37 Replies. Latest reply: Oct 30, 2015 9:04 AM by dodonian
  • eidsvoog Level 1



    You're a genius.  That's the answer.  The "primary group" must remain as "Administrators" with "Read Only" access.


    At first, I couldn't figure out how to set it back correctly so I unshared a folder, renamed it, created a new one with the old name, moved the files, and shared the new folder.  The primary group comes up as "Administrators" with "Read Only".


    But instead of doing this with about 10 shares, I figured it out.  Under "View" in the Server app, select "Show System Accounts".  Now you can restore the primary group to "Administrators" and set "Read Only".  Make sure to add in the group you had as primary.


    Inheritance problems are over for me.  Thanks so much.


    John Eidsvoog

  • John Vargo Level 2

    What if we don't have the server app? I'm sharing from OS X 10.7.3, not 10.7.3 Server.

  • Darryl C. Level 1

    Hi John,

    There are a few options that you can try.


    1) Use the built-in options Apple provides in the Sharing panel of System Preferences.

    2) Use a free utility like BatChmod to help manage privs.

    3) Learn a few Terminal commands and tinker around that way.


    4) Open the purse strings and purchase Mountain Lion 10.8 upgrade for $19.99, plus the Server application for $19.99, as well.

  • John Vargo Level 2



    Thanks for responding. I think I'm going to start a new thread instead of hijacking!

  • jakemooremd Level 1

    This issue has been driving me bananas but the reason I am working on it at 2:00 am is because I need my file server running correctly tomorrow.


    Darryl C's solution didn't quite work for me, but the issue is I am running LDAP on 2 different servers than this particular file server.  One LDAP server is 10.6.8 and the other 10.7.1.


    Inherited permissions were not working for network users and groups, but by serendipity I created a local user and permissions were inherited correctly for local users and groups.


    This fixed it for me:


    I created a local group and set inherited ACL permissions for that group in the server pane.  Add your network group to this and the permissions propagate.

  • prbsparx Level 1

    Are any of you still having a problem with permissions in OS X Server - Lion or OS X Server - Mountain Lion?


    I am an Apple Consultant and Trainer working with several school districts currently. If you have any problems, please feel free to message me.

  • John Vargo Level 2

    I ended up giving up on it. I downloaded an app called SMBUp and haven't had any problems since.

  • DougTheThug Level 1

    So how do I fix this on 10.6.8?


    It does not appear to have the Server app.


    I am so tired of constantly having to "propagate permission", I am about to throw that useless MAC server out of the window and migrate the data onto a Microsoft Windows 2008 server and have the MAC users map to a windows machine, a solution that I am pretty sure will work way better than using a MAC server.


    Sorry but that MAC server does not impress me one little bit!!!

  • tekman101101 Level 1

    Hello Everybody,


    One of the companies that I support purchased a brand new top of the line MAC server and I was tasked with getting it set up on their mostly Windows domain.


    This is EXACTLY the same issue that I ran into and I spent hours and hours setting and resetting all of the settings on the MAC server EXACTLY as recommended by APPLE....but nothing worked.


    It appears that even Apple is not aware of this flaw.


    1. is a link to a solution that worked PERFECTLY and has now been working for the whole domain for over a year:



  • tekman101101 Level 1

    To make a long story short....


    You simply turn OFF Macintosh's "AFP" (Apple File Protocol) and use Microsoft's "SMB" (a Microsoft sharing protocol going back over twenty years), which is a MUCH better protocol.


    And I know all you DIE HARD Mac people out there are going to hate this solution but I guarantee you it works PERFECTLY.

  • John Vargo Level 2

    It has nothing to do with hate, this just isn't a good solution for companies that run mostly Macs, as SMB performance is much weaker than AFP in a Mac environment.


    In my case, I'm supporting a single Windows workstation, which I would eliminate if I could.

  • Darryl C. Level 1

    Unfortunately, that solution works fine for PCs, but it fails miserably on Macs. There are serious issues and ramifications by having Macs use the SMB protocol. I'll list a couple of problems that I personally ran into by doing this...


    • Directory listings don't get pushed out properly and Mac clients are left with incomplete file listings. At times, folders would appear incomplete or empty, when in actuality they were loaded with files.


    • Microsoft Office freaks out by using SMB. Word and Excel files continually open as "Read Only" and it becomes a nightmare to save files back to the server.


    • Side bar links in the Finder just break. They'll work for a while, but if you restart or log out, they will generally stop working.


    These are just a few of the problems I ran into, but it's enough to say, NEVER AGAIN.


    BUT, the issues that I ran into with SMB were with 10.7.5 Server. I have not tried it in 10.8.2 Server. Hopefully Apple fixed all the SMB issues in 10.8. All I can say is, good luck!

  • tekman101101 Level 1

    Fair enough then....


    Each domain configuration is unique....


    I guess the bottom line then is for Macintosh to actually recognize that there is a flaw on at least 10.6 and fix it...... which they may have already done with 10.7 ???

  • tekman101101 Level 1

    DANG..... sounds like the issue STILL exists in 10.8


    Why is Macintosh completely missing this flaw?


    It's all over the web.

  • tilobauer Level 1

    OS X 10.8.3 Server

    Same symptoms: Wrong inheritance … sometimes … somewhere …


    I don't like the idea of disabling AFP. That's not a solution. (You could call it a temporary workaround.)


    I like the solution of kalmicka: creating new folders and new shares of these folders without touching the initial rights. Seems to solve things, but …


    New folders have these rights:

    Finder info (10.8.3):

    [Screenshot: Bildschirmfoto 2013-03-26 um 20.24.41.png]

    Same folder in (2.2.1) / Storage:

    [Screenshot: Bildschirmfoto 2013-03-26 um 20.28.33.png]


    A freshly created share point under file sharing looks like this (system accounts viewable):


    [Screenshot: Bildschirmfoto 2013-03-26 um 20.35.20.png]


    So – following the advice of kalmicka – "Staff" (which is the primary group) is the group to be untouched by you. (Only member of group "Staff" is "System Administrator" aka root.)



    The problem with this solution is that as long as there is "staff: read only", this volume/share point is viewable by any user on the network:

    [Screenshot: Bildschirmfoto 2013-03-26 um 20.48.09.png]

    Though this user has no rights, he can see everything on this volume/sharepoint.


    What must be done to keep their eyes away from this sharepoint/volume – without changing the primary group "Staff" to "no access"?


    Thanks in advance!