New To Mac-Forums?

Welcome to our community! Join the discussion today by registering your FREE account. If you have any problems with the registration process, please contact us!

Get your questions answered by community gurus Advice and insight from world-class Apple enthusiasts Exclusive access to members-only contests, giveaways and deals

Join today!

 
Start a Discussion
 

Mac-Forums Brief

Subscribe to Mac-Forums Brief to receive special offers from Mac-Forums partners and sponsors

Join the conversation RSS
OS X - Operating System General OS operation information and support

Create super admin user


Post Reply New Thread Subscribe

 
Thread Tools
babyface2059

 
Member Since: Nov 29, 2010
Posts: 8
babyface2059 is on a distinguished road

babyface2059 is offline
Hi everyone,

On our mac, we have two admin accounts. Yes --- I know in certain ways that defies the whole point of an admin account and is not generally suggested, but that's the way things are gonna be so deal with it

I know in Ubuntu one can create groups, and thus declare a sort of "super admin" group: i.e., one that controls the users in the admin group and can't be controlled by them. I'd like to accomplish the same thing in Mac OS 10.5.8.

If it helps, the primary thing I want to control is to prevent the normal admin from disabling the super admin's admin status. As it stands now, any admin can disable any other admin's admin privileges simply by unchecking the box "Allow user to administer this computer" in System Preferences -> Accounts. This makes me gravely unhappy.

Lastly, I should point out that I've done some stuff in Workgroup Manager, so is there a way to edit groups using that?

Any help is appreciated! Thanks in advance!
QUOTE Thanks
chas_m

 
chas_m's Avatar
 
Member Since: Jan 22, 2010
Location: Victoria, BC
Posts: 15,733
chas_m has a reputation beyond reputechas_m has a reputation beyond reputechas_m has a reputation beyond reputechas_m has a reputation beyond reputechas_m has a reputation beyond reputechas_m has a reputation beyond reputechas_m has a reputation beyond reputechas_m has a reputation beyond reputechas_m has a reputation beyond reputechas_m has a reputation beyond reputechas_m has a reputation beyond repute
Mac Specs: 2009 MBP, Black speakers, Black Benq second monitor, black(ish) iPhone 5s, Black 2012 iPad, etc.

chas_m is offline
You're not just begging for trouble -- you're asking it out to dinner with flowers and candy and cash bribes!

If you don't trust the other person NOT to unplug your admin privileges, they shouldn't be using your computer. Or you shouldn't be using their computer.

That's the best advice I'm willing to part with on this.
QUOTE Thanks
babyface2059

 
Member Since: Nov 29, 2010
Posts: 8
babyface2059 is on a distinguished road

babyface2059 is offline
Thanks for taking the time to respond chas_m, but that's not really helpful. Has anyone read past the first sentence?
QUOTE Thanks
phantomlakeelem

 
Member Since: Dec 11, 2010
Posts: 1
phantomlakeelem is on a distinguished road

phantomlakeelem is offline
This isn't helpful per se (sorry babyface2059!) but I wanted to say I'd like to know the answer to this as well. We use a similar set up on the staff computers at our elementary school. It's not negotiable to change the set up from having multiple admins since only the heads of departments and the Principal are admins; the Principal sets up the computer. There must be a simple, legitimate way to make one computer administrator the supreme computer administrator. Right? Thanks everyone for the help.
QUOTE Thanks
harryb2448

 
harryb2448's Avatar
 
Member Since: Nov 28, 2007
Location: Nambucca Heads Australia
Posts: 16,030
harryb2448 has a reputation beyond reputeharryb2448 has a reputation beyond reputeharryb2448 has a reputation beyond reputeharryb2448 has a reputation beyond reputeharryb2448 has a reputation beyond reputeharryb2448 has a reputation beyond reputeharryb2448 has a reputation beyond reputeharryb2448 has a reputation beyond reputeharryb2448 has a reputation beyond reputeharryb2448 has a reputation beyond reputeharryb2448 has a reputation beyond repute
Mac Specs: iMac i5 2.7GHz OS X.9.2

harryb2448 is offline
Would it help to maintain your admin account, delete the second admin account and establish a Guest account with password etc?


http://www.macobserver.com/tmo/artic..._User_Account/

Hang on to those original install discs like grim death! Using OS X.7 or later make a bootable USB thumb drive before running Installer!
QUOTE Thanks
DarkestRitual

 
Member Since: Apr 09, 2009
Location: Ithaca NY
Posts: 2,073
DarkestRitual is just really niceDarkestRitual is just really niceDarkestRitual is just really niceDarkestRitual is just really nice
Mac Specs: 13 inch alMacBook 2GHz C2D 4G DDR3, 1.25GHz G4 eMac

