Apple | Mac OS X Server Print Service Administration For Version 10.4 or Later | User manual | Mac OS X Server 10.4 User Management Admin (Manual)
Add to my manuals
232 Pages
advertisement
Mac OS X Server
User Management
For Version 10.4 or Later
K Apple Computer, Inc.
© 2005 Apple Computer, Inc. All rights reserved.
The owner or authorized user of a valid copy of
Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.
Every effort has been made to ensure that the information in this manual is accurate. Apple Computer,
Inc., is not responsible for printing or clerical errors.
Apple
1 Infinite Loop
Cupertino, CA 95014-2084
408-996-1010 www.apple.com
Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.
Apple, the Apple logo, AirPort, AppleShare, AppleTalk,
FireWire, iBook, Keychain, LaserWriter, Mac, Mac OS,
Macintosh, PowerBook, and QuickTime are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Extensions Manager, Finder, and SuperDrive are trademarks of Apple Computer, Inc.
Adobe and PostScript are trademarks of Adobe Systems
Incorporated.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun
Microsystems, Inc. in the U.S. and other countries.
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open
Company, Ltd.
Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance of these products.
019-0170/03-24-05
1
Contents
1
2
13 About This Guide
14
What’s New in Version 10.4
What’s in This Guide
Using Onscreen Help
The Mac OS X Server Suite
Getting Additional Information
If You’re New to Server and Network Management
If You’re an Experienced Server Administrator
21
19 User Management Overview
Tools for User Management
Workgroup Manager
Server Admin
NetBoot
Network Install
Accounts
Administrator Accounts
Users and Managed Users
Guest Users
Groups, Primary Groups, and Workgroups
Computer Lists
The User Experience
Authentication
Identity Validation
Information Access Control
31 Getting Started With User Management
Setup Overview
Planning Strategies for User Management
Analyzing Your Environment
Identifying Directory Services Requirements
Determining Server and Storage Requirements
Using Client Management
3
4
3
41
41
41
Using Mobile Accounts
Portable Home Directories
Devising a Home Directory Strategy
Identifying Groups
Determining Administrator Requirements
Using Workgroup Manager
Working With Pre-Version 10.4 Computers From Version 10.4 Servers
Opening and Authenticating in Workgroup Manager
Major Workgroup Manager Tasks
Listing and Finding Accounts
Working With Account Lists in Workgroup Manager
Listing Accounts in the Local Directory Domain
Listing Accounts in Search Path Directory Domains
Listing Accounts in Available Directory Domains
Refreshing Account Lists
Finding Specific Accounts in a List
Sorting User and Group Lists
Using the Search Button in the Toolbar
Shortcuts for Working With Accounts
Batch Editing
Using Presets
Importing and Exporting Account Information
Backing Up and Restoring User Management Data
Backing Up and Restoring Files
Backing Up Root and Administrator User Accounts
49 User Management for Mobile Clients
Setting Up Mobile Clients
Configuring Portable Computers
Using Mobile Accounts
Creating a Mobile Account
Removing a Mobile Account
The User Experience for Mobile Accounts
Portable Home Directories
Considerations for Assigning Content to Be Synchronized
Managing Mobile Clients
Unknown Mac OS X Portable Computers
Mac OS X Portable Computers With Multiple Local Users
Mac OS X Portable Computers With One Primary Local User
Using Wireless Services
Security Considerations for Mobile Clients
Directory Services
FileVault for Mobile Clients
Contents
4
Security Considerations When Using Portable Home Directories
Loss and Data Recovery Considerations
61
61
57 Setting Up User Accounts
About User Accounts
Where User Accounts Are Stored
Predefined User Accounts
Administering User Accounts
Creating Mac OS X Server User Accounts
Creating Read-Write LDAPv3 User Accounts
Editing User Account Information
Editing Multiple Users Simultaneously
Modifying Accounts in an Open Directory Master
Working With Read-Only User Accounts
Defining a Guest User
Deleting a User Account
Disabling a User Account
Working With Presets for User Accounts
Creating a Preset for User Accounts
Using Presets to Create New Accounts
Renaming Presets
Changing Presets
Deleting a Preset
Working With Basic Settings for Users
Defining Long User Names
Defining Short User Names
Choosing Stable Short Names
Avoiding Duplicate Names
Avoiding Duplicate Short Names
Defining User IDs
Defining Passwords
Setting Password Options for Imported Users
Assigning Administrator Rights for a Server
Assigning Administrator Rights for a Directory Domain
GUIDs
Working With Advanced Settings for Users
Defining Login Settings
Defining a Password Type
Creating a Master List of Keywords
Applying Keywords to User Accounts
Editing Comments
Working With Group Settings for Users
Defining a User’s Primary Group
Contents 5
6
5
6
Adding a User to Groups
Removing a User From a Group
Reviewing a User’s Group Memberships
Working With Home Settings for Users
Working With Mail Settings for Users
Disabling a User’s Mail Service
Enabling Mail Service Account Options
81 Forwarding a User’s Mail
81 Working With Print Settings for Users
Disabling a User’s Access to Print Queues Enforcing Quotas
Enabling a User’s Access to Print Queues Enforcing Quotas
Deleting a User’s Print Quota for a Specific Queue
Resetting a User’s Print Quota
Working With Info Settings for Users
Choosing Settings for Windows Users
85 Setting Up Group Accounts
About Group Accounts
Administering Group Accounts
Where Group Accounts Are Stored
Predefined Group Accounts
Creating Mac OS X Server Group Accounts
Creating Read-Write LDAPv3 Group Accounts
Creating a Preset for Group Accounts
Editing Group Account Information
Creating Nested Groups
Upgrading Legacy Groups
Working With Read-Only Group Accounts
Working With Member Settings for Groups
Adding Users to a Group
91
Removing Users From a Group
Naming a Group
Defining a Group ID
Working With Group Folder Settings
Specifying No Group Folder
Creating a Group Folder in an Existing Share Point
Creating a Group Folder in a New Share Point
Creating a Group Folder in a Subfolder of an Existing Share Point
Designating a Group Folder for Use by Multiple Groups
Deleting a Group Account
101 Setting Up Computer Lists
About Computer Lists
Contents
7
8
102
102
103
104
104
105
105
Special Purpose Computer Lists
Creating a Computer List
Creating a Preset for Computer Lists
Using a Computer List Preset
Adding Computers to an Existing Computer List
Changing Information About a Computer
Moving a Computer to a Different Computer List
106
106
Deleting Computers From a Computer List
Deleting a Computer List
107 Searching for Computer Lists
107 Managing Guest Computers
108 Working With Access Settings
108 Restricting Access to Computers
109
110
Making Computers Available to All Users
Using Local User Accounts
111 Setting Up Home Directories
About Home Directories
112 Avoid Spaces and Long Names in Network Home Directory Path
112 Distributing Home Directories Across Multiple Servers
113 Specifying No Home Directory
Creating a Home Directory for a Local User at a Server
115 Creating a Network Home Directory
117 Creating a Custom Home Directory
119 Setting Up an Automountable AFP Share Point for Home Directories
Setting Up an Automountable NFS or SMB Share Point for Home Directories
121 Setting Disk Quotas
Defining Default Home Directories by Using Presets
Moving Home Directories
Deleting Home Directories
123 Client Management Overview
Using Network-Visible Resources
Defining Preferences
The Power of Preferences
Levels of Control
Degrees of Permanence
Designing the Login Experience
Who Can Log In
Caching Preferences
Helping Users Find Applications
Helping Users Find Group Folders
Installing and Booting Over the Network
Contents 7
8
9
Day-to-Day Client Administration
135 Managing Preferences
How Workgroup Manager Works With Mac OS X Preferences
Managing Preferences
About the Preferences Cache
Updating the Managed Preferences Cache at Intervals
Updating the Preference Cache Manually
Managing User Preferences
Managing Group Preferences
140
Managing Computer Preferences
Editing Preferences for Multiple Records
140 Disabling Management for Specific Preferences
Managing Access to Applications
142
142
143
Creating a List of Applications Users Can Open
Preventing Users From Opening Applications on Local Volumes
Managing Access to Helper Applications
Controlling the Operation of UNIX Tools
144 Managing Classic Preferences
144 Selecting Classic Startup Options
145
146
Choosing a Classic System Folder
Allowing Special Actions During Restart
146
147
Controlling Access to Classic Apple Menu Items
Adjusting Classic Sleep Settings
148 Maintaining Consistent User Preferences for Classic
148 Managing Dock Preferences
148
149
150
Controlling the User’s Dock
Providing Easy Access to Group Folders
Adding Items to a User’s Dock
Preventing Users From Adding or Deleting Items in the Dock
Managing Energy Saver Preferences
Using Sleep and Wake Settings for Desktop Computers
Working With Energy Saver Settings for Portable Computers
Displaying Battery Status for Users
154 Scheduling Automatic Startup, Shutdown, or Sleep
Managing Finder Preferences
Setting Up Simple Finder
Keeping Disks and Servers From Appearing on the User’s Desktop
Controlling the Behavior of Finder Windows
Hiding the Alert Message When a User Empties the Trash
Making Filename Extensions Visible
Controlling User Access to Remote Servers
Controlling User Access to an iDisk
Contents
Preventing Users From Ejecting Disks
Hiding the Burn Disc Command in the Finder
Controlling User Access to Folders
160
160
Removing Restart and Shut Down From the Apple Menu
Adjusting the Appearance and Arrangement of Desktop Items
Adjusting the Appearance of Finder Window Contents
162 Managing Internet Preferences
162
163
Setting Email Preferences
Setting Web Browser Preferences
163 Managing Login Preferences
164 Specifying How a User Logs In
165
166
166
Opening Items Automatically After a User Logs In
Providing Access to a User’s Network Home Directory
Providing Easy Access to the Group Share Point
Preventing Restarting or Shutting Down the Computer at Login
168
168
Using Hints to Help Users Remember Passwords
Enabling Simultaneous Multiple Users on a Client Computer
169 Enabling Automatic Logout for Idle Users
169 Login and Logout Scripts
Managing Media Access Preferences
Controlling Access to CDs, DVDs, and Recordable Discs
Controlling Access to Hard Drives and Disks
Ejecting Items Automatically When a User Logs Out
Managing Mobility Preferences
Managing Network Preferences
Configuring Proxy Servers by Port
Managing Printing Preferences
Making Printers Available to Users
Preventing Users From Modifying the Printer List
Restricting Access to Printers Connected to a Computer
Setting a Default Printer
180
Restricting Access to Printers
Managing Software Update Preferences
Managing Access to System Preferences
Managing Universal Access Preferences
Adjusting the User’s Display Settings
Setting a Visual Alert
Adjusting Keyboard Responsiveness
Adjusting Mouse and Pointer Responsiveness
180
Enabling Universal Access Shortcuts
Allowing Devices for Users With Special Needs
Using the Preference Editor With Preference Manifests
182 Adding a Managed Preference by Importing it From an Application
Contents 9
10
10
11
183
183
Editing Preference Values for an Application
Removing Preference Values With the Preferences Editor
185 Managing Network Views
185 Types of Managed Network Views
186 Creating a Managed Network View
Editing Managed Network Views
188 Defining Neighborhoods for Managed Network Views
188
189
Adding Neighborhoods to Managed Network Views
Deleting Neighborhoods From Managed Network Views
189 Defining Computers for Managed Network Views
189 Showing Computers in Managed Network Views
190 Deleting Computers From Managed Network Views
Defining Dynamic Lists for Managed Network Views
Adding Dynamic Lists to Managed Network Views
Deleting Dynamic Lists From Managed Network Views
Defining Use of Managed Network Views by Client Computers
How a Computer Finds Its Managed Network Views
194
Enabling Managed Network View Visibility
Disabling Managed Network View Visibility
Setting Managed Network View Refresh Rate
Setting Finder Behavior With Managed Network Views
198
199
200
200
200
200
201
201
197 Solving Problems
Online Help and the Apple Service & Support website
Solving Account Problems
You Can’t Modify an Account Using Workgroup Manager
198
198
198
You Can’t See Certain Users in the Login Window
You Can’t Unlock an LDAP Directory
You Can’t Modify a User’s Open Directory Password
You Can‘t Change a User’s Password Type to Open Directory
You Can’t Assign Server Administrator Privileges
Users Can’t Log In or Authenticate
Users Relying on a Password Server Can’t Log In
Users Can’t Log In With Accounts in a Shared Directory Domain
Users Can’t Access Their Home Directories
Users Can’t Change Their Passwords
A Mac OS X User in Shared NetInfo Domain Can’t Log In
Users Can’t Authenticate Using Single Sign-On or Kerberos
202 Solving Preference Management Problems
202 You Can’t Enforce Default Web Settings
202
202
You Can’t Enforce Default Mail Settings
Users Don’t See a List of Workgroups at Login
Contents
202
203
203
203
204
204
204
Users Can’t Open Files
Users Can’t Add Printers to a Printer List
Login Items Added by a User Don’t Open
Items Placed in the Dock by a User Are Missing
A User’s Dock Has Duplicate Items
Users See a Question Mark in the Dock
Users See a Message About an Unexpected Error
A 205 Importing and Exporting Account Information
205 Understanding What You Can Export and Import
206 Using Workgroup Manager to Import Users and Groups
207 Using Workgroup Manager to Export Users and Groups
208 Using dsimport to Import Users and Groups
208 Using XML Files Created With Mac OS X Server v10.1 or Earlier
209 Using XML Files Created With AppleShare IP 6.3
209 Using Character-Delimited Files
Writing a Record Description
B 213 ACL Permissions and Group Memberships Using GUID
213 Understanding GUIDs
ACLs Augment POSIX Permissions
GUIDs and Groups
File Permissions and Synchronization
SIDs and Windows Interoperability
Importing and Exporting Users
217
229
Contents 11
12 Contents
About This Guide
This guide tells you how to use Workgroup Manager to set up and manage home directories, accounts, preferences, and settings for clients.
•
•
•
•
What’s New in Version 10.4
Portable Home Directories. Users with portable computers can now enjoy synchronized versions of home directory folders locally and on the network. Portable
Home Directories synchronize selected content across local and network home directories based on the most recent version of a file.
Trusted directory binding. Users with portable computers can use trusted binding to make sure that servers accessed as they move around are trustworthy. Trusted binding offers a way for a client computer to authenticate to an LDAP server and for
the LDAP server to authenticate to the client. For more information, see Chapter 3,
“User Management for Mobile Clients,” on page 49.
Managed network views. You can now control what users see when they select the
Network icon in the sidebar of a Finder window (or choose Go > Network). A managed network view is one or more network neighborhoods, which appear in the
Finder as folders. Each folder contains a list of resources the server administrator has associated with the folder. Managed network views offer a meaningful way to present network resources. You can create multiple views for different client computers. And because the views are stored using Open Directory, a computer’s network neighborhood is automatically available when a user logs in. For more
information, see Chapter 10, “Managing Network Views,” on page 185.
Preference manifests and preference editor. If you want fine-grain control of preference settings, you can work with Workgroup Manager’s new preference editor which can utilize preference manifests where they exist. Preference manifests are files that describe the structure and values of an application’s or utility’s preferences. The preference editor can create or edit any PLIST (Preference File) and incorporates preference manifests to thoroughly describe preference settings which customize
the behavior of applications and utilities. For more information, see “Using the
Preference Editor With Preference Manifests” on page 181.
13
14
• User information. You can enter and edit personal data for each user, such as his or her address, phone numbers, iChat names, and webpage URL. The Address Book
application can access this information. For more information, see “Working With Info
Settings for Users” on page 84.
•
•
•
•
•
•
•
•
•
•
•
•
What’s in This Guide
This guide is organized as follows:
Chapter 1, “User Management Overview,” highlights important concepts, introduces
the user management tools, and tells you where to find additional information about user management and related topics.
Chapter 2, “Getting Started With User Management,” describes how to use features
and shortcuts to maximize efficiency when setting up and maintaining accounts and managed preferences.
Chapter 3, “User Management for Mobile Clients,” discusses considerations for
managing portable computers.
Chapters 4, 5, 6 tell you how to use Workgroup Manager to set up users, groups, and computer lists.
Chapter 7, “Setting Up Home Directories,” covers creating home directories.
Chapter 8, “Client Management Overview,” introduces client management tools and
concepts such as how to customize a user’s working environment and provide user access to network resources.
Chapter 9, “Managing Preferences,” describes how to use Workgroup Manager to
control preference settings for users, groups, and computers that use Mac OS X.
Chapter 10, “Managing Network Views,” discusses how you can create network views
in workgroup Manager to customize the browsing experience for each computer and control what appears in the Network folder in the Finder of that computer.
Chapter 11, “Solving Problems,” helps you address issues involving account creation,
home directory maintenance, preference management, or client setup; and also helps you solve problems encountered by managed clients.
Appendix A, “Importing and Exporting Account Information,” provides information
you’ll need when you want to transfer account information to or from an external file.
Appendix B, “ACL Permissions and Group Memberships Using GUID,”describes a user
identifier new in version 10.4.
The Glossary defines terms you’ll encounter as you read this guide.
Note: Because Apple frequently releases new versions and updates to its software, images shown in this book may be different from what you see on your screen.
Preface About This Guide
Using Onscreen Help
If you want to work with accounts, change preference settings, set up new home directories, or do any other day-to-day administration task, you can find step-by-step procedures by using the onscreen help available with Workgroup Manager. While all the administration tasks are also documented in this guide, sometimes it’s more convenient to retrieve information via onscreen help while using your server.
•
•
•
On a computer running Mac OS X Server, you can access onscreen help after opening
Workgroup Manager or Server Admin. From the Help menu, select one of the options:
Workgroup Manager Help or Server Admin Help displays information about the application.
Mac OS X Server Help displays the main server help page, from which you can search or browse for server information.
Documentation takes you to www.apple.com/server/documentation, from which you can download server documentation.
You can also access onscreen help from the Finder or other applications on a server or on an administrator computer. (An administrator computer is a Mac OS X computer with server administration software installed on it.) Use the Help menu to open Help
Viewer, then choose Library > Mac OS X Server Help.
To see the latest server help topics, make sure the server or administrator computer is connected to the Internet while you’re using Help Viewer. Help Viewer automatically retrieves and caches the latest server help topics from the Internet. When not connected to the Internet, Help Viewer displays cached help topics.
The Mac OS X Server Suite
The Mac OS X Server documentation includes a suite of guides that explain the services and provide instructions for configuring, managing, and troubleshooting the services.
All of the guides are available in PDF format from: www.apple.com/server/documentation/
This guide ...
Mac OS X Server Getting Started for Version 10.4 or Later
Mac OS X Server Upgrading and
Migrating to Version 10.4 or Later
Mac OS X Server User
Management for Version 10.4 or
Later
Mac OS X Server File Services
Administration for Version 10.4 or
Later tells you how to:
Install Mac OS X Server and set it up for the first time.
Use data and service settings that are currently being used on earlier versions of the server.
Create and manage users, groups, and computer lists. Set up managed preferences for Mac OS X clients.
Share selected server volumes or folders among server clients using these protocols: AFP, NFS, FTP, and SMB/CIFS.
Preface About This Guide 15
16
This guide ...
Mac OS X Server Print Service
Administration for Version 10.4 or
Later
Mac OS X Server System Image and Software Update
Administration for Version 10.4 or
Later
Mac OS X Server Mail Service
Administration for Version 10.4 or
Later tells you how to:
Host shared printers and manage their associated queues and print jobs.
Use NetBoot and Network Install to create disk images from which
Macintosh computers can start up over the network. Set up a software update server for updating client computers over the network.
Set up, configure, and administer mail services on the server.
