Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

How to change user from "Staff" to Standard or Managed?

sparkie7

sparkie7

macrumors 68020
Original poster
Oct 17, 2008
2,430
202
KALLT said:
If not, I suppose you could manually add your primary user account with this (might have to use this with sudo):
sysadminctl -secureTokenOn <username> -password - interactive (note the whitespace between the dash and “interactive”)
Click to expand...

you mean:

sudo sysadminctl -secureTokenOn <username> -password - -interactive

Update, I tried that command and got this:

2022-03-19 23:38:17.259 sysadminctl[7050:120302] Operation is not permitted without secure token unlock.
 
K

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
sparkie7 said:
No, it doesn't
Click to expand...
How do you log into your Mac at all when you start the computer? Are you not using the primary user account?

I have only seen this when macOS is installed on an already encrypted file system. In that case, FileVault won’t be configured properly, unlike when you enable it after installation manually in System Preferences.

sparkie7 said:
you mean:

sudo sysadminctl -secureTokenOn <username> -password - -interactive
Click to expand...
The help you posted says this:
-secureTokenOn <user name> -password <password> (interactive || -adminUser <administrator user name> -adminPassword <administrator password>)
...
Pass '-' instead of password in commands above to request prompt.
Click to expand...

I am presuming that you use - as a substitute for your password, so that you are prompted. The keyword interactive (without a dash) is a substitute for the admin user and admin password arguments.
 
sparkie7

sparkie7

macrumors 68020
Original poster
Oct 17, 2008
2,430
202
KALLT said:
How do you log into your Mac at all when you start the computer? Are you not using the primary user account?
Click to expand...

Yes, I'm using the primary account . It says Admin under that user account

KALLT said:
I have only seen this when macOS is installed on an already encrypted file system. In that case, FileVault won’t be configured properly, unlike when you enable it after installation manually in System Preferences.
Click to expand...

I think my drive is encrypted. I formatted it using encryption

KALLT said:
The help you posted says this:


I am presuming that you use - as a substitute for your password, so that you are prompted. The keyword interactive (without a dash) is a substitute for the admin user and admin password arguments.
Click to expand...

Sorry you lost me
 
K

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
sparkie7 said:
you mean:

sudo sysadminctl -secureTokenOn <username> -password - -interactive

Update, I tried that command and got this:

2022-03-19 23:38:17.259 sysadminctl[7050:120302] Operation is not permitted without secure token unlock.
Click to expand...

Just to clarify: which account credentials did you use as “admin”? As I understand it, you have to supply both account credentials to make this work. So you enter sysadminctl -secureTokenOn <primary user> -password - interactive and then it should ask you for that user’s password and then ask for the admin user and admin password, in which case you would enter the credentials of the other user, the one that you want to delete.
 
sparkie7

sparkie7

macrumors 68020
Original poster
Oct 17, 2008
2,430
202
KALLT said:
So you enter sysadminctl -secureTokenOn <primary user> -password - interactive
Click to expand...

I tried that, where <primary user> is John, confused about the rest of "-password - interactive[/icode]". What do I type there, the password for user John?

Sorry if I'm not getting it
 
Mr. Awesome

Mr. Awesome

macrumors 65816
Feb 24, 2016
1,243
2,881
Idaho, USA
sparkie7 said:
I tried that, where <primary user> is John, confused about the rest of "-password - interactive[/icode]". What do I type there, the password for user John?

Sorry if I'm not getting it
Click to expand...
Just leave the rest of it as is (but I think you need to make sure the hyphen and “interactive” don’t have a space between them.)
 
sparkie7

sparkie7

macrumors 68020
Original poster
Oct 17, 2008
2,430
202
Mr. Awesome said:
Just leave the rest of it as is (but I think you need to make sure the hyphen and “interactive” don’t have a space between them.)
Click to expand...

Got this back in Terminal:

2022-03-20 00:15:07.590 sysadminctl[8536:146187] Operation is not permitted without secure token unlock.
 
Mr. Awesome

Mr. Awesome

macrumors 65816
Feb 24, 2016
1,243
2,881
Idaho, USA
sparkie7 said:
Got this back in Terminal:

2022-03-20 00:15:07.590 sysadminctl[8536:146187] Operation is not permitted without secure token unlock.
Click to expand...
I have an idea. Log into the account that does have a secure token (yodel, I think? Could be remembering that wrong), and try to give your account (John) a secure token from there using that same command.
 
