macOS Server Network Account Permissions | Active Directory

Permissions Issues with macOS Server Network Account under Active Directory


We recently had a call from a school running a suite of iMacs on macOS Mojave 10.14.6.

As is often the case, the previous Mac consultant had retired or disappeared for some other reason. This left the client without a solution provider to manage ongoing upgrades and Mac system maintenance.

The client called us because, after a recent re-image of their base macOS system, they noticed that students could suddenly access each other’s files on the main server.

Knowing very well that a group of teenagers would very quickly find 1000 practical jokes of varying degrees of offensiveness, taking advantage of this permissions problem, we were asked to fix the issue as quickly as possible.

Findings

It turns out that all the student home folders were kept inside a single shared folder on the Windows server, which is fairly typical. The Macs were bound to Active Directory in the usual way, through System Preferences > Users & Groups > Login Options (essentially a quick setup for what would otherwise require the Directory Utility app in more complex environments).

When a student logged into the Mac with their Active Directory credentials, they would see not only their network home folder mounted on the desktop (this was auto-mounted using a login script) but would ALSO see the parent folder, containing all the other students’ home folders.

It didn’t take long to notice that a given student could access those other students’ home folders.

Active Directory binding

After some rummaging around, we noticed that the DeployStudio image being used had a checkbox relating to the Active Directory binding, which would usually only be visible in the Directory Utility app, if you were to interrogate the settings of the AD binding. The checkbox says “Use UNC path from Active Directory to derive network home location”.

With this box checked, the macOS client was retrieving the path to the parent directory of the student home folders, as defined on the AD server, and automatically mounting it. As such, any student could easily browse to other students’ home folders. Simply unticking this box on each macOS client machine stopped this behaviour.

However, this wasn’t the end of the story. It occurred to us that, even if a student couldn’t see their peers’ home folders, there must still be a permissions issue: if a student happened to know the network path to type in, which is not difficult, they could in theory still access other students’ folders, provided the underlying permissions allowed it. So, what was going on?

Further investigation

After some investigation it transpired that the IT company who managed the Active Directory infrastructure was using Group Policy restrictions to disallow Windows PC users from browsing each other’s home folders. This was working quite effectively on Windows. However, Group Policy does not apply to macOS workstations, and this was masking an underlying issue: the user home folders did not have the correct permissions set on them.

You might reasonably expect a student to own their home folder and its contents, with staff members able to read/write, but nobody else able to access it. In our case, the permissions were being inherited very erratically, such that most students could access each other’s folders due to a very open read/write permission on the parent folder. The Windows-centric IT provider was using Group Policy to prevent unauthorised access, rather than getting the core permissions right in the first place, thus masking the underlying problem.
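A PowerShell audit of that expected model (student owns the folder, a staff group has read/write, nobody else has an entry), added here as an example and not part of the original post or the IT provider’s setup. The share path, domain and group names are hypothetical, and it assumes each home folder is named after the student’s account name.

```powershell
# Added example: audit student home folders against the intended permission model.
# Hypothetical values: share path, NetBIOS domain, staff/admin group names, and the
# assumption that each home folder is named after the student's sAMAccountName.
param(
    [string]$HomesRoot = '\\FILESERVER\StudentHomes',   # hypothetical share
    [string]$Domain    = 'SCHOOL',                      # hypothetical domain
    [string[]]$Allowed = @('SCHOOL\Staff', 'SCHOOL\Domain Admins',
                           'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

# Identities that effectively mean "every user"; an Allow ACE for any of these on a
# home folder is the open parent permission the post describes.
$Broad = @('Everyone', 'NT AUTHORITY\Authenticated Users',
           "$Domain\Domain Users", "$Domain\Students")

function Test-HomeFolderAcl {
    param([System.IO.DirectoryInfo]$Dir)
    $acl    = Get-Acl -Path $Dir.FullName
    $owner  = "$Domain\$($Dir.Name)"
    $issues = @()

    if ($acl.Owner -ne $owner) {
        $issues += "owner is '$($acl.Owner)', expected '$owner'"
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') { continue }   # Deny entries only tighten
        $who = $ace.IdentityReference.Value
        if ($who -eq $owner -or $Allowed -contains $who) { continue }
        # Any other Allow entry is a finding. Inherited entries point at the parent
        # folder, which is where the erratic inheritance came from in this case.
        $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        $sev = if ($Broad -contains $who) { 'HIGH' } else { 'MEDIUM' }
        $issues += "$sev $src Allow for '$who' ($($ace.FileSystemRights))"
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Folder = $Dir.Name; Issues = ($issues -join '; ') }
    }
}

$findings = Get-ChildItem -Path $HomesRoot -Directory | ForEach-Object { Test-HomeFolderAcl $_ }
if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Host "All home folders under $HomesRoot match the expected model."
}
```

Run it from a workstation that can read the share’s ACLs; a folder that is clean on Windows only because of Group Policy will still show up here, which is exactly the gap a Mac client falls through.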

Summary

So, two points to take home here. Firstly, if you’re in a mixed macOS and Windows environment, make sure your Windows file server permissions are kosher and set correctly. Don’t rely on Group Policy to manage access restrictions in a mixed environment. If you struggle to get the permissions and inheritance formula right, you probably need to consider restructuring your folders to make your job easier. Secondly, remember that the UNC Path checkbox on macOS AD bindings will often mount the parent folder of your network homes in addition to the user’s home folder itself (depending on your specific AD setup). This may or may not be desirable behaviour, but it’s easy to control if you know how.
