I'm having some trouble with OSX setting odd permissions (Everyone/Deny/Delete) on users' folders when they log in to a Mac for the first time and I don't have enough experience with Macs to get it working properly.
Our file server and domain controller is Server 2012 R2 and we have a Mini Mac server and Mac clients connected to Active Directory in the "Golden Triangle" configuration. The home directory for users is set in AD under the home folder and points to \\fileserver\networkshare$\<username> using SMB (no AFP server). We have a couple of folder redirection GPOs for Videos/Pictures/Music/Documents that point to \\fileserver\networkshare$\username\<folder>.
What tends to happen is a user logs onto a Windows machine first and everything works fine, and then the first time they log onto a Mac machine after, it creates the Library/Spotlight etc. folders in the user folder and then applies Everyone/Deny/Delete to the user folder, not just the Library/Spotlight etc. folders, and then cannot map their directory because it cannot access it. The user will not be able to access their drive if logged onto the Windows side at this point either.
If the user logs into a Mac machine first, the folders are created correctly and only the Library, Desktop and Downloads folders get the deny permission (which seems fine). When the user logs onto Windows for the first time after, the remaining folders are created and it works... until they log onto a Mac machine again and then all the child folders of the user folder get the deny permission (but not the user folder like before).
As far as I can tell it's normal for OSX to apply the Everyone/Deny/Delete permission to protect the user folders being accessed by other users but something is conflicting with Windows and I can't quite figure out what. Maybe there's a best practice folder structure I don't know about or a setting somewhere but I think my lack of OSX knowledge is limiting me.
0 Answers