macOS Server Network Account Permissions | Active Directory

Permissions Issues with macOS Server Network Account under Active Directory

We recently had a call from a school running a suite of iMacs on macOS Mojave 10.14.6.

As is often the case, the previous Mac consultant had retired or disappeared for some other reason. This left the client without a solution provider to manage ongoing upgrades and Mac system maintenance.

The client called us because, after a recent re-image of their base macOS system, they noticed that students could suddenly access each other’s files on the main server.

Knowing very well that a group of teenagers would very quickly find 1000 practical jokes of varying degrees of offensiveness to play using this permissions problem, we were asked to fix the issue as quickly as possible.

Findings

It turns out that all the student home folders were kept inside a single shared folder on the Windows server, which is fairly typical. The Macs were bound to Active Directory in the usual way, through System Preferences > Users & Groups > Login Options (essentially a quick setup; more complex environments would otherwise need the Directory Utility app).

When a student logged into the Mac with their Active Directory credentials, they would see not only their own network home folder mounted on the desktop (auto-mounted by a login script) but ALSO the parent folder, containing all the other students’ home folders.

It didn’t take long to notice that a given student could access those other students’ home folders.

Active Directory binding

After some rummaging around, we noticed that the DeployStudio image being used had a checkbox relating to the Active Directory binding, one that would usually only be visible if you interrogated the settings of the AD binding in the Directory Utility app. The checkbox says “Use UNC path from Active Directory to derive network home location”.

With this box checked, the macOS client was retrieving a path to the parent directory of the student home folders, as defined on the AD server, and automatically mounting it. As such, any student could easily browse to other students’ home folders. Simply unticking this box on each of the macOS client machines stopped this behaviour.
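The same check and fix from the command line on a bound Mac, as an added example (not code from the original post): the script parses the advanced options that `dsconfigad -show` prints and, when asked, turns the option off with `dsconfigad -useuncpath disable`. The sample output it parses is constructed, and the exact label text dsconfigad prints for this option is assumed, so the match is on the words "unc path" only.

```shell
#!/bin/sh
# Added example (not from the original post): read the AD binding's
# advanced options and report whether the "Use UNC path from Active
# Directory to derive network home location" option is still on.
# The dsconfigad -show text below is a constructed sample; the exact
# label wording is assumed, so the match is on "unc path" only.
SAMPLE_DSCONFIGAD_SHOW='Active Directory Forest          = school.example
Active Directory Domain          = school.example
Computer Account                 = imac-lab-01$

Advanced Options - User Experience
  Create mobile account at login = Disabled
     Require confirmation        = Enabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Enabled
  Use Windows UNC path for home  = Enabled
  Network protocol to be used    = smb
  Default user Shell             = /bin/bash'

# unc_path_state: reads dsconfigad -show output on stdin and prints
# "enabled", "disabled" or "unknown" (option line not found).
unc_path_state() {
    awk '
        tolower($0) ~ /unc path/ {
            split($0, kv, "=")
            v = tolower(kv[2]); gsub(/[ \t\r]/, "", v)
            print v; found = 1; exit
        }
        END { if (!found) print "unknown" }
    '
}

# check_live_binding: on a bound Mac, show the live state and, with
# "fix" as the first argument, turn the option off (needs admin rights).
# This is the per-client equivalent of unticking the Directory Utility box.
check_live_binding() {
    if ! command -v dsconfigad >/dev/null 2>&1; then
        echo "dsconfigad not found: run this on the macOS client" >&2
        return 2
    fi
    state=$(dsconfigad -show | unc_path_state)
    echo "UNC path option: $state"
    if [ "$state" = enabled ] && [ "${1:-}" = fix ]; then
        sudo dsconfigad -useuncpath disable
    fi
}

echo "constructed sample: UNC path option $(printf '%s\n' "$SAMPLE_DSCONFIGAD_SHOW" | unc_path_state)"
```

On a real client run `check_live_binding` to see the live state, or `check_live_binding fix` to disable the option in one go; a later `dsconfigad -show` confirms the change.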

However, this wasn’t the end of the story. It occurred to us that even if students could no longer see their peers’ home folders, there must still be a permissions issue: if a student happened to know the network path to type in (not too difficult), they could in theory still access other students’ folders, provided the permissions allowed it. So, what was going on?

Further investigation

After some investigation it transpired that the IT company managing the Active Directory infrastructure was using Group Policy restrictions to stop Windows PC users from browsing each other’s home folders. This was working quite effectively on Windows. However, Group Policy does not apply to macOS workstations, and this was masking an underlying issue: the user home folders did not have the correct permissions set on them.

You might reasonably expect a student to own their home folder and its contents, with staff members able to read/write but nobody else able to access it. In our case, the permissions were being inherited very erratically, such that most students could access each other’s folders because of a very open read/write permission on the parent folder. The Windows-centric IT provider was using Group Policy to prevent unauthorised access rather than getting the core permissions right in the first place, thus masking the underlying problem.
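To surface that underlying problem from the Mac side, an added example (not from the original post) that audits the mounted parent folder of the network homes and each home folder beneath it for access by the group or by everyone. The share path and the test layout it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): from a Mac with the homes
# share mounted, audit the parent folder and every home folder under it
# for access by group or "others". Only the mode bits the SMB mount exposes
# are inspected, so this is the client-side view of the server's NTFS ACLs:
# a clean result here is necessary, not sufficient; the ACLs still need
# checking on the server. The mount path is an assumption.

# mode_of: the nine permission characters of a path (e.g. rwxr-x---),
# taken from ls so it behaves the same on macOS and Linux.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# audit_homes PARENT: print "<path> <mode> ok|OPEN: <flags>" for PARENT and
# each immediate subfolder. "others" = anyone can list/read/enter the
# folder; "group-write" = the whole group (often every domain user) can write.
audit_homes() {
    parent=${1%/}
    for d in "$parent" "$parent"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        m=$(mode_of "$d")
        grp=$(printf '%s' "$m" | cut -c4-6)
        oth=$(printf '%s' "$m" | cut -c7-9)
        flags=
        case "$oth" in *[rwx]*) flags="$flags others" ;; esac
        case "$grp" in *w*)     flags="$flags group-write" ;; esac
        if [ -n "$flags" ]; then echo "$d $m OPEN:$flags"; else echo "$d $m ok"; fi
    done
}

# Constructed layout standing in for the real share (e.g. /Volumes/Homes):
# one private home, one group-writable, one world-readable, all under a
# parent that everyone can read and write (the situation described above).
demo=$(mktemp -d)
mkdir "$demo/alice" "$demo/bob" "$demo/carol"
chmod 700 "$demo/alice"; chmod 770 "$demo/bob"; chmod 755 "$demo/carol"
chmod 777 "$demo"
audit_homes "$demo"
rm -rf "$demo"
```

Run `audit_homes /Volumes/Homes` (or wherever the parent share is mounted) while logged in as a test student account; any line marked OPEN is a folder that account can at least browse, regardless of what Group Policy does on the Windows PCs.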

Summary

So, two points to take home here. Firstly, if you’re in a mixed macOS and Windows environment, make sure your Windows file server permissions are kosher and set correctly. Don’t rely on Group Policy to manage access restrictions in a mixed environment. If you struggle to get the permissions and inheritance formula right, you probably need to consider restructuring your folders to make your job easier. Secondly, remember that the UNC Path checkbox on macOS bindings will often mount the parent folder of your network homes in addition to the user’s home folder itself (depending on your specific AD setup). This may or may not be desirable behaviour, but it’s easy to control if you know how.
