Friday, May 17, 2019

Mac OS X ACL file sharing permissions nightmare and how to fix it

If you've ever had to set up a file share from within Mac OS X, you may have wanted to pull out your hair. Especially if you're trying to use accounts from somewhere like Windows Active Directory to grant access to the shares. I've struggled with share permissions on Macs for years, especially with permission inheritance (or the lack of it), but I think I may have finally come across the solution.

One big reason this is such a pain is that juggling POSIX and ACL permissions on a Mac is not exactly straightforward. Which one is getting used? How do they interact? I'm not going to teach you about permissions here; I hope that if you're reading this you at least know the difference between the two and are familiar with how each works on its own.

Another reason is that ACL permissions aren't managed very well through the GUI tools in OS X, even though it's made to look like you can do it that way. The "Read & Write" option that's available is not the same as full access, and it doesn't include any inheritance features, which is one of the biggest pieces of ACLs that people want to use. Unless you know that (I found out the hard way), you can be left wondering why someone can't access something.

First, if you're trying to set ACLs on the Mac from anywhere but Terminal, stop. I know command line tools aren't always user-friendly, but you'll regret it if you don't set your ACLs with Terminal.

Actually, that's the biggest secret to getting this working: use Terminal to set the permissions.

For full access, use the command

chmod -R +a "group:groupName allow list,search,add_file,add_subdirectory,delete,delete_child,read,readattr,readextattr,readsecurity,write,writeattr,writeextattr,writesecurity,file_inherit,directory_inherit,execute" pathToDirectoryToSetACLsOn

Just change out groupName with the group, and pathToDirectoryToSetACLsOn with exactly that, the path to update permissions on. The permission names have to match the spelling in the chmod man page (add_subdirectory, writesecurity, and so on) or chmod will reject the whole entry.

If you're working with a domain and want to assign permissions from a domain-based security group, you have to tweak the command slightly. Instead of group:groupName allow, use DOMAIN\groupName:allow. You don't need the word group at the beginning, you do need to include the domain, and you separate the group from the word allow with a colon. This also lets you use domain-based security groups that have spaces in their name.

For read-only access, use the command

chmod -R +a "group:groupName allow list,search,read,readattr,readextattr,readsecurity,file_inherit,directory_inherit,execute" pathToDirectoryToSetACLsOn

Same rules from above apply to the syntax here if you want to use a domain-based group instead of a group local to the Mac.

For your POSIX permissions on the share, you should not have a group assigned for POSIX that also has an ACL defined; that will help you avoid conflicts. For me, I had a local admin as the owner (with RWX), the built-in staff group as the group (with RWX), and everyone/other set to no access. Then I used Active Directory security groups with the ACLs. I also gave the local admin group the same access via ACLs, because otherwise the local admin has no access to files created by the users logging in from Windows devices, since those users were being set as the file owners.
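As an added example that is not part of the post: a bash script that spells the two permission lists once (with the names as they appear in the macOS chmod man page), builds the ACE text for either a local group or a domain group following the rule above, applies both to a share and then lists the ACL with ls -le so you can confirm the entries and inherit flags landed. The share path, group names and domain are placeholders, and chmod +a only exists on macOS, so the script only runs it when it detects Darwin.

```bash
#!/bin/bash
# Added example (not from the post). Sets the two ACL profiles described
# above on a share path, then prints the ACL so the entries and inherit
# flags can be checked. Placeholder names throughout.
set -eu

# Permission lists, named as in the macOS chmod(1) man page.
FULL_PERMS="list,search,add_file,add_subdirectory,delete,delete_child,read,readattr,readextattr,readsecurity,write,writeattr,writeextattr,writesecurity,file_inherit,directory_inherit,execute"
RO_PERMS="list,search,read,readattr,readextattr,readsecurity,file_inherit,directory_inherit,execute"

# ace_string MODE GROUP [DOMAIN]
# Prints the ACE text chmod +a expects. Without a domain: "group:NAME allow PERMS".
# With a domain, the form the post uses: "DOMAIN\NAME:allow PERMS" (no group:
# prefix, colon before allow, which also tolerates spaces in the group name).
ace_string() {
  local mode=$1 group=$2 domain=${3:-}
  local perms
  case $mode in
    full) perms=$FULL_PERMS ;;
    ro)   perms=$RO_PERMS ;;
    *) echo "ace_string: mode must be full or ro" >&2; return 1 ;;
  esac
  if [ -n "$domain" ]; then
    printf '%s\\%s:allow %s\n' "$domain" "$group" "$perms"
  else
    printf 'group:%s allow %s\n' "$group" "$perms"
  fi
}

# apply_share_acls SHARE_PATH RW_GROUP RO_GROUP [DOMAIN]
# Adds the full ACE for RW_GROUP and the read-only ACE for RO_GROUP,
# recursively, then shows the ACL on the share root (macOS only).
apply_share_acls() {
  local share=$1 rw=$2 ro=$3 domain=${4:-}
  [ -d "$share" ] || { echo "no such directory: $share" >&2; return 1; }
  chmod -R +a "$(ace_string full "$rw" "$domain")" "$share"
  chmod -R +a "$(ace_string ro "$ro" "$domain")" "$share"
  ls -led "$share"   # -e prints the ACL entries, -d keeps it to the directory itself
}

# Usage with placeholder share and groups; only attempted on macOS.
if [ "$(uname)" = Darwin ] && [ -d /Volumes/Data/Share ]; then
  apply_share_acls /Volumes/Data/Share "Share Editors" "Share Readers" CORP
fi
```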

If you want more info on the ACL options, check the man page for chmod on the Mac; this site looks to have the details too. Once you read up on them you can decide whether you need to tweak the commands to leave out certain options. I also need to give this page credit, because that's where I landed before being able to get this working.

Good luck




Thursday, September 20, 2018

Mac OS X apps show question marks or damaged or incomplete error

I've run into this with individual applications over the years, and can typically solve it with either a permission repair or reinstalling the app. Today I ran into it for ALL applications for one user. You couldn't run Terminal, Safari, Disk Utility... The only thing that appeared to be OK was Finder.

I logged into another account on the machine and everything worked fine. I ran the usual Disk Utility commands, but no luck fixing the issue. Then I created a new account and logged in, and that account was OK too. That made me expect user profile corruption. I backed up the files, deleted the user account, then set it up again. First login and the same problem: the entire Dock was question marks and nothing would run. Whatever the issue was, it appeared to be directly related to this user account, but it wasn't in the profile.

After wasting a bunch of additional time trying to troubleshoot this, I finally ran across the answer in the MacRumors.com forum (thank you jpete for posting it). The system folders, specifically /var/folders/, contain cache files from user accounts. What I found is that each folder is specific to a user account, and that user account may or may not still exist in Users & Accounts. It's almost like a secondary user profile area that persists even after the account has been removed. This is where the problem was. I found the folder related to the user experiencing issues by using Get Info to see who the owner of the folder was, then went into the folder named 0 (that's a zero) and deleted all the contents it would allow me to. After rebooting I was able to log in with that user account and everything was working again.

The easiest way to try this is to log in to the account having issues and then go to Finder->Go->Go to Folder. Type /var/folders/ there and it will open in Finder. Now go into each of the two-character folders one by one and do Get Info on the folder each contains (long alphanumeric name) until you find one that shows the username with problems as the owner. Once you find it, go into that long alphanumeric folder and you should be able to access the 0 (zero), C, and T folders. Do not delete those folders themselves (not sure you can even if you tried), but go into them and delete all the contents the system will allow you to delete. Once done, reboot the system and try logging in. Hopefully it will show you the icons in the Dock and let you run your apps once again.
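As an added example (not from the post, which does this by hand in Finder), a bash script that finds the /var/folders entry by owner and empties its 0, C and T subfolders without removing the folders themselves; the user name is a placeholder and the root path is a parameter so the logic can be tried on a scratch tree first. Since the broken account can't open Terminal, run it with sudo from a working admin account and then reboot.

```bash
#!/bin/bash
# Added example (not from the post): locate the /var/folders entry that
# belongs to an account by owner, then empty its 0, C and T subfolders while
# leaving those folders in place. ROOT is a parameter so the logic can be
# tried on a scratch directory before touching /var/folders.
set -eu

# find_user_folder ROOT USER
# /var/folders is laid out as ROOT/<2 chars>/<long name>/{0,C,T}; the
# long-name directory is owned by the account, so look exactly two levels down.
find_user_folder() {
  local root=$1 user=$2
  find "$root" -mindepth 2 -maxdepth 2 -type d -user "$user"
}

# clear_user_caches ROOT USER
# Refuses to act unless exactly one folder is owned by USER, then deletes the
# contents of 0, C and T (not the folders themselves). Entries the system
# refuses to delete are skipped, as in the post. Prints the folder it cleaned.
clear_user_caches() {
  local root=$1 user=$2 dir n sub
  dir=$(find_user_folder "$root" "$user")
  n=$(printf '%s\n' "$dir" | grep -c . || true)   # number of matches
  if [ "$n" -ne 1 ]; then
    echo "expected one folder owned by $user under $root, found $n" >&2
    return 1
  fi
  for sub in 0 C T; do
    [ -d "$dir/$sub" ] || continue
    # -mindepth 1 keeps the container; -delete removes contents depth-first.
    find "$dir/$sub" -mindepth 1 -delete 2>/dev/null || true
  done
  printf '%s\n' "$dir"
}

# Usage on a Mac from a working admin account (user name is a placeholder):
#   sudo bash clear_user_caches.sh brokenuser
if [ "$#" -eq 1 ] && [ "$(uname)" = Darwin ]; then
  clear_user_caches /var/folders "$1"
fi
```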

Assuming you don't have a Time Machine backup to go back to before the problem started: if this doesn't work and you have access to a second account that does work on that same Mac, your best bet is to create a new user account with a different username and move your files and settings over from the account that has problems. Or you could back up everything and run through a clean installation, wiping the drive in the process, so you have a completely fresh start.


Wednesday, June 27, 2018

OneDrive "file wasn't uploaded... changes can't be merged" error

I ran into this with a user and thought it would be a relatively easy fix by telling Microsoft Excel to discard the changes. Unfortunately it took more than that, as the changes were cached for upload to OneDrive and discarding the changes from within Excel didn't remove the cached file. OneDrive doesn't control that file cache either. Instead, it's buried within another tool called the Microsoft Upload Center. The Microsoft KB articles I found referencing it say to simply search for it, then use it to delete the cached file. It doesn't quite work that way, or at least didn't for me with the Office 2016 applications. Searching gives you no results, making you wonder if you even have the application. It's there, but you have to go the long way through Windows Explorer.

If you're having the same or a similar problem, open the Microsoft Upload Center application. You can find it within your Office installation folder, which is typically:

32-bit Office install - C:\Program Files (x86)\Microsoft Office\root\Office16
64-bit Office install - C:\Program Files\Microsoft Office\root\Office16

In that folder you'll find MSOUC.EXE, which is the Microsoft Upload Center application. Open it and it will show you any files that are pending upload to OneDrive. Assuming the changes you made are either no longer needed, or you have them saved already in a copy of the OneDrive document, removing the problematic files from here will resolve the issue where you can't update or upload to OneDrive because of merge issues. Once a file is removed from the Upload Center, the next time you open that document it will pull down a new copy into your OneDrive cache so you can once again work on it. That also means removing the file from the cache discards any changes you had made to it since the last time it was able to sync to OneDrive, so keep that in mind.

If you keep having problems, within the Microsoft Upload Center settings, you can tell it to delete the entire cache and start over. That can be used as a secondary option if selectively removing specific files doesn't work. But again, be careful if you've made changes to these documents and want to keep those changes, as deleting the cache also means the changes you've made since the last successful OneDrive sync will be lost.

Thursday, May 3, 2018

Time Machine "Can't connect to a current Time Machine backup disk"

I decided to start using Time Machine alongside Crashplan to make sure I had a local backup. Plus I'm backing up ~8TB of data on that particular Mac device so having a quick restore option makes a lot of sense.

I purchased a new Thunderbolt 3 drive with plenty of storage and set up Time Machine. Easy enough, right? It only took 2 days to get the initial backup and everything looked like it was working fine. Then I went to try a test restore and that's where I ran into problems. As I entered the Time Machine system to view what was available to restore, an error popped up saying "Can't connect to a current Time Machine backup disk". Nothing would display and I would have to exit. At first I tried a reboot, which didn't work. Then I noticed that the disk displayed a little oddly in the Time Machine Preferences, so I started over by reselecting my disk and waiting another 2 days for it to redo the initial backup. No luck after that either. That's when I asked my friend Google and found that I should've started there, because the answer was very simple...

I had NO permission to access the Time Machine backup database folder! Why in the world would that be the default?! You can confirm that this is your issue too by going into the Time Machine disk and trying to view the contents of the Backups.backupdb folder. If you see a red no-go sign or can't view it, you're having the same problem I was.

Luckily it's easy to fix, but you have to use Terminal (Applications->Utilities->Terminal) because Finder doesn't seem to work for changing permissions on this particular folder. Once you have Terminal open:

1. cd /Volumes/TimeMachineDriveName (make sure you put the name of your Time Machine disk here after /Volumes/)
2. sudo chgrp admin Backups.backupdb

The first command just gets you to the Time Machine drive that you need to work with. The second changes the group on the folder so that the admin group on your machine can access the folder and its contents. It will ask you to enter your password after the second command, which is normal when you use sudo to run a command as root. Once you've done this you should be able to go back to Time Machine and actually view what has been backed up, and restore files/folders when needed.

Wednesday, May 2, 2018

Replace character in variable within batch script

I wanted to rename a file using a batch script so it would replace underscores '_' with hyphens '-'. It was pretty easy:

Set img1=this-was_the_original-name-of_the_file
Set newName=%img1:_=-%
echo %newName%

The key to doing it is the :_=- in the second line, which tells the command interpreter to take the text value stored in the variable img1 and replace every underscore with a hyphen. Now, you could make line 2 instead be

Set img1=%img1:_=-%

if you don't need to reference the original value stored in img1 later. For my purposes I was renaming a file, so I needed both the original filename and the new filename, which meant storing the new name with the hyphens in a separate variable.

Thursday, March 22, 2018

Exchange Resource room only shows who scheduled in Outlook

Apparently the default behavior of resources in Exchange is to replace the subject line with the organizer's name. I'm not going to argue whether or not that is pointless, but I will tell you how to fix it. It's a simple one-line PowerShell command you can run.

Make sure you connect to the Exchange (or Exchange Online) PowerShell, and then run

Set-CalendarProcessing -Identity resourceName -DeleteSubject $False -AddOrganizerToSubject $False

Make sure you replace "resourceName" with the actual name of your resource. Running that will leave the original subject line intact, so you don't have to check the organizer's calendar to see what the meeting is about when trying to schedule a resource.

I originally found the answer in this Microsoft support article.

Wednesday, November 16, 2016

iPhone missed calls showing on second iPhone

If you're sharing an Apple ID across multiple iPhones, you have likely run into an issue at some point with one phone showing something from the other phone. For this post we're talking specifically about missed call history.

If you have missed calls for one phone showing up on another phone, turn off iCloud Drive. You can do so by going into Settings->iCloud, then toggling the iCloud Drive setting off. Make sure to verify it is off too; I've seen it take a couple of tries to actually go to off.

Once it's turned off, the missed call history will no longer be synchronized and won't show up on other phones signed into the same Apple ID.

Monday, September 12, 2016

Windows 7 stuck searching for updates forever

If you've had to reinstall Windows 7, depending on how old your install media is you may run into this problem. Once Windows is installed and ready for updates, you tell it to search and it keeps searching, and searching, and searching... until you finally reboot or shut down because it's been 5 hours and still nothing. I've run into this a few times myself, and luckily I think I finally found a fix.

First, download and save Microsoft KB 3138612, which is an update to the Windows Update client. Apparently you now need this update to get the update process to work, but if the process is already broken then you can't get the new client through normal means and need to use the standalone installer. In my case, trying to install from the standalone left it searching forever for installed updates too, so just save this for now. You're going to need this in a minute.

Now, open up a command prompt and run it under the administrator context. The easiest way to do this would be click the Start button, type cmd, then right-click and select Run as Administrator on the Command Prompt or cmd.exe result you should see.

Once Command Prompt opens, type (without the quotes) "net start appidsvc" and press Enter. This should make sure the appid service is running.

Now that the service is running you can go ahead and install KB3138612 from the download you saved earlier. It should only take a couple of minutes to do this. If it gets stuck on searching for installed updates for more than 5 minutes, you may need to find another method. Once the KB is installed, reboot the computer.

Once the PC is on again, repeat opening the command prompt in the administrator context and starting appidsvc. After you've done that, type (without the quotes) "wuauclt.exe /detectnow" and press Enter. That should force the Windows Update client to search for updates and show you results once done.

In my case, it still took a while for it to search for updates, because when it came back I had over 200 of them waiting to be installed. However, that was at most an hour. Prior to that I had left the machine searching for updates for as long as 48 hours and it never moved past that status. Once the updated client is installed and you get past the initial round of updates, which will likely be fairly large, you should be fine from there to update normally in the future.


Monday, June 20, 2016

iPhone showing an unread text message but you can't find it

Ever see the unread notification on your Messages app, but have no luck finding the message? Use Siri. Activate Siri, and then say "Read me my unread messages". Siri should then locate and read the unread message, after which the notification will go away.

I had a user that this happened to today. The odd thing was the message in question had been read and deleted already, but somehow hadn't been marked read so the notification kept coming back no matter how many times the user went into that particular message thread. Using Siri took care of it.

Tuesday, March 29, 2016

OS X Application Window not showing or visible

I recently had a user trying to open Acrobat Pro DC on a Mac laptop. The user would get the menu bar across the top, but could not see the application window on the screen to actually do anything. The trick was to go to Window->Zoom, which brought the app window back to normal on the screen. Either it had been zoomed out so much it was too small to see, or it had somehow been moved off the screen, so it was open but not in an area the user could see.