We have been receiving many new MacBooks with the M1 processor and Big Sur. After getting the device set up and bound to our AD network we have been noticing an issue. When the user logs into the machine with their AD account, the permissions of the user's home directory are not correct. The user has no rights to the Desktop, KeyChain folder, Documents, and others. This has been the case on every new M1 MacBook that we have received. I have manually gone through and corrected the rights to all the files and directories, but surely this should not be happening. Has anyone come across this issue? How can this be corrected?
- AD user directory permissions wrong
12 replies

- Valued Contributor
- 90 replies
- March 3, 2021
We have this issue with non-M1 MacBook Pros that are not AD bound running Catalina. I believe it is one of our Policies or Configuration Profiles that is breaking the Home folder for new users post enrollment. We create a local admin in the Prestage and that user is fine; it is the subsequent users created that have the issues. We use Jamf Connect and Okta. It takes about 2 minutes to fix and we don't have that many new users, so we have not delved into it deeper. I would like to know what you come up with if anything, and will report my findings as well.
- Valued Contributor
- 72 replies
- May 12, 2021
I have been seeing this too; one of the symptoms is Outlook can't create its preferences in the user's Library. I ended up putting in Self Service a script that sets ownership of the home directory using chown and runs the diskutil command resetting user permissions using the user's UID.
chown -R $loggedInUser:staff /Users/$loggedInUser
diskutil resetUserPermissions / $loggedInUser_UID
Would like to find the source of this issue; this has been a problem with mobile accounts in Catalina & Big Sur. For now I would like to figure out how to use an extension attribute and a smart group to run this when the user logs in after upgrading to Catalina & Big Sur.

- New Contributor
- 7 replies
- July 8, 2021
I'm seeing this issue with Macs with local, non-admin accounts as well. This only seems to happen to managed Macs, AD or not.

- New Contributor
- 7 replies
- August 11, 2021
Hi,
Just wondering if you have since discovered any additional info about this and if you could maybe share the full script that you referred to?
Thanks!

- Author
- New Contributor
- 1 reply
- August 11, 2021
This has been a non-stop battle as I have been seeing it on ANY MacBook with Big Sur whenever a new account from AD is created on the machine. The permissions are not correct and the user cannot save to Downloads and Documents without us having to correct the permissions. This permission issue also messes up the Keychain because when the user account is created the /Library/Keychain inside the user directory is a file, not a directory. We have to delete this file and create a directory, and then make sure the user is the owner and such. This has been an absolute nightmare and we are about to have 250+ new MacBooks coming in sometime over the next few months.
- Valued Contributor
- 72 replies
- August 12, 2021
Here is the full script I use.
#!/bin/sh
####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
#   reset_user_permission.sh -- Reset user's home folder permissions
#
# SYNOPSIS
#   sudo reset_user_permission.sh
#
####################################################################################################
#
# HISTORY
#
#   Version: 1.1
#   Michael A. Burdett
#   2019/03/05
#
# Reference
#
####################################################################################################
# variables

# get current logged in user (owner of /dev/console) and that user's UID
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
loggedInUser_UID=$(id -u "$loggedInUser")

# set log file
logfile="/Library/Logs/reset_user_permission_for_${loggedInUser}.log"

# get OS version
os_ver=$(sw_vers -productVersion)

# Take a local Time Machine (APFS) snapshot on 10.13 or later.
# The original test was "$os_ver" -ge 10.13.*, which is not a valid numeric
# comparison; compare the major and minor numbers as integers instead.
os_major=$(echo "$os_ver" | cut -d. -f1)
os_minor=$(echo "$os_ver" | cut -d. -f2)
if [ "$os_major" -gt 10 ] || { [ "$os_major" -eq 10 ] && [ "$os_minor" -ge 13 ]; }; then
    /bin/echo "--" >> "${logfile}"
    /bin/echo "$(date): Taking a Time Machine snapshot" >> "${logfile}"
    osascript -e 'display notification "Taking a Time Machine Snapshot" with title "JAMF Management" sound name "Tink"'
    sleep 1
    tmutil snapshot
fi

# set permissions using chown
/bin/echo "--" >> "${logfile}"
/bin/echo "$(date): set user permission for $loggedInUser using chown" >> "${logfile}"
echo "display notification \"Setting permission for $loggedInUser home folder\" with title \"JAMF Management\" sound name \"default\"" | osascript
sleep 1
chown -R "$loggedInUser":staff "/Users/$loggedInUser"

