
scouser75

Original poster
Hi guys, one of my kids keeps getting this message pop up on her Mac User Account when she tries to drag and drop documents.

Modifying Password.jpg


I've set up 3 additional user accounts on my Mac Pro running El Capitan. I'm the administrator, I then have a user account for my wife, an account for my eldest and an account for my youngest.

On the computer, I have 3 hard drives. One is the boot disk, which holds only the OS and main applications, files and folders required to run the computer.

I then have 2 additional internal drives for documents etc. Within the first HD, I've set up 4 folders for all 4 of us and named them appropriately. This is so each person can save documents to their own folder rather than have one big folder for all.

But every time my eldest tries to drag and drop documents from the desktop to her own folder, she gets the above message. She has no problems though when she saves a document direct to her folder using the 'Save As' method.

She is the only person who is having this issue.

Any ideas what I can do to resolve this?
 
It sounds like a permissions issue.

My first guess was that the Eldest account didn't own the destination folder, or lacked write permission there.

However, if I correctly understand this sentence:

> She has no problems though when she saves a document direct to her folder using the 'Save As' method.

then that's probably not the problem. Lacking ownership or lacking write permission will prevent all writes, so if "Save As" is really working to the destination folder, then that's probably not the issue.


Looking at the dialog text, it appears that a "move" is occurring, as distinct from a "copy" or duplicate. A "move" implies that the original items are deleted from their original location after the data is copied to its new location.

So my second guess is that the Eldest account lacks write permission on that account's Desktop folder. It's also possible that the finer-grained "delete permission" is missing on the account's Desktop folder.


You can check whether the account's Desktop folder has write permission by doing a "Get Info" on that Desktop folder. That window will also show who owns the folder.


The "delete permission" is something that I don't think shows up in the "Get Info" window. You'll need to use this command, pasted into a Terminal window, while logged into the Eldest account:
Code:
ls -le ~/Desktop

You should then copy and paste the resulting output into a reply post here. A Terminal window supports drag-select, to select the range of text to copy to the clipboard.
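
As an added example (not part of the thread), here is one way to read the `ls -le` output the post above asks for: the function reports who owns each item and whether an ACL entry denies `delete`. The listing is constructed sample data, the account name `eldest` is an assumption, and `audit_listing` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: scan `ls -le` output for ownership and "deny delete" ACL entries.
# SAMPLE is constructed; file names, owners and dates are placeholders.
SAMPLE='total 16
-rw-r--r--  1 eldest  staff  1204 Dec 20 10:01 essay.docx
-rw-r--r--+ 1 eldest  staff   880 Dec 20 10:02 notes.txt
 0: group:everyone deny delete
-rw-r--r--  1 you     staff  2048 Dec 19 18:30 report.pdf
drwxr-xr-x+ 3 eldest  staff    96 Dec 18 09:12 photos
 0: user:eldest allow list,add_file,search
 1: group:everyone deny write,delete,append'

# audit_listing USER: read `ls -le` output on stdin, print one line per finding.
audit_listing() {
  awk -v user="$1" '
    # ACL lines follow the item they belong to: " 0: group:everyone deny delete"
    /^ *[0-9]+: / {
      if ($3 == "deny" && ("," $4 ",") ~ /,delete,/)
        print name ": ACL denies delete to " $2
      next
    }
    # Item lines start with the mode string, e.g. "-rw-r--r--+"
    /^[-dl][-r][-w][-xsS]/ {
      name = $9
      for (i = 10; i <= NF; i++) name = name " " $i   # names with spaces
      if ($3 != user) print name ": owned by " $3 ", not " user
    }
  '
}

# Against a real folder: ls -le ~/Desktop | audit_listing "$(id -un)"
printf '%s\n' "$SAMPLE" | audit_listing eldest
```

The match is on `delete` exactly, so a `delete_child` entry on a folder is not reported by this check.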
 
Chown, thank you for such a top and informative reply.

You are correct. My daughter has no problems saving a document directly to her folder. It was just MOVING she had a problem with. I changed the settings in the Read & Write and all seems to be well now. I think I'd changed the main folder to Read only. I've now changed it to Read & Write.

But this throws up another possible problem...

My wife and I have sub folders in the same Media folder where my daughter's folder is and this is where we save our work and personal documents. We don't want her to be able to access these documents. Is there any way this is possible?

The structure of the setup is as follows. We don't use the main HD on the Mac, but we use a second internal HD to store all our documents.

We have a main folder on the 2nd internal HD titled 'Media'. Within this folder, we have sub folders for each user - me, wifey, child 1 and child 2.

The main folder settings (within which are the sub folders for each user) are as follows:

Main User: Read & Write
Staff: Read & Write
Everyone: Read Only

Then I have a sub folder for my documents, for which the settings are:

Me: Read & Write
Staff: Read Only
Everyone: No access

Unfortunately, I can't change my setting for Staff to Read Only as that option is unavailable.

Then finally, for the Childs, the settings are:

Main User: Read & Write
Staff: Read & Write
Everyone: Read Only

I want to deny access to both childs to mine and my wife's folders.

Is this possible?

I did try the read only option on my sub folder, but as the title says, it's read only and the Childs can open the documents. Which is OK, as there's nothing they shouldn't see on there, but nevertheless, it would be good to have a total block.

I hope this all makes sense 😬
 
> We have a main folder on the 2nd internal HD titled 'Media'. Within this folder, we have sub folders for each user - me, wifey, child 1 and child 2.
>
> The main folder settings (within which are the sub folders for each user) are as follows:
>
> Main User: Read & Write
> Staff: Read & Write
> Everyone: Read Only

Who is "Main User"? Is it you, wifey, or a completely separate account, such as a separate admin account you've created?

This would be easier for me to understand and comment on if you used consistent placeholder account names, such as Me, Wifey, Eldest, Younger.


> Then I have a sub folder for my documents, for which the settings are:
>
> Me: Read & Write
> Staff: Read Only
> Everyone: No access
>
> Unfortunately, I can't change my setting for Staff to Read Only as that option is unavailable.

It's already Read Only, so I don't understand. Did you mean you want to set No Access?


> Then finally, for the Childs, the settings are:
>
> Main User: Read & Write
> Staff: Read & Write
> Everyone: Read Only
>
> I want to deny access to both childs to mine and my wife's folders.
>
> Is this possible?
>
> I did try the read only option on my sub folder, but as the title says, it's read only and the Childs can open the documents. Which is OK, as there's nothing they shouldn't see on there, but nevertheless, it would be good to have a total block.
>
> I hope this all makes sense 😬

Yes, it's possible to set any folder to prevent access by the child accounts. I don't think it's possible using Get Info, only commands in a Terminal window.

If you want to try it, I can give you the commands, but you'll have to post the output, which you may not want to do.


One thing you can start with that doesn't involve the command-line, and will be needed in order to manage the permissions, is to create a group which only the Me and Wifey account belong to, and the Eldest and Younger accounts don't.

See here, under the heading "Create a group":

I suggest a simple group name, such as "parents" or "adults".

If you have a secondary admin account, make sure it's added to the group, too.

If you're OK with using Terminal commands and posting the output, then we can proceed.


There's a completely different approach that uses an encrypted disk-image, which only the Me and Wifey accounts would know the password to. One down side is that it should be kept detached (not mounted or "connected") when not in use, otherwise the other accounts might be able to access it.

Even better would be a completely separate physical device, such as a USB thumb drive or an SD card, that you and your wife only use when necessary. That should also be encrypted, with limited knowledge of the password, and for safety, a separate recovery key printed on paper, kept in a very safe location.

If you want to test out an encrypted disk image, read the following, under the heading "Create a secure disk image":
 
> Who is "Main User"? Is it you, wifey, or a completely separate account, such as a separate admin account you've created?

I will be the main user and administrator.

> This would be easier for me to understand and comment on if you used consistent placeholder account names, such as Me, Wifey, Eldest, Younger.

> It's already Read Only, so I don't understand. Did you mean you want to set No Access?

Yup. I want my folder and my wife's folder as No Access.


> Yes, it's possible to set any folder to prevent access by the child accounts. I don't think it's possible using Get Info, only commands in a Terminal window.
>
> If you want to try it, I can give you the commands, but you'll have to post the output, which you may not want to do.

I could redact anything from the output, can't I?

> One thing you can start with that doesn't involve the command-line, and will be needed in order to manage the permissions, is to create a group which only the Me and Wifey account belong to, and the Eldest and Younger accounts don't.
>
> See here, under the heading "Create a group":
>
> I suggest a simple group name, such as "parents" or "adults".
>
> If you have a secondary admin account, make sure it's added to the group, too.
>
> If you're OK with using Terminal commands and posting the output, then we can proceed.

I'm fine using Terminal. Have used it a few times previously.

> There's a completely different approach that uses an encrypted disk-image, which only the Me and Wifey accounts would know the password to. One down side is that it should be kept detached (not mounted or "connected") when not in use, otherwise the other accounts might be able to access it.
>
> Even better would be a completely separate physical device, such as a USB thumb drive or an SD card, that you and your wife only use when necessary. That should also be encrypted, with limited knowledge of the password, and for safety, a separate recovery key printed on paper, kept in a very safe location.
>
> If you want to test out an encrypted disk image, read the following, under the heading "Create a secure disk image":

Hi mate, apologies for the delayed reply. Just finishing off a manic Xmas period of having friends and family over.

I've given answers above under your questions.

But just to give you a slightly clearer overview of how my system is set up, here it is. I'm the administrator. Everyone else only has a user account each.

The main HD is only used to store the Boot Disk, applications and system files.

The second internal HD is used to store documents for me the admin and each other user. So, in total, on the second HD, there are 4 folders. One is for me (which I want to have no access for the 2 kids). One is for my wife (again no access for the kids). And finally a folder each for the kids. It is within this HD that I want to give No Access to my folder and my wife's folder.

Here's a picture to give you an idea of the setup within the second HD. The redactions are the users (there's one additional folder in there also). I've shown my user folder and the sub folders within.

Folders.jpg


I hope this is a little clearer.

> BatChmod - Change permissions without the Terminal http://lagentesoft.com/batchmod/

Thanks mate. This seems like a nice tool to use. If I have no luck with the other options, I may go with this.
 
If you redact too much, I won't be able to see things that might be needed.

For example, the command line refers to things by name. More specifically, by pathname, which is a list of directories (folders or disks) that "lead to" another named item. That is, the sequence of names is a "path of names" that is followed to refer to a particular item. If you redact names, then I can't tell where things are, and I have to guess about what the names of things are, or what things contain other things. Guessing is a risky approach on the command line, because there are some not-so-obvious rules about how names are interpreted.

You didn't propose a different set of placeholder names, so I'm going to use the following as account names or folder names, depending on context. You will, of course, need to use the actual name:
- You - your admin account
- Wifey - your wife's account
- Eldest - your eldest child's account
- Younger - your younger child's account


If you don't understand something in the steps below, or there are unexpected results, then stop. Instead of proceeding and possibly harming something, ask a specific question about the specific step. Mistakes with the command-line can be costly.


Before anything else, I advise a full backup of all HDs with valuable data on them. Then disconnect the backup media, so if something goes wrong, it can't possibly affect the backup.


First, you should create a group. I linked to the description above, so I won't repeat it.

Give the group the name parents, with exactly that spelling and case.

Add the accounts You and Wifey as group members. DO NOT add Eldest or Younger as group members. Group membership will be what controls access to the Media folders owned by You and Wifey.

You can confirm that You is a member of the parents group by typing this command in a Terminal window:
Code:
id
The output should be a list identifying the user ID (uid) and the groups it's a member of (gids), in both numeric and name form. You should see an entry for the parents group. If not, stop and post a reply here.


Second, make a non-admin user account. It will be deleted later, but for testing you'll need a separate account whose password you know and can login to.

Give this account the name puppet. DO NOT add it to the parents group.


Third, I'm going to use the placeholder name Secondary as the name of your secondary internal disk, where the Media folder resides. You should substitute the actual disk name, or temporarily rename the disk so its actual name is "Secondary".

The following Terminal command should list the contents and permissions info for all the folders in the Media folder on Secondary:
Code:
ls -leO@ '/Volumes/Secondary/Media'

Run the command, then copy and paste the output in a reply post here. You can use placeholder names, but they'll need to be consistent. For example, don't change every name to REDACTED, because then everything will have the same name, and every item will be owned by the same account.

If the command doesn't list the folders, then post the complete exact error message.


In the next steps, I'm going to show commands to:
- make a test folder owned by You, and change its group.
- test access using the puppet account.
- if that works, I'll post the cmds to change the group and permissions on the Media folders for You and Wifey.


I have several time-sensitive tasks happening this week, so it might take me a day or more to make any non-trivial replies here.
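
The thread ends before the promised commands appear. As an added illustration (not the poster's commands), this sketch shows one conventional way to limit a folder to a group, rehearsed on a scratch copy of the layout: change the folder's group, then remove all access for everyone else. The function names are hypothetical, and `parents` and `/Volumes/Secondary/Media/You` follow the placeholders used above.

```shell
#!/bin/sh
# Added example, not the commands promised in the post above.
# Assumptions: a group "parents" exists and the child accounts are not in it.

# perms DIR: the nine permission characters of DIR, e.g. "rwxr-x---".
perms() { ls -ld "$1" | cut -c2-10; }

# restrict_to_group DIR GROUP: hand DIR to GROUP and drop all access for
# everyone else. The thread's folders list "staff" as their group, so the
# group has to change too.
restrict_to_group() {
  chgrp "$2" "$1" && chmod u=rwx,g=rwx,o= "$1"
}

# audit_media DIR: one line per subfolder: name, group, perms, verdict.
# OPEN means accounts outside the owner and group still have some access.
audit_media() {
  for d in "$1"/*/; do
    d=${d%/}
    [ -d "$d" ] || continue
    p=$(perms "$d")
    g=$(ls -ld "$d" | awk '{print $4}')
    case $p in
      ??????---) v=LOCKED ;;
      *)         v=OPEN ;;
    esac
    printf '%s %s %s %s\n' "${d##*/}" "$g" "$p" "$v"
  done
}

# Rehearsal on a scratch copy of the layout; nothing real is touched.
rehearse() {
  t=$(mktemp -d) || return 1
  mkdir -p "$t/Media/You" "$t/Media/Eldest"
  chmod 755 "$t/Media" "$t/Media/You" "$t/Media/Eldest"
  restrict_to_group "$t/Media/You" "$(id -g)"   # real run: parents
  audit_media "$t/Media" | awk '{print $1, $3, $4}'   # group column omitted
  rm -rf "$t"
}
rehearse
```

On the real disk the call would be `restrict_to_group '/Volumes/Secondary/Media/You' parents`, followed by a login as the puppet test account to confirm the folder no longer opens. Mode bits are only part of the picture on macOS, so `ls -led` on the folder should also show no ACL entry that allows access to a child account.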
 