macOS Admin

Create admin user for recovery access

Practical Mac guide: create admin user for recovery access without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

Add a separate admin account for troubleshooting when your main account cannot log in or migrate.

A second administrator account is disaster recovery insurance when your daily account cannot log in, its keychain is corrupt, or permissions break after migration. On FileVault systems, create it before a crisis: on modern Macs a recovery admin needs a secure token.

1) When to create

Create it before a crisis, or from Recovery if the single admin account is corrupt. A second admin lets you repair home folder permissions and the login keychain without Fusion Drive tricks.

2) Create while logged in as admin

  1. System Settings → Users & Groups → Add Account.
  2. Set the account type to Administrator and use a strong, unique password.
  3. Do not use it daily; keep it for recovery.

3) From Recovery if locked out

  1. Boot into Recovery.
  2. Utilities → Terminal, then run resetpassword (availability of this utility varies by macOS version; Apple documents the current tool).
  3. Or reinstall macOS without erasing, then add a user in Users & Groups.

4) Fix main account from recovery admin

Log into the recovery admin, run Disk Utility First Aid, then fix home folder ACLs with chflags -R nouchg only if directed by Apple support. Avoid random chown on system folders.

5) FileVault

The recovery admin must be enabled for FileVault; add it before encryption if possible. Store the password offline.

6) Hidden admin naming

Give the recovery admin a distinct name, e.g. “MacAdminRecover”, not “Admin”, which looks like a generic attack target in logs. Avoid confusion in fast user switching by using a separate avatar colour.

7) Secure Token and FileVault

On FileVault Macs, the first user gets a secure token; additional admins need a token escrowed. Add the recovery admin before enabling FileVault, or use fdesetup in Terminal per Apple's enterprise docs.

8) Remove after crisis

Delete the recovery admin once the main account is stable; this reduces attack surface. Alternatively, keep it but with a 20+ character password stored offline.

Verify

You can log into the recovery admin, you can see the other user's home in /Users, and the main account login is restored after the fix.
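An added check for sections 5 and 7 and the Verify step (example code, not from Apple or from this guide): it confirms that the recovery admin is an administrator, holds a secure token and is listed as a FileVault unlock user. The output formats of sysadminctl, fdesetup and dseditgroup are assumed to match recent macOS releases, and the account name is the example from section 6.

```shell
#!/bin/sh
# Added example: confirm the recovery admin can actually unlock a FileVault Mac.
# Assumption: output formats of sysadminctl, fdesetup and dseditgroup as seen
# on recent macOS releases. ACCOUNT defaults to this guide's example name.
ACCOUNT="${ACCOUNT:-MacAdminRecover}"

# $2 = output of: sysadminctl -secureTokenStatus USER 2>&1
has_secure_token() {
    case "$2" in *"Secure token is ENABLED for user $1") return 0 ;; esac
    return 1
}

# $2 = output of: sudo fdesetup list   (one "shortname,UUID" per line)
is_filevault_user() {
    printf '%s\n' "$2" | cut -d, -f1 | grep -Fqx -- "$1"
}

# $2 = output of: dseditgroup -o checkmember -m USER admin
is_admin_member() {
    case "$2" in "yes $1 is a member of admin"*) return 0 ;; esac
    return 1
}

# Args: USER TOKEN_TEXT FDE_TEXT ADMIN_TEXT. Returns the number of failed checks.
check_recovery_admin() {
    fails=0
    is_admin_member "$1" "$4" || { echo "FAIL: $1 is not an administrator"; fails=$((fails + 1)); }
    has_secure_token "$1" "$2" || { echo "FAIL: $1 has no secure token"; fails=$((fails + 1)); }
    is_filevault_user "$1" "$3" || { echo "FAIL: $1 is not a FileVault unlock user"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $1 is usable as a recovery admin"
    return "$fails"
}

if command -v sysadminctl >/dev/null 2>&1; then
    # Live check on a Mac; fdesetup list needs root, so sudo will prompt.
    check_recovery_admin "$ACCOUNT" \
        "$(sysadminctl -secureTokenStatus "$ACCOUNT" 2>&1)" \
        "$(sudo fdesetup list)" \
        "$(dseditgroup -o checkmember -m "$ACCOUNT" admin)"
else
    # Constructed sample output (not from a real machine): admin without a token.
    check_recovery_admin "MacAdminRecover" \
        "2026-06-09 10:00:00.000 sysadminctl[611:4242] Secure token is DISABLED for user MacAdminRecover" \
        "daily,11111111-2222-3333-4444-555555555555" \
        "yes MacAdminRecover is a member of admin" \
        || echo "($? checks failed on the constructed sample)"
fi
```

An account that is an administrator but fails the other two checks can log in once the disk is unlocked, yet cannot unlock the FileVault volume at boot.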

Additional troubleshooting notes

If the steps above do not resolve the issue on the first attempt, reboot once, confirm that System Settings → General → Software Update is current, and retry with a second administrator account to rule out profile or keychain corruption in your daily user. Document the exact error text from Console.app with its timestamp; a vague “it still fails” without logs wastes support time. On Apple Silicon, re-test after a full shutdown (not just a restart), because firmware and Thunderbolt controllers reset only on cold boot. On Intel Macs, repeat the test in Safe Mode to bypass third-party login items. Before an erase or keychain reset, verify that a Time Machine or clone backup has completed. These guides assume Monterey/Ventura/Sonoma/Sequoia paths in System Settings; search Spotlight for renamed panes if your macOS version labels them slightly differently.
