PSA: Delete One File To Recover Admin On Any Mac

2 minute read
| Quick Tip

I’m about to show you how you can recover admin on any Mac by deleting one file. Are you frightened yet? You probably should be. I was, when I first learned of this trick. It works on almost any version of OS X and macOS, including the High Sierra beta.

Recover admin on a Mac

It’s amazingly easy to recover admin control over a Mac. There’s a way to make it harder, though.

Reasons to Know This Trick

If you’ve ever found yourself forgetting the administrator’s password on a Mac, this trick is a good thing. It resets OS X or macOS to the state it was in right after installation. You’ll go through all of the normal steps you would take when installing a Mac. It will ask for your time zone, to enable Find My Mac, etc.

Then it will guide you through creating a new user, with administrative privileges. Once that’s complete, you’ll be able to log into macOS or OS X as that user. Even better, you’ll be able to recover admin on that Mac.

How to Recover Admin On a Mac by Deleting One File

The first thing you need to do for this is boot into single-user mode. This means rebooting the Mac, and pressing Command-S at the startup chime. Keep the keys pressed until you see a black screen with white text. This is single-user mode.

Next, you need to mount the file system and make it accessible. Type in this command:

/sbin/mount -uw /

Once that’s done, you can delete the file that tells your operating system the initial setup process is complete. Type this command:

rm /var/db/.AppleSetupDone

Now, when you reboot your Mac, it will run the Setup Assistant all over again. Rebooting is easy. Type this.

reboot

Your Mac will restart and boot normally, running the Setup Assistant before it reaches the login screen. You’ll be able to set up a new user account with admin privileges

Now That I’ve got You Freaked Out …

It’s time to tell you how to prevent someone from doing this to you. The key here is to turn on FileVault. Go to System Preferences -> Security & Privacy -> FileVault. Once that’s done, estimates are it would take 34 years of brute force attacks to crack the encryption.

Once you’re in the correct System Preferences pane, click the lock icon to make changes. Then click Turn On FileFault, and you’ll be asked to provide a way to unlock your disk and reset your password. You can use your iCloud account, or create a recovery key.

Physical Security Matters, Too

If there ever was a reason to turn on FileVault, this is it. If you ever lose your Mac or it’s stolen, it’s all too easy for the thief to delete that file and get your Mac back into the Setup Assistant.

5
Leave a Reply

Please Login to comment
5 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
5 Comment authors
brett_xJeff Buttsibuck Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
newest oldest most voted
Notify of
Member
Jerry Bernard

Does this retain the current user accounts?

brett_x
Member
brett_x

I agree that this sounds scary, but if you have physical possession of the machine, unless it’s fully encrypted, all bets are off. You can mount a drive via target disk mode and copy the entire drive if it’s not encrypted and (as Anna pointed out) there is no firmware password set.
I guess the real issue is that someone (a roommate etc) could do this, and you would continue using the machine without knowing.

Member
Anna Lamont

Or far simpler – set a firmware password:

https://support.apple.com/en-gb/HT204455

ibuck
Member
ibuck

Can this exploit be done over the Internet?
Or only when in physical possession of the Mac?