The Mac that Broke the Administrator Account and How I Fixed It

There is this thing that happens from time to time where a Mac on our network will get confused about the local administrator account.  For whatever reason it thinks it’s a domain administrator account.  If you were to run id as that user you would see a bunch of domain related information which should not be there.

Perhaps the reason for this relates to the fact that we use a name for the local administrator account which is the same as a name we use for a domain-level account.  I didn’t set it up this way, and I’m advocating for a change.  We shall see.

Regardless, usually when this happens (and it’s pretty easy to notice since the dock is reverted to default and the user doesn’t have write permissions to even their desktop) I can get the correct administrative account back by a restart.  Today for one machine this was not working.

Also, while it is in this state the administrator account can’t open the System Preferences.

The only other administrative account was a domain user (mobile account).  Unfortunately I was not able to log into that account at all, as login would hang at each attempt.

Tough situation: can’t log in as a real local administrator so I can’t fix any of this mess.

I found this article which offered a solution for creating and elevating an account from the command line.  This article uses a slash as the location identifier (/), but that was not working for me.  Others said localhost would work, but I couldn’t get that to work either.  In the end I used the dot (.) and that allowed these commands to do their jobs.  Also, the article neglects to mention that you must use sudo to run these commands successfully.  Without using sudo you will likely get this error:

<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)

Obscure, you say?  This is why I write these articles.


## first I tried just running this trio but (though I could su into that user account) the account didn't exist outside the shell

sudo dscl . -create /Users/deleteme
sudo dscl . -passwd /Users/deleteme D3leteme
sudo dscl . -append /Groups/admin GroupMembership deleteme

## so then I ran the rest of them

sudo dscl . -create /Users/deleteme UserShell /bin/bash
sudo dscl . -create /Users/deleteme RealName "Delete Me"
sudo dscl . -create /Users/deleteme UniqueID 503
sudo dscl . -create /Users/deleteme PrimaryGroupID 1000
sudo dscl . -create /Users/deleteme NFSHomeDirectory /Local/Users/deleteme

This allowed me to log in as the deleteme user and to enable the root account.  Once I was able to log in as the root user I was able to delete and re-create the local administrator account.
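An added example, not part of the original post or the article it follows: the commands above hardcode UniqueID 503, so this sketch checks a listing in the format of `dscl . -list /Users UniqueID` for that ID and picks the next unused one if it is taken. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: choose a UniqueID that is not already taken before running
#   sudo dscl . -create /Users/<name> UniqueID <n>
# On the Mac the listing would come from:  dscl . -list /Users UniqueID
# SAMPLE_LISTING is constructed data so the script runs anywhere.

SAMPLE_LISTING='_www                    70
daemon                  1
nobody                  -2
root                    0
administrator           501
jsmith                  502
olduser                 503'

# uid_in_use LISTING UID -> exit status 0 if a record already has that UniqueID
uid_in_use() {
    printf '%s\n' "$1" |
        awk -v want="$2" '$NF == want { found = 1 } END { exit !found }'
}

# uid_owner LISTING UID -> print the short name(s) holding that UniqueID
uid_owner() {
    printf '%s\n' "$1" | awk -v want="$2" '$NF == want { print $1 }'
}

# next_free_uid LISTING [START] -> lowest unused UniqueID >= START (default 501)
next_free_uid() {
    printf '%s\n' "$1" | awk -v start="${2:-501}" '
        $NF ~ /^-?[0-9]+$/ { used[$NF] = 1 }
        END { n = start; while (n in used) n++; print n }'
}

candidate=503   # the value used in the post
if uid_in_use "$SAMPLE_LISTING" "$candidate"; then
    owner=$(uid_owner "$SAMPLE_LISTING" "$candidate")
    echo "UniqueID $candidate already belongs to: $owner"
    candidate=$(next_free_uid "$SAMPLE_LISTING")
fi
echo "use UniqueID $candidate"
```

To run it against a real machine, replace the sample with `LISTING=$(dscl . -list /Users UniqueID)` and pass that variable to the functions.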

Then it was smooth sailing.  Logged into the newly (re-)created administrator account, deleted the old domain user account, and made sure everything was up to date.  I did have to remove this Mac from the domain so that I could re-add the user using their mobile account (that was stuck), but that wasn’t so bad as the rest.

Hope this helps you.  Have a great time.

(If it ain’t broke, why’d you put in a ticket?)


4 thoughts on “The Mac that Broke the Administrator Account and How I Fixed It”

  1. Hi there, I came across your article after experiencing the same issue in our network environment. Out of interest I thought I would add that you can still access the local administrator account if you start the Mac up without the network cable connected. After doing this I was able to rename the administrator account to something else (i.e. localadmin) and use the newly re-named account instead.
    Regards
    Anthony

    1. Yeah, I’m advocating for renaming our local administrator accounts (both on the Mac and Windows sides). That’s a tough sell because there are many machines, but it has its rewards. We shall see.

  2. My server died weirdly, and now even this doesn’t work (10.9.4).
    I get this sequence:

    launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist
    -> nothing found to load
    dscl . create /Users/deleteme
    -> launchctl: Couldn’t stat(“/System/Library/LaunchDaemons/com.apple.DirectoryServicesLocal.plist”): No such file or directoy
    -> Operation failed with error: eServerError

    Do you know any way of forcing the entire local directory to rebuild? I’ve tried removing .Applesetupdone and I still can’t get a login.
