Task or script to monitor file ownership, permissions and change as needed

I'm using a Mac OS X Tiger (10.4.9) computer as a file server for a group of people who are (1) individually non-administrative users and (2) members of Groups. The hard drive is partitioned into 2 volumes: Vol1 has no non-admin access, Vol2 has a Shared folder containing folders with files intended for either Public or Private access. I'm admin with UID=501 and trying not to be a danger. Each other user has a unique UID. Each Group has a unique GID. The folder that all users have access to is named Pub_shares. Every user allowed to access Pub_shares is a member of PubGroup (GID=505).
Now when a user accesses a file nested in Pub_shares, that file usually becomes owned by that user and the group membership may change from PubGroup and may undergo a change to "Read only" or "No Access." Since all members of PubGroup should have Read & Write access to files in Pub_shares, this is a problem. All files in Pub_shares, regardless of who last touched them, should remain:
Owner = chris / Access Read & Write
Group = PubGroup / Access Read & Write
Others = No Access
I've read some about Ownership & Permissions. I've seen it suggested that an admin set up an automated task, say to run every 3 minutes; that task checks file ownership and permissions and, if different, changes the values recursively to those shown above, such that:
Owner = 501 / Access = rwx
Group = 505 / Access = rwx
What do I need here? An Automator workflow? A shell script? AppleScript? Cron? launchd? How do I put this together? I don't know the syntax or the expressions to use. Any help is much much appreciated. [Note again: My "server" runs Tiger 10.4.9.] Thanks.

..."I have some Windows users (trying) to access shared files. Will the afp inheritance options stand up to a Windows user?"...
No the afp inherit settings won't apply to windows sharing, but I think there are equivalent settings that can be applied to smb.
..."I thought, too, I'd read somewhere that inheritance options use the topmost volume folder to set inheritance patterns."...
I am not able to double-check this for Tiger, but I don't think that is the case. As far as I know, with those settings enabled (and it doesn't work reliably if only one is enabled) permissions and ownership should be inherited from the folder that the items are added to.
..."My topmost folder on vol2 is "Shared" but it contains both Pub_shares (accessible by members of PubGroup) and a few Private_shares (folders accessible by members of various private groups)."...
Sorry I missed that point in your earlier post. The above would cause complications if a user were to move items from the private area to the public area. The inheritance only applies when files are created, so something moved from the private area to the public area would retain its original permissions. To make it work, the public and private areas would have to be set up as separate shares, rather than sharing the whole volume.
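The periodic check the question asks for (everything under Pub_shares owned by UID 501, group 505, read/write for both, no access for others) can be written as a small shell script; this is an added example, not part of the original thread. The share path, the script path and the cron line in the comments are assumptions. Because such a job runs as root, it skips symlinks and multiply-linked files so it cannot be steered into re-owning files outside the share.

```shell
#!/bin/sh
# Added example (not from the thread): keep every file and folder under a
# shared directory at one owner and one group, read/write for both, and no
# access for others. Plain POSIX sh with find/chown/chmod only.
#
# Assumed scheduling for the poster's layout (both paths are assumptions),
# as a line in root's crontab, every 3 minutes:
#   */3 * * * * /usr/local/sbin/enforce_share.sh /Volumes/Vol2/Shared/Pub_shares 501 505

# drift_find DIR OWNER GROUP [find actions...]
# Selects directories and singly-linked regular files whose owner, group or
# mode differ from the policy, then applies the given find actions to them.
drift_find() {
    dir=$1 owner=$2 group=$3
    shift 3
    # Refuse a missing or symlinked root: the job must only ever walk the
    # real share directory.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "enforce_share: not a real directory: $dir" >&2
        return 2
    fi
    # Type filter: symlinks are never selected, and regular files with more
    # than one hard link are skipped because the same inode may also live
    # outside the share.
    # Drift tests: wrong owner, wrong group, any "other" bit set, owner or
    # group missing read/write, or a directory missing rwx for either.
    find "$dir" \
        \( -type d -o \( -type f -links 1 \) \) \
        \( ! -user "$owner" -o ! -group "$group" \
           -o -perm -001 -o -perm -002 -o -perm -004 \
           -o ! -perm -660 \
           -o \( -type d ! -perm -770 \) \) \
        "$@"
}

# list_drift DIR OWNER GROUP
# Report-only mode: print the paths that violate the policy.
list_drift() {
    drift_find "$1" "$2" "$3" -print
}

# enforce_share DIR OWNER GROUP
# Fix only the paths that drifted and print each one, so the output can be
# logged as a record of what was changed and when.
# chmod X (capital) adds execute/search only to directories and to files
# that already carry an execute bit.
enforce_share() {
    drift_find "$1" "$2" "$3" \
        -exec chown "$2:$3" {} \; \
        -exec chmod u+rwX,g+rwX,o-rwx {} \; \
        -print
}

# Run as a script only when called with exactly DIR OWNER GROUP.
if [ "$#" -eq 3 ]; then
    enforce_share "$1" "$2" "$3"
fi
```

Redirecting the output of the scheduled run to a log file gives a running list of which files drifted, which helps find the client or application that keeps resetting them.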

Similar Messages

  • OS X extern drive ownership/permissions and NFS exporting

    - I have an external (250GB) firewire drive on OS X 10.4.9.
    - I want to have it available to local users of this Mac but with ownership/permissions of created files/directories protected in the usual UNIX sense of unique UID/GID -- files/directories created by one user cannot be read/written by other users of this Mac except as allowed by standard UNIX permissions groups settings; eg., those set with 'chmod' command.
    - I want to NFS-server this drive volume to a linux NFS client (eg., RHEL 4), again with files/directories protected in this same UID/GID UNIX sense. In our case, the users' UID/GIDs will be made to match, but regardless, I wish likewise for file/directory use on the linux client to be restricted as per UNIX permissions and the files/directories created by the Mac users have protections remain in place against linux user access, and vice versa, as above.
    Is this feasible in Mac OS X (without OS X Server)?
    How does one go about achieving it?
    I have basic Netinfo Manager skills for creating NFS exports and starting NFS daemon services, but am not expert on all available export options. I have average linux IT NFS server/client and user management skills.
    Thanks,
    -Neil

    I don't know about networking with Linux, but I do know that for OS X users, enforcing permissions on an external drive without OS X Server is tricky.
    First, log in to your admin account. Right-click the drive, Get Info, expand Ownership & Permissions, and uncheck "Ignore ownership on this volume". Then set permissions accordingly.
    The problem is that any unprivileged user can log in to his own account, Get Info, recheck the box, and get ownership of the entire contents of the drive. This is possible even without the admin password.
    There is a workaround that will remove the Ignore Ownership box from the Get Info panel so that there will be no box for them to check. First make sure that the box is unchecked and that the permissions are set how you want. Then enable ACLs on the volume by entering this command in a Terminal window:
    sudo fsaclctl -p /Volumes/volumename -e
    Then restart Finder. Now there's no box for the unprivileged user to check. But I don't know where this setting is stored; perhaps the unprivileged user can find some command-line way of getting the box re-checked and thus getting ownership of everything.
    If there is some way you can get the data off of the external drive and onto the main boot drive you will have the best chance of keeping the data safe.

  • How do i run an external monitor with my macbook and change settings so that when i close the lid the signal to the monitor is not lost and i can continue using the mac with a mouse and a wireless keyboard?

    How do i run an external monitor with my macbook and change settings so that when i close the lid the signal to the monitor is not lost and i can continue using the mac with a mouse and a wireless keyboard?

    No, nothing will prevent the computer from going to sleep when you close its display except third-party hacks that are designed to do exactly that. I strongly advise against using any of those, as they may interfere with successful entry into clamshell mode (and they carry other downside risks as well). Just wait until the computer is asleep (with its sleep light pulsing), then press any key on the keyboard. It sounds as though your setup is working as it's designed to do.

  • Scheduled task powershell script cant write file

    Hello experts
    I have a scheduled task with PowerShell but it can't write the CSV file. Below is my PS script:
    $ExemptGroup = Get-ADGroup app_users
    Get-ADUser -Filter { -not (memberOf -RecursiveMatch $ExemptGroup.DistinguishedName) } -Properties * |
     Select-Object -Property DisplayName,SamAccountName,WhenCreated,@{Name='Last Logon';Expression={[System.DateTime]::FromFileTime($_.LastLogon).ToString('g')}},LogonCount,@{N='Status';E={
    If ( $_.useraccountControl -match '^(?:514|546|66050|66082)$' ) { 'Disabled' } Else { 'Enabled' } }} |
     Sort-Object -Property DisplayName | Export-Csv C:\Users\22041912\Documents\User_statis_list.csv
    In PowerShell my script works normally and writes the CSV file, but in the scheduled task it can't write the CSV file. The task history tells me it finished successfully.
    Can anyone suggest what is wrong?

    Copy this into a batch file and point the task scheduler to the batch file.
    PowerShell.exe -WindowStyle Hidden -File E:\Shell\OdmaaGet-Aduser.ps1
    Check if it works.
    Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
    IT Stuff Quick Bytes

  • Need a perl script which monitors a network folder and sends email when new files/folders arrived...

    I need a perl script (or something else better) which monitors a network folder and sends email when new files/folders arrived. I tried it in Automator but failed.
    Thanks!

    Yes. I tried it. But whenever I restart my Mac, the watch folder doesn't work until I reconnect to the network or run the Automator... I need a simple system that automatically connects to the network and monitors the folder, even if I restart the Mac.
    Thanks!

  • TSQL Script to monitor SQL Server transactional and snapshot replication

    Hi Team,
    Could you please let me know do you have any TSQL script to monitor replication (Transactional, Snapshot) with current status? I have tried the script below but it is giving an error. Could you please have a look at the script below, or do you have any other new TSQL script to monitor the replication status?
    "Msg 8164, Level 16, State 1, Procedure sp_MSload_tmp_replication_status, Line 80
    An INSERT EXEC statement cannot be nested."
    DECLARE @srvname VARCHAR(100)
    DECLARE @pub_db VARCHAR(100)
    DECLARE @pubname VARCHAR(100)
    CREATE TABLE #replmonitor(status    INT NULL,warning    INT NULL,subscriber    sysname NULL,subscriber_db    sysname NULL,publisher_db    sysname NULL,
    publication    sysname NULL,publication_type    INT NULL,subtype    INT NULL,latency    INT NULL,latencythreshold    INT NULL,agentnotrunning    INT NULL,
    agentnotrunningthreshold    INT NULL,timetoexpiration    INT NULL,expirationthreshold    INT NULL,last_distsync    DATETIME,
    distribution_agentname    sysname NULL,mergeagentname    sysname NULL,mergesubscriptionfriendlyname    sysname NULL,mergeagentlocation    sysname NULL,
    mergeconnectiontype    INT NULL,mergePerformance    INT NULL,mergerunspeed    FLOAT,mergerunduration    INT NULL,monitorranking    INT NULL,
    distributionagentjobid    BINARY(16),mergeagentjobid    BINARY(16),distributionagentid    INT NULL,distributionagentprofileid    INT NULL,
    mergeagentid    INT NULL,mergeagentprofileid    INT NULL,logreaderagentname VARCHAR(100),publisher varchar(100))
    DECLARE replmonitor CURSOR FOR
    SELECT b.srvname,a.publisher_db,a.publication
    FROM distribution.dbo.MSpublications a,  master.dbo.sysservers b
    WHERE a.publisher_id=b.srvid
    OPEN replmonitor 
    FETCH NEXT FROM replmonitor INTO @srvname,@pub_db,@pubname
    WHILE @@FETCH_STATUS = 0
    BEGIN
    INSERT INTO #replmonitor
    EXEC distribution.dbo.sp_replmonitorhelpsubscription  @publisher = @srvname
         , @publisher_db = @pub_db
         ,  @publication = @pubname
         , @publication_type = 0
    FETCH NEXT FROM replmonitor INTO @srvname,@pub_db,@pubname
    END
    CLOSE replmonitor
    DEALLOCATE replmonitor
    SELECT publication,publisher_db,subscriber,subscriber_db,
            CASE publication_type WHEN 0 THEN 'Transactional publication'
                WHEN 1 THEN 'Snapshot publication'
                WHEN 2 THEN 'Merge publication'
                ELSE 'Not Known' END,
            CASE subtype WHEN 0 THEN 'Push'
                WHEN 1 THEN 'Pull'
                WHEN 2 THEN 'Anonymous'
                ELSE 'Not Known' END,
            CASE status WHEN 1 THEN 'Started'
                WHEN 2 THEN 'Succeeded'
                WHEN 3 THEN 'In progress'
                WHEN 4 THEN 'Idle'
                WHEN 5 THEN 'Retrying'
                WHEN 6 THEN 'Failed'
                ELSE 'Not Known' END,
            CASE warning WHEN 0 THEN 'No Issues in Replication' ELSE 'Check Replication' END,
            latency, latencythreshold, 
            'LatencyStatus'= CASE WHEN (latency > latencythreshold) THEN 'High Latency'
            ELSE 'No Latency' END,
            distribution_agentname,'DistributorStatus'= CASE WHEN (DATEDIFF(hh,last_distsync,GETDATE())>1) THEN 'Distributor has not executed more than n hour'
            ELSE 'Distributor running fine' END
            FROM #replmonitor
    --DROP TABLE #replmonitor
    Rajeev R

    Hi Rajeev,
    Could you please use the following query and check if it is successful?
    INSERT INTO #replmonitor
    SELECT a.*
    FROM OPENROWSET
    ('SQLNCLI', 'Server=DBServer;Trusted_Connection=yes;',
    'SET FMTONLY OFF; exec distribution..sp_replmonitorhelpsubscription
    @publisher = DBServer,
    @publication_type = 0,
    @publication=MyPublication') AS a;
    There is a similar thread for your reference.
    https://social.msdn.microsoft.com/Forums/sqlserver/en-US/634090bf-915e-4d97-b71a-58cf47d62a8a/msg-8164-level-16-state-1-procedure-spmsloadtmpreplicationstatus-line-80?forum=sqlreplication
    Thanks,
    Lydia Zhang
    TechNet Community Support

  • I have to select a file – get Info – and change – open with and change from preview to another program and CHANGE ALL everytime I boot up

    Why do I have to select a file – get Info – select – open with – and change from Preview to another program and click CHANGE ALL with every file extention everytime I boot up.

    Back up all data.
    This procedure will unlock all your user files (not system files) and reset their ownership and access-control lists to the default. If you've set special values for those attributes on any of your files, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. Do so only after verifying that those settings didn't cause the problem. If none of this is meaningful to you, you don't need to worry about it.
    Step 1
    If you have more than one user account, and the one in question is not an administrator account, then temporarily promote it to administrator status in the Users & Groups preference pane. To do that, unlock the preference pane using the credentials of an administrator, check the box marked Allow user to administer this computer, then reboot. You can demote the problem account back to standard status when this step has been completed.
    Triple-click the following line to select it. Copy the selected text to the Clipboard (command-C):
    { sudo chflags -R nouchg,nouappnd ~ $TMPDIR.. ; sudo chown -Rh $UID:staff ~ $_ ; sudo chmod -R u+rwX ~ $_ ; chmod -R -N ~ $_ ; } 2> /dev/null
    Launch the Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Paste into the Terminal window (command-V). You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. If you don’t have a login password, you’ll need to set one before you can run the command. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.
    The command will take a noticeable amount of time to run. Wait for a new line ending in a dollar sign (“$”) to appear, then quit Terminal.
    Step 2 (optional)
    The first step should give you usable permissions in your home folder. This step will restore special attributes set by OS X on some user folders to protect them from unintended deletion or renaming. You can skip this step if you don't consider that protection to be necessary.
    Boot into Recovery by holding down the key combination command-R at startup. Release the keys when you see a gray screen with a spinning dial.
    When the OS X Utilities screen appears, select
    Utilities ▹ Terminal
    from the menu bar. A Terminal window will open.
    In the Terminal window, type this:
    resetpassword
    That's one word, all lower case, with no spaces. Then press return. A Reset Password window will open. You’re not  going to reset a password.
    Select your boot volume ("Macintosh HD," unless you gave it a different name) if not already selected.
    Select your username from the menu labeled Select the user account if not already selected.
    Under Reset Home Directory Permissions and ACLs, click the Reset button.
    Select
     ▹ Restart
    from the menu bar.

  • How can one edit a .gif file graphics background and change the fonts in Photoshop Elements 13?

    I am trying to change the color and fonts of some of my web sites .gif files. Can I change the color to another hexadecimal color and change the fonts of the letters in Photoshop 13? I am using Windows 7 and heard that you could save the .gif file to another format, edit it, then change the file back to a .gif file. Is this true? If so, how do you do it? The file just has a solid color with the letters "Firm " on it. No animation.

    You can edit a gif without changing the format, but once you save the file as a gif the text becomes part of the image, not text anymore, so you would need to clone or heal away the existing text and then create a new text layer and use save for web to create a new gif.
    For access to the most editing tools, while the file is open in the editor go to image>mode and change it from index color to RGB. Saving as a gif will change it back to index mode.

  • Modified CR2 files in ACR and changes were not saved

    I have a directory with 1400 CR2 files in it. I have a stack of picks that I am working with. I went through and for 6 hours adjusted all the images by opening them in Camera Raw and making changes to White Balance, Fill light, etc... When I was done, i clicked done to save the changes to the file (Like I've done many many times before).However most of the modifications were never saved. All the files have sidecar xmp files, but most show original files without modification. I edited approximately 580 images this way and probably 20% kept the changes and the rest "seem" to have reverted back to their original "As Shot" state. Any ideas what happened? Is this reversible or did I just waste my life?

    Look at the folder in windows Explorer.   What are the time stamps on  the xmp files?  Do they appear to be "current" -- that is, timestamps approximately when you performed the ACR edits and pressed Done?  Or do 70 to 80% of them have earlier time stamps?  Current time stamps would suggest that xmp files are being written or updated, possibly omitting some ACR edit data; earlier time stamps suggest that the xmp files were not updated by ACR-Done.
    Sequence the xmp files by Date Modified.   Do the xmp file time stamps appear to be in time groups?  If you clicked Done after editing 20-25 images in ACR, you would expect to see 20-25 xmp files with the same file modified date and time.  If you see this, it suggests that entire groups of edits were saved; but some groups of edits that should be saved by a Done from ACR may not have been saved to xmp.  If you see groups of substantially fewer than your usual edit Done sets of 20-25, it suggests that only some xmp files were written.
    Since it looks like that you will need to go back and redo the edits to a good many of your 580 images, you might try looking at the xmp files after each ACR Done.  Sequence the xmp files by Date Modified.  Is the number of file modified timestamps with the 'now' date and time the same as the number of files you just edited in ACR?
    In Bridge, do the just-performed edits appear in the thumbnails?  Look at the ACR values in the metadata for each of the just-edited images.  Do they show the values you just edited?  (Be sure that you have checked on Camera Raw metadata in Bridge preferences.)

  • Lightroom changes file date (build and changeing date) by jpg files

    Hello
    I am using Lightroom on Mac OS X Snow Leopard. The problem is that Lightroom changes both dates of the file (the date when the file was created and the date when changes were made to the file) when I save the metadata to the file.
    This happens only with jpg files. With raw / xmp files the date of the raw file is not changed; both dates of the xmp are changed, like with jpg.
    I do not want to change the time when the file was created, so that I can see in the Finder / Explorer when the file was created (photo taken).
    How can I solve this problem?
    Thanks for the help

    Do not save the metadata to the files. It's quite unnecessary to do so, but of course, you should have full backups of the images and the catalog(s) [.lrcat].

  • Changing File Ownership & Permissions

    Is there a way via AppleScript to change the ownership and permissions for all files (docs & folders) en masse? Can I do so regardless of original owner or permissions for files that are not password protected?

    Yes, by invoking the do shell script command and the Unix commands chown and chmod. You might get better answers in the OS X Technologies forum: http://discussions.apple.com/category.jspa?categoryID=162.

  • Issues with Time Machine File Restore Permissions and Interface

    Hi All,I bought a Time Capsule in January 2010, and i've had backups since then.
    Time Machine's interface has pretty much always been laggy as ****, but I've always put that down to using it over wifi, perhaps that was a wrong assumption.
    Anyway, I went to open a folder in a virtual machine which resides in my mac's documents folder, and it wasn't there. Sure enough this folder wasn't in my documents folder, so I thought i'd restore it from time machine. Time machine shows every segment as a pink fully coloured one (signalling theres a backup there) for a few secs, before most of them turn into a pale pink. Looking into the issue further, it seems as though I don't have permission to access the documents folder on a lot of backups, by looking at the users/brett/ folders on them (which i do have access to), right clicking on the restricted folder shows that everyone has no access, and it's fetching the other user. Trying to add myself to it doesn't work.
    I have gone through two MBPs with the same backup set, and a number of hard drives (the latest being a SSD I put in yesterday, and the migration assistant restore from time machine worked without skipping a beat - never had a problem doing full restores or migrations, just using the interface)
    Obviously the easiest thing to do would be to start afresh, but I'd rather not as I'd lose 2 years worth of backups, and who's to say this wouldn't just happen again in the future? Could this be why the interface is so slow too?
    Thanks guys

    studentguy wrote:
    Time Machine's interface has pretty much always been laggy as ****, but I've always put that down to using it over wifi, perhaps that was a wrong assumption.
    Yes, there is a lot going on to "populate" the display -- it can be sluggish even to a FireWire 800 drive. 
    Looking into the issue further, it seems as though I don't have permission to access the documents folder on a lot of backups, by looking at the users/brett/ folders on them (which i do have access to), right clicking on the restricted folder shows that everyone has no access, and it's fetching the other user. Trying to add myself to it doesn't work.
    I don't do Windoze, so am not familiar with the structure of the VM files, or how the permissions on them work.  Many folks exclude them from Time Machine, and back them up separately.
    I have gone through two MBPs with the same backup set, and a number of hard drives (the latest being a SSD I put in yesterday, and the migration assistant restore from time machine worked without skipping a beat
    Yes, because it simply copies whatever permissions are there.  It doesn't need to (and shouldn't) check whether the logged-on user has permission to anything.
    Could this be why the interface is so slow too?
    It could be a contributor.  
    Can you set the permissions on the VM files on your Mac so everyone has read rights?  That should at least allow you to restore their backups. 

  • Reading NTFS permissions and changing them with PowerShell

    Hi,
    I have a large folder structure which contains the shares for several sites.  I've been asked to change the permissions for a group on each of these folders from 'full control' to 'read and execute' on the top level only.  My problem is that the name of the group to change is different on each folder.  They follow the same naming convention however which I've attempted to show in the example below.
    Folder1 has a group named FOL1-AdminUsers which has full control, there are several other administrative AD groups with permissions to the folder which must remain the same.  Similarly there is a Folder2 which has a group named FOL2-AdminUsers which needs to be changed and so on.
    The part of the script I'm having trouble with is reading the existing permissions from a specific folder and searching for the group I need to change.  Everything else has been fairly straightforward but I've just become completely stuck on this.  I'd really appreciate any help anybody could give me or if you could point me in the right direction for further assistance.
    Many thanks,
    Gary.

    Hi Gary,
    you can read access permissions from a folder by using the Get-Acl cmdlet (Get-Acl "C:\ExampleFolder"). This will return a DirectorySecurity object. This comes with an Access CodeProperty that will return all permissions on the folder:
    $Acl = Get-Acl "C:\ExampleFolder"
    $Acl.Access
    It has many useful methods as well, so check out its members:
    $Acl | Get-Member
    Finally, there are useful tools for manipulating Acls, notably the official Set-Acl cmdlet or Rohn's AccessControl Module (Thanks Rohn, it's awesome) in the Gallery.
    If the module is a bit complex for you, there are some simple functions - shameless advertisement incoming - you could instead use: New-AccessRule and Add-AccessRule.
    Cheers,
    Fred
    There's no place like 127.0.0.1
    Thanks for the compliment!
    Gary, Rhys and Fred already mentioned that the info you're looking for is in the Access property when you use the built-in Get-Acl cmdlet. You could also use the Get-AccessControlEntry function from the module Fred mentioned:
    # List all ACEs for a single folder
    Get-AccessControlEntry C:\Folder
    # List all ACEs for specific principals (this example searches for two):
    Get-AccessControlEntry C:\Folder -Principal FOL*AdminUsers, AnotherUserNameHere
    # List ACEs for all subfolders (uses PSv3 syntax):
    dir C:\Folder -Directory -Recurse | Get-AccessControlEntry

  • Help with script to eject an external drive and change Network Location?

    Hello,
    Could someone help me with a script that would do the following:
    -eject an external hard drive called "1TB_BU"
    -change the Network System Preferences Location from "Work" to "Home"
    I then need another that would change the Location from "Home" to "Work"
    THx!
    ~Von

    1. Use the following:
    tell application "Finder"
    eject disk "1TB_BU"
    end tell
    2. Click here for information.

  • Using referenced files in Aperture and changing names of Master files

    My Aperture library (masters) are stored on an external hard drive. The label for each image is simply the one that the camera supplied on the SD card. After importing the images into Aperture, I give them a more meaningful version name. Is there a way I can now add those version names to the masters stored on the external hard drive? (I would eliminate the numbers provided by the camera) Please give specific steps if this is possible. Thank you so very much!

    You can change the name of the Master as it is imported into Aperture, have a look at the manual regarding Import Options:
    http://documentation.apple.com/en/aperture/usermanual/index.html#chapter=4%26section=6%26hash=apple_ref:doc:uid:Aperture-UserManual-91292IMP-SW8
    For masters already added to your library you can rename them to match the version names, have a look at the manual regarding Renaming Master Image Files:
    http://documentation.apple.com/en/aperture/usermanual/index.html#chapter=5%26section=15%26tasks=true