DarkestRitual is offline
What chas was saying relied on reading the entirety of your post. If you know about super admin groups, shouldn't you know how to set them in the command line? Your Mac does speak bash, you know. You could also always be the "super admin user" because you have access to the machine, and could log in as root and re-enable your admin privs.
QUOTE Thanks
McBie

 
McBie's Avatar
 
Member Since: Apr 26, 2008
Location: Belgium
Posts: 2,228
McBie is a name known to allMcBie is a name known to allMcBie is a name known to allMcBie is a name known to allMcBie is a name known to allMcBie is a name known to allMcBie is a name known to all
Mac Specs: 2013 MBA 13" - 10.9.2 & iPad - iOS 5.1

McBie is offline
Believe me .... ( as Chas_m said above ) you are asking for trouble, no matter how you look at it. You are starting on the basis of ' not trusting the other party ' and even if you find a technical solution ...... trouble it is.

Let's forget the solution space for a minute, what are you actually trying to protect ... if you are trying to protect data there are other ways.

You can't have 2 chef's in the same kitchen.

Cheers ... McBie

A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila.
The problem is not the problem. The problem is your attitude towards the problem. You understand ?
QUOTE Thanks
louishen

 
louishen's Avatar
 
Member Since: Oct 22, 2007
Location: London
Posts: 8,892
louishen has a brilliant futurelouishen has a brilliant futurelouishen has a brilliant futurelouishen has a brilliant futurelouishen has a brilliant futurelouishen has a brilliant futurelouishen has a brilliant futurelouishen has a brilliant futurelouishen has a brilliant futurelouishen has a brilliant futurelouishen has a brilliant future
Mac Specs: Mac Mini Core i7 2012 | White 2009 MacBook 2 Ghz | 733 Mhz G4 Quicksilver

louishen is offline
Why cant you just give non trusted users normal accounts and reserve admin accounts for admin users

After all, that's what Unix and its derivatives are set up to do

If you give a user admin status, them by its very nature they have admin status

Member of the Month September 2008 & August 2012 | Found advice useful? use the rep system
QUOTE Thanks
Slydude

 
Member Since: Nov 15, 2009
Location: North Louisiana, USA
Posts: 5,420
Slydude has a brilliant futureSlydude has a brilliant futureSlydude has a brilliant futureSlydude has a brilliant futureSlydude has a brilliant futureSlydude has a brilliant futureSlydude has a brilliant futureSlydude has a brilliant futureSlydude has a brilliant futureSlydude has a brilliant futureSlydude has a brilliant future
Mac Specs: 2.8 GHz MacBook Pro 10.8,3 8 GB mem, 2.66 GHz Mac Pro - Dead, iPhone 4

Slydude is offline
Let's assume you find a way to do this. You're still left with one problem: If you can find directions for doing this so can they. You could find yourself going in circles.

Sylvester Roque Former Contributing Editor About This Particular Macintosh

Don't blame me if following this advice causes loss of data, a rip in space time allowing dinosaurs to roam free, or your significant other to leave.
QUOTE Thanks
babyface2059

 
Member Since: Nov 29, 2010
Posts: 8
babyface2059 is on a distinguished road

babyface2059 is offline
Hey everyone,

To avoid riling up anyone further, I feel like I should give more info. This isn't a trust issue --- I'm sitting right next to the person that is the second admin. We both know I will be the super dooper admin.

Thanks harryb2448 for the suggestion --- that's the way we typically do things (1 admin, lots of guests) --- but having 2 admins on the same comp is the way it's going to be.

And sorry DarkestRitual, I don't know how to set admin groups via the command line. Could you give me a link to more info about that? Because I think that's what I'm after.

I usually use Ubuntu and when I posted a question about super admin groups there (this was ages ago) they gave a response that involved using GUI stuff (and not shell stuff) --- it was pretty easy to follow, but that's why I don't know the unix commands for doing the same thing on a mac.

On a side note, I really do appreciate the help. There's nothing suspicious or underhanded going on here, so while I do appreciate the info about security risks and whatnot, it would be nice to have some help as to the actual task I want to accomplish.

Thanks!
QUOTE Thanks
vansmith

 
vansmith's Avatar
 
Member Since: Oct 19, 2008
Location: Ottawa
Posts: 17,103
vansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond repute
Mac Specs: 2012 13" MBP (2.5 i5, 8GB)

vansmith is offline
I'm going to go out on a limb here and say that the instructions you received for Ubuntu enabled the root user since it is disabled by default. The same thing is done in OS X. If you want to enable the root user, open up /System/Library/CoreServices/Directory Utility.app > click the lock > authenticate > Edit > Enable Root User. I'm not sure if this will meet your needs though.

As a word of warning, I'd suggest you use the root account with extreme caution. I know others have said the same thing so I may sounds unnecessarily repetitive but it's worth repeating.

