I’m working with a friend remotely to get her moved from Windows to macOS. She’s purchased a new M4 MBP but has started setting up with Mail prefs and such…but she did it with the only account she created on the machine. I never recommend using an admin account as daily driver so want to essentially start over with macOS setup, create an admin account, delete the previous admin account and then create daily driver non admin for her.
I could do this easily myself if she was here…but she’s not and isn’t very familiar with macOS yet. So…I’m wondering if there is a way to do this without nuking the drive and starting over with a reinstall. I vaguely remember there’s some invisible file that you can erase to do that but don’t remember the name and a quick google search didn’t get it for me…and I’m not sure what following that process does with the previously created admin account.
Am I misremembering or is a nuke and pave the best option here? She hasn’t done any real work with setup yet other than playing with things…so starting over isn’t too bad. Another option is to just create another admin account and then demote the existing one to standard…but I’m also recommending she not use anything like admin or administrator or her actual name for accounts and while it’s possible to rename accounts and user folders again she’s not all that macOS friendly yet so I’m hesitant to try that approach remotely…but don’t really want to get into building a bootable installer USB stick or walking her through an internet reinstall either.
Some things I would think about if I were in a similar situation are:
How is the Mac going to be used (personal, business, email/social media, stock trading, video editing, etc)?
Are any sensitive or irreplaceable files going to be stored on the Mac?
Technology comfort level of new Mac user
How much time I would be willing to spend helping the new user.
Now, having said that, I think the sealed system volume has reduced the need for a non-Admin user account for daily use for many people. My Mac remains set up to only access Admin accounts when updating or troubleshooting but I’ve become more open to the one-user-account-does-it-all approach.
Good article from Eclectic Light…but as a long time sysadmin I’m used to not being admin all the time…and while she’s not macOS smart yet she is an experienced Windows user. I will discuss both options with her and let her decide. The other recs in the article I was already going to recommend to her anyway. She’s comfortable with computers but not macOS yet…she’s been playing with her new MBP while she’s working on consolidating her images in Lightroom on Windows. I’m still going to recommend a non admin daily driver…old dog new tricks I guess…although with FileVault enabled and no auto login even admin probably would be fine…but non admin is finer IMO. She understands the occasional need for admin even when logged in as non admin…but if she wants admin all the time I can handle that. Her biggest problem is she’s using an underpowered Windows Surface laptop and slow USB spinning externals for images…she’s got backup drives already but the i7 laptop chip she’s got and the godawful slow WD Passport drives for images are an issue with high megapixel images she is doing. I tried convincing her to keep Lightroom catalog and current project images on internal and older projects on external SSDs and then backups…but she’s so far unwilling to do that. I told her that upgrading to a regular Windows laptop and external SSDs for images would also solve her problems…but she’s decided to switch even after trying a high end Asus laptop. As a photo guy and ex sysadmin I can help her with either platform…I told her I think she will be happier on the macOS side of the fence but that plenty of Windows people use Lightroom just fine and that the slow drives are the biggest contributor to her issues.
She’s a pro dog and pet photographer but it’s both her work and personal laptop…I’m helping her with moving Lightroom from Windows. The original photos are irreplaceable but they will all be on external SSDs that get backed up with CCC and TM as well as the Lightroom catalog and Data drive on the internal.
If she decides on non admin daily driver we will just create new accounts as needed if I can’t figure out how to reset the setup without a nuke and pave.
I think trying to transition her to another account is likely to cause more trouble than any risk she incurs running as “admin”. That was great advice back in the day, but these days with the way modern macOS works, I see no reason to worry about it. I have been running for many years this way and have never had an issue because of it. And I note that Apple does not recommend it either — likely, because they have designed the system for the owner to be the admin and run as “admin” too. Relax and enjoy would be my mantra here. Just my 2¢.
I’d just add that you seem to be much more technically aware and adept than a lot of users. So a person who, say, is very trusting and doesn’t really understand how computers work might not be a good candidate for always-on Admin status.
Perhaps, but when that user is prompted to enter their admin password it’s no different from when I’m prompted to enter mine. If you fall for a bad actor, you’re in trouble.
I’d also submit that precisely because a person is a more novice user, it makes sense to go with the design Apple foresees for “the average Joe” rather than trying to migrate accounts, modify setups, and create some alternate path they perhaps do not fully grasp.
Again, not saying it’s a bad idea per se. But I’m not convinced it’s actually worth the trouble.
I don’t know anyone who has a non-admin account on their Mac, including several very non-technical people. It has never been a source of issues or confusion (though other things have!). If anything, I think a non-technical person using a non-admin account is more likely to run into issues as there are certain things that will prompt for an admin username and password. This will likely lead to confusion and frustration.
Millions and millions of people run their Macs with a single login that is also an admin. Professional paranoia is one thing, but so is “it just works.” Concentrate on getting her to fall in love with her new computer, and as others have noted, don’t make her experience more complicated than it needs to be.
A non-admin account can be quite helpful in some situations, though.
I’ve set up my elderly parents and in-laws with non-admin accounts and “trained” them to ask me for help when something unusual occurs, such as a request for a password. I can assess the situation and deal with it accordingly before any lasting damage is done.
That’s only happened a few times, and it once prevented my mother-in-law from installing remote control software which was part of a “virus removal” scam. In a similar situation, one of their friends (who uses an admin account) did install the software, had their computer taken over and loaded with porn, and then were blackmailed about the porn. Luckily they asked for help from a relative who immediately recognized what had happened and was able to deal with it (and they didn’t pay any blackmail). Restoring their computer was painful, though.
Thanks all…I will recommend using a non admin but offer her the option of a single account and go with her wishes. And thanks for the Erase content and settings suggestion, will use that if needed.
Not to drag this out, but an unused administrative account in addition to the primary User account should be mandatory for most systems and especially for any you must support. This applies regardless of the Primary account type.
Without trying to second guess @james.cutler, I would say that it doesn’t have to strictly be “unused”, but it should be an account that is rarely, if ever, used.
Why?
If something catastrophically fails on your main user account, you should have another, mostly-pristine account to log in as. Hopefully, the condition causing the user account to fail won’t exist from that one. From there, you can (hopefully) repair whatever broke the user account.
If you get into a situation where you need an admin account, you might not be able to create one at that time.
Yes, you could accomplish much of this using safe mode or booting to Recovery mode, but it’s often easier to simply have another account that you can log-in to or remote-log-in to without taking down the entire system.
Many problems in User accounts, especially those preventing User login, can be corrected from another Administrative account. Use cases range from trivial as in resetting a forgotten password, to very complex where good User data is transplanted to a new account instance to correct a failure to open Network Preferences. (In this case some obscure error in the User/Library was the problem.)
So a secondary Admin account is a good place for system updates as well as diagnosing hardware and software problems as well as EBCAK and ID10T instances. This is especially helpful to remote support.
=== apologies to @ace ===
Since submitting the above, I stumbled on a discussion on use of acronyms. My use herein of EBCAK and ID10T is OS agnostic and an integral part of my experience in customer support over three decades.
I think there is very good reason to have admin and user accounts as others have enumerated above but I would like to point out that Apple’s default behavior for decades has been to set up new computers with an Admin account and that’s it. This indicates to me they have found that for tens of millions of people it’s the best way and they haven’t encountered enough problems to change that.
When you’re working with a controlled environment an admin account and user account just makes the most sense. 20 graphic designers are in fact a herd of cats and when you’re trying to control font usage, etc. a user account is heaven-sent even though you’re going to be called regularly.
Outside of controlled environments I’m not convinced it’s necessary. 99% of users have no idea what an account even means and when you set-up an admin & user account they accept your stern instructions, promptly forget about them, and are confused when they want to install the latest journaling app du jour and their password doesn’t work. (No, they never notice that they’re being asked for the admin account and password.)
So, if you want to set-up an additional admin account just-in-case, great. Just don’t tell them about it.
The trouble with waiting is if for whatever reason the first account won’t let you log in or can’t successfully get to the desktop…you’re screwed. All of my machines have the first created admin account, another admin similarly named, user accounts and then another admin similarly named to my daily driver non admin. Back when I was a Windows sysadmin I had way more admin accounts than that and some of them were squirreled away in non obvious OUs in Active Directory so they couldn’t get accidentally or deliberately deleted. Most sysadmins kept themselves a not necessarily backdoor from the outside but a hidden door…just in case.
Having a single admin account and nothing else on any computer goes against everything a sysadmin knows.
It indicates to me that the first account has to be admin by definition…and that not having to explain admin and non admin to computer neophytes lowers their support call load. From a security standpoint…operating all the time as admin or root makes exactly zero sense.
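
The account layout argued for in this thread (a standard daily account plus at least one rarely used spare admin) can be checked from Terminal. The script below is an added example, not posted by anyone in the thread; the account names `firstuser` and `spareadmin` and the sample membership lines are constructed, and it assumes the usual `GroupMembership: ...` output of `dscl . -read /Groups/admin GroupMembership`.

```shell
#!/bin/sh
# Audit local macOS accounts against the layout discussed in the thread:
# the daily account is standard, and another admin account exists as a fallback.

# admin_members [RAW]: print admin group members one per line, root excluded.
# Reads the live group with dscl unless constructed text is passed as RAW.
admin_members() {
    raw=${1:-$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)}
    printf '%s\n' "$raw" | awk '{ for (i = 1; i <= NF; i++)
        if ($i != "GroupMembership:" && $i != "root") print $i }'
}

# audit_layout DAILY_USER [RAW]: print findings; return 0 only when DAILY_USER
# is not an admin and at least one other admin account exists.
audit_layout() {
    daily=$1
    members=$(admin_members "${2:-}")
    rc=0
    if printf '%s\n' "$members" | grep -qxF -- "$daily"; then
        echo "FAIL: daily account '$daily' is in the admin group"
        rc=1
    fi
    # Count admin accounts other than the daily one (awk always exits 0).
    spare=$(printf '%s\n' "$members" |
        awk -v d="$daily" 'NF && $0 != d { n++ } END { print n + 0 }')
    if [ "$spare" -lt 1 ]; then
        echo "FAIL: no other admin account to fall back on"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: '$daily' is standard; spare admin accounts: $spare"
    fi
    return "$rc"
}

# Constructed samples, not output from a real machine.
# 1) The thread's starting point: the only account is also the admin.
SAMPLE_SINGLE='GroupMembership: root firstuser'
# 2) After demoting the daily account and adding a spare admin.
SAMPLE_SPLIT='GroupMembership: root spareadmin'

audit_layout firstuser "$SAMPLE_SINGLE" || true
audit_layout firstuser "$SAMPLE_SPLIT"
```

On a real Mac, call `audit_layout "$(id -un)"` with no second argument to read the live admin group; `dseditgroup -o checkmember -m USER admin` gives the authoritative answer for one account, including membership through nested groups.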