MacOS Ventura – Reauthorize Admin Account After Update

Tags: administrator, filevault, macos-ventura, passwords, permissions

My Mac Mini updated to Ventura 13.2. Afterwards, the Admin account lost its admin privileges. The system had (and still has) FileVault enabled. It has two user accounts, one previously had Administrator privs. Both now show "Standard" user privileges.

How can I recover admin privs on an existing account, or create a new admin for this machine?

I've tried (or attempted to try):

  • Reinstalling, by rebooting in Recovery mode. That initially only offers password reset for the two (standard) accounts. After resetting one password I was able to get to recovery tools. I reinstalled Ventura. No change.
  • Removing the .AppleSetupDone file. Again, Recovery mode forces a password reset before I could get to Terminal. Then rm -f /var/db/.AppleSetupDone fails, requiring sudo. sudo rm -f /var/db/.AppleSetupDone prompts for the password, but then says the account is not a member of sudoers.
  • I created a bootable thumb drive, but can't change the boot disk because of FileVault protection.
  • Turning off FileVault requires Admin privs.
  • Changing directory permissions to allow a network access also requires Admin privs.
  • Bringing the machine up in Disk Target Mode – with the hope of deleting .AppleSetupDone from a different host – I can't successfully mount it on my other machine. (Purportedly because of FireWire cable issues.)

I appreciate the protection against unauthorized usage, but I have the account passwords, the owning AppleID and its password, successful two factor authentication – so I should be able to administer my own system.

How to proceed?

Best Answer

I finally resolved this SNAFU.

  1. It may not have been necessary, but with Terminal I was able to decrypt the FileVault protection (see this online article) using these commands:

    diskutil apfs list                                  # get <devID> with FileVault: Yes, e.g. "disk3s2"
    diskutil apfs unlockVolume /dev/<devID>             # prompts for a FileVault user's passphrase
    diskutil apfs listcryptousers /dev/<devID>          # capture the <UUID> of a FileVault user (very long)
    diskutil apfs decryptVolume /dev/<devID> -user <UUID>   # removes encryption; prompts for that user's passphrase
    diskutil apfs list                                  # see FileVault is now No
    
  2. Then I could use the Recovery Security utility, turning off protections. This also may not have been necessary.

  3. The actual fix was to remove the .AppleSetupDone file from the correct location. Lots of previous posts show /var/db/.AppleSetupDone. But it was moved when the system and data were placed on separate volumes! It's now on the "Macintosh HD - Data" volume. Here's the command that worked:

    rm -i "/Volumes/Macintosh HD - Data/private/var/db/.AppleSetupDone"   # -i asks for confirmation; quotes needed for the spaces in the volume name
    

Here is an Apple discussion page showing the correct location.

Then I was able to reboot, and be prompted to create a new Admin user. Whew.
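The marker-file step from the answer above, as an added example that is not part of the original answer: a small POSIX shell helper for the Recovery Terminal that searches every mounted volume for `.AppleSetupDone` (so the split-volume layout, where the file lives on the "- Data" volume rather than the sealed system volume, is found without guessing the path) and then moves the marker aside instead of deleting it, so the change can be undone if Setup Assistant should not run again. The `VOLUMES_ROOT` argument is an assumption added so the functions can be exercised against a fake directory tree; on a real machine it defaults to `/Volumes`.

```shell
#!/bin/sh
# Added example, not from the original page. Locates the Setup Assistant
# marker (.AppleSetupDone) on every mounted volume. Since the system/data
# volume split the marker lives on the Data volume, e.g.
# "/Volumes/Macintosh HD - Data/private/var/db/.AppleSetupDone",
# not at /var/db on the system volume that older posts cite.

# Print the path of every .AppleSetupDone found under
# <volumes_root>/<volume>/private/var/db/. Returns 0 if at least one was
# found, 1 otherwise. The first argument (assumed; defaults to /Volumes)
# exists only so the function can be run against a test tree.
find_setup_done() {
    volumes_root="${1:-/Volumes}"
    found=0
    # Trailing slash in the glob restricts matches to directories.
    for vol in "$volumes_root"/*/; do
        marker="${vol}private/var/db/.AppleSetupDone"
        if [ -f "$marker" ]; then
            printf '%s\n' "$marker"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Move the marker aside rather than rm it. Setup Assistant checks only for
# the file's presence, so renaming is enough to trigger it on next boot,
# and moving it back cancels the change. Returns 1 if the path is not a file.
disable_setup_done() {
    marker="$1"
    [ -f "$marker" ] || return 1
    mv -- "$marker" "$marker.disabled"
}

# Usage from the Recovery Terminal (quote the path: the volume name has spaces):
#   find_setup_done
#   disable_setup_done "/Volumes/Macintosh HD - Data/private/var/db/.AppleSetupDone"
```

Run `find_setup_done` first and check that exactly one Data volume is reported; if the machine has several APFS containers (an external boot disk, for example) pick the one belonging to the installation you are repairing before calling `disable_setup_done`. Note that this only triggers the first-run Setup Assistant, which creates a fresh admin account; it does not restore the admin flag on the existing accounts.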
