Administrator access to /users folder

wangl2
Contributor

We know in OS X a local administrator also doesn't have the right to access other users' home folders, such as Desktop and Documents. If you try to click on them, you will see a red minus and it says you don't have permission to access it. There is another thread talking about going to "Get info" on the folder and changing permission that way. But it doesn't change the sub folders. So I ended up trying to use the chmod -R command to change the permission on /users. However, I have two problems:
1. I don't know the correct syntax to use to just give Local Admin RW rights using the chmod command. It looks like I am giving everyone or domain admin the full access. I can't get this right.
2. Even if you have given full access to Local Admin to the /Users folder, when a new AD user logs in to the computer for the first time, his home folder will become inaccessible to Admin again, and I have to chmod again. Any other way to get this done besides setting this command as a login policy? Somehow my Mac gets stuck at "Apply Policy" for minutes if there are any login policies.

1 ACCEPTED SOLUTION

tlarkin
Honored Contributor

If you log in as the root user you can have access to every folder. I have a small package I created that enables the root account when admins need access to student data. You can also look at the dsenableroot command as well, which essentially is what I used to create this policy.

By default root is disabled; if some student gets in trouble and some admin needs full access to their account, I log them in under root for full access.


talkingmoose
Moderator

This isn't Mac OS 9 anymore:

  1. If you're already an administrator you can access user files any time you need. Administrators don't need to change user folder permissions to grant themselves access because they can elevate themselves to root.
  2. Being an administrator doesn't mean you should give yourself carte blanche to everything under your purview. Yes, as an administrator you can do this, but that doesn't mean you should.

If you need to gain access to a user's files because he has left the company or because your HR has reason to locate some data then that's when you exercise your administrative credentials. You don't do it beforehand.

wangl2
Contributor

Hi talkingmoose,
Thanks for your reply. But that didn't really answer my question. I work in a school. All students log in to the Mac using their AD credentials. After they save their work on the Desktop, teachers need to be able to check these files to monitor the progress. That's why I wanted to create a local admin account on each Mac, which will be used by the teacher to access other users' folders. I am running 10.6.8 in our environment. All the iMacs have been joined to Active Directory. What I find is that the local admin account cannot access other users' home folders. They all have a red minus and when you click on it, it says you do not have permission. This doesn't happen with the Root user but does happen with Admin accounts.

CasperSally
Valued Contributor II

I would suggest either having students save in /users/shared or even better saving work to a shared directory that is shared access for student/teacher.

We use MCX to wipe student home directories on logout - so students quickly learn if they don't save in one of these 2 places their work is lost.

talkingmoose
Moderator

My point is that I feel you're handling this issue incorrectly.

The idea behind running as an administrator is that you are still working like a Standard user but can at any time elevate your privileges. If your administrators don't know how to access files that are inaccessible to them in the GUI then they probably don't need to be administrators.

As Sally and I have said, shared folders or server shares are for allowing everyone to share files. User home folders belong to each user. As a best practice they shouldn't be made easily accessible to anyone else including administrators.

krichterjr
Contributor

We had a similar situation where we had a teacher who was an admin on the lab computers. She would log in as root to access students' folders to view their work (Video Lab Class). When we started removing admin rights from our teachers she still wanted access to the students' home folders.

We ended up running this at each login to give the teacher access. I'm no expert here but maybe this will work for you.

### Replace USER/GROUP with the actual User or Group
### Replace FOLDER with the actual FOLDER
### Add -R before the +a to make it apply to all folders already in that Folder

chmod +a "USER/GROUP allow read,list,search,add_file,add_subdirectory,delete_child,file_inherit,directory_inherit" FOLDER

Kenny
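As an added audit check (not from the thread or from Kenny's script), the snippet below parses the output of `ls -le /Users` and lists the home folders where the inheriting group ACL above is still missing, which is exactly what happens when a new AD user's home folder is created after the chmod ran. The sample listing is constructed, and the group name "teachers" is an assumption.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample output of `ls -le /Users` (not from the thread): student1
# already carries the teachers ACL, student2 is a freshly created AD home folder
# with no ACL at all, and Shared has the usual "everyone" entry.
SAMPLE_LS_LE = """\
total 0
drwxr-xr-x+ 12 student1  staff  384 Mar  3 09:12 student1
 0: group:teachers allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit
drwxr-xr-x  12 student2  staff  384 Mar  4 10:01 student2
drwxrwxrwt+  5 root      wheel  160 Jan  1 00:00 Shared
 0: group:everyone allow list,search,add_file,add_subdirectory,file_inherit,directory_inherit
"""

class AclEntry(NamedTuple):
    kind: str          # "user" or "group"
    name: str
    effect: str        # "allow" or "deny"
    perms: frozenset   # e.g. {"list", "search", "file_inherit", ...}

# One ACL line as macOS prints it: " 0: group:teachers [inherited] allow perm,perm,..."
ACL_RE = re.compile(r"^\s*\d+:\s+(user|group):(\S+)\s+(?:inherited\s+)?(allow|deny)\s+(\S+)$")

def parse_ls_le(text: str) -> Dict[str, List[AclEntry]]:
    """Map each directory in `ls -le` output to its ACL entries (empty list if none)."""
    acls: Dict[str, List[AclEntry]] = {}
    current = None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m and current is not None:
            kind, name, effect, perms = m.groups()
            acls[current].append(AclEntry(kind, name, effect, frozenset(perms.split(","))))
        elif line.startswith("d"):          # a directory mode line; last field is its name
            current = line.split()[-1]
            acls[current] = []
    return acls

# The minimum the teacher entry needs: traverse the folder and inherit to new content.
REQUIRED = frozenset({"list", "search", "file_inherit", "directory_inherit"})

def homes_missing_group_acl(text: str, group: str, skip=("Shared",)) -> List[str]:
    """Home folders where `group` has no allow entry carrying at least REQUIRED perms."""
    missing = []
    for home, entries in parse_ls_le(text).items():
        if home in skip:
            continue
        granted = any(e.kind == "group" and e.name == group and e.effect == "allow"
                      and REQUIRED <= e.perms for e in entries)
        if not granted:
            missing.append(home)
    return missing
```

Run it against real output with `ls -le /Users | python3 audit.py` style plumbing, and feed the result to whatever applies the chmod, so only the folders that actually lack the entry get touched.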

wangl2
Contributor

Thanks guys for your replies. Really appreciate it.
We have a share facility in place. But we want the student work kept local because their files are huge, usually 1 to 2 GB. We don't want 25 students editing video from the same share server at the same time. For the same reason, we only use the share drive for students to submit final work. Kids are not patient enough to upload their work to the server after every class.
So when the teacher wants to monitor their progress, he needs to log in to the local computer to check the student's work. I think for now I will ask the teacher to log in as the Root user.
Thanks Kenny for your little trick. I have to test it on Monday. But the problem with AD users is: even if you give full permission to an admin account to access users' home folders, when another new AD user logs in and creates a new home folder, it will become inaccessible to the admin again. So you have to start again with chmod.

sean
Valued Contributor

I would suggest using the admin Dropbox as a submission of work, it's kinda why it is there.

/Users/[adminusername]/Public/Drop Box/

If they drop in the local admins directory, then it isn't a copy to a server and shouldn't take long, although it would obviously be nicer to upload it to the teacher's Dropbox directly.

If a teacher wants to monitor progress, then shouldn't they be doing that with the student there, or when the student submits the work? I'd like to think a teacher wouldn't take an exercise book from a student's bag to see how they are getting on, but this is equivalent to what you are trying to achieve.

I'm with talkingmoose on this. You shouldn't really be allowing admin access to users' accounts. Get the students to submit their work.

Sean

hari286
New Contributor

Hello All,

Is there a way to (temporarily) view another user's "Notes Application" files on a MacBook Air by logging in as Administrator?

Thanks