reset home folder permissions

McAdams
New Contributor III

I'm reading through Kevin White's "OS X Support Essentials" https://itunes.apple.com/us/book/apple-pro-training-series/id575890527?mt=11. Amazingly there's always something new to learn in those books.

In Lesson 13 he talks about using resetpassword in recovery boot to open the utility and reset home folder permissions. I did some digging and think I found the tool:

sudo /System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/DirectoryTools -repairPermissions appleadmin

Now I can create a policy to fix System files and home folders.

8 REPLIES

donmontalvo
Esteemed Contributor II

I thought about getting that book for my iPad. 🙂 Doesn't this work?

sudo chown -R username:staff /Users/username
--
https://donmontalvo.com

bentoms
Honored Contributor III

I think the above only works with local accounts, linked with AD accounts too: http://macmule.com/2013/02/18/correct-ad-users-home-mobile-home-folder-permissions/

gknacks
New Contributor

This is what we use in Self Service. The user (all AD accounts) can run the following, then reboot. After that all is good.

#!/bin/sh

#  correct_home_folder_ownership_and_permissions.sh
#  Correct home folder ownership and permissions
#
#  Created by Knackstedt, Greg on 12/12/12.
#  Copyright (c) 2012 Limited Brands, Inc. All rights reserved.

##########################
#       Variables        #
##########################
# Current user (the login name of the person running the policy)
CurrentUser=$(logname)


###### Paths #####
# Plain string variables; /bin/sh has no arrays
SysVol="/Volumes/System"
UserDataVol="/Volumes/User Data"
UsersFol="/Volumes/System/Users"
CurrentUserHome="$UsersFol/$CurrentUser"

######## Functions #########

# Make the current user the owner of everything in the home folder
CorrectOwnership() {
chown -Rf "$CurrentUser" "$CurrentUserHome"
}

# Set mode 755 on every file and folder in the home folder
CorrectPermissions() {
chmod -Rf 755 "$CurrentUserHome"
}

########## Script ###############
CorrectOwnership
CorrectPermissions

acdesigntech
Contributor II

@gknacks - that doesn't really reset it to the correct permissions, although it WILL work. That will give everyone read access to the ~/Library/Safari folder, as one example, or the ~/Documents/Microsoft User Data/ folder as another.

What we use to set permissions to what a fresh user copied from the user template has:

cd /Users || exit 1

  # Loop over every entry in /Users whose name contains no dot
  for i in $(ls | grep -v '[.]') ; do

    # Shared stays open to everyone
    if [ "$i" = "Shared" ]; then
        chmod -R 777 "/Users/$i"
        continue
    fi
    # Local admin account: same modes as below, owned by the local staff group
    if [ "$i" = "localadmin" ]; then
        chown -R "$i":staff "/Users/$i"
        chmod 755 "/Users/$i"
        chmod -R 700 "/Users/$i/AG Applications/"
        chmod -R 700 "/Users/$i/Desktop/"
        chmod -R 700 "/Users/$i/Documents/"
        chmod -R 700 "/Users/$i/Downloads/"
        chmod -R 700 "/Users/$i/Library/"
        chmod -R 700 "/Users/$i/Movies/"
        chmod -R 700 "/Users/$i/Pictures/"
        chmod 755 "/Users/$i/Public/"
        chmod -R 733 "/Users/$i/Public/Drop Box/"
        chmod 755 "/Users/$i/Sites/"
        chmod 644 "/Users/$i/Sites/"*
        chmod -R 755 "/Users/$i/Sites/images/"
        continue
    fi

    echo "Setting $i home folder permissions"
    echo ""

    # Everyone else: owned by the user and the domain users group
    chown -R "$i":"domaindomain users" "/Users/$i"
    chmod 755 "/Users/$i"
    # Private folders: owner only
    chmod -R 700 "/Users/$i/AG Applications/"
    chmod -R 700 "/Users/$i/Desktop/"
    chmod -R 700 "/Users/$i/Documents/"
    chmod -R 700 "/Users/$i/Downloads/"
    chmod -R 700 "/Users/$i/Library/"
    chmod -R 700 "/Users/$i/Movies/"
    chmod -R 700 "/Users/$i/Pictures/"
    # Public is readable by others; Drop Box is write-only for others
    chmod 755 "/Users/$i/Public/"
    chmod -R 733 "/Users/$i/Public/Drop Box/"
    chmod 755 "/Users/$i/Sites/"
    chmod 644 "/Users/$i/Sites/"*
    chmod -R 755 "/Users/$i/Sites/images/"

  done
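
An audit-only check for the exposure described in the post above, added here as an example and not code from any poster in this thread: it lists items under the folders that script sets to 700 which still carry any group or other permission bit. The function names and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit, it changes no ownership or modes.

# Folders the post above sets to 700 recursively (standard home subfolders).
PRIVATE_DIRS="Desktop Documents Downloads Library Movies Pictures"

# Print every file or folder under a private subfolder of the given home
# that has any group or other permission bit set.
# Only POSIX find syntax is used (-perm -mode means "all these bits set"),
# so it behaves the same with BSD find on macOS and GNU find.
list_exposed() {
    home=$1
    for sub in $PRIVATE_DIRS; do
        [ -d "$home/$sub" ] || continue
        # Symlinks are skipped: their own mode bits are not enforced.
        find "$home/$sub" ! -type l \( \
            -perm -040 -o -perm -020 -o -perm -010 -o \
            -perm -004 -o -perm -002 -o -perm -001 \) -print
    done
}

# Number of exposed items; 0 means the private folders are owner-only.
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not real user data) for trying the audit.
make_sample_home() {
    h=$(mktemp -d) || return 1
    mkdir -p "$h/Library/Safari" "$h/Documents" "$h/Public"
    : > "$h/Library/Safari/History.db"
    : > "$h/Documents/notes.txt"
    echo "$h"
}

# When called with a home folder path, print its exposed items.
if [ -n "${1:-}" ]; then
    list_exposed "$1"
fi
```

On the sample tree, a recursive `chmod 755` leaves every item under Library and Documents listed, while the 700 layout leaves none; Public is deliberately not checked.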

gknacks
New Contributor

@acdesigntech Nice! Thanks for sharing 🙂 Def like the idea to use the same permissions as the user template.

sgrall-pfg
Contributor

@McAdams Have you had any issues with that command since your original post? I gave it a try and I may use it going forward.

spraguga
Contributor

@bentoms Is it necessary to apply the UserDomainPrimaryGroupID recursively? When a mobile user logs in that ownership is only set to the top level of the home folder directory. Seems like it might be a security issue?

Just trying to get my head around this, everyone seems to do it differently.

Thanks!

endor-moon
Contributor II

FYI, this seems to be gone in macOS Sierra. The whole 'reset permissions and ACLs' and its underlying framework is gone. Not sure why and that leaves the question of exactly how to do this for a restored user home directory where the permissions are incorrect.

It's easy to ignore the ACL aspect of home directory permissions but you do so at your peril. 😉