Posted on 10-11-2012 02:26 PM
Hi All,
We're starting to partition our Macs so that one third is a SYSTEM partition and two thirds is a USERS partition.
Post imaging, I'd like to correct the permissions on all the user accounts present.
I've done most of the script (below), but I think I'm setting the permissions wrong — what would the correct settings be?
#!/bin/sh
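# Get the Active Directory node name that the "Domain Users" group lives in.
# The record path contains a space, so it has to be passed as ONE quoted
# argument: unquoted, dscl receives "/Groups/Domain" as the record and
# "Users" as an attribute key, and the lookup fails. dscl prints a value
# that contains spaces on the line AFTER its key, indented by one space --
# that is why the second line of the AppleMetaNodeLocation block is taken
# and its leading space stripped (this assumes the node path has a space in
# it, e.g. "/Active Directory/...").
adNodeName=$(dscl /Search -read "/Groups/Domain Users" | awk '/^AppleMetaNodeLocation:/,/^AppleMetaRecordName:/' | head -2 | tail -1 | cut -c 2-)
# Get the numeric ID of the Domain Users group. Anchoring on the key name
# means an attribute that merely contains the text "PrimaryGroupID" cannot
# match; an empty result means the AD lookup failed.
domainUsersPrimaryGroupID=$(dscl /Search -read "/Groups/Domain Users" | awk '/^PrimaryGroupID:/ { print $2 }')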
# Gets the unique ID of the Users account locally, if that fails performs a lookup
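# Resolve the numeric UniqueID of account $1 into the global accountUniqueID.
# The local directory node is queried first; if nothing comes back, the
# Active Directory node named in adNodeName (set at the top of the script)
# is asked. accountUniqueID is left empty when neither node knows the account.
# Arguments: $1 - short name of the account (the folder name under /Users)
# Globals:   adNodeName (read), accountUniqueID (written)
uniqueID ()
{
    # Stderr is discarded on purpose: dscl complains loudly for an unknown
    # record and that is an expected outcome here. The original redirected
    # to "dev/null" (no leading slash), which either failed or created a
    # relative file and made every lookup come back empty. Anchoring on
    # "^UniqueID:" and taking the second field is also safer than cutting at
    # a fixed column.
    accountUniqueID=$(dscl . -read "/Users/$1" UniqueID 2>/dev/null | awk '/^UniqueID:/ { print $2 }')
    # If no value was received locally, try the domain node instead
    if [ -z "$accountUniqueID" ]; then
        echo "Account is not on this mac..."
        # Only ask AD when the node name was actually resolved; an empty node
        # name would just produce another dscl error.
        if [ -n "$adNodeName" ]; then
            accountUniqueID=$(dscl "$adNodeName" -read "/Users/$1" UniqueID 2>/dev/null | awk '/^UniqueID:/ { print $2 }')
        fi
    fi
}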
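# Walk every home folder under /Users and reset ownership and permissions.
# A glob replaces the `ls` parsing of the original: each entry comes back as
# one word even when the name contains spaces, so no IFS tricks are needed
# and every path expansion below can simply be quoted. (Hidden entries are
# skipped, exactly as `ls` skipped them.)
for homeDir in /Users/*/; do
    # Strip the trailing slash and the /Users/ prefix to get the folder name.
    # The folder name is assumed to be the account's short name for the
    # directory lookup -- confirm that holds for your AD home-folder naming.
    homeDir=${homeDir%/}
    userFolders=${homeDir##*/}
    # Skip the shared folder (any name containing "Shared", as `grep -v` did)
    case "$userFolders" in
        *Shared*) continue ;;
    esac
    # Never recurse through a symlink: chown/chmod -R on a link target would
    # rewrite ownership and modes somewhere outside /Users.
    if [ -L "$homeDir" ]; then
        echo "/Users/$userFolders is a symlink... skipping.."
        continue
    fi
    [ -d "$homeDir" ] || continue
    # Report the folder name found in /Users/
    echo "$userFolders..."
    # Folders with a Desktop are assumed to be home folders; skip the rest
    if [ ! -d "$homeDir/Desktop" ]; then
        echo "No Desktop folder in /Users/$userFolders/.. assuming not a Home Folder... skipping.."
        continue
    fi
    # Resolve the account's numeric ID (local node first, then AD)
    uniqueID "$userFolders"
    echo "User $userFolders's UniqueID = $accountUniqueID..."
    if [ -z "$accountUniqueID" ]; then
        echo "Account is not local & cannot be found on $adNodeName... skipping..."
        echo ""
        continue
    fi
    # The ID is used as a chown target and in a numeric comparison: refuse
    # anything that is not a plain integer instead of feeding it to chown.
    case "$accountUniqueID" in
        *[!0-9]*)
            echo "UniqueID '$accountUniqueID' for $userFolders is not numeric... skipping..."
            echo ""
            continue ;;
    esac
    # NOTE(review): stripping every ACL also drops the "everyone deny delete"
    # entries a stock macOS home carries on its standard folders (Desktop,
    # Documents, ...). That is a deliberate reset here; re-add them afterwards
    # if you rely on them -- confirm against a freshly created account.
    echo "Removing all ACL's from /Users/$userFolders/ Account..."
    sudo chmod -R -N "$homeDir"
    # Ownership: local accounts (UID below 1000) get the staff group, domain
    # accounts the Domain Users group. Both branches recurse; the original
    # only chowned the top-level folder for domain accounts, which left every
    # file inside owned by whoever created it on the old image.
    if [ "$accountUniqueID" -lt 1000 ]; then
        echo "$accountUniqueID is a local account..."
        echo "As local account, setting Owners to $accountUniqueID:staff..."
        sudo chown -R "$accountUniqueID:staff" "$homeDir"
    else
        echo "User $userFolders is a Domain account..."
        if [ -n "$domainUsersPrimaryGroupID" ]; then
            echo "As domain account, setting Owners to $accountUniqueID:$domainUsersPrimaryGroupID..."
            echo "$domainUsersPrimaryGroupID is the ID for the Domain Users group..."
            sudo chown -R "$accountUniqueID:$domainUsersPrimaryGroupID" "$homeDir"
        else
            # The group lookup at the top of the script came back empty: fix
            # the owner only rather than hand chown an empty group.
            echo "Domain Users group ID unknown, setting Owner only to $accountUniqueID..."
            sudo chown -R "$accountUniqueID" "$homeDir"
        fi
    fi
    # Owner-only on everything. Symbolic "X" keeps directories searchable but
    # leaves the execute bit alone on regular files; the original numeric 700
    # marked every document in the home as executable.
    echo "Setting rwx permission for Owner, None for Everyone for everything under /Users/$userFolders/..."
    sudo chmod -R u=rwX,go= "$homeDir"
    # The home folder itself stays world-searchable (755), as on a stock Mac,
    # so that Public, Sites and the Drop Box can be reached at all.
    echo "Setting rwxr-xr-x permission for Owner, Read for Everyone for /Users/$userFolders..."
    sudo chmod u=rwx,go=rx "$homeDir"
    # Public: readable by everyone (directories 755, files 644)
    if [ -d "$homeDir/Public" ]; then
        echo "Public folder found, setting Read only access for Everyone to /Users/$userFolders/Public/..."
        sudo chmod -R u=rwX,go=rX "$homeDir/Public"
        # Drop Box: everyone may write INTO the directory but not list it.
        # Only the directory gets go=wx; whatever is already inside goes back
        # to owner-only, because a recursive 733 (the original) would let any
        # user overwrite what someone else dropped. The path has a space, so
        # it must be quoted -- unquoted, the original test never matched and
        # the chmod would have hit "Drop" and a relative "Box/".
        dropBox="$homeDir/Public/Drop Box"
        if [ -d "$dropBox" ]; then
            echo "Drop Box folder found, setting Write only access for Everyone to /Users/$userFolders/Public/Drop Box/..."
            sudo chmod -R u=rwX,go= "$dropBox"
            sudo chmod u=rwx,go=wx "$dropBox"
        fi
    else
        # Notify if not found
        echo "Public folder not found @ /Users/$userFolders/Public/..."
    fi
    # Sites: readable by everyone (the original pointed this branch at
    # Public by mistake and never touched Sites)
    if [ -d "$homeDir/Sites" ]; then
        echo "Sites folder found, setting Read only access for Everyone to /Users/$userFolders/Sites/..."
        sudo chmod -R u=rwX,go=rX "$homeDir/Sites"
    else
        # Notify if not found
        echo "Sites folder not found @ /Users/$userFolders/Sites/..."
    fi
    # Blank line between accounts makes the output easier to read
    echo ""
done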