  • Like
Reactions: sparkie7
K

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
I have done a bit of digging on the web and perhaps the command was not used correctly.

Try it like this without sudo:
sysadminctl -secureTokenOn John -password -

then enter the credentials of the other account. You should also try it while being logged into the other account, perhaps that makes a difference here. The key thing is that the other account holds the secure token and it is needed for this to work.

Otherwise it seems that there is some deeper issue that needs more specific solutions.

Further reading:
derflounder.wordpress.com

Secure Token and FileVault on Apple File System

As part of Apple File System’s FileVault encryption on mac OS High Sierra, Apple introduced Secure Token. This is a new and undocumented account attribute, which is now required to be added t…
derflounder.wordpress.com derflounder.wordpress.com
apple.stackexchange.com

What is a Secure Token and how do I get an admin users that has one

I have an iMac 2017 with a FusionDrive on which FileVault cannot not be enabled. The situation is summed up in this reddit post. The problem boils down to: I have no admin user who has a secure t...
apple.stackexchange.com apple.stackexchange.com
 
  • Like
  • Love
Reactions: sparkie7 and Reggaenald
sparkie7

sparkie7

macrumors 68020
Original poster
Oct 17, 2008
2,430
202
KALLT said:
I have done a bit of digging on the web and perhaps the command was not used correctly.

Try it like this without sudo:
sysadminctl -secureTokenOn John -password -
Click to expand...

Do I need to enter my actual password for John user? or just leave it as "-password -" ?
 
sparkie7

sparkie7

macrumors 68020
Original poster
Oct 17, 2008
2,430
202
Mr. Awesome said:
I have an idea. Log into the account that does have a secure token (yodel, I think? Could be remembering that wrong), and try to give your account (John) a secure token from there using that same command.
Click to expand...

What's the exact command I should be using?
 
sparkie7

sparkie7

macrumors 68020
Original poster
Oct 17, 2008
2,430
202
KALLT said:
I have done a bit of digging on the web and perhaps the command was not used correctly.

Try it like this without sudo:
sysadminctl -secureTokenOn John -password -

then enter the credentials of the other account. You should also try it while being logged into the other account, perhaps that makes a difference here. The key thing is that the other account holds the secure token and it is needed for this to work.
Click to expand...

It's giving me the same:

2022-03-20 00:48:02.919 sysadminctl[10741:179733] Operation is not permitted without secure token unlock.


It's letting me enter the credentials of the other account Todel (that I want to delete)

I'll try logging out and log into Todel and try from there
 
sparkie7

sparkie7

macrumors 68020
Original poster
Oct 17, 2008
2,430
202
KALLT said:
Further reading:
derflounder.wordpress.com

Secure Token and FileVault on Apple File System

As part of Apple File System’s FileVault encryption on mac OS High Sierra, Apple introduced Secure Token. This is a new and undocumented account attribute, which is now required to be added t…
derflounder.wordpress.com derflounder.wordpress.com
apple.stackexchange.com

What is a Secure Token and how do I get an admin users that has one

I have an iMac 2017 with a FusionDrive on which FileVault cannot not be enabled. The situation is summed up in this reddit post. The problem boils down to: I have no admin user who has a secure t...
apple.stackexchange.com apple.stackexchange.com
Click to expand...


Thank you for all the help and info. I need to read through this and try to figure it out, not used to using Terminal and all the commands

Thank you to everyone else also, much appreciated
 
  • Like
Reactions: Reggaenald
sparkie7

sparkie7

macrumors 68020
Original poster
Oct 17, 2008
2,430
202
SimonTheSoundMa said:
So, you've deleted the only account with the secure token?
Click to expand...

Yep. I think I'll back my files up. Completely wipe the drive and start a new Monterey install. I don't like messing around in Terminal


SimonTheSoundMa said:
I think I see the error in your ways. Did you format Macintosh HD as APFS encrypted, the install macOS?
Click to expand...

What's the error?

I formatted the SSD as APFS encrypted 4-5 years ago. And I turned on FileVault soon after.

I installed Monterey OS just yesterday. But that extraneous user has been on my MacBook Pro for like 2-3 years, just wanted to get rid of it as it doesn't have any data/files on it
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom