
Why am I allowed to un-admin myself?

I notice that in System Preferences > Users & Groups, I can remove the check for "Allow user to administer". Then I become a "Standard" user. Why is this allowed? Why would I want the computer to have no admin? It seems in older versions of OS X, this could not have happened. Is this a glitch or intentional design?

Mac mini, OS X Mountain Lion (10.8.5)

Posted on Oct 3, 2015 9:09 PM


Oct 4, 2015 5:40 AM in response to Moof666

You would do that, as I have, to run standard in the main day-to-day account and only use the admin account for authenticating. Running standard makes it more difficult for any kind of infection, should that happen, to gain elevated privileges.


If you want to do this for security purposes, first create a new admin account with a password--to be used only for authenticating--and then set the main account to standard (restart needed).


In addition, Apple makes this possible because you may have any number of other users on this machine, who as admin, you don't want to be able to have system wide privileges, such as installing applications to /Applications or moving or changing items in the non-user Libraries.

Oct 4, 2015 7:34 AM in response to Moof666

Never tried, but if there's no other admin account, it may not be permitted. After a restart, it might just revert back to the admin, or you might get some message that it's not allowed--don't know. Would test this myself, but can't, since, beside my std, I have two admin accounts for testing and authenticating--and not about to delete those to try this.

Oct 4, 2015 12:43 PM in response to BobHarris

BobHarris wrote:


I think it will totally allow you to have zero admins. There have been more than a few posts about people doing just that, unless they have added a protection against that.


You could always clone the system, boot from the clone and see if you can remove the admin privs

Thought about that, but I'll leave that to the OP. It's not anything I really care about. If anyone tries this without a clone, think there's a way to get an admin back from single user.

Oct 4, 2015 1:25 PM in response to WZZZ

WZZZ wrote:

BobHarris wrote:

You could always clone the system, boot from the clone and see if you can remove the admin privs

Thought about that, but I'll leave that to the OP. It's not anything I really care about. If anyone tries this without a clone, think there's a way to get an admin back from single user.

You could enable the 'root' account from single user mode ("mount -uw /" first, then "passwd root" should do it), then boot normally, log in to 'root', add admin back to the user account, then disable 'root' via the "Directory Utility -> Edit -> Disable root"


There is most likely an OS X 'dscl' command that will do this, I'm just not a 'dscl' kind-of-guy 🙂


I'm also not sure what tricks can be done from the Recovery Partition menu bar.

Oct 5, 2015 4:39 AM in response to WZZZ

Root isn't really needed. In single user, rm /var/db/.applesetupdone

That will cause the Setup app to launch at reboot, and then you create a new admin. As for "It may not be permitted", it absolutely is, and plenty of folks have gotten themselves into such a mess, for example, their kids remove the check mark. Most casual users never heard of single user mode. A few versions ago, un-adminning the only admin was not permitted, but now it is. I don't know exactly which version removed the "last admin standing" protection. This seems a new "feature", along with the not-so-well hidden feature of allowing one to change the shortname of the home account. Maybe the engineers at Apple are having a few laughs over these two oddities. "Hey, let's allow them to remove all admins. That should cause some hair pulling, eh?"


I didn't really ask for a debate on whether it is possible to un-admin oneself when there is no other admin, because I already know for certain it is possible. I also didn't ask how to get out of that pickle, since I also already know that. I'm really asking why this is now allowed / is it a useful feature. I think from these replies, neither of you know. If no one knows why it is allowed, I'm done. I suspect with Apple's tremendous success in recent years, they don't care much if the system has a few idiotic "features".
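The "last admin standing" check this thread says OS X no longer enforces can be done by hand before unticking "Allow user to administer". The script below is an added example, not part of any post above and not Apple's code: it parses the one-line output of `dscl . -read /Groups/admin GroupMembership` and refuses a demotion that would leave no other admin. The short names `moof` and `authadmin` and the sample lines are constructed, and only direct group membership is considered.

```shell
#!/bin/bash
# Pre-flight check before removing admin rights from an account:
# make sure at least one other admin stays in the local admin group.

# Live lookup on a Mac (defined for real use; the demo below does not call it).
read_admin_group() {
  dscl . -read /Groups/admin GroupMembership
}

# Print the admin short names from a "GroupMembership: a b c" line, one per
# line. root is skipped: as the thread notes, it has to be enabled before it
# can be used to log in, so it does not count as a usable admin here.
admin_users() {
  printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p' |
    tr -s ' ' '\n' | grep -v -x -e root -e ''
}

# safe_to_demote MEMBERSHIP_LINE SHORTNAME
#   0 = another admin remains, 1 = SHORTNAME is the last admin,
#   2 = SHORTNAME is not an admin in the first place.
safe_to_demote() {
  std_line=$1
  std_target=$2
  admin_users "$std_line" | grep -qx -- "$std_target" || return 2
  std_remaining=$(admin_users "$std_line" | grep -vx -- "$std_target" |
    wc -l | tr -d ' ')
  [ "$std_remaining" -ge 1 ]
}

# Constructed sample output (not captured from a real machine).
SAMPLE_ONE='GroupMembership: root moof'            # moof is the only admin
SAMPLE_TWO='GroupMembership: root moof authadmin'  # separate authenticating admin exists

for sample in "$SAMPLE_ONE" "$SAMPLE_TWO"; do
  if safe_to_demote "$sample" moof; then
    echo "ok: another admin remains      ($sample)"
  else
    echo "refuse: moof is the last admin ($sample)"
  fi
done
```

On a real Mac, pass `"$(read_admin_group)"` as the first argument instead of a sample line.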

Oct 5, 2015 6:12 AM in response to Moof666

I'm really asking why this is now allowed / is it a useful feature.

Speculation. A classroom situation where the Macs are managed via Apple Remote Desktop.


A Network booted Mac from an OS X Server system.


If those sound like possibilities, maybe ask this question in the OS X Server forum and/or Apple Remote Desktop forum

<macOS Server>

<Apple Remote Desktop>


Again, all guessing on my part.

Oct 5, 2015 9:09 AM in response to Moof666

I'm really asking why this is now allowed / is it a useful feature. I think from these replies, neither of you know. If no one knows why it is allowed, I'm done. I suspect with Apple's tremendous success in recent years, they don't care much if the system has a few idiotic "features".

Since you already knew the answer to this, you basically asked a time wasting rhetorical question, or the beginning of a rant. We are not Apple, we are only other users here and have no idea why Apple does inscrutable things like this, or like hiding the user Library, while allowing access to the upper level Libraries, where much more damage, including easily making the system unbootable, can be done.


This would have been better sent to Apple Feedback, not as a question, but as a request.


https://www.apple.com/support/feedback/
