Administrator Account

jpilege
New Contributor III

I had an odd scenario happen last week where our local Administrator account on 1 Mac went from being an admin to a standard account and having the password changed.

The employee that uses the Mac as their machine is a standard account as well. I don't have any policies set to change passwords or accounts. I do have 1 account that will create the local admin account if one is not found. The Mas as usual will check in, but isn't able to install any policies from the Self Service and I'm unable to make any changes with Casper Remote due to the admin account change.

Has anyone seen this before or know of a way to get into the Mac to make the changes on the Admin side?

Thanks in advance!

6 REPLIES 6

mm2270
Legendary Contributor III

Unfortunately, if all local admin accounts are now no longer admins, I believe the only way to fix it will be to enable the root account on the Mac and then log in as it, either from a command line or SSH, or just locally, and fix the issue. The root account is never affected by problems with regular admin accounts, because its a unique System Admin account and not in the same groups as others. You can enable root by booting into Recovery HD and using Terminal. Take a look at the dsenableroot command here for more information on that.
I'd almost be willing to bet the local admin group is missing from this Mac, which is why the admin accounts lost their 'admin-ness'.

When you get on this Mac, run this command in Terminal and see if the local admin group shows up:

dscl . list /Groups

It would be in a long list and will show up just as "admin"

jpilege
New Contributor III

Thanks for the quick response @mm2270!

I'll take a look at this and see what I can do. With all the accounts being a standard account, will this effect enabling the root user? The document list commands to use a username and password of an admin account to enable the root user. If I don't put anything in and just run the dsenableroot, will this be enough to enable it?

I'll look for the group while I'm in Terminal.

After all this I'm going to be more curious on how something like this happens.

mm2270
Legendary Contributor III

When you boot into Recovery HD, you are effectively in a root account, so no, you shouldn't need to actually supply any credentials. Its equivalent to opening a root shell on your Mac and then issuing a sudo command. You're not asked for a password because you are already escalated as high as you can go.

As for how it happened, what OS was this Mac running? Do you happen to use McAfee Endpoint Protection for Mac on your systems?

mpermann
Valued Contributor II

@jpilege do you have a hidden Casper admin account that you can log into on the computer to fix the issue from that account?

jpilege
New Contributor III

Ok, I'll check with the user to see when I can have their Mac to make the changes.

The Mac is running 10.11.2. It's an early 2015 model MacBook Pro, but was purchased at the end of December. We don't any McAfee. We have FileVault on all of our Macs.

@mpermann We do have a hidden account, but it reflects the same name and password as the local admin account. Our Casper Remote uses a CasperScreenShare (something like that) as a username, but I have no idea what the password is. I tried to remote into the computer with this user as I have in the past on others, but Casper Remote comes back with a bad configuration.

bradtchapman
Valued Contributor II

This is a very old issue where the "admin.plist" file in Open Directory got corrupted.

There are several ways to fix it. You could try creating this script and running it from a policy. Your local JAMF management account (casperadmin or similar) should still be able to run as root because the jamf and jamfAgent processes were granted root access by launchd.

#!/bin/sh
dscl . append /Groups/admin GroupMembership `last -1 |  awk '{print $1}'`
exit 0

In case you were wondering, the last command shows all previous successful logins on the computer, going all the way back to the beginning.

username  ttys000                   Thu Dec 17 07:14 - 19:06  (11:52)

awk helps us get field $1, the user shortname. Field $2 would be "ttys000," and so forth.

If the above procedure does not work, restart the Mac in Single User mode or use the Recovery Mode.