Text I type is the first line of each code block; the computer's replies follow it.
I had a weird issue this morning. A teacher brought in her school Mac. She was unable to authorize the computer to allow screen sharing in Zoom.
Everything in our MDM was set properly. Standard users were allowed to make their own decisions for screen capture[1]. I clicked on the lock icon to authenticate there. It wouldn’t accept my credentials as the admin user.
A bit about our workflow:
- Device in Apple School Manager and assigned to our MDM (Mosyle)
- Computer turns on and goes through Automated Device Enrollment (ADE) and hands off to Mosyle
- Authenticate to Mosyle via Google
- Mosyle installs profiles, Rosetta (on Apple Silicon Macs), skips all of Apple’s setup screens
- Creates local admin user
- Sets up Google Authentication for user (when user first logs in it creates the user as a Standard User)
So in theory that admin user is set up by Mosyle on first boot.
I check in Users and I see the local admin user there.
The teacher had to leave at this point. I rebooted and decided to run `resetpassword` in Recovery Mode. It’s changed since I last used it. It asks me to authenticate as a user whose password I know. I choose the only account there, the admin account. It recognizes the password, but then the only password I can change is the standard user’s and not the admin user’s.
Now I don’t have my users’ passwords, because that’s a really really bad idea. So now I can’t log into the account.
When logging into the admin account, I was getting this error: `Error: Credential verification failed because account is disabled.`
I tried running `pwpolicy disableuser -u admin` via Mosyle and got:
```
pwpolicy disableuser -u admin
Getting account policies for user <admin>
```
Well, that’s not helpful.
Let’s try `pwpolicy enableuser -u admin`.
```
pwpolicy enableuser -u admin
Enabling account for user <admin>
```
Not a very useful reply, but okay.
Still cannot log in. Whomp whomp.
Let’s try our old friend `dscl`:
```
dscl . passwd /Users/admin password
Permission denied. Please enter user's old password:<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
passwd: DS error: eDSAuthFailed
```
This was fun! Okay, let’s log into the computer. Since I can’t get into the user account and I can’t get into the admin account, I need to create a new account. I tried using Mosyle to install a local account, but it didn’t seem to work. Instead I created a new Google Auth profile. Removed the user from the old one and added her to the new one.
Now I can log in with my Google account. I did. I also went into MunkiAdmin, found that computer and added SAP’s great app Privileges.
I opened up Managed Software Update on the computer, installed Privileges, and elevated my privileges to an admin account.
It was then that I saw a couple of things. /Users/admin didn’t exist. I set the admin account to a standard user and tried to change its password. I was told I cannot. I tried to delete the account and was told I could not.
So instead I renamed the account to “adminFUUUUUUUUUU”. I created a new admin account. Lowered my privileges, went into Zoom and I was able to activate Screen Recording. I tested authenticating as the new admin account and it worked. I removed Privileges and revoked access to the app from Munki.
I tested logging in as admin and all was good.
[1] which is called Screen Recording in System Preferences; why are you making everything harder than it needs to be, Apple?
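As an added example (not the author’s code, nor Mosyle’s), here is a small POSIX shell audit that reads a user’s `dscl` record and the admin group record and reports the three conditions that surfaced above: whether the account carries the `;DisabledUser;` tag behind the “account is disabled” login error, whether its home directory exists, and whether it is listed in the admin group. It assumes the `dscl . -read` output format and constructs sample records inline so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): read-only checks of a local macOS
# account's dscl record. Assumes `dscl . -read` output format and that a
# disabled account carries ";DisabledUser;" in AuthenticationAuthority.

# Return 0 if the user record (argument) marks the account disabled.
account_disabled() {
    printf '%s\n' "$1" | grep -q ';DisabledUser;'
}

# Print the NFSHomeDirectory value from the user record.
record_home() {
    printf '%s\n' "$1" | sed -n 's/^NFSHomeDirectory: //p'
}

# Return 0 if the admin group record (arg 1) lists the user (arg 2).
in_admin_group() {
    printf '%s\n' "$1" | grep '^GroupMembership:' | tr ' ' '\n' | grep -qx "$2"
}

# One status line per check; return 0 only when all three look healthy.
# Args: user name, user record, admin group record, home-exists flag (yes/no).
audit_account() {
    name=$1 urec=$2 grec=$3 home_exists=$4 rc=0
    if account_disabled "$urec"; then
        echo "$name: account is DISABLED (login reports 'account is disabled')"; rc=1
    else
        echo "$name: account is enabled"
    fi
    if [ "$home_exists" = yes ]; then
        echo "$name: home $(record_home "$urec") is present"
    else
        echo "$name: home $(record_home "$urec") is MISSING"; rc=1
    fi
    if in_admin_group "$grec" "$name"; then
        echo "$name: member of admin group"
    else
        echo "$name: NOT in admin group"; rc=1
    fi
    return $rc
}

# Constructed sample records resembling the broken state described above.
SAMPLE_USER='RecordName: admin
NFSHomeDirectory: /Users/admin
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken; ;DisabledUser;'
SAMPLE_GROUP='GroupMembership: root admin teacher'
```

On a Mac, feed it live data with `audit_account admin "$(dscl . -read /Users/admin)" "$(dscl . -read /Groups/admin GroupMembership)" "$([ -d /Users/admin ] && echo yes || echo no)"`.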
I had a quick question about this. In your Mosyle setup, in step 5, do you create an admin user or a local user with administrator rights? I have found this matters when setting things up. Mosyle’s admin user is essentially a superuser in Apple terms. The initial admin user that gets created with Apple’s Setup Assistant is a local user with admin rights. Mosyle allows for both types of account creation. But you probably already knew this.
Great question. I actually just went into System Preferences -> Users and created the account there, right on the Mac rather than in Mosyle.