Give Non Admin Account The Right To Install Software Mac

Give Non Admin Account The Right To Install Software Mac Average ratng: 4,7/5 3327 reviews

Whether your IT department locked down your Mac or you grabbed one from eBay that the seller forgot to “clean up”, you may encounter a big problem when trying to install software as a non-admin.

An “Administrator” account is a member of a special group, that can access some files and do other things even without your entering your password. A normal account does not have this problem. Well-defined software such as installers should be able to prompt for both Admin account -name. The Mac OS X Terminal allows you to control your computer without a graphical interface. This includes creating new users, changing passwords and even granting permissions on any of your office Macs. You can change a colleague's user account - or your own - to an administrator account that allows more control over the computer. On your Mac, select an item, then choose File Get Info. Click the lock icon to unlock it. Enter an administrator name and password. In the Sharing & Permissions section, do any of the following: Add a user or group: Click the Add button below the list, select a user or group, then click Select. Remove a user or group: Select the user or group, then click the Remove button below the list. Nov 03, 2011  1. Right click program and run as administrator. Disable your antivirus and firewall temporarily, perform clean boot to check the result. Modify the following registry. Click start - type regedit in the search box and press Enter b. Navigate to HKEYLOCALMACHINESoftwarePoliciesMicrosoftWindowsInstaller c.

Here’s a possible workaround.

If you’re trying to install software on your Mac the first thing you should do is simply contact your IT department. They can use login to your computer remotely and installed the software for you. You may not like having to wait for IT but it’s not you’re computer so you shouldn’t install stuff on it. Also, you could unwittingly end up installing something that looks benign but is actually nefarious.

That being said, in an emergency there are two possible solutions:

  1. Drag and Drop
  2. Single User Mode

When you see the application installation login window you can either beg for the admin password or try a little workaround that I’m about to show you.

First see if you can just drag the app icon into the Applications folder.

If that fails, you could try Control clicking the app and choosing Open Package Details to see if you can modify the info.plist file or whatevever.

There was on old hack that worked on older versions of Mac OS X that let you modify a string in info.plist which effectively disabled authentication. Well I haven’t found a way to get this work in Mac OS X Yosemite so I’m going to assume it doesn’t work anymore.

One other possibility is to boot the Mac to Single User Mode and use the Directory Services Command Line tool to join your non-admin account to the administrator group.

Reboot and hold down Command + s until you see a black screen appear with a bunch of white text.

After a few seconds you’ll at something that resembles a Unix prompt.

First we need to mount the root file system so type

This mounts the root file system for read-write access.

Then type:


Replace <usernameToBeGivenRoot> with your non-admin username.

If you need to list the users and groups you can type:

Press Enter, type reboot and login with your non-admin account.

Ultimately, you shouldn’t try to “hack around” the password security mechanisms that prevent you from installing software. These features are here for a reason and unless you really know what you’re doing some of the tutorials out there can leave you with a broken PC and a chagrined look on your face when you call IT and they ask you what happened.

Posted in Apple, Mac OS X 10.9 Mavericks Tagged with: Tricks

Are you the designated IT person for your family, or maybe for your small business? If you are, then perhaps you’re getting a bit tired of everyone asking you to provide your administrator name and password every time a printer jams, an app needs updating, or Time Machine throws an error code.

The Mac has a pretty straightforward model for assigning privileges to a user’s account, and in many cases, only the administrator has the right to stop, start, or pause services, such as pausing the print server when a printer jams. Only a user with administrator privileges can get the print server running again.

(The print server always seems to enter a paused state when an administrator isn’t around to kick start it.)

If you’re tired of running over to a user’s Mac just to enter a password so the print server can restart after a paper jam, then you may be thinking it’s time to give everyone admin privileges. And believe it or not, that may be a valid solution to the problem, depending on the competence and trustworthiness of your users.

It is, in fact, the method we use; all users at our home and office are set up as administrators, relieving us of the more mundane tasks of Mac administration. But if you’re inclined to use the standard, managed, and administrator user models to ensure a bit tighter security, then this tip can help you keep your personal workload low, while allowing other users to perform routine tasks, such as resetting printers, without needing the local overlord to make an appearance.

Mac User Accounts
The first account created during the original setup of your Mac is an administrator account that includes elevated privilege levels that allow the account holder to manage the basic system. The Mac’s administrator account isn’t an all-powerful tyrant; it has a number of restrictions, including the inability to access another user’s data. It does, however, have power over all of the Mac’s system preferences, including the ability to add new apps, add new users, assign user groups, manage parental controls, set up accessibility options, and manage printers. You get the idea. If there’s a system preference pane for a service, users holding an administrator account can make changes as they see fit.

(Some system preferences are restricted to those with administrator accounts, which can prevent Standard users from fixing common problems.)

While the administrator is one type of account, the Mac OS supports additional types, including:

Give Non Admin Account The Right To Install Software Mac Download

Standard: Standard user accounts can install apps and change settings that affect only their own accounts. So, standard users can pick their own desktop wallpaper, customize the Dock, and set their own preference for how a mouse or track pad works. They can’t add or delete users, or change settings that would affect anyone else.

Managed: Managed users are bound by the restrictions set up by Parental Controls. With Parental Controls, you can restrict the apps available, the websites that can be visited, and the contacts available to the user through various apps, such as Messages and Mail. Managed users can also have usage restrictions based on time, to ensure kids aren’t using their Macs when they should be sleeping.

Sharing Only: Allows users to log in remotely and access their own files. It doesn’t allow general access to the Mac, or the ability to change any settings.

