No admin accounts, how to add one?

znilsson
Contributor II

I know, there are a lot of ways normally, but hear me out. I'm working on a Mac Mini that is having issues. After enrolling it in Casper and bringing it up to El Cap, at some point during this process, all admin rights were removed from all the accounts on the machine, including the administrator account that Casper installed. They're all standard accounts now.

My Casper management account may have admin rights, but I don't know what the password is for it, because it's not taking the password I assigned to it, and it's hidden. This is kind of a separate frustration, don't know why the management password is something other than what I assigned, and why the JSS doesn't know what it is either. Could be related to everything else that happened on this box though.

So there are zero accounts on this mini with admin rights. To compound this problem:

  • Jamf management account not taking the password it's supposed to have so I cannot do anything on it from Casper as all attempts fail with a bad password error. I have a script that elevates from standard to admin but Casper can't authenticate and can't do it locally on the Mac because no admin accounts.

  • There is no recovery partition on this Mac Mini. Don't know why, but regardless, it's not there. This prevents me from booting to recovery and using the resetpassword tool.

  • Can't run the dsedit command from terminal to elevate a standard user account to admin because it requires an admin account to do that. Catch 22.

  • Can't run dsedit command from single user mode because it fails.

  • Can't enable root because it requires admin credentials to unlock the Users & Groups panel, and also Directory Utility.

And finally, just assume for now that we can't format the drive and start over. I know this isn't strictly Casper related, but was hoping somebody here might have an idea for what I could try next. The googling I've done just keeps bringing up solutions involving the recovery partition and/or dsedit. Am I just out of options?


AVmcclint
Honored Contributor

Sounds to me like you should focus your efforts on why all this happened in the first place. No usable admin accounts, no recovery partition, jamf management acct not working.... You've got something serious going on OR, this was a one time fluke that will never happen again. In either case, I'd delete the computer from JSS, format the drive, and re-image to verify all your processes and policies are valid.

If you are hell-bent on fixing it as it is, you can boot up from an OSX installer USB stick (lots of instructions out there on how to make one) - make sure it's the same major version installer that is installed on the Mac - and then you can go to the Utilities menu > Terminal and run commands to promote a local user to Administrator (instructions are out there for that). Then use that one admin account to try and fix the multitude of problems that Mac has.

roiegat
Contributor III

If you can get an outside connection maybe try booting up with CMD-R and it'll download a recovery partition that should help. It needs a direct connection to the internet so it can download everything it needs.

I know we had some issues with the El Capitan update, but it wasn't as bad as everyone losing admin. Almost sounds like your admin group got whacked.

znilsson
Contributor II

@AVmcclint Yeah, reformatting is a last resort, I'm trying to find a solution before having to do that. We do have El Cap on USB sticks, I'll try one of those with terminal to see how far I can get.

@roiegat We've done over 100 Macs so far, this is the only one that has had this problem so I'm extremely confident that this is a one-time fluke. It does sound like the admin group got whacked, not sure what I can do about that either, due to the kind of catch-22 nature of this problem.

If I have to I'll wipe and start over which I'm sure will fix everything, but I'm just looking for other options before I do that.

mm2270
Legendary Contributor III

The suggestions from both @AVmcclint and @roiegat should help. Booting to either an external OS X install media or an Internet Recovery partition should let you do some repairs to at least get an admin account back on the system to work with.
It does sound like the local admin group is missing or got whacked, which would make all accounts non-admin, except for the root account.

One other possible option would be to create a policy in your JSS targeted to this one Mac that could run the dseditgroup commands, or dscl commands to reinstate the local admin group and make sure it runs on the check-in trigger. Since the check-in gets called by the LaunchDaemon, it's running as root, which actually should not be affected by this issue I would think. Meaning, even if the local admin group goes missing, the root account still has 'sudo' privileges if I'm not mistaken.

I'm not 100% certain the above would work, but I think it will, again, since the policy should get called by the LaunchDaemon (running as root).
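An added example, not part of the post above and not Jamf's own code: a sketch of the kind of root-run policy script the reply describes, which checks the local admin group with dscl and only recreates or repopulates it when it is missing or has no usable member. It assumes the user to promote is passed as script parameter 4 and that the local directory node itself is still readable.

```shell
#!/bin/sh
# Added example, not code from the thread. Meant to run as root, e.g. from a
# management policy at check-in. Assumption: script parameter 4 carries the
# short name of the local user to promote.

ADMIN_GID=80   # GID of the built-in macOS "admin" group

# Read `dscl . -read /Groups/admin GroupMembership` output on stdin and
# print the non-root members, one per line.
admin_members() {
    awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) if ($i != "root") print $i }'
}

# $1 = dscl exit status, $2 = dscl stdout. Prints missing, empty or ok.
admin_group_state() {
    if [ "$1" -ne 0 ]; then echo missing; return 0; fi
    if [ -z "$(printf '%s\n' "$2" | admin_members)" ]; then echo empty; else echo ok; fi
}

repair_admin_group() {
    user="$1"
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    out=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null) && rc=0 || rc=$?
    state=$(admin_group_state "$rc" "$out")
    echo "admin group state: $state"
    if [ "$state" = missing ]; then
        # Recreate the group record with its standard attributes. If the
        # local node itself is unreadable, this first call fails and we stop.
        dscl . -create /Groups/admin || return 1
        dscl . -create /Groups/admin PrimaryGroupID "$ADMIN_GID"
        dscl . -create /Groups/admin RealName "Administrators"
        dscl . -create /Groups/admin Password "*"
        dseditgroup -o edit -a root -t user admin
    fi
    if [ "$state" != ok ]; then
        dseditgroup -o edit -a "$user" -t user admin
    fi
}

# Only act when a user name was supplied, so loading the file is harmless.
if [ -n "${4:-}" ]; then
    repair_admin_group "$4"
fi
```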

znilsson
Contributor II

@mm2270 Thanks, unfortunately I can't do anything via Casper because the management account does not recognize the password it's supposed to have. Also FWIW I have confirmed the admin group is gone on this Mac, which explains why none of the accounts can have admin rights.

znilsson
Contributor II

I tried adding the admin group via dscl in single user mode, and it can't find the DirectoryServicesLocal.plist file. That kind of says "really hosed" to me, so I'm just going to reformat it. Thanks for your responses, I had to at least try to find another way.

dmw3
Contributor III

We had a couple of computers lose the Admin group, this discussion helped sort it out: https://jamfnation.jamfsoftware.com/discussion.html?id=2068

DanielMa
New Contributor III

@znilsson Have you been able to boot into single user mode? If so, you can remove the SetupDone file and reboot, and that will then run the setup wizard prompting for the creation of a local account that will be local admin.
Slightly nicer than reformatting the entire machine; instructions to remove the said file can be found at:
http://www.theinstructional.com/guides/how-to-re-run-the-os-x-setup-assistant

Good luck

znilsson
Contributor II

@dmaclaughlin Yeah I did boot into single user mode and delete the setupdone file. Then what happened is that it went into a loop of booting to the login screen, logging in, rebooting, going to the initial setup screen, logging in at the filevault login screen, rebooting, login screen etc. Never got to the account creation screen.

It was pretty messed up.