I believe in order for a user to be able to do su - root, he or she has to be in the wheel group. Does dscl . -read /groups/wheel GroupMembership contain the person who is trying to do su - root ? Best, Paul