Posted on 02-16-2013 07:36 AM
I'm reading through Kevin White's "OS X Support Essentials" https://itunes.apple.com/us/book/apple-pro-training-series/id575890527?mt=11. Amazingly there's always something new to learn in those books.
In Lesson 13 he talks about using resetpassword in recovery boot to open the utility and reset home folder permissions. I did some digging and think I found the tool:
sudo /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/DirectoryTools -repairPermissions appleadmin
Now I can create a policy to fix System files and home folders.
Posted on 02-16-2013 12:06 PM
I thought about getting that book for my iPad. :) Doesn't this work?
sudo chown -R username:staff /Users/username
Posted on 02-18-2013 02:35 PM
I think the above only works with local accounts, linked with AD accounts too: http://macmule.com/2013/02/18/correct-ad-users-home-mobile-home-folder-permissions/
Posted on 02-18-2013 04:17 PM
This is what we use in Self Service. The user (all AD accounts) can run the following, then reboot. After that all is good.
#!/bin/bash
# correct_home_folder_ownership_and_permissions.sh
# Correct home folder ownership and permissions
#
# Created by Knackstedt, Greg on 12/12/12.
# Copyright (c) 2012 Limited Brands, Inc. All rights reserved.
##########################
# Variables #
##########################
# Current user
CurrentUser=$(logname)
###### Paths #####
SysVol="/Volumes/System"
UserDataVol="/Volumes/User Data"
UsersFol="/Volumes/System/Users"
CurrentUserHome="$UsersFol/$CurrentUser"
######## Functions #########
# Recursively make the current user the owner of the home folder
function CorrectOwnership {
    chown -Rf "$CurrentUser" "$CurrentUserHome"
}
# Recursively set mode 755 on everything in the home folder
function CorrectPermissions {
    chmod -Rf 755 "$CurrentUserHome"
}
########## Script ###############
CorrectOwnership
CorrectPermissions
Posted on 02-19-2013 05:17 AM
@gnacks - that doesn't really reset it to the correct permissions, although it WILL work. That will give everyone read access to the ~/Library/Safari folder, as one example, or the ~/Documents/Microsoft User Data/ folder as another.
What we use to set permissions to what a fresh user copied from the user template has:
cd /Users
# Loop over every entry in /Users whose name does not contain a dot
for i in $(ls | grep -v '[.]') ; do
    if [ "$i" = "Shared" ]; then
        chmod -R 777 /Users/"$i"
        continue
    fi
    # Local admin account: owned by the local staff group
    if [ "$i" = "localadmin" ]; then
        chown -R "$i":staff /Users/"$i"
        chmod 755 /Users/"$i"
        chmod -R 700 /Users/"$i"/"AG Applications"/
        chmod -R 700 /Users/"$i"/Desktop/
        chmod -R 700 /Users/"$i"/Documents/
        chmod -R 700 /Users/"$i"/Downloads/
        chmod -R 700 /Users/"$i"/Library/
        chmod -R 700 /Users/"$i"/Movies/
        chmod -R 700 /Users/"$i"/Pictures/
        chmod 755 /Users/"$i"/Public/
        chmod -R 733 /Users/"$i"/Public/"Drop Box"/
        chmod 755 /Users/"$i"/Sites/
        chmod 644 /Users/"$i"/Sites/*
        chmod -R 755 /Users/"$i"/Sites/images/
        continue
    fi
    echo "Setting $i home folder permissions
"
    # Everyone else: owned by the user and the domain users group
    chown -R "$i":"domaindomain users" /Users/"$i"
    chmod 755 /Users/"$i"
    chmod -R 700 /Users/"$i"/"AG Applications"/
    chmod -R 700 /Users/"$i"/Desktop/
    chmod -R 700 /Users/"$i"/Documents/
    chmod -R 700 /Users/"$i"/Downloads/
    chmod -R 700 /Users/"$i"/Library/
    chmod -R 700 /Users/"$i"/Movies/
    chmod -R 700 /Users/"$i"/Pictures/
    chmod 755 /Users/"$i"/Public/
    chmod -R 733 /Users/"$i"/Public/"Drop Box"/
    chmod 755 /Users/"$i"/Sites/
    chmod 644 /Users/"$i"/Sites/*
    chmod -R 755 /Users/"$i"/Sites/images/
done
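Added example (not part of the thread and not any poster's code): a read-only audit for the exposure described above, where a recursive 755 leaves folders such as ~/Library/Safari readable by other accounts. The folder list comes from the chmod 700 lines in the script above; the function names and the sample home built by make_sample_home are constructed for illustration, and only POSIX mode bits are checked, not ACLs.

```shell
#!/bin/sh
# Added example: read-only audit of a home folder. It changes nothing.
# Folder list taken from the "chmod -R 700" lines in the thread.
PRIVATE_DIRS="Desktop Documents Downloads Library Movies Pictures"

# Print every path under the private folders of home directory $1 that
# grants any permission bit to group or other. Symlinks are skipped
# because their own mode bits say nothing about the target.
list_exposed() {
    home=$1
    for d in $PRIVATE_DIRS; do
        [ -d "$home/$d" ] || continue
        find "$home/$d" ! -type l \
            \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print
    done
}

# Number of exposed paths (tr strips the padding BSD wc adds).
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Constructed sample: a small home folder after a recursive 755,
# the state the thread warns about. File names are made up.
make_sample_home() {
    home=$1
    mkdir -p "$home/Library/Safari" "$home/Documents" "$home/Public"
    : > "$home/Library/Safari/History.plist"
    : > "$home/Documents/notes.txt"
    chmod -R 755 "$home"
}

# Usage: sh audit_home.sh /Users/someuser
if [ "$#" -gt 0 ]; then
    list_exposed "$1"
fi
```

Run it against a home folder before and after a permissions fix; an empty listing means none of the private folders grant group or other access through mode bits.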
Posted on 02-19-2013 10:00 AM
@acdesigntech Nice! Thanks for sharing :-) Def like the idea to use the same permissions as the user template.
Posted on 03-26-2013 07:19 AM
@McAdams Have you had any issues with that command since your original post? I gave it a try and I may use it going forward.
Posted on 09-19-2014 08:39 AM
@bentoms Is it necessary to apply the UserDomainPrimaryGroupID recursively? When a mobile user logs in that ownership is only set to the top level of the home folder directory. Seems like it might be a security issue?
Just trying to get my head around this, everyone seems to do it differently.
Thanks!
Posted on 10-28-2016 04:53 AM
FYI, this seems to be gone in macOS Sierra. The whole 'reset permissions and ACLs' and its underlying framework is gone. Not sure why and that leaves the question of exactly how to do this for a restored user home directory where the permissions are incorrect.
It's easy to ignore the ACL aspect of home directory permissions but you do so at your peril. ;)