Gain admin rights in OS X Leopard

It’s happened to me more than once that I’ve needed to configure something on a managed Mac laptop at work for which I have no admin access. Normally you can just track down your network administrator, but if it’s after hours or you are traveling, there’s another option: escalate your own account privileges by adding yourself to the admin group.

To add yourself to the admin group, you’ll need to reboot into single user mode and run a couple commands. Here’s how:

First, boot the machine and hold down Command-S until it boots into single user mode. Then, mount the hard disk in read-write mode (and check it for errors) with the following two commands:
/sbin/fsck -fy
/sbin/mount -uw /

We’ll be using the dscl command to add your username to the admin group, but first you need to start directory services or it will return an error:
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist

To list the users in the admin group, use the following dscl command:
dscl . read groups/admin users

You won’t see your username, of course, because you aren’t an admin. To add yourself, run the following:
dscl . append groups/admin users yourusername

You can double check that your username is in the list now, then type reboot to restart the machine. When you log in, you’ll see that you’re now in the admin group, with permission to install apps or change any system settings.

5 Responses to Gain admin rights in OS X Leopard

Mike on February 13th, 2009 at 7:42 am said:

TUAW had a similar, shorter, slightly noisier (the first boot video) version of the same idea:

http://www.tuaw.com/2008/09/01/tuaw-tip-create-an-os-x-admin-user-without-a-disc/%20%5Bhttp://www.tuaw.com/2008/09/01/tuaw-tip-create-an-os-x-admin-user-without-a-disc/

However, it should be noted that there’s a typo in the terminal commands.

It should read
$ mount -uw /
$ rm /var/db/.AppleSetupDone
$ shutdown -h now

Reply ↓
arougthopher on February 13th, 2009 at 9:03 am said:

http://users.ez-net.com/~jasonb/secureit.html

not sure if this works on the latest versions. also check here:

http://www.securemac.com/macosxsingleuser.php

Reply ↓
Beth on February 13th, 2009 at 9:39 am said:

If you have a decent sysadmin, the machine will have a firmware password set, and the machine won’t allow a single-user boot. You can find out if it does have one set by booting holding down the “option” key at startup, and it will prompt for a password if there is one set.

Reply ↓
Charlie Flowers on February 13th, 2009 at 10:18 am said:

Awesome tip Jason! I featured it on The Daily Hack…keep up the great work, man.

Charlie Flowers
DailyHack.net
twitter.com/charlie

Reply ↓
John on April 8th, 2009 at 9:50 am said:

This worked great but people be careful to put all the spaces in where they go or else the command will not be recognized. By the way thanks for putting this up your a life saver!

Reply ↓