AD Migration & Application Ownership rights

sysadmins
New Contributor

We are currently in the process of migrating our staff to AD from local accounts. I am using the script from here

The issue that is coming up is that the local user loses rights to update applications, and applications break as well and need to be reinstalled. After migrating a user, I found that the applications installed by the previous user are now owned by a UID (502). I tried to chown all the 502 applications to the AD account; however, the applications are still breaking.

Has anyone experienced this issue while doing AD migrations? If so, how did you tackle this issue? We are trying not to reinstall every broken app from updates.

1 ACCEPTED SOLUTION

rtrouton
Release Candidate Programs Tester

I went through a domain migration a couple of years ago and wrote a post on how to fix these permissions issues. It's available from here:

https://derflounder.wordpress.com/2013/11/20/fixing-permissions-after-changing-directory-services/

4 REPLIES

thoule
Valued Contributor II

Are you using a -R on your chown command?

sysadmins
New Contributor

I actually did this as well, however, apps were still unable to update. Just out of curiosity, do your AD users have local admin rights still?

I don't know if this is possible, but we want our users to be able to update their installed applications sitting in the /Applications folder without giving them admin rights.

sysadmins
New Contributor

I just want to put a note that the following code does work.

find / -uid old_uid -exec chown -v username {} \; > logfile.txt

However, it does not chown items that have symbolic links. I was able to bypass this by doing

find / -uid old_uid -exec chown -Rv username {} \; > logfile.txt
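An added example (not code from the thread or from the linked post) of the same re-owning step in a reusable form: it lists and counts every path still owned by the orphaned numeric UID, supports a dry run so the result can be reviewed before anything is changed, and uses chown -h so that symbolic links owned by the old UID are re-owned themselves rather than being followed to their targets. The old UID, the new account name and the starting directory are placeholders passed in as arguments; the real run must be done as root.

```shell
#!/bin/sh
# Added example: re-home files from an orphaned UID to the migrated account.
# Assumed placeholders: root directory, old numeric UID, new user name.

# Print every path under $1 whose owner is numeric uid $2, one per line.
# -xdev stays on the starting filesystem, so a run from / does not wander
# into /Volumes or network mounts that belong to other systems.
files_owned_by_uid() {
    find "$1" -xdev -uid "$2" -print 2>/dev/null
}

# Number of such paths; useful as a before/after check of the migration.
count_owned_by_uid() {
    files_owned_by_uid "$1" "$2" | wc -l | tr -d ' '
}

# Re-own every path found by files_owned_by_uid to user $3.
# With DRY_RUN=1 nothing is changed; each intended command is printed.
# find already visits every file and directory itself, so chown needs no -R;
# -h changes the ownership of a symlink rather than of whatever it points at.
remap_uid_owner() {
    root="$1"; old_uid="$2"; new_user="$3"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        files_owned_by_uid "$root" "$old_uid" | while IFS= read -r path; do
            printf 'would chown -h %s %s\n' "$new_user" "$path"
        done
    else
        # -print0 / -0 keep paths with spaces or odd characters intact.
        find "$root" -xdev -uid "$old_uid" -print0 | xargs -0 chown -h "$new_user"
    fi
}

# Usage (as root), with placeholder values:
#   DRY_RUN=1 remap_uid_owner /Applications 502 jdoe > review.txt
#   remap_uid_owner /Applications 502 jdoe
#   count_owned_by_uid /Applications 502   # should now print 0
```

Run the dry run first and keep its output as the change record; afterwards count_owned_by_uid should report 0 for the old UID, and any paths it still lists are the ones to look at by hand.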