the following command. In this command, replace USERNAME with the short name of the account you wish to be admin. This can be any account for now:
dscl . -create /Groups/admin GroupMembership USERNAME
This procedure does require you to type a fair number of commands, and because typos in Terminal commands can lead to unwanted or confusing results, you can alternatively use the OS X setup assistant for recreating the admin account. To do so, after booting to Single User mode and setting the file system for write access (see above), then run the following command:
This will remove an invisible file in the system that indicates the Setup Assistant has already been run. Therefore, by removing this file and restarting you will invoke the setup assistant and have the system run you through the steps for creating a new admin account, using a user-friendly interface.