Create super admin user

Joined
Nov 29, 2010
Messages
8
Reaction score
0
Points
1
Hi everyone,

On our mac, we have two admin accounts. Yes --- I know in certain ways that defies the whole point of an admin account and is not generally suggested, but that's the way things are gonna be so deal with it :)

I know in Ubuntu one can create groups, and thus declare a sort of "super admin" group: i.e., one that controls the users in the admin group and can't be controlled by them. I'd like to accomplish the same thing in Mac OS 10.5.8.

If it helps, the primary thing I want to control is to prevent the normal admin from disabling the super admin's admin status. As it stands now, any admin can disable any other admin's admin privileges simply by unchecking the box "Allow user to administer this computer" in System Preferences -> Accounts. This makes me gravely unhappy.

Lastly, I should point out that I've done some stuff in Workgroup Manager, so is there a way to edit groups using that?

Any help is appreciated! Thanks in advance!
 
C

chas_m

Guest
You're not just begging for trouble -- you're asking it out to dinner with flowers and candy and cash bribes!

If you don't trust the other person NOT to unplug your admin privileges, they shouldn't be using your computer. Or you shouldn't be using their computer.

That's the best advice I'm willing to part with on this.
 
OP
B
Joined
Nov 29, 2010
Messages
8
Reaction score
0
Points
1
Thanks for taking the time to respond chas_m, but that's not really helpful. Has anyone read past the first sentence?
 
Joined
Dec 11, 2010
Messages
1
Reaction score
0
Points
1
This isn't helpful per se (sorry babyface2059!) but I wanted to say I'd like to know the answer to this as well. We use a similar set up on the staff computers at our elementary school. It's not negotiable to change the set up from having multiple admins since only the heads of departments and the Principal are admins; the Principal sets up the computer. There must be a simple, legitimate way to make one computer administrator the supreme computer administrator. Right? Thanks everyone for the help.
 
Joined
Apr 9, 2009
Messages
2,073
Reaction score
68
Points
48
Location
Ithaca NY
Your Mac's Specs
13 inch alMacBook 2GHz C2D 4G DDR3, 1.25GHz G4 eMac
What chas was saying relied on reading the entirety of your post. If you know about super admin groups, shouldn't you know how to set them in the command line? Your Mac does speak bash, you know. You could also always be the "super admin user" because you have access to the machine, and could log in as root and re-enable your admin privs.
 
Joined
Apr 26, 2008
Messages
2,963
Reaction score
120
Points
63
Location
Belgium
Your Mac's Specs
iPad Pro 12.9 latest iOS
Believe me .... ( as Chas_m said above ) you are asking for trouble, no matter how you look at it. You are starting on the basis of ' not trusting the other party ' and even if you find a technical solution ...... trouble it is.

Let's forget the solution space for a minute, what are you actually trying to protect ... if you are trying to protect data there are other ways.

You can't have 2 chef's in the same kitchen.

Cheers ... McBie
 
Joined
Oct 22, 2007
Messages
8,967
Reaction score
287
Points
83
Location
London
Your Mac's Specs
Mac Mini Core i7 2012 | White 2009 MacBook 2 Ghz | 733 Mhz G4 Quicksilver
Why cant you just give non trusted users normal accounts and reserve admin accounts for admin users

After all, that's what Unix and its derivatives are set up to do

If you give a user admin status, them by its very nature they have admin status
 

Slydude

Well-known member
Staff member
Moderator
Joined
Nov 15, 2009
Messages
17,596
Reaction score
1,072
Points
113
Location
North Louisiana, USA
Your Mac's Specs
M1 MacMini 16 GB - Ventura, iPhone 14 Pro Max, 2015 iMac 16 GB Monterey
Let's assume you find a way to do this. You're still left with one problem: If you can find directions for doing this so can they. You could find yourself going in circles.
 
OP
B
Joined
Nov 29, 2010
Messages
8
Reaction score
0
Points
1
Hey everyone,

To avoid riling up anyone further, I feel like I should give more info. This isn't a trust issue --- I'm sitting right next to the person that is the second admin. We both know I will be the super dooper admin.

Thanks harryb2448 for the suggestion --- that's the way we typically do things (1 admin, lots of guests) --- but having 2 admins on the same comp is the way it's going to be.

And sorry DarkestRitual, I don't know how to set admin groups via the command line. Could you give me a link to more info about that? Because I think that's what I'm after.

I usually use Ubuntu and when I posted a question about super admin groups there (this was ages ago) they gave a response that involved using GUI stuff (and not shell stuff) --- it was pretty easy to follow, but that's why I don't know the unix commands for doing the same thing on a mac.

On a side note, I really do appreciate the help. There's nothing suspicious or underhanded going on here, so while I do appreciate the info about security risks and whatnot, it would be nice to have some help as to the actual task I want to accomplish.

