Important: To use delegation, you and your delegate must have a Microsoft Exchange account.

On the Tools menu, click Accounts. Click the account that you want to add a delegate to, click Advanced, and then click Delegates. Under Delegates who can act on my behalf, click Add. Type the name of the person that you want to add as a delegate. Click the delegate's name in the search results list, and then click Add. In the Permissions box, select the permission level that you want to set for the delegate for each item type.

Note: Before a delegate can access your items, he or she must add you to the People I am a delegate for list in his or her Microsoft Exchange account. For information about how to become a delegate for someone else, see.

Manage delegate permissions for multiple item types

On the Tools menu, click Accounts. Click the account for which you want to change permissions, click Advanced, and then click Delegates. Under Delegates who can act on my behalf, click the delegate. Click the Action button, click Set Permissions, and then make the changes that you want.

Note: If you set the permission level to None, the delegate remains on the list, which allows you to quickly reinstate permissions later.

Manage delegate permissions for a single folder

In the navigation pane, click the folder that you want to change. On the Organize tab: In Calendar, click Calendar Permissions. In Mail or People, click Folder Permissions. Click the name of the person for which you want to change the permissions. In the Permission Level list, choose the access level that you want. Individual permission levels are automatically filled in below based on your selection in the list. To customize the user's permission levels, select or clear the check boxes under Read, Write, Delete, and Other.

Important: To use delegation, you and your delegate must have a Microsoft Exchange account.

On the Tools menu, click Accounts. Click the account that you want to add a delegate to, click Advanced, and then click the Delegates tab. Under Delegates who can act on my behalf, click Add. Type the name of the person that you want to add as a delegate, and then click Find. Click the delegate's name, and then click OK. For each item type, use the pop-up menu to select the permission level that you want to set for the delegate.
To change the file permissions on a file, you need to specify the category (User, Group, Others, or all three), the type of operation (e.g. add permissions, delete permissions, clear permissions, or use the defaults), and the permissions themselves (read, write, or execute).
For more information about the permission levels for delegates, see.

Note: Before a delegate can access your items, he or she must add you to the People I am a delegate for list in his or her Microsoft Exchange account.

Manage delegate permissions for multiple item types

On the Tools menu, click Accounts. Click the account that you want to change permissions for, click Advanced, and then click the Delegates tab. Under Delegates who can act on my behalf, click the delegate. Click the Action button, click Set Permissions, and then make the changes that you want.

Note: If you set the permission level to None, the delegate remains on the list, which allows you to quickly reinstate permissions later. For information about the permission levels, see.

Manage delegate permissions for a single folder

In the navigation pane, click the folder that you want to change. On the Organize tab, click Permissions. Click the name of the person that you want to change the permissions for. On the Permission Level pop-up menu, click the access level that you want. To customize the permission levels, select the check boxes for the items that you want, and then under Edit Items and Delete Items, click the permission level that you want.
Hi, Currently I'm in the process of setting up a new ML (10.8.4) Mac Pro to act as an OD server in our College. I have successfully bound it to Active Directory, and any AD user can log in to the test Mac I have also bound. So far so good. What I want, is for all users to have local home folders on whichever Mac they log in to. This is working. What I also want is to mount a Network home folder located on the Mac server, on user login, so all preferences for software etc will be stored locally, but any files can be saved to a network location and accessed from any Mac. I have read various set up guides, white papers etc and I have reached a stumbling block.
I checked both 'Force local home directory on startup disk' and 'Use UNC path from Active Directory to derive network home location'. The problem comes when defining the home folder in the AD user's profile. I input \\server\share\%username% and when I click 'Apply' I get an error, 'The home folder could not be created because: the request is not supported.' However, if I check on the server, it has actually created the folder. When I click 'Apply' again, I get a message saying the folder already exists, do I want the user to be granted full control. I click 'Yes', BUT, and this is where I'm coming unstuck, when I check the permissions of the folder created, I get access to the folder, and everyone gets no Access.
The user of the folder has no rights therefore when I log in as that user to test, it doesn't work. If I manually add rights for that user to the folder, then that works, but this is impractical as I'd have to do this individually for a large number of students. As an aside, if I use the Attribute Editor in AD to add a homeDirectory and homeDrive, and Apply this, I get no error, but also no user folder created. It doesn't create the folder on login either. This is an issue, as the user creation process is automated, and I intend to get this field updated as part of the creation process for those students who will be using Macs. Both Domain Admins and Enterprise Admins have administrative rights to the ML Server.
I am a Domain Admin. The Users sharepoint has R+W access for System Administrator, Administrators group and Everyone Else.
I also tried adding Domain Admins and a local group called MacStudents, that contains an AD group (done in WGM) that the above users are members of. My next step is to update the AD Schema to include Apple specific attributes and see if I can get it to work that way, though I have no guarantee it will work this way either. If there was a way to query a group, automatically create server based home folders with appropriate user names and grant the proper rights then this would be acceptable, however my scripting ability and knowledge is fairly non-existent. Any help would be hugely appreciated as I've spent a long time trawling through Google and various forums to no avail.

I did this once in a test environment, but since I didn't have access to our AD, I abandoned the project. I don't remember everything I did but the setup was difficult and it does work.
Hopefully my memory will help you in the right direction. You are on the right track and it comes down to permissions on the network drive. IIRC, in AD the only thing you need to set up is the User Profile path. Use the IP address for the OD rather than the hostname. Windows SMB/CIFS doesn't work well with Apple's new implementation of SMB/CIFS.
![Permissions](/uploads/1/2/5/4/125409636/855202176.png)
Not sure what they did but it's VERY minimal. On the Client, it needs to be set up to use: 'Use UNC path.' Using SMB protocol. The OD sharepoint needs to have appropriate permissions for the Domain Admin, Domain users, and OD admin to have access to it.
This is where my memory fails. It was something like the sharepoint was shared to everyone with full permissions. The security permissions took care of actual read/write permissions. If you search for setting up roaming profiles in Windows, it will also give you some clues. You do not need the Apple Schema for AD for what you are trying to accomplish unless you plan to manage the Apple Machines using AD. The Apple Schema does not manage users, at all. Since you are using an OD, just use the OD to manage the machines.
It will do much better at managing machines than the AD will. I was able to successfully mount network homes using either the AD sharepoint or the OD sharepoint for network homes. What didn't work for me is that it also forced local homes, which I didn't want.

Rlkarren - Thanks for your reply. That does make sense - I've got it to a point now that when I specify the home folder in AD, and check the permissions after creation, there is one unspecified user that has R&W access that just says 'Fetching' for however long I've tried leaving it.
I've given Domain Admins and Users access to the share, as well as local Mac admin, though I've unticked inheritance for Domain Users. I've also enabled File Sharing for Domain Admins and Users (previously it was just for a specific security group in AD). Somewhere it seems there is almost definitely a permissions error, I just can't pin it down! Anything else you can recall would be much appreciated!
Network home woes

Let me start by saying I'm not really proposing any sort of solution to the mentioned problem. Instead what I've found so far trying to get AD/OD 'Magic Triangle' working. I'm working in a large university environment and really can barely touch AD.
Extending the schema of AD is not an option. I've been running os 10.5 server for several years now with 10.6 clients. AD is used to authenticate and OD is used to manage but mostly just to host the network home. Students can sit at any computer in my lab and get the same desktop all while using their University username and password from AD. In order to get this all working I had to use augmented records from AD imported into Workgroup Manager on 10.5 server.
Not the easiest of routes but works. I'm currently trying to get 10.8 server to work preferably without an augmented record.
So far everything works without augments except hosting the users network home on the OD master. I really need to present the user with the same desktop regardless of which computer they choose to sit at. I have found how to get augments working with the os 10.8 server and 10.6 clients. It's very similar to 10.5 setup but instead using the directory utility and directory editor instead of making a change in workgroup manager.
However, 10.7 and 10.8 clients seem to just ignore the augmented record and mount the local drive regardless of how I have the client AD plugin set. Every combination has been tried: unc path, no unc path, smb, afp, mobile accounts, everything disabled, you name it I've tried it. I called Apple and they will not help unless I purchase an enterprise support agreement.
Kinda a bummer since everything works as it should on 10.6 clients. Well this probably didn't help at all but I'm hoping someone will have a thought or a direction to get this all working preferably without augments. It seems simple enough but just can't get clients to look at OD for the home directories when AD is involved.

You're right - it doesn't help me!
Actually that might be premature, as I have yet to investigate augmented records properly. It does seem like you're trying to do it slightly differently to me. Our current set up has all users hosted on 10.6 with no integration, but the network traffic caused by all the home directories on the server was too much for the server to cope with, and resulted in lots of beachballing. Hence trying to do it with local home directories and auto-mounting individual network homes too - we don't have the storage capacity on the windows side of things for all the graphics intensive work done on the Macs and students will have to learn that if they save to the desktop, that's where it stays. This is how the PCs have been for years, so it's no biggy. Have you read Apple's white paper on the topic?
There might be some pointers in there to help you. Someone on another forum suggested using ADmitMac or similar 3rd party solution.
![How to set permissions for a user account directory mac os sierra 2017](/uploads/1/2/5/4/125409636/652283981.png)
Here's what I've got in place now: AD users (Students) get created automatically. Those on courses that will use Macs are flagged and details exported to csv. A powershell script runs to populate the home directory attribute in AD, add the users to a security group and create a user home folder on the Mac server, and a subfolder within that folder. As it's the start of term, new users are appearing daily, so this process runs daily. I have a script created in Passenger to correct permissions on the user folders. I have a plist file that launches this script daily, after the user creation process, to correct the permissions on the user folders (took a while to get this working!). On the windows side, using Group Policy folder redirection, the Documents folder is set to redirect to the subfolder within the user folder on the Mac server, created in the above process. This way, the students can access files on Macs and PCs.
The client Macs are bound to AD and OD. They are set to use UNC path from AD via SMB (AFP would be better but I think there are issues to do with passwords not being sent in plain text, so authentication fails) and also to force local home folder on startup disk. The user folder then mounts in the dock, although it isn't a default file location for saving unfortunately, which would be useful. It's long winded, but it works, and fortunately I have access to people with scripting skills!
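
The daily permission-correction step described in the post above, sketched as an added example (it is not the poster's script). It assumes a policy the thread does not spell out: every folder under the share root is named after the account that owns it, and only that account has access (mode 700).

```shell
#!/bin/sh
# Added example: audit and tighten per-user home folders under a share root.
# Assumed policy (not from the thread): each folder is named after the
# account that owns it, and only that account has access (mode 700).

# audit_homes ROOT: print "folder<TAB>problem" for each finding.
audit_homes() {
    root=$1
    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue
        name=${dir##*/}
        if [ -L "$dir" ]; then
            # A symlink here could redirect a later chmod/chown elsewhere.
            printf '%s\tis a symlink\n' "$name"
            continue
        fi
        # ls -ld instead of stat: stat's flags differ on macOS and Linux.
        info=$(ls -ld "$dir")
        mode=${info%% *}
        owner=$(printf '%s\n' "$info" | awk '{print $3}')
        [ "$owner" = "$name" ] || printf '%s\towner is %s\n' "$name" "$owner"
        # Characters 5-10 of the mode string are the group and other bits.
        case $(printf '%s' "$mode" | cut -c5-10) in
            ------) ;;
            *) printf '%s\tgroup/other access (%s)\n' "$name" "$mode" ;;
        esac
    done
}

# fix_homes ROOT: set mode 700; hand the folder to its account only when
# running as root and the account resolves (e.g. through the AD binding).
fix_homes() {
    root=$1
    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        chmod 700 "$dir"
        if [ "$(id -u)" -eq 0 ] && id "${dir##*/}" >/dev/null 2>&1; then
            chown "${dir##*/}" "$dir"
        fi
    done
}
```

Run `audit_homes` on its own first to see what would change. Only POSIX mode bits and ownership are checked; ACL entries on the folders (listed on macOS with `ls -le`) are not inspected.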
You can significantly cut down on the network traffic of the home directories by linking each user's /Library/Caches folder to a local disk. We've got it going to a subdir of /tmp but, you can put it somewhere else if you don't want it deleted after each reboot. Some programs (MS Office, and TextEdit if I remember correctly) don't appreciate it when the cache and home folders are on different partitions.
So, once the Caches folder is created in /tmp, I link back to the network home for 'TemporaryItems' and 'Cleanup At Startup' in the Caches/ folder. I don't remember specifically why each of them was important; but, I'm pretty sure there was a reason. Another directory to look at is /Library/PubSub/ where Safari keeps its RSS and favorite site info.