AD user directory permissions wrong

sprousew
New Contributor

We have been receiving many new MacBooks with the M1 processor and Big Sur. After getting the device set up and bound to our AD network we have been noticing an issue. When the user logs into the machine with their AD account, the permissions of the user's home directory are not correct. The user has no rights to the Desktop, Keychain folder, Documents, and others. This has been the case on every new M1 MacBook that we have received. I have manually gone through and corrected the rights to all the files and directories, but surely this should not be happening. Has anyone come across this issue? How can this be corrected?

10 REPLIES

erichughes
Contributor II

We have this issue with non-M1 MacBook Pros that are not AD bound, running Catalina. I believe it is one of our Policies or Configuration Profiles that is breaking the Home folder for new users post enrollment. We create a local admin in the PreStage and that user is fine; it is the subsequent users created that have the issues. We use Jamf Connect and Okta. It takes about 2 minutes to fix and we do have that many new users, so we have not delved into it deeper. I would like to know what you come up with, if anything, and will report my findings as well.

burdett
Contributor

I have been seeing this too; one of the symptoms is Outlook can't create its preferences in the user's Library. I ended up putting in Self Service a script that sets ownership of the home directory using chown and runs the diskutil command that resets user permissions using the user's UID.

chown -R $loggedInUser:staff /Users/$loggedInUser
diskutil resetUserPermissions / $loggedInUser_UID

Would like to find the source of this issue; this has been a problem with mobile accounts in Catalina & Big Sur. For now I would like to figure out how to use an extension attribute and a smart group to run this when the user has logged in after upgrading to Catalina & Big Sur.

wveale
New Contributor II

Hi,

Just wondering if you have since discovered any additional info about this and if you could maybe share the full script that you referred to?

Thanks!

wveale
New Contributor II

I'm seeing this issue with Macs with local, non-admin accounts as well. This only seems to happen to managed Macs, AD-bound or not.

sprousew
New Contributor

This has been a non-stop battle, as I have been seeing it on ANY MacBook with Big Sur whenever a new account from AD is created on the machine. The permissions are not correct and the user cannot save to Downloads and Documents without us having to correct the permissions. This permission issue also messes up the Keychain, because when the user account is created the /Library/Keychains inside the user directory is a file, not a directory. We have to delete this file and create a directory, and then make sure the user is the owner and such. This has been an absolute nightmare and we are about to have 250+ new MacBooks coming in sometime over the next few months.
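The detection side that burdett asks for above (an extension attribute feeding a smart group), written here as an added example rather than anything posted in the thread. It checks the two symptoms the thread describes: home subfolders not owned by the user's UID, and ~/Library/Keychains existing as a file instead of a directory. The folder list, the result strings and the smart-group criterion are my assumptions; the console-user and dscl lookups are standard macOS calls.

```shell
#!/bin/bash
# Added example (not from the thread): a Jamf extension attribute that reports
# whether the console user's home folder shows the symptoms described above.
# Suggested use: smart group where "Home permissions" is like "BROKEN", and the
# repair policy scoped to that group instead of to every login.

# Numeric owner uid of a path. `ls -ln` prints uids on both macOS and GNU ls,
# which keeps check_home portable (macOS stat(1) and GNU stat(1) differ).
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# check_home <home_dir> <expected_uid>
# Prints OK, NOHOME or BROKEN:<details>; returns 0 only when healthy.
check_home() {
    home="$1"; uid="$2"; problems=""
    [ -d "$home" ] || { echo "NOHOME"; return 2; }
    # "" stands for the home folder itself. A fresh account may not have every
    # folder yet, so a missing folder is not an error; a present one with the
    # wrong owner is.
    for sub in "" Desktop Documents Downloads Library Library/Preferences Library/Keychains; do
        path="$home${sub:+/$sub}"
        [ -e "$path" ] || continue
        owner=$(owner_uid "$path")
        if [ "$owner" != "$uid" ]; then
            problems="$problems owner(${sub:-.})=$owner"
        fi
    done
    # Symptom from the thread: ~/Library/Keychains exists but is a file, not a directory.
    if [ -e "$home/Library/Keychains" ] && [ ! -d "$home/Library/Keychains" ]; then
        problems="$problems keychains-not-a-dir"
    fi
    if [ -n "$problems" ]; then
        echo "BROKEN:$problems"
        return 1
    fi
    echo "OK"
}

# Extension-attribute entry point, macOS only. Resolves the console user and the
# home folder from the directory record (AD mobile accounts are local records,
# so "dscl ." sees them), rather than assuming /Users/<name>.
ea_main() {
    user=$(stat -f %Su /dev/console 2>/dev/null)
    case "$user" in
        ""|root|loginwindow|_mbsetupuser) echo "<result>NOUSER</result>"; return 0 ;;
    esac
    uid=$(id -u "$user")
    home=$(dscl . -read "/Users/$user" NFSHomeDirectory 2>/dev/null | awk '{ print $2 }')
    echo "<result>$(check_home "${home:-/Users/$user}" "$uid")</result>"
}

if [ "$(uname)" = "Darwin" ]; then
    ea_main
fi
```

The EA only reads metadata, so it does not need Full Disk Access and is safe to run at every inventory update; the repair (chown plus diskutil resetUserPermissions) stays in a policy scoped to the group the EA populates.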

burdett
Contributor

Here is the full script I use.

 

#!/bin/sh
####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
# reset_user_permission.sh -- Reset user's home folder permissions
#
# SYNOPSIS
# sudo reset_user_permission.sh
#
####################################################################################################
#
# HISTORY
#
# Version: 1.1
# Michael A. Burdett
# 2019/03/05
#
# Reference
#
#####################################################################################################
# variables

# must run as root: chown on another user's home and diskutil resetUserPermissions both need it
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root (sudo)." >&2
  exit 1
fi

#get current logged in user (owner of the console device)
loggedInUser=$(/usr/bin/stat -f%Su /dev/console)

# stop if nobody is logged in or the console belongs to a system account;
# with an empty user the chown below would run against /Users itself
case "$loggedInUser" in
  ""|root|loginwindow|_mbsetupuser)
    echo "No user logged in at the console; nothing to do." >&2
    exit 1
    ;;
esac
loggedInUser_UID=$(/usr/bin/id -u "$loggedInUser")

# resolve the real home folder from the directory record instead of assuming /Users/<name>
homeDir=$(/usr/bin/dscl . -read "/Users/$loggedInUser" NFSHomeDirectory 2>/dev/null | /usr/bin/awk '{ print $2 }')
homeDir="${homeDir:-/Users/$loggedInUser}"
if [ ! -d "$homeDir" ]; then
  echo "Home folder $homeDir does not exist." >&2
  exit 1
fi

#set log File
logfile="/Library/Logs/reset_user_permission_for_$loggedInUser.log"
#get os Version, split into integer major/minor so it can be compared
os_ver=$(/usr/bin/sw_vers -productVersion)
os_major=$(echo "$os_ver" | /usr/bin/cut -d. -f1)
os_minor=$(echo "$os_ver" | /usr/bin/cut -d. -f2)

#Take local Time Machine snapshot (APFS snapshots need 10.13 or later)
if [ "$os_major" -gt 10 ] || { [ "$os_major" -eq 10 ] && [ "$os_minor" -ge 13 ]; }; then
  /bin/echo "--" >> "${logfile}"
  /bin/echo "$(date): Taking a Time Machine snapshot" >> "${logfile}"
  /usr/bin/osascript -e 'display notification "Taking a Time Machine snapshot" with title "JAMF Management" sound name "Tink"'
  sleep 1
  /usr/bin/tmutil snapshot
fi

#set ownership using chown
/bin/echo "--" >> "${logfile}"
/bin/echo "$(date): set user permission for $loggedInUser using chown" >> "${logfile}"
/usr/bin/osascript -e "display notification \"Setting permission for $loggedInUser home folder\" with title \"JAMF Management\" sound name \"default\""
sleep 1
/usr/sbin/chown -R "$loggedInUser:staff" "$homeDir"

#reset permissions using diskutil (takes the volume and the user's numeric UID)
/bin/echo "--" >> "${logfile}"
/bin/echo "$(date): set user permission for $loggedInUser using disk utility reset User Permissions" >> "${logfile}"
/usr/bin/osascript -e "display notification \"Setting permission for $loggedInUser home folder using Apple Disk Utility\" with title \"JAMF Management\" sound name \"default\""
sleep 1
/usr/sbin/diskutil resetUserPermissions / "$loggedInUser_UID"

#restart message
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
windowType="hud"
description="Your computer needs to be restarted to finish the permission repairs. To restart, select 'Restart' below. Applications will Quit and a restart will begin immediately. If you are unable to restart at the moment, please select 'Cancel.'

*Please save all working documents before selecting 'Restart.'

If you require assistance, please contact the Service Desk"

button1="Restart"
button2="Cancel"
# site-specific icon; no backslash inside double quotes, or the path will not resolve
icon="/Library/Application Support/JAMF/bin/TECHdesklogoWhitebox.png"
title="Restart required"
alignDescription="left"
alignHeading="center"
defaultButton="2"
cancelButton="2"
timeout="300"

userChoice=$("$jamfHelper" -windowType "$windowType" -lockHUD -title "$title" -timeout "$timeout" -defaultButton "$defaultButton" -cancelButton "$cancelButton" -icon "$icon" -description "$description" -alignDescription "$alignDescription" -alignHeading "$alignHeading" -button1 "$button1" -button2 "$button2")

# jamfHelper prints 0 for button 1; anything else (button 2, timeout, window closed) is treated as Cancel
if [ "$userChoice" = "0" ]; then
    echo "User clicked Restart; quitting applications"
    /usr/bin/osascript -e 'display notification "Restarting Computer" with title "JAMF Management" sound name "Tink"'
    /usr/bin/osascript -e 'tell application "System Events"' -e 'restart' -e 'end tell'
else
    echo "User clicked Cancel or timeout was reached; now exiting."
    /usr/bin/osascript -e 'display notification "You clicked Cancel or timeout was reached.  Please restart as soon as possible." with title "JAMF Management" sound name "Tink"'
    exit 0
fi


wveale
New Contributor II

Hi, thanks for posting this!

I can't seem to chown most of these directories, even as root. Do you disable SIP first?

Thanks again!

SIP is the issue, but I wouldn't disable it. As I look into this I see that chown is reporting that the operation is not permitted. To get around this I created a configuration profile to allow Full Disk Access for Terminal. This seems to be working in my initial test.

The configuration profile will allow terminal full disk access on all managed systems.  On a single system you can give access in system preferences.

If you go into System Preferences -> Security & Privacy -> Privacy -> highlight Full Disk Access -> unlock -> put a check next to Terminal.

This will allow terminal commands to make changes to all files on the computer.

You will need to use sudo chown to elevate to make changes in other home folders.

Example: while I'm logged in to my admin account I can set the owner of my standard account's home folder with

sudo chown burdett:staff /Users/burdett

burdett
Contributor

This has been so problematic that I set a policy to run this script on login, once per computer per user. It's annoying to have all users log in and then be asked to restart, but it seems to take care of the issue until the underlying issue is found.