
Fixing permissions after changing directory services

In my travels, an issue I’ve occasionally dealt with has been moving Macs between directory services. In some cases, this meant between AD domains. In others, moving a Mac from an AD domain to an OpenLDAP server. In each case, as part of the process, the UID of the user’s account changed from the UID associated with the old directory service to the UID associated with the new directory service.

File and folder ownership on OS X is stored as a numeric UID, not a username, so files and folders that were created and saved by the old account may now be either inaccessible or read-only to the user. You can repair this by using the Unix find command to locate files and folders still owned by the old account's UID and then changing their ownership so that they belong to the new account. For details, see below the jump.

Locating the old account’s UID

This can be done a variety of ways, but one way is to run this command:

/usr/bin/find / -nouser -ls

The -nouser test matches files and folders whose owner UID does not correspond to any account the Mac can currently resolve, which is exactly the state the old account's files are left in after the directory service changes. One caveat: if another account has since been created with the old UID, those files will resolve to that account and -nouser will not flag them; in that case, compare the numeric owner shown by ls -ln against the UID you expect.

If you want to ensure that you’re only scanning drives that are using HFS or HFS+ filesystems, which would be the case for most direct attached storage, check to see which file systems are attached using the lsvfs command.

This tool lists the filesystem types currently loaded on your Mac and, in its Refs column, how many mounts use each type, which tells you what kinds of filesystems are mounted. HFS+ filesystems are reported by lsvfs as hfs.

[Screenshot: lsvfs output]

In this case, you can see that I have four hfs filesystems. This corresponds to the four hard drives that I have in this particular Mac.

Once you have the filesystems identified, you can use them with the find command. For example, to use the find command above only on disks using HFS+ for their filesystem, run the following command:

/usr/bin/find / -nouser \( -fstype hfs \) -ls

This will restrict your search to local HFS+ volumes and prevent it from trying to scan network storage. On Macs whose volumes have since been converted to APFS, lsvfs reports those volumes as apfs, so substitute -fstype apfs.

Searching globally can take a while, depending on how much data needs to be checked. If you want to check a particular directory where you know the old user account stored files, run the following command:

/usr/bin/find /path/to/location -nouser -ls

As an example, you can run the following command to check /Library/WebServer/Documents:

/usr/bin/find /Library/WebServer/Documents -nouser -ls

[Screenshot: find -nouser -ls output for /Library/WebServer/Documents]

Because -ls prints owners by name, an owner that no longer resolves is shown as the raw number instead, so the old UID appears as a string of digits in the ownership column of the affected files and folders.

Fixing permissions

Once you have the old account’s UID identified, run the following command:

sudo /usr/bin/find / -uid old_uid_number_here -exec chown username {} \;

This will search the Mac's hard drive and update the ownership on all files and folders from the old account's UID to the new account. Note that chown with a bare username changes only the owning user; if the account's primary group ID also changed, use the username:groupname form so the group is corrected in the same pass. For example, if the old account's UID was 222214203 and the new username is troutont, you would run the following command:

sudo /usr/bin/find / -uid 222214203 -exec chown troutont {} \;

As noted previously, this search may take a while to run depending on how much data is stored on the machine.

NOTE: You may receive some "Not a directory" or "Operation not permitted" errors. Those errors can usually be ignored, as it may not be possible to change the ownership on some special file types. Also be aware that chown follows symbolic links by default, so a symlink owned by the old UID causes chown to re-own whatever the link points to rather than the link itself; if the tree you are fixing contains symlinks, add -h to the chown command so only the link is changed.

[Screenshot: find -uid ... -exec chown output with "Operation not permitted" errors]

If you want to restrict the permissions update by filesystem, you can use the -fstype flag with find to specify only certain filesystems. If you wanted to update permissions on HFS+ filesystems, you can run the following command:

sudo /usr/bin/find / \( -fstype hfs \) -uid old_uid_number_here -exec chown username {} \;

[Screenshot: find with -fstype hfs re-owning files]
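The locate-and-fix steps above, plus the verification step that follows, collected into one script. This is an added example, not code from the original post: it assumes you run it as root on the Mac being fixed, that OLD_UID and NEW_USER are placeholders you fill in, and it adds three things the one-liners above leave out: -xdev so the walk stays on the volume it started on (the same effect as the -fstype filter, without naming the filesystem type), -h on chown so symlinks are re-owned rather than their targets, and a dry-run mode so you can see what would change before changing it.

```sh
#!/bin/sh
# Added example (not from the original post): re-own files left behind by an
# old directory-service UID. Assumes root for the real chown; OLD_UID and
# NEW_USER below are placeholders. Uses only find/chown options present on
# both macOS (BSD) and Linux (GNU) so it can be tested off the Mac too.

# List everything under $1 whose owner UID resolves to no known account.
# This is the "Locating the old account's UID" step.
orphaned_files() {
    find "$1" -xdev -nouser -print 2>/dev/null
}

# Count entries under $1 owned by numeric UID $2. Run it before the fix to
# size the job and after the fix with the old UID to confirm nothing is left.
count_owned_by() {
    find "$1" -xdev -uid "$2" -print 2>/dev/null | wc -l | tr -d ' '
}

# Re-own everything under $1 from UID $2 to user $3 (use user:group as $3 if
# the primary group changed as well). Pass "dry" as $4 to only list paths.
#   -xdev     : stay on the filesystem that $1 lives on (no network mounts)
#   chown -h  : change the symlink itself, never the file it points at
#   {} +      : batch many paths into one chown instead of one per file
reown() {
    dir=$1; old_uid=$2; new_user=$3; mode=${4:-apply}
    if [ "$mode" = dry ]; then
        find "$dir" -xdev -uid "$old_uid" -print
    else
        find "$dir" -xdev -uid "$old_uid" -exec chown -h "$new_user" {} +
    fi
}

# Usage (placeholders; run as root):
#   orphaned_files /Users/troutont            # what does -nouser flag?
#   count_owned_by /Users/troutont OLD_UID    # how much work is there?
#   reown /Users/troutont OLD_UID NEW_USER dry
#   reown /Users/troutont OLD_UID NEW_USER
#   count_owned_by /Users/troutont OLD_UID    # should print 0 afterwards
```

Running count_owned_by with the old UID after the fix is a stronger check than eyeballing ls -al in one folder: a result of 0 means no file on that volume still carries the old numeric owner.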

Checking permissions

You can verify that the permissions have been updated in a particular location by running the following command:

ls -al /path/to/location

[Screenshot: ls -al output showing the new owner]

The files and folders should now appear as being owned by the new account.

  1. mh
    December 7, 2013 at 10:09 am

    Keep in mind you will also get 'Operation not permitted' errors on locked files; ultimately requiring unlocking, changing ownership, re-locking. The find -flags uchg is useful in locating these.

  2. July 24, 2014 at 11:40 pm

    A wee script to do this for each and every file on the system would be nice.
    I have an Apple file server with lots of set ACLs, and I wish to migrate from OD to AD. I've been syncing my users in OD from an external database and will use the same database to create my AD users. I wish to simply stop using OD as my LDAP server and use AD, but then I have the file server, the ACLs and each person's laptop to contend with.
    Is there another way of adding the user's Apple user ID or GeneratedUID to the AD records?