Thanks!
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
I'm going to go out on a limb here and say that the instructions you received for Ubuntu enabled the root user since it is disabled by default. The same thing is done in OS X. If you want to enable the root user, open up /System/Library/CoreServices/Directory Utility.app > click the lock > authenticate > Edit > Enable Root User. I'm not sure if this will meet your needs though.

As a word of warning, I'd suggest you use the root account with extreme caution. I know others have said the same thing so I may sounds unnecessarily repetitive but it's worth repeating.
 
Joined
Sep 9, 2009
Messages
5,473
Reaction score
201
Points
63
Location
Down Under :D
Your Mac's Specs
Back to my old 2.2GHz C2D MB after selling my MBP and wondering what my next Mac will be :)
I'm going to go out on a limb here and say that the instructions you received for Ubuntu enabled the root user since it is disabled by default. The same thing is done in OS X. If you want to enable the root user, open up /System/Library/CoreServices/Directory Utility.app > click the lock > authenticate > Edit > Enable Root User. I'm not sure if this will meet your needs though.

As a word of warning, I'd suggest you use the root account with extreme caution. I know others have said the same thing so I may sounds unnecessarily repetitive but it's worth repeating.

....and if you take that route (pardon the pun) be extra vigilant with time machine backups!
 
OP
B
Joined
Nov 29, 2010
Messages
8
Reaction score
0
Points
1
Thanks for the info vansmith, but I think I'd rather not enable the root user. The ubuntu GUI solution involved making a new group (called "superadmin") and then making the usual admin group unable to disable other admins.

And I might be stupid enough to want 2 admins but I'm not so foolish as to want the root user --- at least that's what I tell myself :)

Thanks for the help, though!

Here's an idea --- is there a way to grant some admin capabilities to a normal user (e.g., installing new applications)? That way I would have a single admin and then a semi-admin, the latter of which being able to install updates and games and whatnot. Or is that more wishful thinking?
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
A regular user can always install applications themselves. Non-admin users can create Applications folder within their own user folder but these apps will be specific to the user account.
 
OP
B
Joined
Nov 29, 2010
Messages
8
Reaction score
0
Points
1
A regular user can always install applications themselves. Non-admin users can create Applications folder within their own user folder but these apps will be specific to the user account.

I think it's different with game patches. For example, my friend (the other admin) plays a game that regularly gets patched. Every time he wants to install a patch, it requires administrative privileges. Is there something different about patches? It could be because the game is installed for every user so the patch gets put in a shared folder which then requires admin privileges to change. Does that sound right??

Also, I would like the user to be able to change most settings --- just not stuff that's for security reasons only. For example, I know in Workgroup Manager I can disable the link to "Sharing" and "Accounts" in System Preferences. But I'd like to avoid that, and merely to make it so the second account (whether its a semi-admin account or what-have-you) can access those things, still be an admin, but not make changes to any account but their own. So let's say the "second/semi-admin" opens up System Preferences -> Accounts, they can change their password, login items, etc., but they can't check or uncheck the lower 2 boxes for any other user (i.e., check or uncheck the box for "allow to administer this computer" or the box for "enable parental controls").

Sorry if that last paragraph puts us back at square one. I've probably annoyed or scared away most people who have looked at this thread.

Thanks again for the help everyone
 
Joined
Mar 9, 2004
Messages
9,065
Reaction score
331
Points
83
Location
Munich
Your Mac's Specs
Aluminium Macbook 2.4 Ghz 4GB RAM, SSD 24" Samsung Display, iPhone 4, iPad 2
I think it's different with game patches.

It all depends where the files are stored, as others have said. Basically, the Admin account has full read/write access to most locations, including the Macintosh HD/Applications folder. A non admin user will need the admin's username and password to add an application to that folder.

But since OS X doesn't really care where you place most applications, you can also create a Macintosh HD/Users/nonadminusersname/Applications folder. If a game update is required, the user should be perfectly able to install it themselves, since they won't need an admin password to write to that folder.

I think the long and the short of it is that OS X isn't really designed for "super-admin" users (I know, I know - it's *nix, but OS X itself wasn't designed with it in mind).

You may be able to hack together a workable solution, but creating an Applications folder in the user's home directory is the way everyone else would deal with this issue.
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
As for the game with patches, do that which has been suggested - install it to the user Application folder.

I think you're asking for find grained user access privileges that just don't exist with OS X, unless you manually traversed the filesystem and granted privileges to certain users which is not recommended and unnecessarily tedious.
 
OP
B
Joined
Nov 29, 2010
Messages
8
Reaction score
0
Points
1
Alright I give in --- I think the simple solution of installing into the user (and not global) applications folder is best. Thanks for the help vansmith and Aptmunich.
 

Shop Amazon


Shop for your Apple, Mac, iPhone and other computer products on Amazon.
We are a participant in the Amazon Services LLC Associates Program, an affiliate program designed to provide a means for us to earn fees by linking to Amazon and affiliated sites.
Top