Mac OS X Server Web
Technologies Administration for
Version 10.4 or Later
Set up and manage a web server, including WebDAV, WebMail, and web modules.
Mac OS X Server Network Services
Administration for Version 10.4 or
Later
Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall, and NAT services on the server.
Manage directory and authentication services.
Mac OS X Server Open Directory
Administration for Version 10.4 or
Later
Mac OS X Server QuickTime
Streaming Server Administration for Version 10.4 or Later
Set up and manage QuickTime streaming services.
Mac OS X Server Windows
Services Administration for
Version 10.4 or Later
Mac OS X Server Migrating from
Windows NT for Version 10.4 or
Later
Set up and manage services including PDC, BDC, file, and print for
Windows computer users.
Move accounts, shared folders, and services from Windows NT servers to Mac OS X Server.
Mac OS X Server Java Application
Server Administration For Version
10.4 or Later
Configure and administer a JBoss application server on Mac OS X
Server.
Use commands and configuration files to perform server administration tasks in a UNIX command shell.
Mac OS X Server Command-Line
Administration for Version 10.4 or
Later
Mac OS X Server Collaboration
Services Administration for
Version 10.4 or Later
Set up and manage weblog, iChat, and other services that facilitate interactions among users.
Mac OS X Server High Availability
Administration for Version 10.4 or
Later
Manage IP failover, link aggregation, load balancing, and other hardware and software configurations to ensure high availability of
Mac OS X Server services.
Preface About This Guide
This guide ...
Mac OS X Server Xgrid
Administration for Version 10.4 or
Later tells you how to:
Manage computational Xserve clusters using the Xgrid application.
Mac OS X Server
Glossary: Includes Terminology for
Mac OS X Server, Xserve, Xserve
RAID, and Xsan
Interpret terms used for server and storage products.
Getting Additional Information
Regardless of your server administration experience, this resource may be of interest:
Apple customer training—instructor-led and self-paced courses for honing your server administration skills.
train.apple.com/
If You’re New to Server and Network Management
For more information, consult these resources:
Mac OS X Server website—gateway to extensive product and technology information.
www.apple.com/macosx/server/
AppleCare Service & Support—access to hundreds of articles from Apple’s support organization.
www.apple.com/support/
Apple discussion groups—a way to share questions, knowledge, and advice with other administrators.
discussions.info.apple.com/
•
Reference materials—publications such as the following, which contain background information, explanations of basic concepts, and ideas for getting the most out of your
• network:
Teach Yourself Networking Visually, by Paul Whitehead and Ruth Maran (IDG Books
Worldwide, 1998).
Internet and Intranet Engineering, by Daniel Minoli (McGraw-Hill, 1997).
Preface About This Guide 17
If You’re an Experienced Server Administrator
For more information, consult these resources:
Read Me documents—important updates and special information. Look for them on the server discs.
Mac OS X Server website—gateway to extensive product and technology information.
www.apple.com/macosx/server/
AppleCare Service & Support—access to hundreds of articles from Apple’s support organization.
www.apple.com/support/
Apple discussion groups—a way to share questions, knowledge, and advice with other administrators.
discussions.info.apple.com/
Apple mailing list directory—subscribe to mailing lists so you can communicate with other administrators using email. discussions.info.apple.com/
Reference materials—numerous publications are available from online resources such as this one.
www.ora.com
For additional information about Apache, go to www.apache.org/.
18 Preface About This Guide
1
User Management Overview
1
This chapter introduces important user management concepts and describes the applications you’ll use to manage accounts and privileges.
User management encompasses everything from setting up accounts for network access and creating home directories, to fine-tuning the user experience by managing preferences and settings for users, groups, and computer lists. Mac OS X Server provides tools for accomplishing all these tasks.
Tools for User Management
Primary user management tools and applications in Mac OS X Server include
Workgroup Manager, Server Admin, Netboot, and Network Install.
Workgroup Manager
Workgroup Manager is a powerful tool that delivers a range of features for comprehensive management of Macintosh clients. You can use Workgroup Manager directly from the server, or you can install Workgroup Manager independently of the
Mac OS X Server software on a non-server client computer.
Workgroup Manager provides network administrators with a centralized method of managing Mac OS X workstations, controlling access to software and removable media, and providing a consistent, personalized experience for users at different levels, whether they’re beginners in a classroom or advanced users in an office.
Using Workgroup Manager, you can create user accounts and set up groups to provide convenient access to resources. You can add and configure computer lists which can selectively permit or deny privileges to users or groups for specific computers or printers. You can manage user settings for mail, printing and home folders. Workgroup
Manager allows you to configure and manage share points. You can also use account settings and managed preferences to allow more or less flexibility to suit the level of administrative control you need.
19
20
•
•
When Workgroup Manager is used in conjunction with other Mac OS X Server services,
• you can:
Connect users to one another, using services such as mail, file sharing, iChat service, and Weblog service.
Share system resources, such as printers and computers, maximizing their availability as users move about and making sure that disk space and printer usage remain equitably shared.
Customize working environments, such as desktop resources and personal files, of network users.
Preference Management
You can use Mac OS X Server’s Workgroup Manager application to tailor the work environments of Mac OS X clients. Preferences you define for individual users and groups provide a consistent desktop, application, and network appearance regardless of the Macintosh computer they use to log in. Preferences defined for computer lists ensure a consistent user experience on computers in the list.
To learn more about client management tools and concepts, read Chapter 8, “Client
Home Directories
A home directory is a folder where a user’s files and preferences are stored. Other users can see a user’s home directory and read files in its Public folder, but they can’t (by default) access anything else in that directory. This is true only for other users whose home folders reside on the same server or sharepoint.
When you create a user in a directory domain on the network, you specify the location of the user’s home directory on the network, and the location is stored in the user account and used by various services, including the login window and Mac OS X
Managed Client services.
The Portable Home Directories feature synchronizes a mobile user's local home folder and network home folder automatically (or on demand). Synchronization can also be controlled by managed preferences. For more information about mobile accounts, see
Chapter 3, “User Management for Mobile Clients.”
Mail Settings
You can create a Mac OS X Server mail service account for a user by setting up mail settings in the user’s account. To use the mail account, the user simply configures a mail client using the mail settings you specify.
Mail account settings let you control a user’s access to mail services running on a particular Mac OS X Server. For mail accounts residing on servers using versions of
Mac OS X earlier than 10.3, you can also manage account characteristics such as how to handle automatic message arrival notification.
Chapter 1 User Management Overview
For details on settings for Mac OS X mail service, see the mail service administration guide.
Resource Usage
Disk, print, and mail quotas can be stored in a user account.
Mail and disk quotas limit the number of megabytes available for a user’s mail or files.
Print quotas limit the number of pages a user can print using Mac OS X Server print services. Print quotas also can be used to disable a user’s print service access altogether. User print settings work in conjunction with print server settings, which are explained in the print service administration guide.
Server Admin
The Server Admin application provides access to various tools and services that play a role in server management. This impacts user management directly. Once you have installed the Mac OS X Server software, set up directory services, and established your network, you can start creating and managing accounts using Workgroup Manager.
After setting up accounts and home directories, you can use Server Admin to set up additional services to provide mail service, host websites or share printers. Workgroup
Manager can then be used to create share points and to allow users to share folders and files once the server has been setup.
For more information about using Server Admin tools, refer to the documents listed in the table below.
If you want to
Assign permissions to folders and files within a share point
Share printers among users
Set up websites or WebDAV support on the server
Provide email service for users
Broadcast multimedia in real time from the server
Read about
Workgroup Manager
Print service
Web service
Mail service
QuickTime Streaming Service
Provide identical operating system and applications folders for client computers
Server Admin
In this document
Mac OS X Server File Services
Administration For Version 10.4 or Later
Mac OS X Server Print Service
Administration For Version 10.4 or Later
Mac OS X Server Web
Technologies Administration For
Version 10.4 or Later
Mac OS X Server Mail Service
Administration For Version 10.4 or Later
Mac OS X Server QuickTime
Streaming Server Administration
For Version 10.4 or Later
Mac OS X Server System Image and Software Update
Administration for Version 10.4 or Later
Chapter 1 User Management Overview 21
If you want to
Install applications across a network
Share information among multiple Mac OS X Servers or
Mac OS X Computers
Read about
Network Install
Directory services
In this document
Mac OS X Server System Image and Software Update
Administration for Version 10.4 or Later
Mac OS X Server Open Directory
Administration For Version 10.4 or Later
NetBoot
With NetBoot, Mac OS 9 and Mac OS X computers can start up from a network-based system disk image, providing quick and easy configuration of department, classroom, and individual systems as well as web and application servers throughout a network.
When you update NetBoot images, all computers using NetBoot have instant access to the new configuration.
Macintosh clients can boot from a system disk image located on Mac OS X Server instead of from the client computer’s disk drive. You can set up multiple NetBoot disk images, so you can boot clients into Mac OS 9 or X or even set up customized
Macintosh environments for different groups of clients.
NetBoot can simplify the administration and reduce the support normally associated with large-scale deployments of network-based Macintosh systems. NetBoot is ideal for an organization with a number of client computers that need to be identically configured. For example, NetBoot can be a powerful solution for a data center that needs multiple, identically configured web and application servers.
With NetBoot, administrators can configure and update client computers instantly by simply updating a boot image stored on the server. Each image contains the operating system and application folders for all clients on the server. Any changes made on the server are automatically reflected on the clients when they reboot. Systems that are compromised or otherwise altered can be instantly restored by rebooting.
•
•
•
You use several other applications to administer NetBoot:
NetBoot Desktop Admin (for modifying Mac OS 9 images)
System Image Utility (for creating and modifying Mac OS X images)
DHCP and NetBoot (used in conjunction to save NetBoot images)
For more information about these tools or about installing an operating system over a network, read the system image and software update administration guide.
22 Chapter 1 User Management Overview
Network Install
Network Install is a centralized network software installation service. It lets you
• selectively and automatically install, restore, or upgrade network-based Macintosh systems anywhere in the organization. You use PackageMaker, which is accessed via
Xcode, to create Network Install packages. Installation images can contain the latest release of Mac OS X, a software update, site-licensed or custom applications, and
• configuration scripts.
Network Install is an excellent solution for operating system migrations, installing software updates and custom software packages, restoring computer classrooms and labs, and reimaging desktop and portable computers.
You can define custom installation images for various departments in an organization, such as marketing, engineering, and sales.
With Network Install you don’t need to insert multiple CDs to configure a system.
All the installation files and packages reside on the server and are installed on the client computer at one time. Network Install also includes pre- and post-installation scripts you can use to invoke actions prior to or after the installation of a software package or system image.
For more information about using Network Install, read the system image and software update administration guide.
Accounts
There are three kinds of accounts you can set up with Workgroup Manager: user accounts, group accounts, and computer lists.
When you define a user’s account, you specify the information needed to prove the user’s identity: user name, password, and user identification number (user ID). Other information in a user’s account is needed by various services—to determine what the user is authorized to do and perhaps to personalize the user’s environment. Along with accounts you create, Mac OS X Server has some predefined users and group accounts, some of which are reserved for use by Mac OS X.
Administrator Accounts
Users with server or directory domain administration privileges are known as
administrators. An administrator can be a server admin, domain admin, or both. Server administrator privileges determine whether a user can view info about or change the settings of a particular server. Domain administrator privileges determine the extent to which the user can view or change the account settings for users, groups, and computer lists in the directory domain.
Chapter 1 User Management Overview 23
24
•
•
Server Administration
Server administration privileges determine the powers a user has when logged in to a particular Mac OS X Server. For example:
A server administrator can use Server Admin and can make changes to a server’s search policy using Directory Access.
A server administrator can see all the AFP directories on the server (from a computer other than the server), not just share points.
When you assign server administration privileges to a user, the user is added to the predefined group named “admin” in the local directory domain of the server. Many
Mac OS X applications—such as Server Admin, Directory Access, and System
Preferences—use the admin group to determine whether a particular user can perform certain administrative activities with the application. The primary Administrator
(“admin” user) is user ID 501 in the server's local directory.
Local Mac OS X Computer Administration
Any user who belongs to the group “admin” in the local directory domain of any
Mac OS X computer has administrator rights on that computer.
Directory Domain Administration
In Mac OS X Server, when you create a directory domain, a domain administrator account is also created and added to the admin group in the domain. The UID of the domain administrator defaults to 1000 when the account creation dialogue appears, at which time you also have to set the name and password. The domain administrator account is also a server administrator account, but the server administrator is not a domain administer by default. Each directory has a separate domain administrator account and a domain administrator can create additional administrators in the same domain.
You can allow certain users to manage specific accounts. For example, you may want to make a network administrator the server administrator for all your classroom servers, but give individual teachers the privileges to manage student accounts in particular directory domains. Any user who has a user account in a directory domain can be made a directory domain administrator (an administrator of that domain).
You can control the extent to which a directory domain administrator can change account data stored in a domain. For example, you may want to set up directory domain privileges so your network administrator can add and remove user accounts, but other users can change the information for particular users. Or you may want to designate multiple administrators to manage different groups.
When you assign directory domain administration privileges to a user, the user is added to the admin group of the server on which the directory domain resides.
Chapter 1 User Management Overview
Users and Managed Users
Depending on how you set up your server and your user accounts, users can log in using Mac OS 9 and Mac OS X computers, Windows computers, or UNIX computers and be supported by Mac OS X Server in their work.
Most users have an individual account used to authenticate them and control their access to services. When you want to personalize a user’s environment, you define user, group, or computer preferences for that user. The term managed client or managed user designates a user who has administrator-controlled preferences associated with his or her account. Managed client is also used to refer to computer lists that have preferences defined for them.
When a managed user logs in, the preferences that take effect are a combination of the user’s preferences and preferences set up for any workgroup or computer list he or she
belongs to. See Chapter 9, “Managing Preferences,” on page 135 for managed user
information.
Guest Users
You may want to provide services for individuals who are anonymous; that is, they can’t be authenticated because they don’t have a valid user name or password. These users are known as guest users.
With some services, such as AFP, you can specify whether to let guest users access files.
If you enable guest access, users who connect anonymously are restricted to files and folders with permissions set to Everyone. The guest user account is used when no matching user record is found during authentication.
Groups, Primary Groups, and Workgroups
A group is simply a collection of users who have similar needs. For example, you can add all English teachers to one group and give the group permission to access certain files or folders on a volume.
Groups simplify the administration of shared resources. Instead of granting access to various resources to each individual who needs them, you can add the users to a group and then grant access to everyone in the group.
Information in group accounts is used to help control user access to directories and
files. See “Directory and File Access by Other Users” on page 30 for a description of how
this works.
Furthermore, groups can be nested within groups. For example, a group can be a member of another group. A group that contains another group is called a parent group, and the group that is contained is called a nested group. Nested groups are useful for inheriting access permissions and managed preferences at login time.
Chapter 1 User Management Overview 25
Group Folders
When you define a group, you can also specify a folder for storing files you want group members to share. The location of the folder is stored in the group account.
You can give individual users permission to write to a group folder or to change group folder attributes in the Finder.
Workgroups
When you define preferences for a group it is known as a workgroup. A workgroup provides you with a way to manage the working environment of group members.
Any preferences you define for a Mac OS X workgroup are stored in the group account.
See Chapter 9, “Managing Preferences,” on page 135 for a description of workgroup
preferences.
Computer Lists
A computer list comprises one or more computers that have the same preference settings and that are available to particular users and groups. You can create and modify computer lists in Workgroup Manager.
To learn more about how to set up computer lists for Mac OS X client computers, see
Chapter 6, “Setting Up Computer Lists.” To specify preferences for Mac OS X computer
lists, Chapter 9, “Managing Preferences.”
Guest Computers
Most computers on your network should be in a named computer list. If an unknown computer (one that isn’t already in a computer list) connects to your network and attempts to access services, that computer is treated as a guest. Settings chosen for a
Guest Computers list apply to these unknown, or guest, computers.
A Guest Computers list is automatically created for a server’s local directory domain.
If the server is an Open Directory master or replica, a Guest Computers list is also created for its LDAP directory domain.
26 Chapter 1 User Management Overview
The User Experience
Once you have created an account for a user, the user can access server resources
•
•
•
•
• according to the permissions you have allowed. For most users, the typical flow of events from login to logout occurs as follows:
Authentication The user enters a name and password.
Identity Validation The user name and password are verified by directory services.
Login The user is granted access to the server and network resources.
Access The user connects to and utilizes approved servers, share points, and applications.
Logout The user’s session is terminated.
Details of the user experience may vary depending upon the type of user, the permissions allowed, the type of client computer (such as Windows or UNIX) currently in use, whether the user is a member of a group, and whether preference management has been implemented at the user, group, or computer level.
You’ll find information about the Mac OS X user experience in Chapter 8, “Client
Management Overview.” Basic information about authentication, password validation,
and information access control is given in the sections that follow. For more detailed information about these topics, see the file services administration guide.
Authentication
Before a user can log in to or connect with a Mac OS X computer, he or she must enter a name and password associated with a user account that the computer can find.
•
A Mac OS X computer can find user accounts that are stored in a directory domain of
• the computer’s search policy.
A directory domain stores information about users and resources. It is like a database that a computer is configured to access in order to retrieve configuration information.
A search policy is a list of directory domains the computer searches when it needs configuration information, starting with the local directory domain on the user’s computer.
The Open Directory administration guide describes the different kinds of directory domains and tells you how to configure search policies on any Mac OS X computer. It also discusses different kinds of authentication methods and instructions for setting up user authentication options.
Chapter 1 User Management Overview 27
The following picture shows a user logging in to a Mac OS X computer that can locate the user’s account in a directory domain within its search policy.
Log in to
Mac OS X
Directory domains in search policy
After login, the user can connect to a remote Mac OS X computer if the user’s account can be located within the search policy of the remote computer.
Connect to
Mac OS X Server
Directory domains in search policy
If Mac OS X finds a user account containing the name entered by the user, it attempts to validate the password associated with the account. If the password can be validated, the user is authenticated and the login or connection process is completed.
After logging in to a Mac OS X computer, a user has access to all the resources defined in the directories in his or her computer’s search path, such as home directories, printers, and share points. A share point is a hard disk (or hard disk partition), CD-ROM disc, or folder that contains files you want users to share. Users can access their home directories by clicking their home folder in a Finder window or choosing Home from the Finder’s Go menu.
A user doesn’t have to log in to a server to gain access to resources on a network. For example, when a user connects to a Mac OS X computer, the user can access files he or she is authorized to access on the computer, although the file system may prompt the user to enter a user name and password first. When a user accesses a server’s public resources without logging in to the server, the search policy of the user’s computer remains in force, not the search policy of the computer the user has connected to.
28 Chapter 1 User Management Overview
Identity Validation
When authenticating a user, Mac OS X first locates the user’s account and then uses the password strategy designated in the user’s account to validate the user’s password.
Open
Directory
Kerberos KDC
Authentication
User account
Password can be validated using value stored in user account or Open Directory authentication database.
Password can also be validated using another authentication authority.
LDAP bind
Open Directory gives you several options for validating a user’s password. For more details about password validation options, read the Open Directory administration guide.
Information Access Control
For any directory (folder) or file on a Mac OS X computer, you can specify permissions
•
•
• for: the file’s owner the file’s group everyone else
MyDoc
Owner 127 can: Read & Write
Group 2017 can: Read only
Everyone else can: None
Mac OS X uses a particular data item in a user’s account—the user ID—to keep track of directory and file permissions.
Chapter 1 User Management Overview 29
Directory and File Owner Access
When a directory or file is created, the file system stores the user ID of the user who created it. When a user with that user ID accesses the directory or file, he or she can read and write to it by default. In addition, any process started by the creator can read and write to any files associated with the creator’s user ID.
