We image our Macs with one partition for the System data and another for the User data.
That, in turn, allows us to image the Macs while preserving the user data.
The catch is that the permissions on the home folders will be wrong afterwards; our fix for that is below.
The solution is the script linked below.
It loops through /Users/ and attempts to get the UniqueID for each user account it finds, first locally and then from the domain. If an account is found, the home folder's permissions are propagated correctly; otherwise the permissions are set to read/write for all.
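To make the lookup-then-decide step concrete, here is an added example written for this post (it is not the linked script): it parses dscl records by key name, tries the local node before the AD node, and prints the action it would take for each home rather than changing anything. The AD node path, user names and sample records are constructed assumptions.

```shell
#!/bin/sh
# Added example, written for this post; it is not the linked script. It shows
# the lookup-then-decide logic: read dscl records, try the local node first and
# the AD node second, then print the action rather than changing anything.
# The AD node path and the sample records below are assumptions.

AD_NODE="/Active Directory/EXAMPLE/All Domains"   # assumption: your AD node

# Print the UniqueID from a "dscl -read" record on stdin, or nothing at all.
# Matching on the key name is sturdier than a fixed offset like `cut -c 11-`.
parse_unique_id() {
    awk -F': ' '$1 == "UniqueID" { print $2; exit }'
}

# Arguments: user, local record, domain record (either record may be empty).
# Prints "local UID", "domain UID" or "none"; exit status 1 if no account.
resolve_uid() {
    _uid=$(printf '%s\n' "$2" | parse_unique_id)
    if [ -n "$_uid" ]; then echo "local $_uid"; return 0; fi
    _uid=$(printf '%s\n' "$3" | parse_unique_id)
    if [ -n "$_uid" ]; then echo "domain $_uid"; return 0; fi
    echo "none"; return 1
}

# Turn a resolve_uid result into the action the post describes: a known
# account gets its ownership propagated, an unknown one gets rw for all.
plan_action() {
    case $2 in
        "local "*|"domain "*) echo "chown -R ${2#* } /Users/$1" ;;
        *)                    echo "chmod -R a+rw /Users/$1" ;;
    esac
}

# Walk /Users like the script does. On a Mac the records come from dscl;
# elsewhere dscl is missing and every home falls through to "none".
plan_all_homes() {
    for home in /Users/*/; do
        [ -d "$home" ] || continue
        user=$(basename "$home"); local_rec=""; domain_rec=""
        if command -v dscl >/dev/null 2>&1; then
            local_rec=$(dscl . -read "/Users/$user" 2>/dev/null)
            domain_rec=$(dscl "$AD_NODE" -read "/Users/$user" 2>/dev/null)
        fi
        plan_action "$user" "$(resolve_uid "$user" "$local_rec" "$domain_rec")"
    done
}

# Constructed sample records in dscl's "Key: value" layout for an offline run.
SAMPLE_LOCAL_REC=$(printf 'RecordName: jdoe\nUniqueID: 501\nPrimaryGroupID: 20\n')
SAMPLE_DOMAIN_REC=$(printf 'RecordName: s15000006\nUniqueID: 146018084\n')
```

Run `plan_all_homes` on a Mac to see the planned command per home before letting any real script touch ownership.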
12 thoughts on “Correct AD Users Home Mobile Home Folder Permissions”
You’ve succeeded in getting PHDs on a 2nd partition working under 10.9??
Have you succeeded in getting ProfileManager to push the Mobility settings out for LEGACY accounts (pre-existing network homes) when they are *NEWLY ADDED* to a profile manager group (i.e. a PHDUSERS group with the Mobility settings configured)? I can only get pushes happening for virgin accounts that haven’t previously logged in and that are initially part of the PHDUSERS group.
Perhaps you are not using ProfileManager at all, but doing this the 10.6.8 way with WGM (which does work for me off my other server, btw)?
And please tell, how are you handling the users’ Library/ folder? Are you totally excluding it?
What have you done for >10Gig accounts (and 100Gig) so that 1st login is fast and successful?
Are you using an external syncing solution (external to HomeSyncing, like Chronosync or Rsync) to sync when the user is not logged in?
Thanks for any help. 😎
I’ll take you out for beer if you come to Switzerland.
p.s. I have successfully used HomeSync and PHD for years under 10.6.8, but am having a heck of a time under 10.9, far from the ‘it just works’ joy that I would wish.
p.s. Why do you think accounts (on the client) don’t show up in SystemPreferences>Accounts?
As admin, I often don’t see any of the PHD accounts.
Sometimes I see an account as ‘Mobile’.
Sometimes I see an account as ‘External’.
As the user, I see the account as ‘External’.
Should I be worried?
Am I blind or was the link deleted? Can’t see the link but would really appreciate it 🙂
Is it showing now? I had some issues with the plugin I use to show GitHub code.
Yes, it’s showing now. Thanks!
Likewise either I’m blind or this script link is no longer showing… I was about to write my own but saw this linked over at Jamfnation thanks to bentoms!
Never mind it magically appeared AFTER I posted the last comment. Putting link inline just in case some other unfortunate comes along: https://github.com/macmule/CorrectADUsersHomeFolderPermissions/blob/master/CorrectADUsersHomeFolderPermissions.sh
I am trying to use this on Mojave 10.14.5. It appears to find the user I am testing and succeeds on a lot of the commands, but afterward I cannot log in as that user.
Getting some failures:
/Library/Application Support/JAMF/tmp/CorrectADUsersHomeFolderPermissions.sh: line 28: grep: command not found
Account is not on this mac…
User s15000006’s UniqueID = 146018084…
Removing all ACL’s from /Users/s15000006/ Account…
Clearing locks on any locked files/folder found in /Users/s15000006/…
User s15000006 is a Domain account…
467371908 is the ID for the Domain Users group…
As domain account, setting Owners to 146018084:275178933
chown: 467371908: No such file or directory
Setting rwxr--r-- permission for Owner, Read for Everyone for everything under /Users/s15000006…
Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Desktop…
Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Documents…
Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Downloads…
Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Library…
Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Movies…
Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Music…
Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Pictures…
Setting Read only access for Everyone to /Users/s15000006/Public/…
Drop Box folder found, setting Write only access for Everyone to /Users/s15000006/Public/Drop Box/…
Sites folder not found @ /Users/s15000006/Sites/…
JAMF support noted these issues:
As with the script, it appears that there is an issue with line 28 – “/Library/Application Support/JAMF/tmp/CorrectADUsersHomeFolderPermissions.sh: line 28: grep: command not found”
And also an issue with the chown command: “chown: 467371908: No such file or directory”
Line 28 appears to have a gremlin between the pipe symbol ( ” | ” ) and the grep command.
If you copy and paste into a text editor and backspace from the g to the pipe you’ll see what I mean.
The second issue is the parameter. $1 is old. $3 is the script parameter in Jamf Pro for username
Erm, the script needs to be reviewed by jamf again. $1 is used in a bash function to grab the first variable passed.
If anyone has a working script or method, please ping me. We have a domain switch happening soon and so far in my testing, changing domain while maintaining users’ data is a huge pain point.
I am getting an error when the script gets to this line… It says the grep command is not found…
# Attempt to query the local directory for the users UniqueID
accountUniqueID=`dscl . -read /Users/$1 2>/dev/null | grep UniqueID | cut -c 11-`
I am not sure what is wrong with the command. Ideas? Should the UniqueID be in quotes?
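The “gremlin” described in the two comments above (the invisible character between the pipe and grep that makes the shell report “grep: command not found”) can be found and removed before a script is pushed out through Jamf. This added check is not from the post or the script’s author; the sample script it scans is constructed.

```shell
#!/bin/sh
# Added example, not from the post or the script's author. It hunts for the
# "gremlin" described in the comments: a non-ASCII byte, typically a UTF-8
# no-break space (0xC2 0xA0) pasted between "|" and "grep", which the shell
# reads as part of the command name and reports "grep: command not found".

# Print "LINE:TEXT" for each line holding a byte that is neither printable
# ASCII nor ordinary whitespace. Exit status is 0 when something was found.
find_gremlins() {
    LC_ALL=C grep -n '[^[:print:][:space:]]' "$1"
}

# Number of offending lines; 0 means the file is clean.
gremlin_count() {
    find_gremlins "$1" | wc -l | tr -d ' '
}

# Dump one line byte by byte so the invisible character shows up
# (a no-break space prints as 302 240 in od -c output).
show_line_bytes() {
    sed -n "${2}p" "$1" | od -c
}

# Rewrite UTF-8 no-break spaces as plain spaces into a new file; the original
# stays untouched so the change can be diffed before the script is deployed.
fix_nbsp() {
    _nbsp=$(printf '\302\240')
    LC_ALL=C sed "s/$_nbsp/ /g" "$1" > "$2"
}

# Constructed sample: a two-line script with the gremlin between the pipe and
# grep, mirroring the failing line 28 quoted in the thread.
make_sample() {
    printf 'uid=`dscl . -read /Users/$1 2>/dev/null |\302\240grep UniqueID`\necho "$uid"\n' > "$1"
}

# Stand-alone demo: write the sample, report, fix, and check again.
if [ "${1:-}" = "--demo" ]; then
    f="${TMPDIR:-/tmp}/gremlin_sample.$$"
    make_sample "$f"
    echo "before: $(gremlin_count "$f") bad line(s)"; find_gremlins "$f"
    show_line_bytes "$f" 1
    fix_nbsp "$f" "$f.fixed"
    echo "after: $(gremlin_count "$f.fixed") bad line(s)"
    rm -f "$f" "$f.fixed"
fi
```

Point `find_gremlins` at the real script (e.g. the copy under /Library/Application Support/JAMF/tmp/) and any non-zero count means the file should be cleaned before the next policy run.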