macOS: Cannot change local admin to Standard because it is the only administrator accountSolved

Participant
Discussion
3 days ago Jul 03, 2026

We are trying to remove local admin rights from macOS users and make their primary accounts Standard users. I tested Hexnode’s Change User Role action on my own local account, but it failed with: “Cannot change the role since it is the only administrator account on the device.”

What is the recommended way to handle this? Should we create a separate local admin account on every Mac and then demote the user account? Also, where does LAPS fit into this setup? We are also considering temporary admin elevation through Self Service so users can still perform admin tasks when needed.

Replies (6)

Marked SolutionPending Review
Hexnode Expert
3 days ago Jul 03, 2026
Marked SolutionPending Review

Hi @juan_garcia,

This error is expected on macOS. The operating system requires at least one active local administrator account on the device at all times. Hexnode cannot demote the only administrator account because doing so could leave the Mac without any local admin account for recovery or administrative tasks.

The recommended approach is:

  1. Create or maintain a dedicated local administrator account on each Mac.
  2. Manage that admin account using LAPS, so the password is unique per device, securely stored, and rotated automatically.
  3. Change the employee’s day-to-day account from Administrator to Standard.
  4. Use Self Service privilege elevation when a Standard user needs temporary administrator access.

For existing devices, the user role change can be done manually from the device’s Local Accounts section or automated with a script deployed through Hexnode. For new macOS enrollments, the preferred approach is to configure the enrollment flow so the primary user account is created as a Standard account from the beginning.

LAPS is useful here because it removes the need to manually create, document, and rotate shared local admin passwords. Instead, a dedicated admin account can be managed centrally, with password rotation handled by Hexnode.

Best Regards,
Isabel Lora
Hexnode UEM

Marked SolutionPending Review
Participant
3 days ago Jul 03, 2026
Marked SolutionPending Review

That makes sense. If users are Standard users, will they still be able to connect to home Wi-Fi, hotel Wi-Fi, or other networks? Also wondering how much this affects developers who install packages and tools frequently.

Marked SolutionPending Review
Hexnode Expert
3 days ago Jul 03, 2026
Marked SolutionPending Review

Standard users can still connect to regular Wi-Fi networks. They should be able to join home, office, hotel, or public Wi-Fi networks through the normal macOS Wi-Fi menu.

The restrictions mainly apply to deeper system-level network changes, such as manually changing DNS settings, configuring static IP settings, modifying firewall behavior, or creating certain system-wide VPN or virtual network interfaces.

For developers, the impact depends on the tools they use:

  • User-level tools or apps installed inside the user profile may work without admin rights.
  • Apps that install to /Applications, use .pkg installers, add system extensions, install drivers, modify protected directories, or change system services will usually require administrator privileges.

For those cases, Self Service privilege elevation can be used to temporarily elevate the Standard account. Once the configured time limit expires, Hexnode reverts the account back to Standard.

Best Regards,
Isabel Lora
Hexnode UEM

Marked SolutionPending Review
Participant
3 days ago Jul 03, 2026
Marked SolutionPending Review

We had a similar rollout. The cleanest method was to keep a separate managed admin account on every Mac and then move employees to Standard accounts. Without that separate admin account, macOS blocks the demotion just like the error says.

Marked SolutionPending Review
Participant
3 days ago Jul 03, 2026
Marked SolutionPending Review

One more thing: if Basic LAPS is included in the subscription but appears disabled while creating a policy, is that the wrong place to enable it?

Marked SolutionPending Review
Hexnode Expert
3 days ago Jul 03, 2026
Marked SolutionPending Review

If Basic LAPS is included in your plan but appears disabled in the policy creation menu, it may still need to be activated for the portal before it can be configured in policies.

Once available, LAPS can be used to manage the dedicated local administrator account by rotating and storing the password securely. Some deployments also support rotating the password after it is viewed, which helps ensure that any exposed admin password is replaced shortly after use.

Best Regards,
Isabel Lora
Hexnode UEM

Save