If you change a user’s user ID, the user may no longer be able to modify or even access files and directories he or she created. Likewise, if the user logs in as a user whose user ID is different from the user ID he or she used to create the files and directories, the user will no longer have owner permissions for them.
Directory and File Access by Other Users
The user ID, in conjunction with a group ID, is also used to control access by users who are members of particular groups, or of parent groups.
•
•
•
•
Every user belongs to a primary group. The primary group ID for a user is stored in the user’s account. When a user accesses a directory or file and the user isn’t the owner, the file system checks the file’s group permissions.
If the user’s primary group ID matches the ID of the group associated with the file, the user inherits group permissions.
If the user’s primary group ID doesn’t match the file’s group ID, Mac OS X searches for the group account that does have permission. The group account contains a list of the short names of users who are members of the group. The file system maps each short name in the group account to a user ID, and if the user’s ID matches the user ID of a group member, the user is granted group permission for the directory or file.
If the user’s primary group ID (or a parent group ID) matches the ID of the group associated with the file (or a parent group), the user inherits group permissions.
If neither of these cases applies, the user’s access permissions default to the generic
“everyone/world.”
Globally Unique Identifiers
Beginning with Mac OS X version 10.4, a universal ID called a globally unique identifier
(GUID, pronounced GOO-id) provides user and group identity for ACL permissions. The
GUID also associates a user with group and nested group memberships.
A discussion of GUIDs and their implications appears in Appendix B.
30 Chapter 1 User Management Overview
2
Getting Started With
User Management
2
This chapter provides information for setting up a user management environment.
•
•
•
•
•
•
The chapter contains planning guidelines as well as tips for using the main user management tool, Workgroup Manager:
Setup overview appears below on this page.
Planning strategies for user management appear on page 37.
Instructions for using Workgroup Manager start on page 41.
Instructions for listing and finding accounts in Workgroup Manager start on page 43.
Shortcuts for working with accounts are provided on page 47.
Backing up and restoring user management files are addressed on page 48.
Setup Overview
•
•
•
•
•
•
•
•
•
•
This section provides an overview of user management setup tasks, with the goal of understanding the sequence in which an administrator would create a managed
• environment. Not all steps will be necessary in all cases:
Step 1: Before you begin, do some planning.
Step 2: Set up the server infrastructure.
Step 3: Set up an administrator computer.
Step 4: Set up a home directory share point.
Step 5: Create user accounts and home directories.
Step 6: Set up client computers.
Step 7: Define user account preferences.
Step 8: Create group accounts and group folders.
Step 9: Define group account preferences.
Step 10: Define computer lists and preferences.
Step 11: Plan for ongoing account maintenance.
31
32
Step 1: Before you begin, do some planning
Analyze your users’ needs to determine which directory service configuration and
home directory set up would be most suitable for them. See “Planning Strategies for
Step 2: Set up the server infrastructure
Make sure that one or more Mac OS X Servers are set up for hosting user accounts, group accounts, computer lists, home directories, group folders, and other shared folders. New servers come preinstalled with Mac OS X Server software. Use Server
Assistant (residing in /Applications/Server/) to perform initial server setup. If you need to install server software, use the getting started guide first to understand system requirements and installation options.
Set up the server so that it hosts or provides access to shared directory domains.
Shared directory domains (also called shared directories) contain user, group, and computer information you want many computers to be able to access. Users whose accounts reside in a shared directory are referred to as network users.
There are different kinds of shared directories and different ways to work with information stored in them. You can use Workgroup Manager to add and change accounts that reside in the LDAP directory of an Open Directory master, a NetInfo domain, or other read/write directory domains. If you’ll be using LDAPv2, read-only
LDAPv3, BSD configuration files, or other read-only directories, make sure they are configured to support Mac OS X Server access and that they provide the data you need for accounts. It may be necessary to add, modify, or reorganize information in a directory to provide the information in the format needed.
The Open Directory administration guide provides instructions for setting up a shared directory on Mac OS X Server or configuring access to a shared directory on another computer. An appendix in the Open Directory administration guide describes account data formats that Mac OS X expects—information useful when you need to use directories that don’t reside on Mac OS X Server computers.
If some of your users will be using Windows computers, see the Windows services administration guide to learn how to set up the server for managing Windows users, groups, and computers. For example, the Windows services administration guide describes how to set up user accounts in a Mac OS X Server directory domain so the server can provide file services, domain login, and home directories to Windows users.
Open Directory offers a variety of options for authenticating users (including Windows users) whose accounts are stored in directory domains on Mac OS X Server. In addition,
Open Directory can access accounts in existing directories on your network, such as a
Windows server’s Active Directory. See the Open Directory administration guide for setup instructions.
Chapter 2 Getting Started With User Management
Mac OS X Server makes important resources visible throughout the network. Key network-visible resources include network home directories, group folders, and other shared folders. Because these folders reside on the server, users can access them from different computers.
See the file services administration guide for information about setting up file services appropriate for the file sharing you want to implement. You can use AFP or NFS for home directories, AFP for group folders, and various protocols (AFP, Windows, NFS, and
FTP) for other shared folders.
Step 3: Set up an administrator computer
Since servers are kept in a secure, locked location, administrators conduct user management tasks remotely from any Mac OS X computer running version 10.4 or later.
This computer will be referred to in this guide as the administrator computer.
To set up an administrator computer:
1 Obtain a computer with Mac OS X version 10.4 or later installed.
Make sure it has at least 256 MB of RAM and 1 GB of unused disk space.
2 Insert the Mac OS X Server Administration Tools disc, then start the installer
(ServerAdmin.pkg).
3 Follow the onscreen instructions.
4 If you’ll be managing preferences that use specific paths to find files (such as Classic and Dock preferences), make sure the administrator computer has the same file system structure as each of the managed client computers. This means that folder names, volumes, the location of applications, and so forth should be similar.
Before you can use the administrator computer to create and manage accounts in a shared directory, you need a user account in the shared directory and you need to be a domain administrator. A domain administrator can use Workgroup Manager to add and change accounts that reside in the LDAP directory of an Open Directory master, a
NetInfo domain, or another read/write directory domain.
To create a domain administrator account:
1 On the administrator computer, open Workgroup Manager, authenticating as the administrator user created during initial server setup.
2 Access the shared directory by clicking the small globe above the accounts list.
Choose the directory of interest. If you’re not authenticated, click the lock.
3 Click New User.
4 Click Basic to provide basic information for the administrator.
Chapter 2 Getting Started With User Management 33
34
5 If you want the domain administrator to have other responsibilities, such as setting up file services to support shared folders, select “User can administer this directory domain.”
After you select the checkbox, a dialog appears in which you can disable specific
privileges for the administrator account. For more information, see “Assigning
Administrator Rights for a Directory Domain” on page 73.
6 Click Save.
Now the remaining steps can be conducted by the domain administrator from the administrator computer.
Step 4: Set up a home directory share point
Home directories for accounts stored in shared directories can reside in a network share point that the user’s computer can access. The share point must be
automountable—it must have a network mount record in the directory domain where the user account resides.
An automountable share point ensures that the home directory is visible in
/Network/Servers automatically when a user logs in to a Mac OS X computer configured to access the shared directory. It also lets other users access the home directory using the ~home-directory-name shortcut.
•
You can set up network home directories so they can be accessed using either AFP or
•
NFS. You can also set up home directories for use by Windows users:
For instructions on setting up AFP or NFS share points for network home directories
for Macintosh users see Chapter 7, “Setting Up Home Directories.”
For information about setting up SMB/CIFS share points for Windows user home directories, see the Windows services administration guide.
•
•
Step 5: Create user accounts and home directories
You can use Workgroup Manager to create user accounts in directories that reside on
Mac OS X Server and in non-LDAP directories that aren’t read-only. Detailed
•
• instructions appear in various locations in this guide:
For information about how to create Mac OS X user accounts, see Chapter 4, “Setting
For information about creating Mac OS X mobile user accounts, see Chapter 3, “User
Management for Mobile Clients.”
See Chapter 7, “Setting Up Home Directories,” for information about home
directories.
See “Working With Read-Only User Accounts” on page 62 for information about
working with read-only accounts.
Chapter 2 Getting Started With User Management
You can also create accounts on Mac OS X Server to manage Windows users and provide Windows domain login, roaming user profiles, home directories, file service, mail service, and so on. See the Windows services administration guide for instructions.
Step 6: Set up client computers
Mac OS X Server can support users of Mac OS X, Mac OS 9, or Windows client computers.
For Mac OS X computers, configure the search policy of the computer so it can locate shared directory domains. See the Open Directory administration guide for instructions and supplemental information about search policies in onscreen help. Use the
Automatic authentication option if you’ve set up a DHCP server to identify the location of the shared directory when it provides an IP address to Mac OS X client computers.
Otherwise, use the Custom Path option to identify the server hosting the shared directory.
For setup instructions for mobile Mac OS X computers that use AirPort to communicate with Mac OS X Server, see Designing AirPort Extreme Networks (accessible at www.apple.com/airport/).
Windows workstations that are used for Windows domain login must join the Mac OS X
Server PDC just as you would set up workstations to join a Windows NT server’s domain, as the Windows services administration guide explains.
If you have more than just a few Macintosh client computers to set up, consider using
Network Install to create a system image that automates client computer setup. See the system image and software update administration guide for options and instructions.
Step 7: Define user account preferences
You manage the working environment of Macintosh users whose accounts reside in a shared domain by defining user account preferences. For information about Mac OS X
user preferences, see Chapter 8, “Client Management Overview,” and Chapter 9,
•
Step 8: Create group accounts and group folders
Use Workgroup Manager to create group accounts in directories that reside on
Mac OS X Server and in non-Apple Open Directory domains that aren’t read-only.
Detailed instructions appear in various locations in this guide.
For information about how to create Mac OS X group accounts, see Chapter 5,
Although some group information doesn’t apply to Windows users, you can add
Windows users to groups that you create. The procedures for managing group accounts for Windows users are the same as those for groups that contain only
Mac OS X users.
Chapter 2 Getting Started With User Management 35
•
For information about working with read-only group accounts, see “Working With
Read-Only Group Accounts” on page 90.
You can set up a group folder for use by group members. Use Workgroup Manager to define a share point for the group folder and associate the share point with the group.
Create the group folder using the CreateGroupFolder command in the Terminal
application. See “Working With Group Folder Settings” on page 93 for instructions.
For Mac OS X users, use Dock or Login preferences to make it easy to locate the group directory. For Windows users, share the group folder share point using SMB/CIFS. Users can go to My Network Places (or Network Neighborhood) and access the contents of the group folder.
Step 9: Define group account preferences
You can manage the preferences for a group of Macintosh users. A group with managed preferences is referred to as a workgroup. For information about Mac OS X
workgroups, see Chapter 8, “Client Management Overview,” and Chapter 9, “Managing
•
•
Step 10: Define computer lists and preferences
Use computer lists if you want to manage client Macintosh or Windows computers.
For information about creating Mac OS X computer lists, see Chapter 6, “Setting Up
Computer Lists.” For information about computer list preferences, see Chapter 8,
“Client Management Overview,” and Chapter 9, “Managing Preferences.”
Every Windows computer supported by the Mac OS X Server primary domain controller must be part of the Windows Computers computer list. See the Windows services administration guide for details.
•
•
Step 11: Perform ongoing account maintenance
As users come and go and the requirements for your servers change, you’ll update
• account information periodically:
maintaining them.
Information in Chapter 3 through Chapter 6 will help you do common tasks such as
defining a guest account, disabling user accounts, adding and removing users from groups, and deleting accounts.
For solutions to common problems, see Chapter 11, “Solving Problems.”
36 Chapter 2 Getting Started With User Management
Planning Strategies for User Management
Here are some planning activities to undertake before you start to implement user management.
•
•
•
•
•
•
•
•
•
•
Analyzing Your Environment
Your user management settings need to complement your particular environment, including:
The size and distribution of your network
The number of users who will access your network
The kind of computers users will use (Mac OS 9, Mac OS X, or Windows)
How users will use client computers
Which computers are mobile computers
Which users should have administrator privileges
Which users should have access to particular computers
What services and resources users need (such as mail or access to data storage)
How you might divide users into groups (for example, by class topic or job function)
How you want to group sets of computers (such as all computers in a public lab)
Identifying Directory Services Requirements
Identify the directories in which you’ll store user and group accounts and computer
•
•
• lists.
If you have an Active Directory or LDAP server already set up, you might be able to take advantage of existing account records. See the Open Directory administration guide for details about accessing existing directories.
If you have an earlier version of an Apple server, you might be able to migrate existing records. See the migration guide for available options.
Set up Open Directory master and replicas to host LDAP directories to store other user accounts, group accounts, and computer lists on your network. See the Open
Directory administration guide for instructions and for complete information about password handling options.
Note: If all the domains have not been finalized when you’re ready to start adding user and group accounts, simply add the accounts to any directory domain that already exists on your server. (You can use the local directory domain—it’s always available.)
You can move users and groups to another directory domain later by using your
server’s export and import capabilities, described in the Appendix A, “Importing and
Exporting Account Information.”
Chapter 2 Getting Started With User Management 37
•
•
•
•
Determining Server and Storage Requirements
These requirements vary with the number of users and computers:
For fewer than 450 users and fewer than 150 computers, one server is adequate for account management and authentication, home directories, and group folders. This guideline assumes 1 GB/user of storage space per drive module in an Xserve computer. More storage can be provided with additional drive modules and/or RAID.
For 450–1000 users and 150–450 computers, one server is required for account management and authentication. You’ll need one home directory and group folder server for every 150 computers; the server should provide about 180 GB of storage.
One server acts as the Open Directory master; this server also hosts primary services such as DNS, DHCP, and web as needed. If more dedicated services are needed, explore using servers specifically for those tasks, such as QuickTime streaming. Group folders are often shared among many computers at the same time. Avoid more than
150–300 concurrent connections to a group folder by establishing multiple workgroups and distributing users into more than one workgroup.
For over 1000 users and over 450 computers, you’ll need multiple servers for account management and authentication; see the Open Directory administration guide for replication guidelines. You’ll also need one home directory and group folder server and 180 GB of storage for every 150 concurrently connected computers, if the users have network home directories.
Do not use more than 3 automountable share points per server. You may need to create fewer sharepoints with sub-folders to logically distribute users into home directory sets.
•
•
•
Using Client Management
•
Take advantage of Macintosh client management if you want to:
Provide users with a consistent, controlled interface while allowing them access to their files from any computer
Use mobile accounts
Reserve certain resources for specific groups or individuals
Secure computer usage in key areas such as administrative offices, classrooms, or open labs
Determine the users, groups, and computers whose preferences you want to manage.
See Chapter 8, “Client Management Overview,” on page 123 and Chapter 9, “Managing
Preferences,” on page 135 for planning guidelines.
38 Chapter 2 Getting Started With User Management
Using Mobile Accounts
Mobile accounts are network accounts which have been set up to be accessible even when the user is not connected to the server where the account resides. The mobile account user is provided a local home directory on the system they are logged into.
This functionality reduces network traffic and improves overall performance.
Determine whether mobile accounts might be useful before implementing them.
Mobile accounts are well suited for users who carry their computers from location to location. They’re useful for users who don’t require ongoing access to the server for their day-to-day work. Using mobile accounts reduces network traffic by minimizing the need to mount network resources (such as network home directories).
Mobile accounts are documented in Chapter 3, “User Management for Mobile Clients.”
Portable Home Directories
A mobile account can be configured to use a Portable Home Directory (PHD). Portable
Home Directories replicate files across both local and network home directories. This way, your content follows you everywhere and is always up-to-date.
Administrators can choose which content will be replicated on a per user, per group or per computer list basis.
Devising a Home Directory Strategy
Determine which users need home directories and identify the computers on which you want user home directories to reside. For performance reasons, avoid using network home directories over network connections slower than 100 Mbps.
A user’s network home directory doesn’t need to be stored on the same server as the directory containing the user’s account. In fact, distributing directory domains and home directories among various servers can help you balance your network workload.
“Distributing Home Directories Across Multiple Servers,” on page 112, describes several
such scenarios.
You may want to store home directories for users with last names from A to F on one computer, G to J on another, and so on. Or you may want to store home directories on a Mac OS X Server but store user and group accounts on an Active Directory or LDAP server.
Portable Home Directories pose further strategic consideration as to which mobile users you designate to have portable accounts. There are additional limitations
discussed in “Portable Home Directories,” on page 52, that have to be taken into
account.
Chapter 2 Getting Started With User Management 39
Pick a strategy before creating users. You can move home directories, but if you do, you may need to change a large number of user records.
Determine the access protocol to use for the home directories. Most of the time you will use AFP because it offers the greatest security. But you can use NFS (useful for UNIX clients) and SMB/CIFS (for Windows clients).
Identifying Groups
Identify users with similar requirements and consider assigning them to groups. See
Chapter 5, “Setting Up Group Accounts.”
Determining Administrator Requirements
Decide which users you want to be able to administer accounts and make sure they have domain administrator privileges.
The domain administrator has the greatest amount of control over other users and their privileges. The domain administrator can create user accounts, group accounts, and computer lists and assign settings, privileges, and managed preferences for them.
He or she can also create other server administrator accounts, or give some users (for example, teachers or technical staff ) administrative privileges within certain directory domains.
Give some thought to which users require domain administrative privileges. Managed users can be given various administrative privileges also, allowing them to manage specific groups of users or adjust certain account settings. A well-planned hierarchy of administrators and users with special administration privileges can help you distribute system administration tasks and make workflows and system management more efficient.
When you use Server Assistant to initially configure your server, you specify a password for the owner/administrator. The password you specify also becomes the root password for your server. Many server administrators don’t need knowledge of the root password, but sometimes it’s necessary when using command-line tools (such as
CreateGroupFolder). For administrators who don’t need root access, use Workgroup
Manager to create an administrator user with a password that is different from the root password.
The root password should be used with extreme caution and stored in a secure location. The root user has full access to the system, including system files. If you need to, you can use Workgroup Manager to change the root password.
40 Chapter 2 Getting Started With User Management
Using Workgroup Manager
Once you have installed the Mac OS X Server software, you can access Workgroup
Manager. This section provides an introduction to the application.
Working With Pre-Version 10.4 Computers From Version 10.4
Servers
Mac OS X version 10.3 and 10.2 servers can be administered using version 10.4 server administration tools. Workgroup Manager on a version 10.4 server can be used to manage Mac OS X clients running Mac OS X version 10.2.4 or later.
Once you’ve edited a user record using Workgroup Manager on version 10.4, it can be accessed only by using Workgroup Manager on version 10.4. Preferences of Mac OS 9 clients can be managed from a version 10.4 server using Macintosh Manager only when you perform an upgrade installation of version 10.4; you can use an upgrade installation to install version 10.4 on version10.2.8 or version 10.3 servers.
Opening and Authenticating in Workgroup Manager
Workgroup Manager is installed in /Applications/Server/ when you install your server or
• set up an administrator computer. You can open it from that folder by using the Finder.
You can also open Workgroup Manager by clicking its icon in the Dock or in the toolbar
• of the Server Admin application.
To work with directory domains on a particular server, enter the server’s IP address or
DNS name in the Workgroup Manager Connect window, or click Browse to choose from a list of available servers. Specify the user name and password for a domain administrator, then click Connect. Only domain administrators on the directory domain server will have directory administration privileges.
You can view a directory domain without authenticating (by choosing Server > View
Directories). You will have read-only access to information displayed in Workgroup
Manager. To make changes in a directory, you must authenticate using a domain administrator account. This approach is most useful when you’re administering different servers and working with different directory domains.
