Q: Why am I allowed to un-admin myself?

You would do that, as I have, to run standard in the main day-to-day account and only use the admin account for authenticating. Running standard makes it more difficult for any kind of infection, should that happen, to gain elevated privileges.

If you want to do this for security purposes, first create a new admin account with a password--to be used only for authenticating--and then set the main account to standard (restart needed).

In addition, Apple makes this possible because you may have any number of other users on this machine, who as admin, you don't want to be able to have system wide privileges, such as installing applications to /Applications or moving or changing items in the non-user Libraries.

Never tried, but if there's no other admin account, it may not be permitted. After a restart, it might just revert back to the admin, or you might get some message that it's not allowed--don't know. Would test this myself, but can't, since, beside my std, I have two admin accounts for testing and authenticating--and not about to delete those to try this.

I think it will totally allow you to have zero admins.  There have been more than a few posts about people doing just that, unless they have added a protection against that.

You could always clone the system, boot from the clone and see if you can remove the admin privs

BobHarris wrote:

 

I think it will totally allow you to have zero admins.  There have been more than a few posts about people doing just that, unless they have added a protection against that.

 

You could always clone the system, boot from the clone and see if you can remove the admin privs

Thought about that, but I'll leave that to the OP. It's not anything I really care about. If anyone tries this without a clone, think there's a way to get an admin back from single user.

WZZZ wrote:

BobHarris wrote:

You could always clone the system, boot from the clone and see if you can remove the admin privs

Thought about that, but I'll leave that to the OP. It's not anything I really care about. If anyone tries this without a clone, think there's a way to get an admin back from single user.

You could enable the 'root' account from single user mode ("mount -uw /" first, then "passwd root" should do it), then boot normally, login to 'root', add admin back to the user account, then disable 'root' via the "Directory Utility -> Edit -> Disable root"

There is most likely an OS X 'dscl' command that will do this, I'm just not a 'dscl' kind-of-guy

I'm also not sure what tricks can be done from the Recovery Partition menu bar.

Yeah, there's usually always something you can do from single user to get out of a bad jam.

I'm really asking why this is now allowed / is it a useful feature.

Speculation.  A classroom situation where the Macs are managed via Apple Remote Desktop.

A Network booted Mac from an OS X Server system.

If those sound like possibilities, maybe ask this question in the OS X Server forum and/or Apple Remote Desktop forum

<OS X Server>

<Apple Remote Desktop>

Again, all guessing on my part.

I'm really asking why this is now allowed / is it a useful feature. I think from these replies, neither of you know. If no one knows why it is allowed, I'm done. I suspect with Apple's tremendous success in recent years, they don't care much if the system has a few idiotic "features".

Since you already knew the answer to this, you basically asked a time wasting rhetorical question, or the beginning of a rant. We are not Apple, we are only other users here and have no idea why Apple does inscrutable things like this, or like hiding the user Library, while allowing access to the upper level Libraries, where much more damage, including easily making the system unbootable, can be done.

This would have been better sent to Apple Feedback, not as a question, but as a request.

https://www.apple.com/support/feedback/