Permissions issue with /Desktop folder in 10.11.6

preyman
New Contributor

Good morning, all.

I build a monolithic image each summer for deployment for the Fall and Spring semester. I am running into a critical issue a week before we go live; when an authenticated AD user tries to save a file, the Desktop & Downloads folders show no access through the straightforward saving through Finder. It requires them to navigate to Macintosh HD>Users>username>Desktop and then they are able to successfully save. While this may not seem like a big deal, the "powers that be" are hyperventilating over the thought of having the "normal" way not work.

Can anyone help me with a terminal command that might help with this permissions issue? As a backstory, I edited the System/Library/User Template/English.lproj while making the image; I disabled SIP in order to do this and now I think this is why I'm running into this issue, as SIP is a per-machine setting. I have no time to re-image 500+ machines and am in almost-full panic mode.

As a side note, I just spent a half-week with Steve Welgoss from JAMF setting up Casper and will never be making a monolithic image again!!

Thanks in advance and I hope to meet some of you in Minneapolis for the JNUC in October.

--Paul Reyman

3 REPLIES

talkingmoose
Moderator

IIRC, the User Template folder in /System/Library is exempt from SIP. I don't believe you need to disable SIP to modify this specific location.

If you're able to access Desktop and Downloads by navigating to them, but unable to access them directly, I suspect you're looking at two locations. Possibly, you have a symlink in place of an actual folder or maybe you've replaced a folder with a file with the same name.

What do you see in Terminal if you list the contents of the User Template? I see:

sudo ls -hal "/System/Library/User Template/English.lproj"
total 0
drwxr-xr-x   9 root  wheel   306B Aug 22  2015 .
drwx------  37 root  wheel   1.2K Sep 17  2015 ..
-rw-------   1 root  wheel     3B Jul 24  2007 .CFUserTextEncoding
drwx------+  3 root  wheel   102B Jul  8  2015 Desktop
drwx------+ 20 root  wheel   680B Jul  8  2015 Library
drwx------+  3 root  wheel   102B Jul  8  2015 Movies
drwx------+  3 root  wheel   102B Jul  8  2015 Music
drwx------+  3 root  wheel   102B Jul  8  2015 Pictures
drwxr-xr-x+  4 root  wheel   136B Jul  8  2015 Public
sudo ls -hal "/System/Library/User Template/Non_localized"
total 0
drwxr-xr-x   5 root  wheel   170B Sep 17  2015 .
drwx------  37 root  wheel   1.2K Sep 17  2015 ..
drwx------+  3 root  wheel   102B Jul  8  2015 Documents
drwx------+  3 root  wheel   102B Jul  8  2015 Downloads
drwx------@  9 root  wheel   306B Jul  8  2015 Library
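
The check suggested in the reply above (a symlink or a plain file sitting where a folder should be), as an added example that is not part of the original thread. The function name `audit_template` and its output format are assumptions; the folder names are the ones in the listing above.

```shell
#!/bin/sh
# Added example: report User Template entries that are not real folders.
# audit_template and its output format are hypothetical, not an Apple or Jamf tool.

# audit_template DIR NAME...
# Prints one line per NAME: "ok", "symlink -> target", "not-a-directory" or "missing".
# Returns 0 only if every NAME is a real directory.
audit_template() {
    dir=$1
    shift
    rc=0
    for name in "$@"; do
        entry="$dir/$name"
        if [ -L "$entry" ]; then
            # Test -L first: -d follows symlinks and would report a link as a folder.
            printf '%s: symlink -> %s\n' "$name" "$(readlink "$entry")"
            rc=1
        elif [ -d "$entry" ]; then
            printf '%s: ok\n' "$name"
        elif [ -e "$entry" ]; then
            printf '%s: not-a-directory\n' "$name"
            rc=1
        else
            printf '%s: missing\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Audit the real templates only when called with --run. Use sudo: the
# "User Template" directory is mode 700 and owned by root in the listing above.
if [ "${1:-}" = "--run" ]; then
    audit_template "/System/Library/User Template/English.lproj" \
        Desktop Library Movies Music Pictures Public
    audit_template "/System/Library/User Template/Non_localized" \
        Documents Downloads Library
fi
```

Any line other than `ok` points at the entry to compare against the stock listing above.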

donmontalvo
Esteemed Contributor III

@preyman wrote:

I build a monolithic image each summer for deployment for the Fall and Spring semester.

Um...monolithic image?


--
https://donmontalvo.com

rcantrell
New Contributor II

Good Morning Preyman,

I wouldn't panic yet; I used to do the same thing with user templates until 10.11 came into town. My guess is you're talking about your Dock icons and Finder links not pointing to the right folders? They have probably literally linked to your created Template User Desktop and Documents folder you copied to the English.lproj folder.

Due to this, I adopted Dockutil to set Docks in 10.11 and will for all future releases for as long as I can. There is another tool for Finder as well, I don't use it but I've heard it works well too.

Unfortunately, it sounds like you have a tight schedule. You could look into building a package with Dockutil that installs on startup along with a policy that will run a Dockutil script on login for each user. You can set the policy to run once per user per computer.

Another option would be if you could get a working Dock and Finder plist, you could have them copied to the User Template on startup. Or build a package with FUT/FET set that installs them to the user's preferences folder. There are also options to set the Dock through policy and configuration profiles.

I'm sure more people will share their expertise with you. Check this link as well; there may be some ideas in there to help you through this as well.

https://jamfnation.jamfsoftware.com/discussion.html?id=18357