After opening Workgroup Manager, you can open a Workgroup Manager window for a different computer by clicking Connect in the toolbar or choosing Server > Connect.
Chapter 2 Getting Started With User Management 41
Click small globe to switch directories.
Users button
Type here to search or filter the list below.
Accounts list
Major Workgroup Manager Tasks
After login, the user account window appears, showing a list of user accounts.
Groups button
Computer Lists button
Currently selected domain
Click to authenticate
42
•
Initially, the accounts listed are those stored in the last directory domain of the server’s search path. Here is how to get started with the major tasks you perform with this application:
To specify the directory or directories that store accounts you want to work with, click the small globe icon.
To work with accounts in different directories at the same time or to work with different views of accounts in a particular directory, open multiple Workgroup
Manager windows by clicking the New Window icon in the toolbar.
•
•
•
To administer accounts in the selected directory, click the Accounts icon in the toolbar. Click the Users, Groups, or Computer Lists button on the left side of the window to list the accounts that currently exist in the directory or directories you are working with. To filter the account list displayed, use the pop-up search list above the accounts list.
To work with managed preferences, select the account list of interest and then click the Preferences icon in the toolbar.
To work with share points, click the Sharing icon in the toolbar.
Chapter 2 Getting Started With User Management
•
•
•
To import or export user and group accounts, choose Server > Import or Server >
Export, respectively.
To retrieve online information, use the Help menu. The Help menu gives you access to help for administration tasks you accomplish using Workgroup Manager as well as other Mac OS X Server topics.
To open Server Admin so you can monitor and work with services on particular servers, click the Admin icon in the toolbar. See the getting started guide for information about Server Admin.
Listing and Finding Accounts
This section tells you about the various ways to view user accounts, group accounts, and computer lists in Workgroup Manager.
Working With Account Lists in Workgroup Manager
In Workgroup Manager, user accounts, group accounts, and computer lists are listed at the left side of the Workgroup Manager window.
•
•
There are several settings that influence the contents and appearance of the list:
Workgroup Manager preferences control whether system users and groups are listed and the order in which items are listed. Choose Workgroup Manager > Preferences to set up Workgroup Manager preferences.
The list reflects the directory or directories you select using the small globe above the accounts list. Initially, the parent directory domain accounts are listed if you’re connected to the network.
The domains available for selection are the local directory, all directory domains in the server’s search path, and all available directory domains (domains the server is configured to access which may or may not be in the search path). See the Open
Directory administration guide for instructions for configuring a server to access directory domains.
After you choose directory domains, all the accounts residing in those domains are listed.
•
•
• To sort a list, click a column heading. An arrow shows the sort order (ascending or descending), which you can reverse by clicking the column heading again.
You can filter the list by using the pop-up search list above the accounts list.
You can search for specific items in the list by typing in the field above the accounts list.
To work with one or more of the accounts listed, select them. Settings for the selected accounts appear in the pane to the right of the list. Available settings vary, depending upon which pane you’re currently viewing.
Chapter 2 Getting Started With User Management 43
44
Listing Accounts in the Local Directory Domain
Services and programs running on a server can access the server’s local directory.
Programs running on a client computer, such as the client computer’s login window, can’t access the server’s local directory. Therefore, a server’s file service can authenticate users with accounts from the server’s local directory. User accounts from the server’s local directory can’t be used to authenticate in the login window on client computers, because the login window is a process running on the client computer.
To list accounts in a server’s local directory domain:
1 In Workgroup Manager, connect to the server hosting the domain, then click the small globe above the accounts list and choose Local.
The local domain might also be listed as /NetInfo/root/<host name> or
/NetInfo/DefaultLocalNode.
2 To view user accounts, click the Users button (the leftmost button above the search field). Click the Groups button (the middle button) to view group accounts, and click the Computer Lists button (the rightmost) to view computer lists.
3 To work with a particular account, select it. To change the account, which requires that you have domain administrator privileges, you may need to click the lock to authenticate.
Listing Accounts in Search Path Directory Domains
The search path directory domains are those in the search policy defined for the
Mac OS X Server you’re connected to. The Open Directory administration guide tells you how to set up search policies.
To list accounts in search path domains of the server you’re working with:
1 In Workgroup Manager, connect to a server whose search policy contains the directory domains of interest.
2 Click the small globe above the accounts list and choose Search Path.
3 To view user accounts, click the Users button (the leftmost button above the search field). Click the Groups button to view group accounts, and click the Computers button to view computer lists.
Listing Accounts in Available Directory Domains
You can list user accounts, group accounts, and computer lists residing in any specific directory domain accessible from the server you’re connected to using Workgroup
Manager. You select the domain from a list of all the directory domains configured to be accessible from the server you’re using.
Chapter 2 Getting Started With User Management
Note that “available” directory domains are not the same as directory domains in a search policy. A search policy consists of the directory domains a server searches routinely when it needs to retrieve, for example, a user’s account. However, the same server might be configured to access directory domains that haven’t been added to its search policy.
See the Open Directory administration guide to learn how to configure access to directory domains.
To list accounts in directory domains accessible from a server:
1 In Workgroup Manager, connect to a server from which the directory domains of interest are accessible.
2 Click the small globe above the accounts list and choose Other.
3 In the dialog that appears, select the domain(s), then click OK.
To view user accounts residing in selected directory domains click the Users button
(the leftmost button above the search field). Click the Groups button to view group accounts, and click the Computer Lists button to view computer lists.
4 To work with a particular account, select it. To change an account that requires you to have domain administrator privileges, you may need to click the lock to authenticate.
Refreshing Account Lists
If more than one administrator can make changes to directories, make sure you’re
•
•
•
• viewing the most current list of user accounts, group accounts, and computer lists by refreshing the lists. To refresh the lists, you can:
Click Refresh.
Type search terms in the field above the list to view a new filtered list.
Delete terms in the field above the list to show the original unfiltered list.
Click the small globe above the accounts list and choose another item in the list, and then reselect the domain(s) with which you had been working.
Finding Specific Accounts in a List
After you’ve displayed a list of accounts in Workgroup Manager, you can filter the list to find particular users or groups of interest.
To filter items in the list of accounts:
1 After listing accounts, click the Users, Groups, or Computer Lists button.
2 In the pop-up menu above the account list (labeled with a magnifying glass), select an option to describe what you want to find, then type search terms in the text field.
The original list is replaced by items that satisfy your search criteria. If you type a user name, both full and short names of users or groups are searched.
Chapter 2 Getting Started With User Management 45
3 Choose Workgroup Manager > Preferences to make finding accounts more convenient when the domains you work with contain thousands of accounts.
To avoid listing any accounts until a filter is specified, select “Limit search results to requested records.” When the filter field is empty, no accounts are listed.
To list all accounts in the domains selected in the At pop-up menu, type “*” in the filter field.
To list accounts in those domains that satisfy filter criteria, select an option from the pop-up menu next to the filter field, then enter a filter string.
To specify the maximum number of accounts to list, select “List a maximum of n records,” and enter a number no greater than 25,000. Workgroup Manager can display as many as 25,000 accounts.
Sorting User and Group Lists
After displaying a list of accounts in Workgroup Manager, click a column heading to sort entries using the values in that column. Click the heading again to reverse the order of the entries in the list.
Using the Search Button in the Toolbar
The Search button can be used in the Accounts or Preferences panes to locate specific users or groups by searching for fields relevant them.
To locate specific users or groups in the Accounts or Preferences panes:
1 After selecting the pane you want to work in, click Search in the Toolbar.
2 The field you want to search with the conditions that apply in the Search dialogue.
3 Enter the text you want to search and any additional conditions.
4 You can select, Save, Rename, or Delete presets using the Search Presets pop-up.
You also have the option of performing a batch edit on the search results. If you select this option via the checkbox, you can choose to “preview and edit search results before applying changes” or “display postview of changes or errors”.
5 Click Search Now once your search criteria is defined.
Once you get your search results, you can either Clear the search to revert to your default display or Edit the search to refine it further. Any search can be saved as a
Preset for use at a later time.
46 Chapter 2 Getting Started With User Management
•
•
•
Shortcuts for Working With Accounts
There are a several techniques that let you manage accounts more efficiently. You can:
Make changes to multiple accounts at once.
Use presets, which are like templates for new accounts.
Import user and group account information from a file.
Batch Editing
You can edit settings (if they don’t need to be unique) for multiple user accounts, group accounts, or computer lists at the same time. Multiaccount editing is referred to as batch editing.
To select multiple accounts, press Shift-click to select a range of accounts and/or
Command-click to select accounts individually. You can also choose Edit > Select All, then Command-click to deselect accounts individually.
An example of when batch editing can save you time is when you need to change
preference settings for large numbers of accounts. See “Editing Preferences for Multiple
Using Presets
You can select settings for a user account, group account, or computer list and save them as a preset. Presets work like templates, allowing you to apply predefined settings to a new account. Using presets, you can easily set up multiple accounts with similar settings.
You can use presets only during account creation. You can’t use a preset to modify an existing account. You can use presets when creating accounts manually or when importing them from a file.
If you change a preset after it has been used to create an account, accounts already created using the preset are not updated to reflect those changes.
For more information, see “Creating a Preset for User Accounts” on page 63.
Importing and Exporting Account Information
You can use XML or character-delimited text files to import and export user and group account information. Importing information this way can make it easier to set up large numbers of accounts quickly. Exporting information to a file can be useful for record keeping or backing up user data.
For more information, see Appendix A, “Importing and Exporting Account Information.”
Chapter 2 Getting Started With User Management 47
Backing Up and Restoring User Management Data
Backing Up and Restoring Files
See onscreen help for information about backing up and restoring directory domains and authentication database files.
Backing Up Root and Administrator User Accounts
System files are owned by root or system administrator user IDs that exist at the time they’re created. Should you need to restore system files, the same IDs should exist on the server so that the original permissions are preserved.
To ensure that you can re-create these user IDs, periodically export the server’s user
and group information to a file as described in Appendix A, “Importing and Exporting
48 Chapter 2 Getting Started With User Management
3
User Management for Mobile Clients
3
This chapter provides suggestions for managing portable computers used by an individual user or multiple users.
Setting Up Mobile Clients
If you own a number of portable computers slated for distribution to specific users or groups of users, you can implement a variety of management techniques to personalize the user environment and control the level of access a user has to both local and network resources.
Configuring Portable Computers
In preparing portable computers for use on your network, follow these guidelines.
Step 1: Install the OS, applications, and utilities
Most computers will already have an operating system installed. However, if you need to install a new one, be sure the computer meets the minimum requirements for installation of the operating system and any additional applications or utilities you want to install.
Step 2: Create local accounts on Mac OS X computers
Create at least one local administrator account and local user accounts as needed.
Make sure the user’s local account name and password are not easily confused with the user’s network name and password.
Step 3: Set up computer lists on your server
For Mac OS X computers, use Workgroup Manager to add the computers to a computer list and enforce preference management at the computer level. You may also want to set user-level preference management settings for the user’s network account.
Details about configuring directory services are in the Open Directory administration
guide. For more information about how to work with computer lists, see Chapter 6,
“Setting Up Computer Lists.” For additional information and instructions about using
managed preference settings, see Chapter 9, “Managing Preferences.”
49
Using Mobile Accounts
A mobile account on a Mac OS X Server is a user account whose account is synchronized with a local (usually portable) computer. The user may log in on the portable computer using the network account name and password, even if the computer isn’t connected to the network. This functionality is useful for both portable systems and other instances of “one to one” deployments where one user is dedicated to a single computer. It is also useful in situations where having local home directories improve performance, such as in video production.
When a mobile account user logs in to the network, account data—the account name, password, and managed preferences—is automatically synchronized with the server account so that both locations contain a matching set of data. When the computer is disconnected from the network, any managed preference settings applied remain in force.
The home directory for the mobile account resides on the user’s computer, whereas the home directory for the network account resides on the server. When the computer is connected to the network, the user authenticates directly to the server account, bypassing the mobile account but still using a local home directory.
When a mobile account’s local home directory is configured for synchronization with a network home directory, it becomes a Portable Home Directory which can enable a network user to work on a copy of their network content offline.
Content may be synchronized between the two home directories, depending on how the mobile account is configured. A Portable Home Directory can be configured to synchronize a user’s modified content during login in the background, network, and at logout.
Synchronization of specific needed content can also be initiated manually, so that a user’s modified content in one location may be immediately accessible everywhere.
If users have afp home directories, their network home directory is created the first time they attempt to access their network home directory. If you have mobile account users accessing a server hosting non-AFP network home directories, you need to create
those network home directories manually (see “Creating a Custom Home Directory” on page 117).
50 Chapter 3 User Management for Mobile Clients
Creating a Mobile Account
Once a mobile account is created, it appears in the account list in the Accounts System
Preferences. The account type is labeled “Mobile,” and when you select it, most items in the Accounts pane are dimmed. You can use Workgroup Manager to create a mobile account automatically when a user logs in.
To create a mobile account using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select a user account, then click Preferences.
3 Click Mobility and set the management setting to Always.
4 Select “Create Mobile Account at login” and select the checkbox for “Synchronize account for offline use”.
5 Select “Require confirmation before creating a mobile account” if you want to allow the user to decide whether to create a mobile account at login.
If this option is selected, the user sees a confirmation dialog when logging in. The user can click Create to create the mobile account immediately, or can click Continue to log in as a network user without creating the mobile account.
6 Click Apply Now.
You can use Workgroup Manager to make changes to the corresponding server account as needed. Any changes are applied to the mobile account the next time the computer connects to the network.
Removing a Mobile Account
If a user no longer requires a mobile account, you can remove the individual account on the client computer. Both the mobile account and its local home directory are removed. You must be a local administrator, or a domain administrator with permission to manage the computer list the system belongs to, in order to remove a mobile account, as this is done locally on the machine where the account resides. The administrator cannot use the admin console in Workgroup Manager to conduct this operation remotely.
To remove a mobile account:
1 Open System Preferences on the client computer.
2 Click Accounts, then select the user in the list.
3 Select the account you want to delete.
The mobile account should have the word “Mobile” listed in the Type column.
4 Click the Delete (–) button, then click OK.
5 Choose either to Archive or Remove the home directory in the dialogue that comes up.
Chapter 3 User Management for Mobile Clients 51
The User Experience for Mobile Accounts
If the computer is configured to display a list of users at login, the mobile account is displayed with local users. The user selects his or her account and then enters the correct password to complete login. For managed clients, if the network administrator has designated mobile accounts to be created at login, the login window account list displays all users. After the user selects his or her account and types the correct password, a local copy of the network account is created immediately, becoming the mobile account. The mobile account becomes permanent on that system when the user logs out or disconnects from the network. The user may disconnect from the network and continue to log in to that account on that system.
Portable Home Directories
A mobile account is a local user account whose account record is synchronized with a network user account on a Mac OS X Server computer. The user can log in using the network account name and password, even if his or her computer isn’t connected to the network.
End users who are administrators can create mobile accounts from the Accounts pane of System Preferences after entering an administrator’s name and password. Server administrators can prevent a user from creating a mobile account by either unchecking
“Synchronized account for offline use” in Workgroup Manager’s Mobility/
Synchronization pane, or disabling the Accounts System Preference in Workgroup
Manager’s System Preferences pane.
An end user (using the Accounts pane of System Preferences) or a server administrator
(using Workgroup Manager) can configure a mobile account’s local home directory to be synchronized with the network home directory—creating a Portable Home
Directory. A server administrator controls a user’s Portable Home Directory synchronization settings in Workgroup Manager’s Mobility/Rules pane.
A Portable Home Directory is synchronized at login right after the mobile account is created. After the first sync, subsequent syncs take place as background synchronizations, or when the user selects Sync Now from the Accounts pane of
System Preferences or Sync Home Now from the home sync menu addition.
Note that all synchronization requires a connection to the user's network home directory server. Synchronization will not occur if the user's computer is not connected to the network or If the user's home directory server is not available.
52 Chapter 3 User Management for Mobile Clients
Considerations for Assigning Content to Be Synchronized
Server administrators should explore the trade-offs between the different types of mobile account creation mechanisms and Portable Home Directory Synchronization settings. Workgroup Manager allows rules-based control of background syncs as well as login and logout syncs. The Accounts pane of System Preferences only controls background syncs of top-level home folders.
A background synchronization occurs periodically or when the user selects Sync Home
Now from the home sync menu addition. Synchronization affects currently viewed or open files, but does not take up time at login or logout.
A login or logout sync copies all files before and after a user may change them, but also delays the login and logout process, depending on the number of files that must be checked, and the size and number of files that must be copied to complete synchronization.
Managing Mobile Clients
After setting up the portable or dedicated computers, you can use various features of
Workgroup Manager to apply restrictions or permit access to network services for users.
If a user has a network account and the computer binds to Open Directory, the user can log in using the network account name and password to gain access to available resources. For more information about binding a computer to Open Directory service, see the Open Directory administration guide.
For users without network accounts who have portable computers of their own but still require access to your network resources, you can use Workgroup Manager features to apply settings for unknown or guest computers.
Unknown Mac OS X Portable Computers
To manage users who have their own personal portable computers running Mac OS X system software, you can use the Guest Computers account to apply computer-level management for unknown or guest computers on your network. If these users log in using a Mac OS X Server user account, user and group managed preferences and account settings also apply.
For more information about setting up the Guest Computers account for Mac OS X
users, see “Managing Guest Computers” on page 107.
Chapter 3 User Management for Mobile Clients 53
54
Mac OS X Portable Computers With Multiple Local Users
One example of shared portable computers is an iBook Wireless Mobile Lab. An iBook
Wireless Mobile Lab contains either 10 or 15 student iBooks (plus an additional iBook for an instructor), an AirPort Base Station, and a printer, all on a mobile cart. The cart lets you take the computers to your users (for example, from one classroom to another).
To manage the iBooks on your cart, create identical generic local user accounts on each computer (for example, all the accounts could use “Math” as the user name and
“student” as the password). You might want to create different generic local accounts for different purposes, such as an account for a History class, one for a Biology class, and so on. Each account should have a local home directory and should not have administrative privileges. Use a separate local administrator account on each computer to allow server administrators (or other individuals) to perform maintenance tasks and upgrades, install software, and administer the local user accounts.
After creating the local user accounts, add each of the computers to a computer list, then manage preferences for that list. Because multiple users can store items in the local home directory for the generic account, you may want to periodically clean out that folder as part of your maintenance routine.
You can also create mobile accounts for users or use Workgroup Manager preference management to create a mobile account automatically when a user logs in.
Mac OS X Portable Computers With One Primary Local User
There are two ways set up portable computers for a single user who doesn’t use a
• mobile account.
The user doesn’t have administrator privileges, but has a local account.
Set up a local administrator account on the computer (don’t give the user any information about this account), then set up a local account for the user. Users with local accounts that don’t have administrator privileges can’t install software and can add or delete items only in their own home directories. A local user can share items with other local users by using the Public folder in his or her local home directory.
If this user had a mobile account, it would function as a local account but could be managed like a network account. If the user has an existing network account, you can change managed preference settings so that a mobile account is created during the user’s first login. Additionally, if this user has syncing (PHD), then his home directory content will also be synchronized when he is connected with the network.
• The user is the administrator for the computer.
Mac OS X v10.4 gives you the ability to allow or deny administrators the ability to turn off management during login.
Note: In many cases, a local admin can still override management settings.
Chapter 3 User Management for Mobile Clients
If the user also has a Mac OS X Server user account and network access is available, they may still prefer to log in using the local account to reduce network traffic. The user can connect to his or her network home directory (to store or retrieve documents, for example) via the “Go to Folder” command in the Finder’s Go menu.
