How can I stop someone from changing the admin password on my mac by using fsck?

There isn't an OS in the world that can be locked down against a knowledgable person with direct access to a computer. Even a firmware password can be worked around. If necessary, lock your computer away in a separate room, safe, or if it's a Mac tower, even consider removing the hard drive at the end of the day. But basically, you need to find out who has access to your Mac, keeps changing it and fire them (or have them fired), or kicked out if they're a roommate.

Yup, but the reality is you can't fully lock down any computer against a person sitting in front of one. At least not a person who knows how to get around your attempts to block them.

It isn't fsk that re-sets the password, by the way. It is Single User Mode where you enter the commands, and that's easy to enter.

An open firmware password makes it a lot more difficult for somebody to re-set the password. I'm not how sure how things are with new computers but with older Macs you would have to remove memory chips to re-set it. I guess you have to figure out if in your business you anticipate people bringing a screwdriver to work and disassembling their computer.

To expand a bit on Limno' comment. If you do set a firmware password, then IT would have to be the ones at the start of each day (or any restart) to enter the password and allow the Mac to finish booting while standing there and waiting until it was at the desktop. If you were to give the firmware password to each employee, you'd gain nothing. All they'd have to do is enter the password and then go right into Single User Mode.

Setting up a firmware password is explained here. Also note it tells you three ways to remove the password.

Not sure if that would help. They note it works with build 4K78, which is 12 years back to OS X 10.0, which would be era of PowerPC Macs and Open Firmware, which doesn't exist on Intel based Macs. OS X has also changed drastically since then.

Kurt Lang: I don't have firsthand experience with firmware passwords but my understanding (and supported by comments in the document you linked) is that it would not prevent normal booting of the machine for a regular user. It does, however, prohibit the actions (see list in the link) that would enable a person to override regular login. You could not, for example, start up in Single User Mode to reset the admin password, or use a separate startup volume to get access to the system files from the "outside". You would not have to have an IT person sitting there at startup every day ready to login at the base level before the user could then get into their account.

Guys let me know if what you think. Thanks.

It looks like the links to that item are all dead.

It does, however, prohibit the actions (see list in the link) that would enable a person to override regular login.

As Limnos noted, those links appear to be long dead. They were also created for the very first version of OS X. I think it would be pretty much a guarantee they wouldn't work on any newer Mac, even if you could download them.

You would not have to have an IT person sitting there at startup every day ready to login at the base level before the user could then get into their account.

Yes, you are correct. My mistake above. However, it would be imperative that the user not know the Admin account name and password for that Mac so they couldn't disable the firmware password.

I believe the only direct way to remove the firmware password would be for a person to do it in the firmware password setup, and for that you need to know the firmware password. Even if you know the admin. password that will not bypass firmware password level restrictions. The firmware password operates at a much lower level than any of the OSX features. You wouldn't even need to have OSX installed and the firmware password features would still be active if you set them up. That's why you really have to start taking apart the computer in order to reset them, and I am not sure if even that will work with all Mac models and you may have to take it into an Apple Store.

If you set a firmware password, do not forget it or you are really in a mess.

According to Apple's article, the Admin user can remove or change a firmware password:

Warning: The Open Firmware Password can be reset and changed by any one of the following (except MacBook Air):

By any administrator user, as designated in the Accounts preferences (or in Server Admin).

So if you knew the Admin name and password, you could login to the Admin account and change or remove the password in the Account settings of the System Preferences. While a firmware password blocks a variety of ways to startup your Mac, or boot to another drive, it doesn't appear to block logging out of an account and switching over to the Admin account.

Really bad if you have a disgruntled employee who then changes the firmware password so only they know it.

Interesting, thanks. Still, if a person does not trust an employee sufficiently to provide them with admininstrator access in the first place, and there is a firmware password set so they cannot hack admin. access, they will not be able to get into the administrator features. If you trust them enough to provide them with admin. access then they already have open access to the computer and it doesn't matter if you set a firmware password they can remove. So the firmware password does provide a reasonable level of security against unauthorized admin. status unless you're worried about somebody walking off with the computer, but that's a whole different level of security concern.

Haha! Yes, it's kind of a Catch-22. Somebody has to be able to reset the firmware password, or the Mac would be locked in its current state essentially forever since no one would be able to install a new OS (on a bootable disk or flash drive). So the Admin is the only account which can do that.

But there's still other ways around it. The second way Apple's article notes is:

Via physical access to the inside of the computer.

It doesn't elaborate what you would do (good thing!). Apple was smart enough there not to be too verbose. 🙂

Yes, but if you search on the web you will find about a million links telling you how to do it so it is a very open secret you will even find on ASC. 🙂 The thing is, in your linked article it also indicates how you do it varies with model and for the at least some MacBook Air models you have to take it into the store.

I think the OP needs to assess the situation. Frankly I don't think somebody is going to sit at their desk and take the computer apart (a very noticeable activity in itself!) in order to hack their way into being able to check their Hotmail on work time. If they are hacking their way into credit card numbers on another account and have to take apart the computer to do so then the whole security setup should be changed so valuable data are generally more secure. If the employer thinks a person is that untrustworthy and/or the security of the data dictates it, do something like removing the internal drive, only booting from an external, and lock the drive in a safe at night. Even a safe can be broken into. I recall reading a story where they said safes are not guaranteed unbreakable, they are rated by the time it takes to get into them. This is similar. Setting a firmware password adds another layer to deter casual hacking. If it isn't enough then there are more serious concerns with the work environment or general data security.