[fixed] Mac OS X users lost administrator access
So several people are reporting trouble with Leopard when after upgrading or e.g. shutting down by just holding the power button all users have lost administrator access they might have had before.
A very quick fix helps most people:
– Restart
– Hold down Apple + S when the first blue/greyish screen appears to boot into single user mode
– The hard drive is mounted read-only so we have to do
$ /sbin/fsck -fy
$ /sbin/mount -uw /
– Now the system’s standard root user (whom we are at the moment) gets a password (any will do) so we can log in with it
$ passwd
$ exit
– Click on “Other” in the Login Window and login as user “root” with the password you have just assigned to him
– Use “System Preferences” -> “Accounts” to give administrator access back to the users whom you want to have it
– Log out
– Log in with your newly re-appointed administrator, launch Directory Utility, authenticate by clicking on the lock icon and disable the root user via “Edit” -> “Disable Root User”
Most users live happily ever after but for some this simply doesn’t work. Specifically System Preferences seems to immediately “forget” that you want a specific user to be an administrator. You tick the box, you click on another user or click the lock and then when you click on your desired administrator again the box is unchecked once more.
The more curious among us will at this time already have checked the system logs where most likely the message “mbr_group_name_to_uuid failed with err=2” sticks out. At the usual places (discussions.apple.com, et al) people will want you to insert your installation disk, use a password utility, reboot repeatedly, even reinstall your OS X or just pray.
Well, welcome to panoramification where everything is different ;)
What we’ll do is the following:
– back to single user mode as described above, also do the fsck and mounting
1. load directory services:
$ launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
2. Try to add a user to the admin group, use the shortname of the user for this
$ dscl . append /groups/admin GroupMembership myuser
– If this works: congratulations. Reboot and you’re done! If however it fails with
=> <dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
4. then try to create this group with its standard id of 80
$ dseditgroup -o create -i 80 admin
– if it works, skip to 9. If it fails with
=> ERROR: A Directory Service error occured.
14135: eDSRecordAlreadyExists
5. then try to delete the (apparently corrupted) group first
$ dseditgroup -o delete admin
– if this works, skip to 8. If it fails with the mind-blowing
=> ERROR: A Directory Service error occured.
14136: eDSRecordNotFound
6. we should check out the admin.plist file
$ cat /var/db/dslocal/nodes/Default/groups/admin.plist
7. if this file does not contain anything meaningful (should be an xml file) then the system is fooled into believing the group exists but can’t actually “initialize” it. We’ll remove the empty/corrupted file
$ rm /var/db/dslocal/nodes/Default/groups/admin.plist
8. … create a new group “from scratch”
$ dseditgroup -o create -i 80 admin
9. … and add our user to it
$ dscl . append /groups/admin GroupMembership myuser
10. All is done now, reboot and enjoy!
$ reboot
Of course an empty group.plist is a fairly trivial problem that any system created after the year 1996 should take care of automatically but well.. Apple can’t always be on the bleeding edge *cough*.
I’ve posted some more detail on this in the apple.com forums.
Feel free to leave a comment if any of this doesn’t help you out and I’ll look into it some more.
pan.o.ra.ma development notes 
works great, thanks!
bluenote79
15/09/2008
Excellent! Thank you much for taking the time to write up this fix.
Nate
17/09/2008
This is awesome thank you so much! best fix i’ve found.
one side note, this works fine if you’ve already enabled the root user without launching single user mode.
dzero
12/03/2009
hey, so im having some trouble. I am at the step to “create this group with its standard id of 80” I get an error but not the 14135 warned about. I get “-14270 eServerNotRunning” I then tried
$ rm /var/db/dslocal/nodes/Default/groups/admin.plist but got the same error. What do I do? (p.s. this is my first time working with this stuff so simple explanations are probably needed.
Stuart
11/06/2009
YOU SAVED MY DAY…..JOB!!!!
Keenan
24/09/2009
This saved my ass!!! Apple XServe OS X has this problem too when the HD gets low due to enormous Apple updates downloading.
KD
11/12/2009
Wow, Amazing!
Thanks for this … I’ve been trying to solve this problem for some time and none of the other fixes I’ve come across have worked.
This worked straight off. Will be visiting your site from now on …
Cheers!
Jason Fretwell
10/12/2010
Hi, I’ve left this unresolved for the past year and finally took the time to go through your methods. Thank you so much!
Giang
01/07/2012
Someone necessarily assist to make critically articles I would state.
That is the very first time I frequented your web page and thus far?
I surprised with the analysis you made to create this actual publish extraordinary.
Great task!
anti aging cream
20/06/2013
This is still a concise and detailed process document that still works (after 6 years)—very nice.
The only minor revision I have is in step “8. … create a new group ‘from scratch'” –you can copy a fresh admin.plist into the current (“broken”) plist. The revised step 8 would be…
8. … copy a fresh admin group .plist into active path (mind the spaces in command below)
$ cp /System/Library/DirectoryServices/DefaultLocalDB/Default/groups/admin.plist /private/var/db/dslocal/nodes/Default/groups/
seabash
03/06/2014
I feel like an idiot as I’m looped in:
It’s an older, small iMac (white)
Any idea to fix this?
Would be very kind of you.
Best wishes,
Ivo
Ivo Stadelmann
02/05/2015
oups… actually I’ve written $ passwd: Unable to change the password for record root . eDSRecordNotFound
I used
Ivo Stadelmann
02/05/2015