Different considerations apply for a mobile account with Portable Home Directories and a Mobile Account that is also an admin.
Using Wireless Services
You can provide wireless network service to managed clients using AirPort, for example. When a user with a portable computer leaves the wireless area or changes to a different network directory server (by moving out of one wireless area and into another), client management settings may be different. Users may notice that some network services, such as file servers, printers, shared group volumes, and so forth, are unavailable from the new location. Users can purge these unavailable resources by logging out and logging in again.
If you need more information about using AirPort, consult AirPort documentation or visit the website: www.apple.com/airport/.
Security Considerations for Mobile Clients
Mobile clients can be made more secure by requiring alphanumeric passwords with frequent expiration dates. Screen savers should activate with minimum delay and always require a password to resume operation. Restrictions should be placed on hard disk imaging and cold booting directly to the disk via target disk mode. For further information about setting up open firmware passwords, see the Apple Service &
Support website article 106482 at docs.info.apple.com/article.html?artnum=106482
Make sure SSH is off to eliminate any unmanaged user logins. A user logged in via SSH will not be covered under any managed preferences which modify his privileges.
Remote login and other external access like FTP and AFP should not be activated unless specifically needed. Apple Remote Desktop may be used to provide secure, remote access and management of the computers.
Directory Services
Unrestricted DHCP binding should be disabled for mobile clients because the computer will implicitly trust any directory found on other networks. Authenticated
Directory Binding is the best security, but it requires individual setup of each computer.
Static Directory binding can be easier but it’s not as secure.
The Open Directory administration guide provides details on different directory binding mechanisms.
Chapter 3 User Management for Mobile Clients 55
FileVault for Mobile Clients
Mac OS X offers the ability to turn on FileVault for mobile accounts. First activate the mobile account, then log in as the mobile account (which gets created at that time).
Once logged in, you turn on FileVault in System Preferences. You will need local administrator privileges and must set a master password.
Security Considerations When Using Portable Home Directories
Portable Home Directories enable mobile clients to take local (or portable) versions of their network home directory with them, work on files offline, and synchronize when they reconnect to the network.
All security considerations that apply to network accounts also apply to mobile clients using Portable Home Directories. Mobile clients might change their access privileges on the network home to be more open. Thus security considerations for Portable
Home Directories are part of the security considerations for network users.
Note: You can have a mobile account without a Portable Home Directory. This could be a network home directory with no synchronization with the local account’s home directory or a network account with no network home directory at all.
VPN Connections
Creating a new mobile account or setting it up for synchronization must be done while connected directly to the network, not while connected via VPN. The first time you log in to a mobile account and a Portable Home Directory, it will automatically synchronize with the network home directory. Once the mobile account has been established, you can log in offline, establish a VPN connection and then initiate a manual sync.
Loss and Data Recovery Considerations
Portable Home Directories should not be used instead of a regimen of systematic backup. Portable Home Directories synchronize only new and changed files and any managed preferences modified since the last synchronization. A synchronization is never a full mirror of a user’s environment. It is only the subset of modified content out of all the content designated by the administrator. Also, unlike a formal backup solution, you cannot specifically retrieve any content synchronized prior to the last sync.
56 Chapter 3 User Management for Mobile Clients
4
Setting Up User Accounts
4
This chapter tells you how to set up, edit, and manage user accounts.
About User Accounts
A user account stores data that Mac OS X Server needs to validate the user’s identity and provide services for the user. This section provides an overview of user accounts.
Where User Accounts Are Stored
User accounts, as well as group accounts and computer lists, can be stored in any Open
Directory domain accessible from any Mac OS X computer. A directory domain can reside on a Mac OS X computer (for example, the LDAP directory of an Open Directory master, a NetInfo domain, or other read/write directory domain) or it can reside on a non-Apple server (for example, a non-Apple LDAP or Active Directory server).
You can use Workgroup Manager to work with accounts in all kinds of directory domains, but you can update only the LDAP directory of an Open Directory master, a
NetInfo domain, or other read/write directory domain using Workgroup Manager.
For complete information about the different kinds of Open Directory domains, see the
Open Directory administration guide.
57
Predefined User Accounts
The following table describes some of the user accounts that are created automatically when you install Mac OS X Server (unless otherwise indicated). For a complete list, open Workgroup Manager and choose View > Show System Users and Groups.
Predefined user name
Anonymous FTP User
Short name User ID ftp 98
Macintosh Manager User
My SQL Server
Sendmail User sshd Privilege separation
System Administrator
System Services
Unknown User
Unprivileged User
World Wide Web Server mmuser mysql smmsp sshd root daemon unknown nobody www
-17
74
25
75
0
1
99
-2
70
Use
The user name given to anyone using FTP as an anonymous user.
This user is created the first time the FTP server is accessed if the FTP server is turned on, if anonymous
FTP access is enabled, and if the anonymous ftp user doesn’t already exist.
The user created by Macintosh
Management Server when the application is first started on a particular server. This user has no home directory, and the password is changed periodically.
The user that the MySQL database server uses for its processes that handle requests.
The user that sendmail runs as.
The user for the sshd child processes that process network data.
The most powerful user.
A legacy UNIX user.
The user that is used when the system doesn’t know about the hard disk.
This user was originally created so that system services don’t have to run as System Administrator. Now, however, service-specific users, such as World Wide Web Server, are often used for this purpose.
The nonprivileged user that Apache uses for its processes that handle requests.
58 Chapter 4 Setting Up User Accounts
Administering User Accounts
This section describes how to administer user accounts stored in various kinds of directory domains.
Creating Mac OS X Server User Accounts
You need administrator privileges for a directory domain to create a new user account in it.
To create a user account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using has been configured to access the domain of interest.
See the Open Directory administration guide for instructions.
3 Click the small globe above the accounts list, then choose the domain in which you want the user’s account to reside.
For example, Local, /NetInfo/root/<host name>, and /NetInfo/DefaultLocalNode all refer to the local directory domain. /NetInfo/root refers to a shared NetInfo domain if the server is set up to access one; otherwise, /NetInfo/root is the local domain.
4 To authenticate, click the lock.
5 Choose Server > New User or click New User in the toolbar.
6 Specify settings for the user in the tabs provided.
See “Defining Long User Names” on page 66 through “Forwarding a User’s Mail” on page 81 for details.
You can also use a preset or an import file to create a new user.
Note: Workgroup Manager can't be used to create users, groups, or computers in a standard Active Directory domain. The Active Directory schema must be extended to allow creating users, groups, or computers.
For details, see “Using Presets to Create New Accounts” on page 64 and “Using
Workgroup Manager to Import Users and Groups” on page 206.
Chapter 4 Setting Up User Accounts 59
60
Creating Read-Write LDAPv3 User Accounts
You can create a user account on a non-Apple LDAPv3 server if it has been configured for write access.
To create an LDAPv3 user account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using has been configured to use the LDAP server for user accounts.
The Open Directory admin guide has information about well known attributes in user accounts and instructions for mapping attributes. For information about the user
account elements that may need to be mapped, see Appendix A, “Importing and
Exporting Account Information.”
3 Click the small globe above the accounts list, then choose the LDAPv3 domain in which you want the user’s account to reside.
4 To authenticate, click the lock.
5 Choose Server > New User or click New User in the toolbar.
6 Specify settings for the user in the tabs provided.
For details, see “Working With Basic Settings for Users” on page 65 through “Working
With Print Settings for Users” on page 81.
You can also use a preset or an import file to create a new user. For details, see “Using
Presets to Create New Accounts” on page 64 and “Using Workgroup Manager to Import
Users and Groups” on page 206.
Editing User Account Information
You can use Workgroup Manager to change a user account that resides in the LDAP directory of an Open Directory master, a NetInfo domain, or other read/write directory domain.
To make changes to a user account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using has been configured to access the desired directory domain.
3 See the Open Directory administrator’s guide for instructions. Click the small globe above the accounts list, then choose the domain in which the user’s account resides.
4 To authenticate, click the lock.
5 Click the Users button and select the user.
6 Edit settings for the user in the tabs provided.
For details, see “Working With Basic Settings for Users” on page 65 through “Working
With Print Settings for Users” on page 81.
Chapter 4 Setting Up User Accounts
Editing Multiple Users Simultaneously
You can use Workgroup Manager to make the same change to multiple user accounts in the LDAP directory of an Open Directory master, a NetInfo domain, or other read/ write directory domain at the same time.
To edit multiple users:
1 In Workgroup Manager, click Accounts.
2 Select the user accounts you want to change.
Click the globe icon below the toolbar and choose the directory domain, and
Command-click to select each user.
3 To authenticate, click the lock.
4 Click to display the pane you want to work with and make desired changes in fields that Workgroup Manager lets you update.
Modifying Accounts in an Open Directory Master
You can modify accounts in the LDAP directory of an Open Directory if you're authorized to administer the directory domain master but not the server itself. Your user ID must have the “User can Administer this directory domain” option selected in the Basic pane of Accounts in Workgroup Manager.
If you do not have this privilege, you will have to authenticate to the directory domain with the Directory Administrator account which gets created in Mac OS X Server when you specify your server to be a directory master in the Server Admin utility. The UID, user name and password of the Directory Administrator account (which defaults to the modifiable UID of 1000 and user name “diradmin”) is set by the server administrator at the time of directory creation.
To modify accounts:
1 Use an administrator computer that has been set up (using the Services pane of
Directory Access) to access the server hosting the Open Directory master.
2 Open Workgroup Manager on the administrator computer.
3 When the login window appears, choose Server > View Directories.
4 Click the small globe icon above the accounts list and choose Other from the pop-up menu.
5 Open the directory domain you want to administer, and then click the lock to be authenticated as a domain administrator.
These instructions assume there is only one domain administrator. If multiple domain administrator accounts have been created in the directory domain, any of them can be used to unlock the directory.
Chapter 4 Setting Up User Accounts 61
62
Working With Read-Only User Accounts
You can use Workgroup Manager to review information for user accounts stored in read-only directory domains. Read-only directory domains include LDAPv2 domains,
LDAPv3 domains not configured for write access, and BSD configuration files.
To work with a read-only user account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using has been configured to access the directory domain in which the account resides.
For information about using Directory Access to configure server connections, see the
Open Directory administration guide. For information about the user account elements
that need to be mapped, see Appendix A, “Importing and Exporting
3 Click the small globe above the accounts list and choose the directory domain in which the user’s account resides.
4 Use the tabs provided to review the user’s account settings.
For details, see “Working With Basic Settings for Users” on page 65 through “Working
With Print Settings for Users” on page 81.
Defining a Guest User
You can set up some services to support “anonymous” users, who can’t be authenticated because they don’t have a valid user name or password. The following
•
•
•
• services can be set up to support anonymous users:
Windows services (see the Windows Services guide for information about configuring guest access)
Apple file service (see the file services administration guide for information about configuring guest access)
FTP service (see the file services administration guide for information about configuring guest access)
Web service (see the web technologies administration guide for information about configuring guest access)
Users who connect to a server anonymously are restricted to files, folders, and websites with permissions set to Everyone.
Another kind of guest user is a managed user that you can define to allow easy setup of public computers or kiosk computers. For more about these kinds of users, see
Chapter 9, “Managing Preferences,” on page 135.
Chapter 4 Setting Up User Accounts
Deleting a User Account
You can use Workgroup Manager to delete a user account stored in the LDAP directory of an Open Directory master or a NetInfo domain.
Warning: You cannot undo this action.
To delete a user account using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to delete.
To locate the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user.
3 To be authenticated, click the lock.
4 Choose Server > Delete Selected User or click the Delete icon in the toolbar.
•
•
•
Disabling a User Account
•
To disable a user account, you can:
Deselect the “User can log in” option on the Basic pane in Workgroup Manager.
Delete the account.
Change the user’s password to an unknown value.
Set a password policy that disables login (for a user account whose password type is
Open Directory).
Working With Presets for User Accounts
Presets are like templates with which you define attributes that automatically apply to new user or group accounts.
Creating a Preset for User Accounts
You can create one or more presets to choose from when creating new user accounts in a particular directory domain.
To create a preset for user accounts:
1 Open Workgroup Manager on the server from which you will be creating user accounts.
Ensure that the server has been configured to access the Mac OS X directory domain or non-Apple LDAPv3 domain in which the preset will be used to create new accounts. To access a different domain, click the small globe above the accounts list.
2 Click Accounts.
3 To create a preset using data in an existing user account, open the account. To create a preset using an empty user account, create a new user account.
Chapter 4 Setting Up User Accounts 63
4 Fill in the fields with values you want new user accounts to inherit. Delete any values you don’t want to prespecify if you’re basing the preset on an existing account.
The following attributes can be defined in a user account preset: password settings, administrator privileges, home directory settings, quotas, default shell, primary group
ID, group membership list, comment, login settings, print settings, and mail settings.
5 Click Preferences, configure settings that you want the preset to define, and then click
Accounts.
After configuring preference settings for a preset, you must return to the Accounts settings to save the preset.
6 Choose Save Preset from the Presets pop-up menu, enter a name for the preset, then click OK.
The preset is saved to the current directory domain.
Using Presets to Create New Accounts
Presets provide a quick way to apply settings to a new account. After you apply the preset, you can continue to modify settings for the new account, if necessary.
To create a new account using a preset:
1 Open Workgroup Manager on a server configured to access the Mac OS X directory domain or non-Apple LDAPv3 domain in which the preset will be used to create the new account.
2 Click Accounts.
3 Click the small globe above the accounts list, then choose the directory domain in which you want the new account to reside.
4 To authenticate, click the lock.
5 Choose an item from the Presets pop-up menu. If you plan to import a file, you choose a preset in the import options dialog.
6 Create a new account, either interactively or using an import file.
If a setting is specified in both the preset and an import file, the value in the file is used.
If a setting is specified in the preset but not in the import file, the value in the preset is used.
7 Add or update attribute values if required, either interactively or using an import file.
64 Chapter 4 Setting Up User Accounts
Renaming Presets
Name your presets to help remind you of the template settings or identify the type of user account, group account, or computer list for which that preset is best suited. You can rename your presets if required.
To rename a preset:
1 Open Workgroup Manager on the server where the preset has been defined.
2 Click Accounts.
3 Choose Rename Preset from the Presets pop-up menu.
4 Enter the new name and click OK.
Changing Presets
When you change a preset, existing accounts created using it are not updated to reflect your changes.
To change a preset:
1 Open Workgroup Manager on the server where the preset has been defined.
2 Click Accounts.
3 Choose an item from the Presets pop-up menu.
4 After completing your changes, choose Save Preset from the Presets pop-up menu.
You can also change a preset while using it to create a new account by changing any of the fields defined by the preset, then saving the preset.
Deleting a Preset
If you no longer need a particular preset, you can delete it.
To delete a preset:
1 Open Workgroup Manager on the server where the preset has been defined.
2 Click Accounts.
3 Choose Delete Preset from the Presets pop-up menu.
4 Select the preset you want to delete and click Delete.
Working With Basic Settings for Users
Basic settings are a collection of attributes that must be defined for all users.
In Workgroup Manager, you use the Basic pane in the user account window to work with basic settings.
Chapter 4 Setting Up User Accounts 65
66
Defining Long User Names
The user name is the long name for a user, such as Ellen Brown or Dr. Arnold T. Smith.
(Sometimes the user name is referred to as the “full name” or the “real” name.) Users can log in using the user name or a short name associated with their accounts.
Long user names are case-sensitive in the login window; so if an account has the user name Mary Smith, login fails if MARY SMITH is entered in the login window. However, user names are not case-sensitive when used to authenticate a user for file server access or to log in from Macintosh Manager Mac OS 9 clients.
A long user name can contain no more than 255 bytes. Since long user names support various character sets, the maximum number of characters for long user names can range from 255 Roman characters to as few as 85 characters (for character sets in which characters occupy up to 3 bytes).
You can use Workgroup Manager to edit the user name of an account stored in the
LDAP directory of an Open Directory master, a NetInfo domain, or other read/write directory domain. You can also use Workgroup Manager to review the user name in any directory domain accessible from the server you’re using.
To work with the user name using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 In the Name field (on the Basic pane), review or edit the user name.
Initially, the value of user name is “Untitled <some-number>.” After changing the name,
Workgroup Manager doesn’t check to verify that the user name is unique.
Avoid assigning the same name to more than one user. Workgroup Manager doesn’t let you assign the same name to different users in any particular domain or in any domain in the search path (search policy) of the server you’re using, but has no way of detecting whether duplicates might exist in other domains.
Defining Short User Names
A short name is an abbreviated name for a user, such as ebrown or arnoldsmith. Users can log in using the short name or the user name associated with their accounts. The
• short name is used by Mac OS X for home directories and groups:
When Mac OS X automatically creates a user’s local or network AFP home directory, it names the directory after the user’s short name. For more information about home
directories, see Chapter 7, “Setting Up Home Directories.”
Chapter 4 Setting Up User Accounts
• When Mac OS X checks to see whether a user belongs to a group authorized to access a particular file, it uses short names to find user IDs of group members. For an
example, see “Avoiding Duplicate Short Names” on page 70.
You can have as many as 16 short names associated with a user account. You might want to use multiple short names as aliases for email accounts, for example. The first short name is the name used for home directories and group membership lists; don’t reassign that name after you save the user account.
A short user name can contain as many as 255 Roman characters. However, for clients using Mac OS X version 10.1.5 and earlier, the first short user name must be 8 characters or fewer.
•
•
•
Use only these characters for the first short user name (subsequent short names can
• contain any Roman character): a through z
A through Z
0 through 9
_ (underscore)
Typically, short names contain eight or fewer characters.
You can use Workgroup Manager to edit the short name of an account stored in the
LDAP directory of an Open Directory master, a NetInfo domain, or other read/write directory domain. You can also use Workgroup Manager to review the short name in any directory domain accessible from the server you’re using.
To work with a user’s short name using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user account.
3 To be authenticated, click the lock.
4 In the Short Names field (on the Basic pane), review or edit the short names.
Initially, the value of the short name is “untitled_<some-number>.” If you specify multiple short names, each should be on its own line.
Avoid assigning the same short name to more than one user. Workgroup Manager doesn’t let you assign the same short name to different users in any particular domain or in any domain in the search path (search policy) of the server you’re using, but has no way of detecting whether duplicates might exist in other domains.
After the user’s account has been saved, you can’t change the first short name, but you can change others in a list of short names.
Chapter 4 Setting Up User Accounts 67
Choosing Stable Short Names
When you create groups, Mac OS X identifies users in them by their first short name, which can’t be changed.
If a short name change is unavoidable, you can create a new account for the user (in the same directory domain) that contains the new short name, but retains all other information (user ID, primary group, home directory, and so forth). You can then disable login for the old user account. Now the user can log in using the changed name, yet
have the same access to files and other network resources as before. (See “Disabling a
User Account” on page 63 for information on disabling use of an account for login.)
Avoiding Duplicate Names
If separate user accounts have the same name (user name or short name) on a
Mac OS X computer, login window will display the list of users for you to choose from.
This functionality is new to Mac OS X v10.4 and is not supported in previous versions.
Consider an example that consists of three directory domains which were shared after their users were created. Tony Smith has an account in the Students domain, and Tom
Smith has an account in the root domain. Both accounts contain the short name
“tsmith” and the password “smitty.”
Tony Smith
(tsmith,smitty)
Students
/
Tom Smith
(tsmith,smitty)
Faculty
Tony’s computer Tom’s computer
When Tony logs in to his computer with a user name “tsmith” and the password
“smitty,” the login window lists the two users whose accounts have the same short name and password (Tony Smith and Tom Smith). If Tony selects Tom’s name, he’s able to log in as Tom. Tony can access Tom’s files, not a desirable result.