Guest: Guest user accounts are for visiting family, friends, or clients who may need to use your Mac for a brief time, perhaps to check messages or access a website. All of a guest user’s data stored on the Mac is deleted automatically when the user signs out.

Add Additional Administrators
One method to help resolve the burden of administration is to spread the task around, allowing other trusted users to share the work. In general, this is a good idea; having a single administrator can cause problems if the administrator isn’t available when some task comes up that needs the admin password.

(Standard and Managed users can have their privilege levels elevated to allow them to administer the computer.)

The first step is to use the Mac OS Users & Groups preference pane to change the account type for the selected individual. In this example, you can change a standard user to an administrator.

Of course, you must already be an administrator for this to work.

If you’re not currently logged in to your administrator account, log out, and then log back in with the appropriate account.

Launch System Preferences by clicking its Dock icon, or by selecting System Preferences from the Apple menu.

In the System Preferences window, open the Users & Groups preference pane.

Click the padlock icon in the lower left corner, and then enter your administrator password. Click the Unlock button.

Select the user account you wish to elevate to an administrator account from the sidebar list.

Place a checkmark in the “Allow user to administer this computer” box.

Note: If the account you wish to elevate is a managed user account, all parental control settings will be removed when the user is elevated to an administrator account.

Provide Admin Privileges for Specific Tasks
A slightly different approach is to provide admin-like capabilities to standard users, but restrict them to certain tasks. This is the way we fixed one of our headaches: clearing printer jams that cause the print server to pause. By giving all standard users admin rights to the Printer preference pane and print server, they can be their own printer administrator.

This same concept of limited administrator rights works for a number of system preference panes, including:

  • Printers & Scanners
  • Date & Time
  • Energy Saver
  • Startup Disk
  • Time Machine
  • Network

The Mac OS doesn’t currently have a method to selectively apply administrator privileges using the GUI, but there are a number of ways to elevate user privileges using the Terminal app. In this example, we’re going to raise the privilege levels of every user (except the guest account) to manage the printer system. This same technique can be used for any of the preference panes listed above.

This method should work for any Mac running OS X Mavericks or later. It makes use of the authorization database that Apple introduced with Mavericks. This database is used to control the access rights for many different processes, such as printing, Time Machine, and networking. You’ll need to be logged in with your administrator account to make these changes.

The process works by exporting the preference’s rules to a temporary property list file, then using the default write command to make changes to the file, and finally, reimporting the altered rights list back into the authorization database. This means you’ll need to execute three Terminal commands for each preference pane to which you wish to give non-admin access.

Before you make changes to the authorization database, it’s a good idea to create a current backup of your Mac. Errors in making changes to the database can produce unexpected results; a current backup will let you recover to a known good state.

If you’re ready, let’s begin:

Launch Terminal, located at /Applications/Utilities.

The following three commands allow general access to the System Preferences. They do not, however, give unrestricted access to every individual preference pane; it’s just the first step in the process.

(The security command responds with YES or NO if the security change can be implemented.)

Enter the following at the Terminal prompt. After each line is entered, hit Return or Enter on your keyboard.

Note: Each command is a single line of text, but your browser may show them as multiple lines. You can copy/paste each line for easy entry into Terminal.

/usr/bin/security authorizationdb read system.preferences > /tmp/system.preferences.plist

/usr/bin/defaults write /tmp/system.preferences.plist group everyone

/usr/bin/security authorizationdb write system.preferences < /tmp/system.preferences.plist

Note: After the first and third lines are executed, Terminal will respond with the word YES if the command was carried out successfully or NO if there was a problem.

To enable anyone to access the printer preferences as well as the print server, enter the following three lines:

/usr/bin/security authorizationdb read system.preferences.printing > /tmp/system.preferences.printing.plist

/usr/bin/defaults write /tmp/system.preferences.printing.plist group everyone

/usr/bin/security authorizationdb write system.preferences.printing < /tmp/system.preferences.printing.plist

The print server on your Mac uses its own special group to control access, so we need to enter the following command in Terminal:

/usr/sbin/dseditgroup -o edit -n /Local/Default -a “everyone” -t group lpadmin

The above example should allow anyone to manage printer issues that may come up, with one caveat: depending on the version of the Mac OS you’re using, an administrator account may still be needed to add printers.

(After entering the Terminal commands above, the Printer & Scanner preference pane is unlocked for all users.)

If you would like to add non-admin access to other preference panes that are usually restricted to an administrator, you should only need to change the word “printing” in the above example to the name of the appropriate preference pane. For instance, to allow everyone to access the Time Machine preference pane, the three commands would be changed to:

/usr/bin/security authorizationdb read system.preferences.timemachine > /tmp/system.preferences.printing.plist

I want to update my mac software. /usr/bin/defaults write /tmp/system.preferences.timemachine.plist group everyone

/usr/bin/security authorizationdb write system.preferences.timemachine < /tmp/system.preferences.timemachine.plist

Give Non Admin Account The Right To Install Software Mac Free

When granting access to a preference pane, the name you need to use in the Terminal commands is usually easy enough to figure out; in the example above, the Time Machine preference pane becomes just timemachine with no spaces or capitalization.

The general rule for guessing the preference pane’s name in the authorization database is to remove any spaces in the name, provide the name in all lowercase, and remove the word “and” if present in the name.

Additional references: Security command, authorizationdb, defaults

Be Sociable, Share This!

Prices, terms, and availability subject to change without notice. Not responsible for typographical, technical, or descriptive errors of products herein.
OWC is on-site wind turbine powered at 8 Galaxy Way, Woodstock, IL 60098 1-800-275-4576 +1-815-338-8685 (International)
All Rights Reserved, Copyright 2018, OWC – Since 1988