Identifying which admin changed another admin's privileges

macos security administrator logs

Have a bit of a people issue and one user who has admin has changed another's privileges from admin to standard. This is a university setting, but the student association not the university's network; I am the parent of the user who was (temporarily) demoted; some experience as a user but not admin using Linux and Apple systems (as well as Windows)...

The root user did not do it and privileges have been restored; current root user is not experienced as a sysadmin though. Does OS X keep log files which would show who made this change? assuming so, which log file(s) would need to be examined to get this information (I take it one needs to look at the asl logs through Console - but which logs?) I do not have access to the system and need to describe this to those who will do it...

Any help would be appreciated.


You may also be able to glean some info from the BSM audit logs. The log files are in /var/audit and are viewed with praudit(8). I don't know the format of the audit record for changing an account, but there should be some clues. You can check the date range and look for privilege escalations. The text section may have mentions of the '/Local/Default' node.

Related

Select different credit card for work related App store purchase
Restoring Fusion Drive after error on partition erase
Repeated keystroke "w" for Agar.io
Mac OS X is not starting anymore
Can I pair and use two microphones with my iPhone 6+?
Music missing from storage management
bug with rsync changing modification dates even with the -a option
Mac Pro ATI 5770 with 3 monitors - what active adapters needed?
Mac Outlook 15.11 2015 "connection to the server failed or was dropped" (Error # -3253)
Upgrade svn on OS X 10.9
What information is accessible through iCloud? Can the administrator on my home PC access these files?
Different UI for same version of YouTube official iOS app