Important Links: Community Guidelines : Use the reputation system if you've been helped.
M-F Blog :: Write for the blog
Mac-Forums Investigates MacKeeper - Confused about MacKeeper? Take a look at this review.
QUOTE Thanks
6string

 
Member Since: Sep 09, 2009
Location: Down Under :D
Posts: 5,484
6string is a splendid one to behold6string is a splendid one to behold6string is a splendid one to behold6string is a splendid one to behold6string is a splendid one to behold6string is a splendid one to behold6string is a splendid one to behold6string is a splendid one to behold
Mac Specs: Back to my old 2.2GHz C2D MB after selling my MBP and wondering what my next Mac will be :)

6string is offline
Quote:
Originally Posted by vansmith View Post
I'm going to go out on a limb here and say that the instructions you received for Ubuntu enabled the root user since it is disabled by default. The same thing is done in OS X. If you want to enable the root user, open up /System/Library/CoreServices/Directory Utility.app > click the lock > authenticate > Edit > Enable Root User. I'm not sure if this will meet your needs though.

As a word of warning, I'd suggest you use the root account with extreme caution. I know others have said the same thing so I may sounds unnecessarily repetitive but it's worth repeating.
....and if you take that route (pardon the pun) be extra vigilant with time machine backups!
QUOTE Thanks
babyface2059

 
Member Since: Nov 29, 2010
Posts: 8
babyface2059 is on a distinguished road

babyface2059 is offline
Thanks for the info vansmith, but I think I'd rather not enable the root user. The ubuntu GUI solution involved making a new group (called "superadmin") and then making the usual admin group unable to disable other admins.

And I might be stupid enough to want 2 admins but I'm not so foolish as to want the root user --- at least that's what I tell myself

Thanks for the help, though!

Here's an idea --- is there a way to grant some admin capabilities to a normal user (e.g., installing new applications)? That way I would have a single admin and then a semi-admin, the latter of which being able to install updates and games and whatnot. Or is that more wishful thinking?
QUOTE Thanks
vansmith

 
vansmith's Avatar
 
Member Since: Oct 19, 2008
Location: Ottawa
Posts: 17,103
vansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond reputevansmith has a reputation beyond repute
Mac Specs: 2012 13" MBP (2.5 i5, 8GB)

vansmith is offline
A regular user can always install applications themselves. Non-admin users can create Applications folder within their own user folder but these apps will be specific to the user account.

Important Links: Community Guidelines : Use the reputation system if you've been helped.
M-F Blog :: Write for the blog
Mac-Forums Investigates MacKeeper - Confused about MacKeeper? Take a look at this review.
QUOTE Thanks
babyface2059

 
Member Since: Nov 29, 2010
Posts: 8
babyface2059 is on a distinguished road

babyface2059 is offline
Quote:
Originally Posted by vansmith View Post
A regular user can always install applications themselves. Non-admin users can create Applications folder within their own user folder but these apps will be specific to the user account.
I think it's different with game patches. For example, my friend (the other admin) plays a game that regularly gets patched. Every time he wants to install a patch, it requires administrative privileges. Is there something different about patches? It could be because the game is installed for every user so the patch gets put in a shared folder which then requires admin privileges to change. Does that sound right??

Also, I would like the user to be able to change most settings --- just not stuff that's for security reasons only. For example, I know in Workgroup Manager I can disable the link to "Sharing" and "Accounts" in System Preferences. But I'd like to avoid that, and merely to make it so the second account (whether its a semi-admin account or what-have-you) can access those things, still be an admin, but not make changes to any account but their own. So let's say the "second/semi-admin" opens up System Preferences -> Accounts, they can change their password, login items, etc., but they can't check or uncheck the lower 2 boxes for any other user (i.e., check or uncheck the box for "allow to administer this computer" or the box for "enable parental controls").

Sorry if that last paragraph puts us back at square one. I've probably annoyed or scared away most people who have looked at this thread.

Thanks again for the help everyone
QUOTE Thanks

Post Reply New Thread Subscribe


« Repairing Permissions - not working | Can anyone help with the Terminal? »
Thread Tools

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off
Forum Jump

Similar Threads
Thread
Thread Starter
Forum
Replies
Last Post
OSX won't recognize my password for admin rights Doug b OS X - Operating System 5 01-21-2011 03:54 PM
Changing Admin account mikedickbek OS X - Operating System 3 10-17-2009 04:18 PM
making everything avail from admin to user link0126 Switcher Hangout 2 06-30-2009 09:04 PM
Setting up a new Mac, admin and user accts? techmonkey OS X - Operating System 15 06-26-2007 07:09 PM
NEED HELP > Admin can't delete user... joelkanning OS X - Operating System 2 02-02-2004 05:55 PM

All times are GMT -4. The time now is 04:25 AM.

Powered by vBulletin
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
X

Welcome to Mac-Forums.com

Create your username to jump into the discussion!

New members like you have made this community the ultimate source for your Mac since 2003!


(4 digit year)

Already a member?