# reset permissions using diskutil
/bin/echo "--" >> "${logfile}"
/bin/echo "$(date): set user permission for $loggedInUser using Disk Utility resetUserPermissions" >> "${logfile}"
echo "display notification \"Setting permission for $loggedInUser home folder using Apple Disk Utility\" with title \"JAMF Management\" sound name \"default\"" | osascript
sleep 1
diskutil resetUserPermissions / "$loggedInUser_UID"

# restart message
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
windowType="hud"
description="Your computer needs to be restarted to finish the permission repairs. To restart, select 'Restart' below. Applications will Quit and a restart will begin immediately. If you are unable to restart at the moment, please select 'Cancel.'

*Please save all working documents before selecting 'Restart.'

If you require assistance, please contact the Service Desk"
button1="Restart"
button2="Cancel"
icon="/Library/Application Support/JAMF/bin/TECHdesklogoWhitebox.png"
title="Restart required"
alignDescription="left"
alignHeading="center"
defaultButton="2"
cancelButton="2"
timeout="300"

# jamfHelper exit code: 0 = button1 (Restart), 2 = button2 (Cancel) or timeout
userChoice=$("$jamfHelper" -windowType "$windowType" -lockHUD -title "$title" -timeout "$timeout" -defaultButton "$defaultButton" -cancelButton "$cancelButton" -icon "$icon" -description "$description" -alignDescription "$alignDescription" -alignHeading "$alignHeading" -button1 "$button1" -button2 "$button2")

if [ "$userChoice" = "0" ]; then
    echo "User clicked Restart; quitting applications"
    osascript -e 'display notification "Restarting Computer" with title "JAMF Management" sound name "Tink"'
    osascript -e 'tell application "System Events"' -e 'restart' -e 'end tell'
elif [ "$userChoice" = "2" ]; then
    echo "User clicked Cancel or timeout was reached; now exiting."
    osascript -e 'display notification "You clicked Cancel or timeout was reached. Please restart as soon as possible." with title "JAMF Management" sound name "Tink"'
    exit 0
fi
- Valued Contributor
- 72 replies
- August 12, 2021
This has been so problematic I set a policy to run this script on login, once per computer per user. It's annoying to have all users log in and then be asked to restart, but it seems to take care of the issue until the underlying issue is found.

- New Contributor
- 7 replies
- August 17, 2021
Hi, thanks for posting this!
I can't seem to chown most of these directories, even as root. Do you disable SIP first?
Thanks again!
- Valued Contributor
- 72 replies
- August 17, 2021
SIP is the issue, but I wouldn't disable it. As I look into this I see that chown reports that the operation is not allowed. To get around this I created a configuration profile to allow Full Disk Access to Terminal. This seems to be working in my initial test.
- Valued Contributor
- 72 replies
- August 19, 2021
The configuration profile will allow Terminal Full Disk Access on all managed systems. On a single system you can give access in System Preferences.
If you go into System Preferences -> Security & Privacy -> Privacy -> highlight Full Disk Access -> unlock -> put a check next to Terminal.
This will allow Terminal commands to make changes to all files on the computer.
You will need to use sudo chown to elevate to make changes in other home folders.
Example: while I'm logged in to my admin account I can set the owner of my standard account home folder with
sudo chown burdett:staff /Users/burdett
- Valued Contributor
- 72 replies
- November 16, 2021
Another way to Repair Permissions in Home Folder
- Start up in Recovery mode by holding Command-R.
- Once in Recovery mode, open Terminal from the Utilities menu.
- There type repairHomePermissions and press Return.
- That should launch the Repair Home app. Select the correct user account from those offered, and enter the admin password for that account. If that isn't an admin account, Apple doesn't explain what you should do.
- Then click on the Next button.
- Once that has completed, click on the Exit button.
- In the main Recovery mode window, select Reinstall macOS, and click on Continue to reinstall macOS in its entirety.
- Once that is complete, restart in normal mode.
- Valued Contributor
- 72 replies
- November 16, 2021
Sorry, the correct change-owner command for a user named burdett is:
sudo chown -R burdett:staff /Users/burdett