68 Chapter 4 Setting Up User Accounts
Now let’s say that Tony and Tom have the same short name, but different passwords.
Tony Smith
(tsmith, tony)
Students
/
Tom Smith
(tsmith,smitty)
Faculty
Tony’s computer Tom’s computer
If Tom attempts to log in to Tony’s computer using the short name “tsmith” and his password (smitty), Mac OS X finds “tsmith”, in both domains and gives him the option to choose the user he wishes to authenticate to. His only option is to authenticate to his own user record in the root domain, with his own password.
If Tony has a user record in his local directory domain that has the same names and password as his record in the Students domain, he would still get the option to choose the user ID he wishes to log in to. Tony’s local domain should offer a name/password combination that distinguishes it from the Students domain’s record. If the Students domain is not accessible (when Tony works at home, for example), he can log in to the
Students domain only if the account is set up as a mobile account. In that case, he can use the files on his computer which were created under the mobile user. Tony will still get the login window option to choose the user he wishes to authenticate to if his user
ID in both the local domain and Students domain is the same.
Duplicate short names can have undesirable effects in group records, described in the next section.
Chapter 4 Setting Up User Accounts 69
Avoiding Duplicate Short Names
Since short names are used to find user IDs of group members, duplicate short names can result in file access being granted to groups you hadn’t intended to give access.
Return to the example of Tony and Tom Smith, who have duplicate short names.
Assume that the administrator has created a group in the root domain to which all students belong. The group—AllStudents—has a GID of 2017.
Tony Smith
(tsmith,smitty,
UID 3000)
Students
/
Tom Smith (tsmith,smitty, UID 2000)
AllStudents (tsmith, GID 2017)
Faculty
MyDoc
Tony’s computer Tom’s computer
Owner 127 can: Read & Write
Group 2017 can: Read only
Everyone else can: None
Now suppose that a file, MyDoc, resides on a computer accessible to both Tony and
Tom. The file is owned by a user with the user ID 127. It has read-only access permissions for AllStudents. Tony, not Tom, was added as a member of AllStudents, but because a group’s member list consists of short names, not user IDs, and the short name tsmith is listed as a member of AllStudents, both Tony and Tom are effectively members of AllStudents.
When Tom attempts to access MyDoc, Mac OS X determines that the owner permissions do not apply for Tom, and moves on to check if group permissions apply for Tom. Mac OS X searches the login hierarchy for user records with short names that match those associated with AllStudents. Tom’s user record is found (short name tsmith) because it resides in the login hierarchy, and the user ID in the user record is compared with Tom’s login user ID. They match, so Tom is allowed to read MyDoc, even though he’s not actually a member of AllStudents.
70 Chapter 4 Setting Up User Accounts
Defining User IDs
A user ID is a number that uniquely identifies a user. Mac OS X computers use the user ID to keep track of a user’s directory and file ownership. When a user creates a directory or file, the user ID is stored as the creator ID. A user with that user ID has read and write permissions to the directory or file by default.
The user ID should be a unique string of digits from 500 through 2,147,483,648.
Assigning the same user ID to different users is risky, since two users with the same user ID have identical directory and file permissions.
The user ID 0 is reserved for the root user. User IDs below 100 are reserved for system use; users with these user IDs should not be deleted and should not be modified except to change the password of the root user.
In general, once user IDs have been assigned and users start creating files and directories throughout a network, you shouldn’t change user IDs. One possible scenario in which you may need to change a user ID is when merging users created on different servers into one new server or cluster of servers. The same user ID may have been associated with a different user on the previous server.
When you create a new user account in any shared directory domain, Workgroup
Manager automatically assigns a user ID; the value assigned is an unused user ID (1025 or greater) in the server’s search path. (New users created using the Accounts
Preferences pane on Mac OS X Desktop computers are assigned user IDs starting at
501.)
You can use Workgroup Manager to edit the user ID of an account stored in the LDAP directory of an Open Directory master or a NetInfo domain. You can also use
Workgroup Manager to review the user ID in any directory domain accessible from the server you’re using.
To change a user ID in Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select an account, click the small globe above the accounts list and choose the directory domain where the user’s account resides, and select the user.
3 To authenticate, click the lock.
4 In the Basic pane, specify a value in the User ID field.
Make sure the value is unique in the search policy (search path) of computers the user will log in to.
Defining Passwords
For information about defining passwords, see the Open Directory administration guide.
Chapter 4 Setting Up User Accounts 71
72
Setting Password Options for Imported Users
When you export users using Workgroup Manager, password information isn’t exported. If you want to set passwords, you can modify the export file before you import it or you can set passwords after importing. You can also create a text-delimited import file manually and include passwords in it. Appendix A describes how to work with import files.
To set password options after importing:
1 Import the users by using Workgroup Manager or the dsimport
command-line tool.
2 In Workgroup Manager, click Accounts.
3 Open the directory into which the users were imported.
4 Select the users whose password options you want to set.
5 Click Advanced.
6 Make sure the User Password Type is set to Open Directory, click Options, set password options, and click OK.
7 Click Save.
For more information about importing users, see Appendix A. For additional information about Open Directory passwords, see the Open Directory administration guide.
Assigning Administrator Rights for a Server
A user who has server administration privileges can control most of the server’s configuration settings and use applications, such as Server Admin, that require a user to be a member of the server’s admin group.
You can use Workgroup Manager to assign server administrator privileges to the LDAP directory of an Open Directory master or a NetInfo domain. You can also use
Workgroup Manager to review the server administrator privileges in any directory domain accessible from the server you’re using.
To set server administrator privileges in Workgroup Manager:
1 Log in to Workgroup Manager by specifying the name or IP address of the server for which you want to grant administrator privileges.
2 Click Accounts.
3 Click the small globe above the accounts list and choose the directory domain in which the user’s account resides.
4 To authenticate, click the lock.
5 In the Basic pane, select “User can administer the server” to grant server administrator privileges.
Chapter 4 Setting Up User Accounts
Assigning Administrator Rights for a Directory Domain
A user who has administrator privileges for an Apple directory domain can make changes to user accounts, group accounts, and computer lists stored in that domain using Workgroup Manager. The changes the user can make are limited to those you specify.
You can use Workgroup Manager to assign directory domain administrator privileges for an account stored in the LDAP directory of an Open Directory master or a NetInfo domain. You can also use Workgroup Manager to review these privileges in any directory domain accessible from the server you’re using.
To set directory domain administrator privileges in Workgroup Manager:
1 Make sure the user has an account in the directory domain.
2 In Workgroup Manager, click Accounts.
3 Select the user account.
To select the account, click the small globe above the accounts list and choose the directory domain in which the user’s account resides, and select the account.
4 To be authenticated, click the lock.
5 In the Basic pane, select “User can administer this directory domain.”
6 To specify what the user should be able to administer in the domain, click Privileges.
By default, the user has no directory domain privileges.
7 Click the Users, Groups, or Computer Lists button and make the desired settings.
If you don’t select a checkbox (such as “The administrator can edit user preferences”), the user can view the account or preference information in Workgroup Manager, but not change it.
To add an item the “listed below” area (on the right), drag it from the Available list (on the left). To remove an item, select it and press the Delete key on the keyboard.
GUIDs
Beginning with Mac OS X version 10.4, a universal ID called a globally unique identifier
(GUID, pronounced GOO-id) provides user and group identity for ACL permissions. The
GUID also associates a user with group and nested group memberships.
A discussion of GUIDs and their implications appears in Appendix B.
Chapter 4 Setting Up User Accounts 73
74
Working With Advanced Settings for Users
Advanced settings include login settings, keywords, password validation policy, and a comment field.
In Workgroup Manager, use the Advanced pane in the user account window to work with advanced settings.
•
•
•
Defining Login Settings
•
By specifying user login settings, you can:
Control whether the user can be authenticated using the account.
Allow a managed user to simultaneously log in to more than one managed computer at a time or prevent the user from doing so.
Indicate whether a user of a managed computer can or must select a workgroup at login or whether you want to avoid showing workgroups when the user logs in.
Identify the default shell the user will use for command-line interactions with
Mac OS X, such as /bin/csh or /bin/bash (default). The default shell is used by the
Terminal application on the computer the user is logged in to, but Terminal has a preference that lets you override the default shell. The default shell is used by SSH
(Secure Shell) or Telnet when the user logs in to a remote Mac OS X computer.
You can use Workgroup Manager to define login settings of an account stored in the
LDAP directory of an Open Directory master, a NetInfo domain, or other read/write directory domain. You can also use Workgroup Manager to review login settings in any directory domain accessible from the server you’re using.
To work with login settings using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, and select the user in the user list.
3 To be authenticated, click the lock.
4 Click Advanced.
5 Select “Allow simultaneous login” to let a user log in to more than one managed computer at a time.
Note: Simultaneous login is not recommended for most users. You may want to reserve simultaneous login privileges for technical staff, teachers, or other users with administrator privileges. (If a user has a network home directory, that’s where the user’s application preferences and documents are stored. Simultaneous login may modify these items; many applications don’t support such modification while they are open.)
You cannot disable simultaneous login for users with NFS home directories.
Chapter 4 Setting Up User Accounts
6 Choose a shell from the Login Shell pop-up menu to specify the default shell for the user when logging in to a Mac OS X computer.
Note: Terminal has a preference that lets the user override the default shell.
To enter a shell that doesn’t appear in the list, click Custom. To make sure a user can’t access the server remotely using a command line, choose None.
Defining a Password Type
For details about setting up and managing passwords, see the Open Directory administration guide.
Creating a Master List of Keywords
You can define keywords that enable quick searching and sorting of users. Using keywords can simplify tasks such as creating groups or editing multiple users.
Before you begin adding keywords to user records, you must create a master keyword list. The list of keywords shown in the Advanced pane for a selected user apply only to that user.
To edit the master keyword list:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, and select the user in the user list.
3 To be authenticated, click the lock.
4 Click Advanced.
5 Click the Edit (pencil) button to view the master keyword list.
The master list shows all terms available for use as keywords. You can access and edit the master keyword list from any selected user account.
6 To add a keyword to the master list, click (+) and type the keyword in the text field.
7 To remove a keyword from the master list and all user records where it appears, select the keyword, select Remove Deleted Keywords From Users, and click (–).
If you only want to remove a keyword from the master list, make sure Remove Deleted
Keywords From Users is not selected, then select the keyword you want to remove and click (–).
8 When you’ve finished editing the master list, click OK.
Chapter 4 Setting Up User Accounts 75
Applying Keywords to User Accounts
You can’t add keywords to more than one user at a time; however, you can remove a keyword from all users that are tagged with that keyword if necessary.
To work with keywords for an individual user account:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Advanced.
5 To add a keyword to the selected account, Click (+) to view the list of available keywords. Select one or more terms in the list, then click OK.
6 To remove a keyword from a specific user, select the term you want to remove and click (–).
7 When you’ve finished adding or removing keywords for the selected user, click Save.
Editing Comments
You can save a comment in a user’s account to provide whatever documentation might help with administering the user. A comment can be as long as 32,676 characters.
You can use Workgroup Manager to define the comment of an account stored in the
LDAP directory of an Open Directory master, a NetInfo domain, or other read/write directory domain. You can also use Workgroup Manager to review the comment in any directory domain accessible from the server you’re using.
To work with a comment using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Advanced.
5 Edit or review the contents of the Comment field.
76 Chapter 4 Setting Up User Accounts
Working With Group Settings for Users
Group settings identify the groups a user is a member of.
In Workgroup Manager, use the Groups pane in the user account window to work with group settings.
For information on administering group, see Chapter 5, “Setting Up Group Accounts.”
Defining a User’s Primary Group
A primary group is the group to which a user belongs by default. You can make the primary group a member of another group, or you can nest groups within the primary group. However, any preferences defined for the primary group override preferences defined for its nested groups or its parent group(s).
The ID of the primary group is used by the file system when the user accesses a file he or she doesn’t own. The file system checks the file’s group permissions, and if the primary group ID of the user matches the ID of the group associated with the file, the user inherits group access permissions. The primary group offers the fastest way to determine whether a user has group permissions for a file.
The primary group ID should be a unique string of digits. By default, it is 20 (which identifies the group named “staff”), but you can change it. The maximum value is
2,147,483,648.
You can use Workgroup Manager to define the primary group ID of an account stored in the LDAP directory of an Open Directory master, a NetInfo domain, or other read/ write directory domain. You can also use Workgroup Manager to review the primary group information in any directory domain accessible from the server you’re using.
To work with a primary group ID using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click the Groups button.
5 Edit or review the contents of the Primary Group ID field. Workgroup Manager displays the full and short names of the group after you enter a primary group ID if the group exists and is accessible in the search path of the server you’re logged into.
Chapter 4 Setting Up User Accounts 77
78
Adding a User to Groups
Add a user to a group when you want multiple users to have the same file permissions or when you want to manage their Mac OS X preferences using workgroups or computer lists. An example of such use might be students in a classroom who are disallowed from using the printer, or the quality control team in a factory which requires access to the internal reports of different groups.
You can use Workgroup Manager to add a user to a group if the user and group accounts are in the LDAP directory of an Open Directory master or a NetInfo domain. In case the directory is implemented via NFS, a 16-group limitation is imposed by the NFS architecture which has to be taken into consideration.
Note: There is no limit to the number of groups a user may belong to.
To add a user to a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click the Groups button.
5 Click the Add (+) button to open a drawer listing the groups defined in the directory domain you’re working with. (To include system groups in the list, choose Preferences on the Workgroup Manager menu, then select “Show system users and groups.”)
6 Select the group, then drag it into the Other Groups list on the Groups pane.
You can also add users to a group by using the Members pane of group accounts.
Note: If a user is a direct member of multiple groups, the only way to acquire the managed preferences of a group different from its primary group is at login time.
Removing a User From a Group
You can use Workgroup Manager to remove a user from a group if the user and group accounts reside in the LDAP directory of an Open Directory master or a NetInfo domain.
To remove a user from a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
Chapter 4 Setting Up User Accounts
3 To be authenticated, click the lock.
4 Click the Groups button.
5 Select the group or groups from which you want to remove the user, then click the
Remove (–) button.
You can also add users to a group by using the Members pane of group accounts.
Reviewing a User’s Group Memberships
You can use Workgroup Manager to review the groups a user belongs to if the user account resides in a directory domain accessible from the server you’re using.
To review group memberships using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click the Groups button.
The primary group to which the user belongs is displayed, and other groups the user belongs to are listed in the Other Groups list.
Working With Home Settings for Users
Home settings describe a user’s home directory attributes. For information about using
and setting up home directories, see Chapter 7, “Setting Up Home Directories.”
Working With Mail Settings for Users
You can create a Mac OS X Server mail service account for a user by specifying mail settings for the user in the user’s account. To use the account, the user configures a mail client to identify the user name, password, mail service, and mail protocol you specify in the mail settings.
In Workgroup Manager, use the Mail pane in the user account window to work with a user’s mail service settings.
See the mail service administration guide for information about how to set up and manage Mac OS X Server mail service.
Chapter 4 Setting Up User Accounts 79
80
Disabling a User’s Mail Service
You can use Workgroup Manager to disable mail service for users whose accounts are stored in the LDAP directory of an Open Directory master, a NetInfo domain, or other read/write directory domain.
To disable a user’s mail service using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Mail.
5 Select None.
Enabling Mail Service Account Options
You can use Workgroup Manager to enable mail service and set mail options for a user account stored in the LDAP directory of an Open Directory master, a NetInfo domain, or other read/write directory domain. You can also use Workgroup Manager to review the mail settings of accounts stored in any directory domain accessible from the server you’re using.
To work with a user’s mail account options using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Mail.
5 To allow the user to use mail service, select Enabled.
6 Enter a valid mail server name or address in the Mail Server fields for the DNS name or
IP address of the server to which the user’s mail should be routed. Workgroup Manager doesn’t verify this information.
7 Enter a value in the Mail Quota field to specify the maximum number of megabytes for the user’s mailbox.
A 0 (zero) or empty value means no quota is used. When the user’s message space approaches or surpasses the mail quota you specify, mail service displays a message prompting the user to delete unwanted messages to free up space. The message shows quota information in kilobytes (KB) or megabytes (MB).
Chapter 4 Setting Up User Accounts
8 Select a Mail Access setting to identify the protocol used for the user’s mail account: Post Office Protocol (POP) and/or Internet Message Access Protocol (IMAP).
9 The following features are supported only for mail accounts that reside on a server using Mac OS X Server software earlier than version 10.3.
Select an Options setting to determine inbox characteristics for mail accounts that access email using both POP and IMAP.
“Use separate inboxes for POP and IMAP” creates an inbox for POP mail and a separate inbox for IMAP mail. “Show POP Mailbox in IMAP folder list” shows an IMAP folder named POP Inbox.
Select “Enable NotifyMail” to automatically notify the user’s mail application when new mail arrives. The IP address to which the notification is sent can be either the last IP address from which the user logged in or an address you specify.
Forwarding a User’s Mail
You can use Workgroup Manager to set up email forwarding for users whose accounts are stored in the LDAP directory of an Open Directory master or a NetInfo domain.
To forward a user’s mail using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Mail.
5 Select Forward and enter the forwarding email address in the Forward To field.
Make sure you enter the correct address. Workgroup Manager doesn’t verify that the address exists.
Working With Print Settings for Users
Print settings associated with a user’s account define the ability of a user to print to accessible Mac OS X Server print queues for which print service enforces print quotas.
The print service administration guide tells you how to set up quota-enforcing print queues.
•
•
•
In Workgroup Manager, use the Print Quota pane in the user account window to set a user’s print quotas:
Select None (the default) to disable a user’s access to print queues enforcing print quotas.
Select All Queues to let a user print to all accessible print queues that enforce quotas.
Select Per Queue to let a user print to specific print queues that support quotas.
Chapter 4 Setting Up User Accounts 81
82
Disabling a User’s Access to Print Queues Enforcing Quotas
You can use Workgroup Manager to prevent a user from printing to any accessible
Mac OS X print queue that enforces quotas. To use Workgroup Manager, the user’s account must be stored in the LDAP directory of an Open Directory master or a NetInfo domain.
To disable a user’s access to print queues enforcing quotas:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Print Quota.
5 Select None.
Enabling a User’s Access to Print Queues Enforcing Quotas
You can use Workgroup Manager to allow a user to print to all or only some accessible
Mac OS X print queues that enforce quotas. To use Workgroup Manager, the user’s account must be stored in the LDAP directory of an Open Directory master or a NetInfo domain.
To set a user’s print quota for print queues enforcing quotas:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Print Quota.
To set up a quota that applies to all queues, go to step 5. Alternatively, to set up quotas for specific print queues, go to step 6.
5 Click “All Queues,” then specify the maximum number of pages the user should be able to print in a certain number of days for any print queue enforcing quotas.
6 Click “Per Queue,” then use the Queue Name pop-up menu to select the print queue for which you want to define a user quota. If the print queue you want to specify is not on the Queue Name pop-up menu, click Add to enter the queue name and specify, in the Print Server field, the IP address or DNS name of the server where the queue is defined.
To give the user unlimited printing rights to the queue, click “Unlimited printing.”
Otherwise, specify the maximum number of pages the user should be able to print in a certain number of days. Then click Save.
Chapter 4 Setting Up User Accounts
Deleting a User’s Print Quota for a Specific Queue
If you no longer require a print quota for a particular queue, you can delete that quota for specific users.
To delete a user’s print quota using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the list.
3 To be authenticated, click the lock.
4 Click Print Quota.
5 Use the Queue Name pop-up menu and the Print Server field to identify the print queue to which you want to disable a user’s access.
6 Click Delete.
Resetting a User’s Print Quota
On some occasions, a user may exceed his or her print quota but needs to print additional pages. For example, an administrator may want to print a 200-page manual, but her print quota is only 150 pages. Or, a student may exceed his quota by printing an essay but needs to print a new revised copy. You can use Workgroup Manager to reset a user’s print quota and allow the user to continue printing.
To restart a user’s print quota using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Print Quota.
5 If the user is set up for printing to all print queues supporting quotas, click Restart Print
Quota.
If the user’s print quotas are print queue-specific, use the Queue Name pop-up menu and the Print Server field to identify a print queue, then click Restart Print Quota.
You can also extend a user’s page limit without resetting the quota period by changing the number of pages allowed for the user. In this way, the time period for the quota remains the same and is not reset, but the number of pages the user can print during that period is adjusted for both the current and future print quota periods. To extend or decrease a selected user’s page limit, type a new number in the “Limit to ___ pages” field and click Save.
Chapter 4 Setting Up User Accounts 83
Working With Info Settings for Users
If a user's account resides in an LDAPv3 directory domain, it can contain information that can be imported by Address Book. Attributes that are currently tracked in this pane include phone, email, weblog URL, and homepage URL.
Note: There is only one phone attribute, and that defaults to the work number in
Address Book.
To work with Info Settings:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using has been configured to access the desired directory domain.
3 See the Open Directory administrator’s guide for instructions. Click the small globe above the accounts list, then choose the domain in which the user’s account resides.
4 To authenticate, click the lock.
5 Click the Users button and select the user.
6 Click Info, enter or change values as required, and click Save when you are finished.
Choosing Settings for Windows Users
Computers that use the Windows operating system can be integrated into your
Mac OS X Server network. You can set up user accounts and select settings in the
Windows pane of Workgroup Manager for individuals who need access to the Windows computers.
For detailed instructions about how to use settings for users accessing Windows computers, see the Windows services administration guide.
84 Chapter 4 Setting Up User Accounts
5
Setting Up Group Accounts
5
A group account offers a simple way to manage a collection of users with similar needs. This chapter tells you how to set up and manage group accounts.
About Group Accounts
Group accounts store the identities of users who belong to the group as well as information that lets you customize the working environment for members of a group.
When you define preferences for a group, the group is known as a workgroup.
A primary group is the user’s default group. Primary groups can expedite the checking done by the Mac OS X file system when a user accesses a file.
Administering Group Accounts
This section describes how to administer group accounts stored in various kinds of directory domains.
Where Group Accounts Are Stored
Group accounts, as well as user accounts and computer lists, can be stored in any Open
Directory domain. A directory domain can reside on a Mac OS X computer (for example, the LDAP directory of an Open Directory master or a NetInfo domain) or it can reside on a non-Apple server (for example, an LDAP or Active Directory server).
You can use Workgroup Manager to work with accounts in all kinds of directory domains. For complete information about the different kinds of Open Directory domains, see the Open Directory administration guide.
Predefined Group Accounts
The following table characterizes the group accounts that are created automatically when you install Mac OS X Server. For a complete list, open Workgroup Manager and choose View > Show System Users and Groups.
85
network nobody nogroup operator smmsp sshd staff sys tty
Predefined group name admin bin daemon dialer guest kmem mail mysql
1
68
31
2
Group ID
80
7
6
74
3
4
5
25
75
20
69
-2
-1 unknown utmp uucp wheel www
99
45
66
0
70
Use
The group to which users with administrator privileges belong.
A group that owns all binary files.
A group used by system services.
A group for controlling access to modems on a server.
A legacy group used to control access to reading kernel memory.
The group historically used for access to local UNIX mail.
The group that the MySQL database server uses for its processes that handle requests.
This group has no specific meaning.
A group used by system services.
A group used by system services.
This group has no specific meaning.
The group used by sendmail.
The group for the sshd child processes that process network data.
The default group into which UNIX users are traditionally placed.
This group has no specific meaning.
A group that owns special files, such as the device file associated with an SSH or telnet user.
The group used when the system doesn’t know about the hard disk.
The group that controls what can update the system’s list of logged-in users.
The group used to control access to UUCP spool files.
Another group (in addition to the admin group) to which users with administrator privileges belong.
The nonprivileged group that Apache uses for its processes that handle requests.
86 Chapter 5 Setting Up Group Accounts
Creating Mac OS X Server Group Accounts
You need administrator privileges for a directory domain to create a new group account in it.
To create a group account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using has been configured to access the domain of interest.
For instructions, see the Open Directory administration guide.
3 Click the small globe above the accounts list and open the domain in which you want the group account to reside.
4 Click the lock to be authenticated as a directory domain administrator.
5 Click the Groups pane.
6 Click New Group, then specify settings for the group in the tabs provided.
You can also use a preset or an import file to create a new group. For details, see
“Creating a Preset for Group Accounts” and Appendix A, “Importing and Exporting
Creating Read-Write LDAPv3 Group Accounts
You can create a group account on a non-Apple LDAPv3 server if it has been configured for write access.
To create an LDAPv3 group account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using has been configured to use the LDAP server for group accounts.
For information about using Directory Access to configure an LDAP connection, see the
Open Directory administration guide. For information about the group account
elements that may need to be mapped, see Appendix A, “Importing and Exporting
3 Click the small globe above the accounts list and open the LDAPv3 domain in which you want the group account to reside.
4 To be authenticated, click the lock.
5 Choose Server > New Group.
6 Specify settings for the group in the tabs provided.
For details, see “Working With Member Settings for Groups” on page 90 and “Working
With Group Folder Settings” on page 93.
Chapter 5 Setting Up Group Accounts 87
88
You can also use a preset or an import file to create a new group. For details, see
“Creating a Preset for Group Accounts” below and Appendix A, “Importing and
Exporting Account Information.”
Creating a Preset for Group Accounts
Group account presets can be used to apply predetermined settings to a new group account.
To create a preset for group accounts:
1 Open Workgroup Manager on the server from which you will be creating group accounts.
2 Click Accounts.
3 Ensure that the server has been configured to access the Mac OS X directory domain or non-Apple LDAPv3 domain in which the preset will be used to create new accounts.
4 To create a preset using data in an existing group account, open the account. To create a preset using an empty group account, create a new group account.
5 Fill in the fields with values you want new user groups to inherit. Delete any values you don’t want to prespecify if you’re basing the preset on an existing account.
6 Click Preferences, configure settings that you want the preset to define, and then click
Accounts.
After configuring preference settings for a preset, you must return to the Accounts settings to save the preset.
7 Choose Save Preset from the Presets pop-up menu, enter a name for the preset, and click OK.
Editing Group Account Information
You can use Workgroup Manager to change a group account that resides in the LDAP directory of an Open Directory master, a NetInfo domain, or other read/write directory domain.
To make changes to a group account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using has been configured to access the directory domain of interest.
For instructions, see the Open Directory administration guide.
3 Click the small globe above the accounts list and open the domain in which the group account resides.
4 To be authenticated, click the lock.
5 Click the Groups pane and select the group you want to work with.
Chapter 5 Setting Up Group Accounts
6 Edit settings for the group in the tabs provided.
See “Working With Member Settings for Groups” on page 90 and “Working With Group
Folder Settings” on page 93 for details.
Creating Nested Groups
A nested group is a group that is a member of another group.
Each group can have its own managed preferences which are inherited by any users who are members of that group. If you define preferences for a group or any of its nested groups, the preferences that take effect after a group member logs in are those defined for the workgroup the user chooses after login.
To create a nested group account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using has been configured to access the directory domain of interest.
For instructions, see the Open Directory administration guide.
3 Click the small globe above the accounts list and open the domain in which you want the nested group to reside.
4 To be authenticated, click the lock.
5 Click the Groups button and create a new group.
6 Click the Add (+) button to nest a group within the selected group. Drag the group from the drawer to the Members list.
All members of that group will become child-members of the parent group as well.
7 Click Save.
Groups created using server versions prior to version 10.4 can't have nested groups unless you convert them as “Upgrading Legacy Groups” describes. If you upgrade from
10.3 and earlier to 10.4, groups remain legacy groups and continue to function as they always have. Whereas groups created in Mac OS X v10.4 are considered upgraded groups and can have nested groups and other objects as members, along with user records.
Upgrading Legacy Groups
When you upgrade to server version 10.4 or import groups created before version 10.4, existing groups can't have nested groups unless you convert them first.
To upgrade a legacy group account to an upgraded group account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using has been configured to access the directory domain of interest.
For instructions, see the Open Directory administration guide.
Chapter 5 Setting Up Group Accounts 89
90
3 Click the small globe above the accounts list and open the domain in which the group account resides.
4 To be authenticated, click the lock.
5 Click the Groups button and select the individual legacy group you wish to upgrade.
6 Click the Upgrade Legacy Group button.
7 Click Save.
Working With Read-Only Group Accounts
You can use Workgroup Manager to review information for group accounts stored in read-only directory domains. Read-only directory domains include LDAPv2 domains,
LDAPv3 domains not configured for write access, and BSD configuration files.
To work with a read-only group account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using has been configured to access the directory domain in which the account resides.
For information about using Directory Access to configure server connections, see the
Open Directory administration guide. For information about the group account
elements that need to be mapped, see Appendix A, “Importing and Exporting
3 Click the small globe above the accounts list and open the directory domain in which the group account resides.
4 Use the tabs provided to review the group account settings.
For details, see “Working With Member Settings for Groups” below and “Working With
Group Folder Settings” on page 93.
Working With Member Settings for Groups
Member settings include a group’s names, its ID, and a list of the users who are members of the group.
In Workgroup Manager, you use the Members pane in the group account window to work with member settings.
When the name of a user in the Members list appears in italics, the group is the user’s primary group.
Adding Users to a Group
Add users to a group when you want multiple users to have the same file permissions or when you want to make them managed users.
Chapter 5 Setting Up Group Accounts
When you create a user account and assign the new user a primary group, the user is automatically added to the group you specify; you don’t need to explicitly do so.
Otherwise, you explicitly add users to a group.
You can use Workgroup Manager to add users to a group if the user and group accounts are in the LDAP directory of an Open Directory master or a NetInfo domain.
To add users to a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select an account, click the small globe above the accounts list and open the directory domain where the account resides, click the Groups pane, and select the group.
3 To be authenticated, click the lock.
4 Click Members.
5 Click the Add (+) button to open a drawer listing the users defined in the directory domain you’re working with.
6 To include system users in the list, choose Workgroup Manager > Preferences, then select “Show system users and groups.”
Make sure that the group account resides in a directory domain specified in the search policy (search path) of computers the user will log in to.
7 Select the user, then drag it into the Members list on the Members pane.
Removing Users From a Group
You can use Workgroup Manager to remove a user from a group that is not the user’s primary group if the user and group accounts reside in the LDAP directory of an Open
Directory master or a NetInfo domain.
To remove a user from a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select an account, click the small globe above the accounts list and open the directory domain where the account resides, click the Groups pane, and select the group.
3 To be authenticated, click the lock.
4 Click Members.
5 Select the user or users you want to remove from the group, then click the Remove (–) button.
Chapter 5 Setting Up Group Accounts 91
92
•
•
Naming a Group
A group has two names: a long name and a short name.
•
•
•
•
The long group name (for example, English Department Students) is used for display purposes only and can contain no more than 255 bytes. Since full group names support various character sets, the maximum number of characters for full group names can range from 255 Roman characters to as few as 85 characters (for character sets in which characters occupy up to 3 bytes).
A short group name can contain as many as 255 Roman characters. However, for clients using Mac OS X version 10.1.5 and earlier, the short group name must be eight characters or fewer. Use only these characters in a short group name: a through z
A through Z
0 through 9
_ (underscore)
The short name, typically eight or fewer characters, may be used by Mac OS X to find user IDs of group members when determining whether a user can access a file as a
result of his or her group membership. See Appendix B for more information.
You can use Workgroup Manager to edit the names of a group account stored in the
LDAP directory of an Open Directory master, a NetInfo domain, or other read/write directory domain. You can also use Workgroup Manager to review the names in any directory domain accessible from the server you’re using.
To work with group names using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select an account, click the small globe above the accounts list and open the directory domain where the account resides, click the Groups pane, and select the group.
3 To be authenticated, click the lock.
4 In the Name or “Short name” field (on the Members pane), review or edit the names.
Before saving a new name, Workgroup Manager checks to ensure that the name is unique.
Defining a Group ID
A group ID is a string of ASCII digits that uniquely identifies a group. The maximum value is 2,147,483,648.
You can use Workgroup Manager to edit the ID for a group account stored in the LDAP directory of an Open Directory master or a NetInfo domain, or to review the group ID in any directory domain accessible from the server you’re using. The group ID is associated with group privileges and permissions.
Chapter 5 Setting Up Group Accounts
To work with a group ID using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select an account, click the small globe above the accounts list and open the directory domain where the account resides, click the Groups pane, and select the group.
3 To be authenticated, click the lock.
4 In the Group ID field (on the Members pane), review or edit the ID.
Before saving a new group ID, Workgroup Manager checks to ensure that it is unique in the directory domain you’re using.
Working With Group Folder Settings
A group folder offers a way to organize documents and applications of special interest to group members and gives group members a way to pass information back and forth among themselves. Group folders are not directly linked to workgroup management, but access and workflow management can be improved by using group folders within managed client with workgroup settings.
To set up a group folder:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select an account, click the small globe above the accounts list and open the directory domain where the account resides, click the Groups pane, and select the group.
3 To be authenticated, click the lock.
4 Click the Groups pane and select a group.
5 Click Group Folder.
6 To set up a group folder in a subfolder of a share point, click the Add (+) button or the
Duplicate button (copy icon).
Specifying No Group Folder
You can use Workgroup Manager to change a group account that has a group folder to have none. By default, a new group has no group directory.
To define no group folder:
1 In Workgroup Manager, click Accounts.
Chapter 5 Setting Up Group Accounts 93
94
2 Select the group account you want to work with.
To select an account, click the small globe above the accounts list and open the directory domain where the account resides, click the Groups pane, and select the group.
3 To be authenticated, click the lock.
4 Click the Groups pane and select a group.
5 Click Group Folder.
6 Select (None) in the list.
Creating a Group Folder in an Existing Share Point
You can create a group folder for a group in any existing share point, or you can create the group folder in the /Groups folder—a predefined share point.
To set up a group folder in the /Groups folder or in another existing share point:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select a group account, connect to the server where the account resides. Click the small globe above the accounts list and open the directory domain where the group account is stored, click the Groups pane, and select the group.
3 To be authenticated, click the lock.
4 Click Group Folder.
5 To add an existing share point to the list, click the Add (+) button and enter the requested information.
In the URL field, enter the full URL to the share point where you want the group folder to reside. For example, enter “AFP://myserver.example.com/SchoolGroups” to identify an AFP share point named “SchoolGroups” on a server whose DNS name is
“myserver.example.com”. If you are not using DNS, replace the DNS name of the server hosting the group folder with the server’s IP address: “AFP://192.168.2.1/SchoolGroups”.
In the Path field, enter the path from the share point to the group folder, including the group folder but excluding the share point. Do not put a slash at the beginning or the end of the path. For example, if the share point is SchoolGroups and the full path to the group folder is SchoolGroups/StudentGroups/SecondGrade, enter “StudentGroups/
SecondGrade” in the Path field.
Note: Configuring a group folder share point to have a network mount record does not make the group folder mount automatically when a group member logs in. You can provide easy access to a group folder by managing Dock preferences or Login preferences for the group.
Chapter 5 Setting Up Group Accounts
6 In the Owner Name field, enter the name of the user you want to own the group folder so the user can act as group folder administrator.
Click the Browse (...) button to choose an owner from a list of users in the current directory domain.
The group folder owner will be given read/write access to the group folder.
7 Click Save.
8 To create the folder, use the CreateGroupFolder command in Terminal.
You must be the root user to use the command. For more information, type “man
CreateGroupFolder” in Terminal to see the man page. The group folder is named using the short name of the group with which it is associated.
•
•
You can automate a group member’s access to the group folder when the user logs in:
You can set up Dock Preferences to make the group folder visible in the Dock. For
instructions, see “Providing Easy Access to Group Folders” on page 149.
You can set up login preferences so that users can click Computer in the Finder to see the group folder share point and the group folders within it. For instructions, see
“Providing Easy Access to the Group Share Point” on page 166.
When using these preferences, make sure the group is defined in a shared domain in the search policy of the group member’s computer. See the Open Directory administration guide for instructions on setting a computer’s search policy.
If you don’t automate group folder access, group members can use the “Connect to
Server” command in the Finder’s Go menu to navigate to the server where the group folder resides to access the group folder.
Creating a Group Folder in a New Share Point
You can use Workgroup Manager to create a group folder in a new share point.
To create a group folder in a new share point:
1 On the server where you want the group folder to reside, create a folder that will serve as the share point for the group folder.
2 In Workgroup Manager, connect with the server in step 1 and click Sharing.
3 Click All (above the list on the left) and select the folder you created for the share point.
4 In the General pane, select “Share this item and its contents.”
5 Set Group permissions to Read & Write, set Everyone permissions to Read Only, and change the name in the Group field to “admin.”
Ignore the Owner permissions for now.
6 Click Save.
Chapter 5 Setting Up Group Accounts 95
96
7 Click Accounts and select the group account you want to work with.
To select a group account, connect to the server where the account resides. Click
Accounts. Click the small globe above the accounts list and open the directory domain where the group account is stored. Click the Groups pane and select the group.
8 To be authenticated, click the lock.
9 In the Owner Name field, enter the name of the user you want to own the group folder so the user can act as group folder administrator.
Click the Browse (...) button to choose an owner from a list of users in the current directory domain.
The group folder owner will be given read/write access to the group folder.
10 To create the folder, use the CreateGroupFolder command in Terminal.
You must be the root user to use the command. For more information, type “man
CreateGroupFolder” in Terminal to see the man page. The group folder is named using the short name of the group with which it is associated.
The group folder is named using the short name of the group with which it is associated.
•
•
You can automate a group member’s access to the group folder when the user logs in:
You can set up Dock Preferences to make the group folder visible in the Dock. For
instructions, see “Providing Easy Access to Group Folders” on page 149.
You can set up login preferences so that users can click Computer in the Finder to see the group folder share point and the group folders within it. For instructions, see
“Providing Easy Access to the Group Share Point” on page 166.
When using these preferences, make sure the group is defined in a shared domain in the search policy of the group member’s computer. See the Open Directory administration guide for instructions on setting a computer’s search policy.
If you don’t automate group folder access, group members can use the “Connect to
Server” command in the Finder’s Go menu to navigate to the server where the group folder resides to access the group folder.
Creating a Group Folder in a Subfolder of an Existing Share Point
In Workgroup Manager, you can create group folders that don’t reside immediately below a share point. For example, you may want to organize group folders into several subfolders under a share point that you define. If Groups is the share point, you may want to place student groups’ folders in /Groups/StudentGroups and teacher groups’ folders in /Groups/TeacherGroups. The full path to a group folder for second-grade students could be /Groups/StudentGroups/SecondGrade.
Chapter 5 Setting Up Group Accounts
The procedure detailed here assumes the share point exists. If the share point does not
To set up a group folder in a subfolder of an existing share point:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select a group account, connect to the server where the account resides. Click the small globe above the accounts list and open the directory domain where the group account is stored, click the Groups pane, and select the group.
3 To be authenticated, click the lock.
4 Click Group Folder.
5 Click the Add (+) button to add a custom group folder location or click Duplicate (copy icon) to copy an existing location.
