Imaging a Mac without an administrator account

Posts: 7
Active Member
Topic starter

I recently have come across some Macs (2019-2021ish Intel MacBook Pros) without administrator accounts. It's not supposed to be possible, but I am in the middle of dealing with three of them that do not have admin accounts. Maybe the upgrade pushed to them via JAMF was no bueno. Some of them have the accounts that were previously admin accounts. Apparently some people have experienced an error (not one they notice until later) when upgrading their macOS. I think the guilty upgrades that I have heard of have all been to maybe Catalina and Big Sur. The three I'm dealing with are all on Big Sur. After multiple tries, I was able to use Terminal in Recovery Mode to delete the .AppleSetupDone file and get two of them to reboot to the setup screen. On one of them, I was able to create a new admin account and then use that account to restore admin rights to the one that was supposed to have them. On the other Mac, however, perhaps because it is FileVault encrypted, it will let me create a new account, but it is only a standard account. I have the FileVault Recovery Key and needed that to get in and delete the .AppleSetupDone file. Without having an admin account, it is not letting me get into the Startup Security Utility to be able to boot to Digital Collector / MacQuisition (which is my end goal ~ I need to get them imaged). It's also not letting me unlock the drive in Target Disk Mode. Since I have the FV recovery key, I was able to use the reset password technique to reset the user's password, but signing into the user's account that cannot give full disk access to MacQ hasn't really helped me.

Has anybody had any success in creating a new admin account or restoring the admin rights to an account on a FileVault encrypted Mac? 

I did see one post on regarding fixing a Mac with no admin access, suggesting that it was necessary to go through the "Forgot my password" procedure in Recovery Mode and sign in with the Apple ID, which I don't think we will be able to get those creds from this former employee.

As far as a possible fix through JAMF, I looked down that road. They said they were in a state where the only thing they can do with them through JAMF is to wipe / reinstall the OS. Thanks in advance for any suggestions.

Posted : 24/07/2021 11:51 pm
Posts: 7
Active Member
Topic starter

As an update, there's still no solution for these machines. I have been able to create accounts and reset passwords both for my created accounts and the ones that were on there previously. I've also been able to unhide the hidden "admin" account that's also a standard user now. The head IT guy recalled having the SAP Privileges app (avail via GitHub) as part of their install. I was able to use that to bump the currently logged-in account to admin temporarily. Right after doing so, it notified me that a restart is required for the change to go into effect. I tried both after a restart and without restarting and it made no difference. Once it was bumped to an admin, I was able to then go into System Preferences > Users and Groups, select the other accounts and change their passwords and also tick the box to allow those accounts to administer the machine. Once some of those accounts were admins, I tried both live and via TDM to image the computer with MacQ/Digital Collector. Even when it showed the accounts as admins, the account password failed to unlock the FileVault disk. I also tried using those credentials to simply turn off FileVault, both through System Preferences and via Terminal in Recovery Mode, all to no avail.

Still stuck like Chuck (no offense Charles) 

Posted : 03/09/2021 9:34 pm
Posts: 577
Honorable Member

This tool is not a "forensic tool" but it can create an image of Mac drives including Big Sur:

Backing up to a disk image | Carbon Copy Cloner | Bombich Software


Posted : 30/09/2021 10:15 pm