Home > Mac administration, Mac OS X, Unix > Fixing permissions after changing directory services

Fixing permissions after changing directory services

In my travels, an issue I’ve occasionally dealt with has been moving Macs between directory services. In some cases, this meant between AD domains. In others, moving a Mac from an AD domain to an OpenLDAP server. In each case, as part of the process, the UID of the user’s account changed from the UID associated with the old directory service to the UID associated with the new directory service.

File and folder ownership on OS X is associated with UIDs, so files and folders that were created and saved by the old account may now be either inaccessible or read-only. You can update the ownership by using the Unix find command to locate files and folders owned by the old account’s UID and change the permissions so that the file or folder is now owned by the new account. For details, see below the jump.

Locating the old account’s UID

This can be done a variety of ways, but one way is to run this command:

/usr/bin/find / -nouser -ls

This find command with the -nouser flag should display any files that have no associated user account that are on a filesystem associated with your Mac.

If you want to ensure that you’re only scanning drives that are using HFS or HFS+ filesystems, which would be the case for most direct attached storage, check to see which file systems are attached using the lsvfs command.

This tool shows you the filesystem modules that are loaded on your Mac, which tells you which filesystems are mounted. In the case of HFS+ filesystems, lsvfs displays them as hfs.

Screen Shot 2013-11-20 at 4.32.38 PM

In this case, you can see that I have four hfs filesystems. This corresponds to the four hard drives that I have in this particular Mac.

Once you have the filesystems identified, you can use them with the find command. For example, to use the find command above only on disks using HFS+ for their filesystem, run the following command:

/usr/bin/find / -nouser \( -fstype hfs \) -ls

This will restrict your search and prevent it from trying to scan network storage.
Searching globally can take a while, depending on how much data needs to be checked. If you want to check a particular directory where you know the old user account stored files, run the following command:

/usr/bin/find /path/to/location -nouser -ls

As an example, you can run the following command to check /Library/WebServer/Documents:

/usr/bin/find /Library/WebServer/Documents -nouser -ls

Screen Shot 2013-11-20 at 11.01.23 AM

The old UID should appear as a string of numbers in the ownership column of the affected file / folders.

Fixing permissions

Once you have the old account’s UID identified, run the following command:

sudo /usr/bin/find / -uid old_uid_number_here -exec chown username {} \;

This will search the Mac’s hard drive and update the ownership on all files and folders from the old account’s UID to the customer’s new account. For example, if the old account’s UID was 222214203 and the new username is troutont, you would run the following command:

sudo /usr/bin/find / -uid 222214203 -exec chown troutont {} \;

As noted previously, this search may take a while to run depending on how much data is stored on the machine.

NOTE: You may receive some Not a directory or Operation not permitted errors. Those errors can usually be ignored as it may not be possible to change the ownership on some special file types.

Screen Shot 2013-11-20 at 11.32.34 AM

If you want to restrict the permissions update by filesystem, you can use the -fstype flag with find to specify only certain filesystems. If you wanted to update permissions on HFS+ filesystems, you can run the following command:

sudo /usr/bin/find / \( -fstype hfs \) -uid old_uid_number_here -exec chown username {} \;

Screen Shot 2013-11-20 at 4.56.06 PM

Checking permissions

You can verify that the permissions have been updated in a particular location by running the following command:

ls -al /path/to/location

Screen Shot 2013-11-20 at 11.32.20 AM

The files and folders should now appear as being owned by the new account.

  1. mh
    December 7, 2013 at 10:09 am

    keep in mind you will also get ‘Operation not permitted’ errors on locked files; ultimately requiring unlocking, changing ownership, re-locking. The find -flags uchg is useful is locating these.

  2. July 24, 2014 at 11:40 pm

    a wee script do this this for each and every file on the system would be nice.
    i have an apple file server – with lots of set ACLs, and i wish to migrate from OD to AD. i’ve been syncing my users in OD from an external database – and will use the same database to create my AD users. i wish to simply stop using OD as my LDAP server and use AD but then i have the file server, the ACLs and each person’s laptop to contend with.
    is there another way of adding the user’s apple user ID or GeneratedUID to the AD records?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: