Correct AD Users Home Mobile Home Folder Permissions

We image our Macs with one partition for the system and another for the user data.

That lets us re-image the system partition while preserving the user data.

The catch is that, afterwards, the ownership and permissions on the home folders will be wrong. Our solution to this is below.

Solution

The solution is the script linked below.

It loops through /Users/ and, for each home folder it finds, attempts to get the account's UniqueID, first from the local directory and then from the domain. If an account is found, the home folder's ownership and permissions are reset and propagated correctly; otherwise the permissions are set to read/write for all.
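The loop described above, written out as an added example in shell. This is not the script the post links to; it makes a few assumptions of its own: AD_NODE is a placeholder for your domain's directory node, each account's PrimaryGroupID is used as the group owner (rather than a separate lookup of the Domain Users group), and the owner-only, Public and Drop Box modes follow the post's description rather than a copy of its script. The file name fix_homes.sh is hypothetical.

```shell
#!/bin/sh
# Added example; not the script from the post. Walks /Users, resolves each folder
# name to a UniqueID and PrimaryGroupID (local directory first, then Active
# Directory) and resets ownership and permissions. AD_NODE is an assumption;
# list yours with:  dscl localhost -list "/Active Directory"
# Usage: sh fix_homes.sh            (dry run: prints the commands)
#        sudo sh fix_homes.sh --apply

USERS_DIR="${USERS_DIR:-/Users}"
AD_NODE="${AD_NODE:-/Active Directory/EXAMPLE/All Domains}"   # assumed domain short name
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; else DRY_RUN=1; fi

# parse_attr OUTPUT KEY: first numeric value of "KEY: n" in `dscl -read` output.
# Only the first match is used, so a record that resolves to two IDs can never
# hand chown a multi-line value.
parse_attr() {
  printf '%s\n' "$1" | awk -v key="$2:" '$1 == key && $2 ~ /^[0-9]+$/ { print $2; exit }'
}

# lookup_ids USER: prints "uid:gid" from the first node that knows the account.
lookup_ids() {
  user="$1"
  for node in "." "$AD_NODE"; do
    out=$(dscl "$node" -read "/Users/$user" UniqueID PrimaryGroupID 2>/dev/null) || continue
    uid=$(parse_attr "$out" UniqueID)
    gid=$(parse_attr "$out" PrimaryGroupID)
    if [ -n "$uid" ] && [ -n "$gid" ]; then
      printf '%s:%s\n' "$uid" "$gid"
      return 0
    fi
  done
  return 1
}

# run CMD...: execute, or print with a leading "+" when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# fix_home HOME UID:GID: strip ACLs and locks, then owner-only except Public.
fix_home() {
  home="$1"
  ids="$2"
  run chmod -RN "$home"              # macOS chmod: remove every ACL entry
  run chflags -R nouchg "$home"      # clear the user-immutable ("locked") flag
  run chown -R "$ids" "$home"
  run chmod -R u=rwX,go= "$home"     # owner only for everything inside
  run chmod 755 "$home"              # the home itself stays traversable
  if [ -d "$home/Public" ]; then
    run chmod -R u=rwX,go=rX "$home/Public"
    if [ -d "$home/Public/Drop Box" ]; then
      run chmod u=rwx,go=wx "$home/Public/Drop Box"   # write-only drop box
    fi
  fi
}

main() {
  for home in "$USERS_DIR"/*/; do
    home="${home%/}"
    user="${home##*/}"
    [ -d "$home" ] || continue
    case "$user" in Shared|Guest) continue ;; esac
    if ids=$(lookup_ids "$user"); then
      printf '%s: account found, setting owner %s\n' "$user" "$ids"
      fix_home "$home" "$ids"
    else
      printf '%s: no local or domain account, opening read/write for all\n' "$user"
      run chmod -R a+rwX "$home"
    fi
  done
}

if [ -d "$USERS_DIR" ]; then main; fi
```

Run it with no arguments first and read the printed commands before passing --apply. Because parse_attr stops at the first matching line, a group or user record that resolves to two IDs produces a single uid:gid pair instead of a two-line value for chown.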

Script

13 thoughts on “Correct AD Users Home Mobile Home Folder Permissions”

  1. You’ve succeeded in getting PHDs on a 2nd partition working under 10.9?

    Have you succeeded in getting ProfileManager to push the Mobility settings out for LEGACY accounts (pre-existing network homes) when they are *NEWLY ADDED* to a profile manager group (i.e. a PHDUSERS group with the Mobility settings configured)? I can only get pushes happening for virgin accounts that haven’t previously logged in and that are initially part of the PHDUSERS group.

    Perhaps you are not using ProfileManager at all, but doing this the 10.6.8 way with WGM (which does work for me off my other server, btw)?

    And please tell, how are you handling the users’ Library/ folder? Are you totally excluding it?
    What have you done for >10Gig accounts (and 100Gig) so that 1st login is fast and successful?
    Are you using an external syncing solution (external to HomeSync, like Chronosync or Rsync) to sync when the user is not logged in?

    Thanks for any help. 😎
    I’ll take you out for beer if you come to Switzerland.
    /shawn

    P.S. I have successfully used HomeSync and PHD for years under 10.6.8, but am having a heck of a time under 10.9, far from the ‘it just works’ joy that I would wish.

  2. P.S. Why do you think accounts (on the client) don’t show up in System Preferences > Accounts?
    As admin, I often don’t see any of the PHD accounts.
    Sometimes I see an account as ‘Mobile’.
    Sometimes I see an account as ‘External’.

    As the user, I see the account as ‘External’.
    Should I be worried?

  3. Kev

    Hi there,

    Am I blind or was the link deleted? Can’t see the link but would really appreciate it 🙂

    Thanks!

  4. Gabe Ster

    Likewise, either I’m blind or this script link is no longer showing… I was about to write my own but saw this linked over at Jamfnation thanks to bentoms!

  5. Matthew Hegge

    I am trying to use this in Mojave 10.14.5. Appears to find the user I am testing and is successful on a lot of the commands, but afterward, I cannot log into that user.

  6. Matthew Hegge

    Getting some failures:

    s15000006…
    /Library/Application Support/JAMF/tmp/CorrectADUsersHomeFolderPermissions.sh: line 28: grep: command not found
    Account is not on this mac…
    User s15000006’s UniqueID = 146018084…
    Removing all ACL’s from /Users/s15000006/ Account…
    Clearing locks on any locked files/folder found in /Users/s15000006/…
    User s15000006 is a Domain account…
    275178933
    467371908 is the ID for the Domain Users group…
    As domain account, setting Owners to 146018084:275178933
    467371908…
    chown: 467371908: No such file or directory
    Setting rwxr--r-- permission for Owner, Read for Everyone for everything under /Users/s15000006…
    Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Desktop…
    Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Documents…
    Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Downloads…
    Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Library…
    Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Movies…
    Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Music…
    Setting rwx permission for Owner, None for Everyone for /Users/s15000006/Pictures…
    Setting Read only access for Everyone to /Users/s15000006/Public/…
    Drop Box folder found, setting Write only access for Everyone to /Users/s15000006/Public/Drop Box/…
    Sites folder not found @ /Users/s15000006/Sites/…

    JAMF support noted these issues:

    As with the script, it appears that there is an issue with line 28 – “/Library/Application Support/JAMF/tmp/CorrectADUsersHomeFolderPermissions.sh: line 28: grep: command not found”

    And also an issue with the chown command “chown: 467371908: No such file or directory ”

    Line 28 appears to have a gremlin between the pipe symbol ( ” | ” ) and the grep command.

    If you copy and paste into a text editor and backspace from the g to the pipe you’ll see what i mean.

    The second issue is the parameter. $1 is old. $3 is the script parameter in Jamf Pro for username.
    https://www.jamf.com/jamf-nation/articles/146/script-parameters

  7. Matthew Hegge

    If anyone has a working script or method, please ping me. We have a domain switch happening soon and so far in my testing, changing domain and maintaining users’ data is a huge pain point.

  8. Kevin Woodard

    I am getting an error when the script gets to this line… Says the grep command not found…

    # Attempt to query the local directory for the users UniqueID
    accountUniqueID=`dscl . -read /Users/$1 2>/dev/null | grep UniqueID | cut -c 11-`

    I am not sure what is wrong with the command. Ideas? Should the UniqueID be in quotes?
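Comments 6 and 8 both hit the same failure: a "gremlin" between the pipe and grep, which is what a non-breaking space pasted from a web page looks like to the shell (UTF-8 bytes C2 A0 are not a word separator, so the shell looks for a command literally named "<nbsp>grep"). The two functions below are an added example, not code from the post or the commenters; they locate such bytes in a script and rewrite NBSPs to plain spaces. The byte-class check flags every non-ASCII byte, so curly quotes or other legitimate non-ASCII text in comments will be listed too.

```shell
# Added example: find and remove the invisible character that turns "| grep"
# into "grep: command not found".

# find_gremlins FILE: print line:text for every line holding a byte outside
# printable ASCII or whitespace. LC_ALL=C makes the classes byte-based, so each
# byte of a multi-byte character is flagged. Exit status 1 means the file is clean.
find_gremlins() {
  LC_ALL=C grep -n '[^[:print:][:space:]]' "$1"
}

# strip_nbsp FILE: write FILE to stdout with every NBSP (C2 A0) replaced by a
# plain space. The byte pair is built with printf so the same sed call works
# on macOS (BSD sed) and GNU sed.
strip_nbsp() {
  nbsp=$(printf '\302\240')
  LC_ALL=C sed "s/$nbsp/ /g" "$1"
}

# Usage (paths are placeholders):
#   find_gremlins /Library/Application\ Support/JAMF/tmp/CorrectADUsersHomeFolderPermissions.sh
#   strip_nbsp script.sh > script.clean.sh
```

Check the output of find_gremlins before trusting strip_nbsp: it only rewrites NBSPs, so a zero-width space or a smart quote inside a command would still need fixing by hand.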