To remove a group folder location, select it and click the Delete (–) button. You can delete only locations that were added with the Add or Duplicate buttons.
6 In the URL field, enter the full URL to the share point where you want the group folder to reside.
For example, enter “AFP://myserver.example.com/SchoolGroups” to identify an AFP share point named “SchoolGroups” on a server whose DNS name is
“myserver.example.com.” If you are not using DNS, replace the DNS name of the server hosting the group folder with the server’s IP address: “AFP://192.168.2.1/SchoolGroups.”
7 In the Path field, enter the path from the share point to the group folder, including the group folder but excluding the share point.
For example, if the share point is SchoolGroups and the full path to the group folder is
SchoolGroups/StudentGroups/SecondGrade, enter “StudentGroups/SecondGrade” in the Path field.
Do not put a slash at the beginning or the end of the path.
8 Click OK.
9 In the Owner Name field, enter the name of the user you want to own the group folder so the user can act as group folder administrator.
Click the Browse (...) button to choose an owner from a list of users in the current directory domain.
The group folder owner will be given read/write access to the group folder.
Chapter 5 Setting Up Group Accounts 97
10 To create the folder, use the CreateGroupFolder command in Terminal.
You must be the root user to use the command. For more information, type “man
CreateGroupFolder” in Terminal to see the man page. The group folder is named using the short name of the group with which it is associated.
11 Set up access to the group folder for users who log in as group members.
• You can automate a group member’s access to the group folder when the user logs in.
•
• You can set up Dock Preferences to make the group folder visible in the Dock. For
instructions, see “Providing Easy Access to Group Folders” on page 149.
You can set up login preferences so users can click Computer in the Finder to see the group folder share point and the group folders within it. For instructions, see
“Providing Easy Access to the Group Share Point” on page 166.
When using these preferences, make sure the group is defined in a shared domain in the search policy of the group member’s computer. See the Open Directory administration guide for instructions on setting a computer’s search policy.
If you don’t automate group folder access, group members can use the “Connect to
Server” command on the Finder’s Go menu to navigate to the server where the group folder resides to access the group folder.
Designating a Group Folder for Use by Multiple Groups
To permit a group folder to be accessed by multiple groups, you identify the folder for each group separately.
To configure more than one group to use the same group folder:
1 In Workgroup Manager, click Accounts.
2 Select the first group account you want to use the folder.
To select a group account, connect to the server where the account resides. Click the small globe above the accounts list and open the directory domain where the group account is stored, click the Groups pane, and select the group.
3 Click Group Folder, select the folder you want the group to use, and click Save.
4 Repeat for each group you want to use the same group folder.
98 Chapter 5 Setting Up Group Accounts
Deleting a Group Account
You can use Workgroup Manager to delete a group account stored in the LDAP directory of an Open Directory master, a NetInfo domain, or other read/write directory domain.
Warning: You cannot undo this action.
To delete a group account using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to delete.
To select the account, click the small globe above the accounts list and open the directory domain where the account resides, click the Groups pane, and select the group.
3 To be authenticated, click the lock.
4 Choose Server > Delete Selected Group or click the Delete icon in the toolbar.
Chapter 5 Setting Up Group Accounts 99
100 Chapter 5 Setting Up Group Accounts
6
Setting Up Computer Lists
6
This chapter tells you how to set up and manage groups of computers.
About Computer Lists
A computer list comprises one or more computers that have the same preference settings and that are available to particular users and groups. You create and modify computer lists in Workgroup Manager.
There are two preset computer lists, Guest Computers and Windows Computers. These two lists, along with the computer lists that you set up, appear on the left side of the
Workgroup Manager window. Settings appear on the List, Access, and Cache panes on the right side of the window.
Before you set up a computer list, determine the names and addresses of the computers that will be included. In this context, you customarily use the computer name specified in a computer’s Sharing preferences. If you prefer, you can use a descriptive name that you find more suitable.
A computer’s address must be the “on board,” or built-in, Ethernet address, which is unique to each computer. (A computer’s Ethernet address, or Ethernet ID, is also known as its MAC address.) You can browse for a computer and Workgroup Manager will enter the computer’s name and Ethernet address for you. A client computer uses this data to find preference information when a user logs in.
Note: For Windows Computers lists, you need to know the NetBIOS name of each
Windows client computer. This name is entered in the Windows Computer Name field.
You don’t need to know the Ethernet address of Windows client computers.
When a client computer starts up, directory services check for a computer list that contains the computer’s Ethernet address, and uses preference information for that computer list. If no record is found, the client computer uses preference information for the Guest Computers computer list.
101
102
To edit computer lists or computer list preferences, you must have domain administrative privileges. You can have administrative privileges for all computer lists or for a set of specific computer lists. For more information about assigning administrative
privileges, see Chapter 4, “Setting Up User Accounts.”
•
•
•
Special Purpose Computer Lists
Workgroup Manager defaults with a set of preexisting computer lists, each of which serve a special purpose. These lists are:
Guest Computers: Computers that are not in any list are automatically members of the guest computers list. You can inherit preferences for guest computers or set them individually.
Windows Computers: A Windows Computers computer list is created automatically in the server's local directory and in the LDAP directory of an Open Directory master or replica. An administrator doesn't create and can't remove a Windows Computers list.
For information and instructions on managing the Windows Computers computer list and on setting up Mac OS X Server as a primary or backup domain controller
(PDC or BDC).
All Computers: This list holds all the computer records, whether present in a list or not. Computers that had previously been in lists can also be found here. This list serves as a handy reference location.
Creating a Computer List
A computer list is a group of computers that have the same preference settings and are available to the same users and groups. You can use a computer list to assign the same privileges and preferences to multiple computers. You can add up to 2000 computers to a computer list.
A computer cannot belong to more than one list, and you cannot add computers to the Guest Computers list.
To set up a computer list:
1 In Workgroup Manager, click Accounts.
2 Click the small globe above the accounts list and choose the directory domain where you want to store the new computer list.
3 To authenticate, click the lock.
4 Click the Computer Lists button (on the left), then click List (on the right).
5 Choose Server > New Computer List (or click New Computer List in the toolbar), then type a name for the computer list.
6 To use a preset, choose one from the Presets pop-up menu.
Chapter 6 Setting Up Computer Lists
7 To add a computer to the list, click the Add (+) button and enter the computer’s
Ethernet address and name. Or click the Browse (...) button and choose a computer, and Workgroup Manager will enter the computer’s Ethernet address and name for you.
A computer’s address must be the unique built-in Ethernet address, even if the client is connected to the network using AirPort. (A computer’s Ethernet address, or Ethernet ID, is also known as its MAC address.) If you manually add a computer, be sure to use the built-in Ethernet address for each client.
8 Add a comment (optional).
Comments are useful for providing information about a computer’s location, configuration (for example, a computer set up for individuals with special needs), or attached peripherals. You could also use the comment for identification information such as the computer’s model or serial number.
9 Continue adding computers until your computer list is complete.
10 Fill in the information requested on the Access and Cache panes.
11 Save the computer list.
After you set up a computer list, you can manage preferences for it if you wish.
For more information about using managed preferences, see “Defining Preferences” on
page 125 and Chapter 9, “Managing Preferences.”
Creating a Preset for Computer Lists
You can select settings for a computer list and save them as a “preset.” Presets work like templates, allowing you to apply preselected settings and information to new computer lists. Using presets, you can easily set up multiple computers to use similar settings. You can use presets only when creating a new computer list; you can’t use a preset to modify an existing computer list.
Settings in the List pane are specific to individual computers and don’t apply to presets.
To set up a preset for computer lists:
1 In Workgroup Manager, click Accounts.
2 Click the small globe above the accounts list and choose the directory domain where you want to create a computer list using presets.
3 To authenticate, click the lock.
4 Click the Computer Lists button (on the left), then click List (on the right).
5 To create a completely new preset, first create a computer list by clicking New
Computer List. To create a preset using data in an existing computer list, select it (on the left).
6 Fill in the information requested on the Access and Cache panes.
7 Choose Save Preset from the Presets pop-up menu.
Chapter 6 Setting Up Computer Lists 103
104
After you create a preset, you can no longer change its settings, but you can delete it or change its name.
To change a preset’s name, choose the preset from the Presets pop-up menu, then choose Rename Preset.
To delete a preset, choose a preset from the Presets pop-up menu, then choose Delete
Preset.
Using a Computer List Preset
When you create a new computer list, you can choose any preset from the Presets popup menu to apply initial settings; you can further modify the computer list settings before you save the list. When you save the computer list, you can’t use the Preset menu again for that list (for example, you can’t switch the list to a different preset).
To use a preset for computer lists:
1 In Workgroup Manager, click Accounts.
2 Click the small globe above the accounts list and choose the directory domain where you want to store the new list.
3 To authenticate, click the lock.
4 Click the Computer Lists button (on the left), then click List (on the right).
5 Choose a preset from the Presets pop-up menu.
6 Create a new list (click New Computer List).
7 Add or update settings as needed, then save the list.
Adding Computers to an Existing Computer List
You can easily add more computers to an existing list. You can’t add computers to the
Guest Computers list, however, because it is predefined to include any computer that’s not part of another computer list.
To add computers to a list:
1 In Workgroup Manager, click Accounts.
2 Select the computer list.
To select the list, click the small globe above the accounts list and choose the directory domain that contains the list, click the Computer Lists button, and select the list.
3 To authenticate, click the lock.
4 Click List.
5 To use a preset, choose one from the Presets pop-up menu.
Chapter 6 Setting Up Computer Lists
6 Click the Add (+) button and enter the requested information.
Or click the Browse (...) button, select the computer you want, and Workgroup Manager will enter the computer’s Ethernet address and name for you.
A computer’s address must be the “on board,” or built-in, Ethernet address, which is unique to each computer. (A computer’s Ethernet address, or Ethernet ID, is also known as its MAC address.)
7 Add a comment (optional).
Comments are useful for providing additional information about a computer’s location, configuration (for example, a computer set up for individuals with special needs), or attached peripherals. You could also use the comment for identification information such as the computer’s model or serial number.
8 Click Save.
9 Continue adding computers and information until your list is complete.
Changing Information About a Computer
After you add a computer to a computer list, you can edit information when necessary.
To change computer information:
1 In Workgroup Manager, click Accounts.
2 Select the list to which the computer belongs.
To select the list, click the small globe above the accounts list and choose the directory domain that contains the computer you want to modify, click the Computer Lists button, and select the list.
3 To authenticate, click the lock.
4 On the List pane, select the computer whose information you want to edit and click the
Edit (pencil) button.
Or double-click the Address, Description, or Comment of a computer in the list to edit the information directly in the list.
5 Change information as needed, then click Save.
Moving a Computer to a Different Computer List
Occasionally, you may want to group computers differently. You can easily move computers from one list to another.
Note: A computer can belong to only one list. You can’t add computers to the Guest
Computers list.
To move a computer from one list to another:
1 In Workgroup Manager, click Accounts.
2 Select the list to which the computer belongs.
Chapter 6 Setting Up Computer Lists 105
106
To select the list, click the small globe above the accounts list and choose the directory domain that contains the computer list you want to modify, click the Computer Lists button, and select the list.
3 To authenticate, click the lock.
4 On the List pane, select the computer you want to move and click the Edit (pencil) button.
5 Choose a list from the “Move to list” pop-up menu and click OK.
6 Click Save.
Deleting Computers From a Computer List
After you delete a computer from a computer list, that computer is managed by using the Guest Computers list.
To delete a computer from a list:
1 In Workgroup Manager, click Accounts.
2 Select the list to which the computer belongs.
To select the list, click the small globe above the accounts list and choose the directory domain that contains the computer list you want to modify, click the Computer Lists button, and select the list.
3 To authenticate, click the lock.
4 On the List pane, select one or more computers.
5 Click the Remove (–) button, then click Save.
Deleting a Computer List
If you no longer need any computers in a computer list, you can delete the entire list.
You can’t delete the Guest Computers list or the Windows Computers list.
Warning: You can’t undo this action.
To delete a computer list:
1 In Workgroup Manager, click Accounts.
2 Select the list.
To select the list, click the small globe above the accounts list and choose the directory domain that contains the computer list you want to delete, click the Computer Lists button, and select the list.
3 To authenticate, click the lock.
4 Choose Server > Delete Selected Computer List or click Delete in the toolbar.
Chapter 6 Setting Up Computer Lists
Searching for Computer Lists
Workgroup Manager has a search feature that allows you to find specific computer lists quickly. You can search within a selected domain and filter search results.
To search for a computer list:
1 In Workgroup Manager, click Accounts, click the Computer Lists button (on the left), then click List (on the right).
2 To limit your search, click the small globe above the accounts list and choose a directory domain:
Local: Search for computer lists in the local directory domain.
Search Path: Search for computer lists in all directories of the server’s search path (for example, myserver.mydomain.com).
Other: Browse and select an available directory domain to search for computer lists.
3 To authenticate, click the lock.
4 Select an additional filter from the filter pop-up menu next to the search field, if you wish.
5 Type search terms in the search field.
Managing Guest Computers
If an unknown computer (one that isn’t already in a computer list) connects to your network and attempts to access services, that computer is treated as a “guest.” Settings for the Guest Computers list apply to these unknown, or “guest,” computers.
A Guest Computers list is automatically created for a server’s local directory domain. If the server is an Open Directory master or replica, a Guest Computers list is also created for its LDAP directory domain.
The Guest Computers list is not recommended for large numbers of computers; most computers should belong to regular computer lists.
Note: You cannot add or move computers to the Guest Computers list, and you cannot change the list name.
To set up a Guest Computers list:
1 In Workgroup Manager, click Accounts.
2 Click the small globe above the accounts list and choose the directory domain that contains the Guest Computers list you want to modify.
3 To authenticate, click the lock.
4 Click the Computer Lists button (on the left) and select Guest Computers in the list.
5 Click List (on the right), then select a setting for preferences.
Chapter 6 Setting Up Computer Lists 107
108
To set up managed preferences, select “Define Guest Computer preferences here.”
If you select this option, click Save and continue with the next step.
To make guest computers have the same managed preference settings as the parent server (a server whose LDAP directory or shared NetInfo directory is listed in the search policy of the server you’re configuring), select “Inherit preferences for Guest
Computers.” If you select this option, click Save; the next step is not necessary.
Note: You must either create unique computer account lists, or have Guest Computers set to define preferences within the search path, or else the management settings will not be cached at the local computer. This could result in client systems becoming unmanaged when disconnected from the network.
6 If you selected Define, click Access and select the settings you want to use. Click Cache, set an interval for clearing the preferences, then click Save.
After you set up the Guest Computers list, you can manage preferences for it if you
wish. For more information about using managed preferences, see “Defining
Preferences” on page 125 and Chapter 9, “Managing Preferences.”
If you don’t select settings or preferences for the Guest Computers list, guest computers are not managed. However, if the person using the guest computer has a
Mac OS X Server user account with managed user or group preferences, those settings still apply when the person logs in with that user account.
If the user has an administrator account in a client computer’s local directory, the user can choose not to be managed at login. Unmanaged users can still use the “Go to
Folder” command to access a home directory on the network.
Working With Access Settings
Settings in the Access pane let you make computers in a list available to users in groups. You can allow only certain groups to access computers in a list, or you can allow all groups (and therefore, all users) to access the computers in a list. You can also control certain aspects of local user access.
Restricting Access to Computers
You can reserve computers so that only certain users have access to them. For example, if you have two computers with video-editing hardware and software, you can reserve them for users doing video production. First, create a computer list of those computers, make sure the users have user accounts, add the users to a “video production” group, and then give only that group access to the video-production computer list.
Note: A user with an administrator account in a client computer’s local directory can always log in.
Chapter 6 Setting Up Computer Lists
To reserve a set of computers for specific groups:
1 In Workgroup Manager, click Accounts.
2 Select the computer list.
To select the list, click the small globe above the accounts list and choose the directory domain that contains the computer list, click the Computer Lists button, and select the list.
3 To authenticate, click the lock.
4 In the List pane, enter the computer records with their Ethernet IDs.
You can use Lists in order to restrict login to specific computers. You can also
accomplish this with flexibility via “Network Views”, which are discussed in Chapter 10.
5 Click Access.
6 Select “Restrict to groups below.”
7 Click the Add (+) button, then select one or more groups in the drawer and drag them to the list in the Access pane.
To remove an allowed group, select it and click the Remove (–) button.
8 Click Save.
On the login screen, only users of the permitted group(s) will show up or be able to log in.
Making Computers Available to All Users
You can make computers in a list available to any user in any group account you set up.
To make computers available to all users:
1 In Workgroup Manager, click Accounts.
2 Select the computer list.
To select the list, click the small globe above the accounts list and choose the directory domain that contains the computer list, click the Computer Lists button, and select the list.
3 To authenticate, click the lock.
4 Click the Computer Lists button and select one or more computer lists.
5 In the List pane, check the computer records or enter one if none exists.
6 Click the Access pane.
7 Select “All groups can use the computer” and “Allow computer administrators to disable management.”
8 Click the Cache pane and ensure that the setting for updating the preference cache is set to the appropriate duration.
Chapter 6 Setting Up Computer Lists 109
110
Do not set the cache refresh to '0' or else the cache will not be created. This will result in the computers becoming unmanaged when disconnected from the network.
9 Click Save.
Using Local User Accounts
A “local user account” is a user account defined in a client computer’s local directory domain. Local accounts are useful for both stationary and mobile computers with either single or multiple users. Anyone with a local administrator account on a client computer can create local user accounts using the Accounts pane of System
Preferences. Local users authenticate locally.
If you plan to supply individuals with their own portable computers (iBooks, for example), you may want to make each user a local administrator for the computer. A local administrator has more privileges than a local or network user. For example, a local administrator can add printers, change network settings, or decide not to be managed.
The easiest way to manage preferences for local users of a particular computer is to manage preferences for the computer list to which the computer belongs, and make sure you allow users with local-only accounts to use computers in the computer list.
To provide access for users with local accounts:
1 In Workgroup Manager, click Accounts.
2 Select a computer list that supports computers with local users.
To select a list, click the small globe above the accounts list and choose the directory domain that contains the computer list, click the Computer Lists button, and select the list.
3 To authenticate, click the lock.
4 Click Access.
5 Select “Restrict to groups below” to determine which workgroups are displayed when a local user logs in.
Local user accounts cannot be set to allow access to only specific workgroups. If you have created workgroups that must be restricted to specific accounts, then you must create a unique computer account list that contains only common access workgroups.
To let the user see a list of all available workgroups, select “All groups can use the computer.”
To display only certain workgroups (in case of non-local accounts), select “Restrict to groups below,” then drag groups from the drawer to the list in the Access pane.
6 Make sure “Allow users with local-only accounts” is selected.
7 Click Save.
Chapter 6 Setting Up Computer Lists
7
Setting Up Home Directories
7
Mac OS X uses the home directory—a folder for a user’s personal use—to store system preferences and managed settings. This chapter provides guidelines for setting up and managing home directories.
About Home Directories
You can set up home directories so they can be accessed using either Apple Filing
•
•
Protocol (AFP) or Network File System (NFS):
The preferred protocol is AFP, because it provides authentication-level access security. A user has to log in with a valid name and password to access files.
NFS file access is based not on user authentication, but on client IP address, so it is generally less secure than AFP. Use NFS only if you need to provide home directories for a large number of users who use UNIX workstations.
To set up a home directory for a user in Workgroup Manager, you use the Home pane in the Accounts window.
You can also import user home directory settings from a file. For an explanation of how
to work with import files, see Appendix A, “Importing and Exporting
A user’s home directory doesn’t need to be stored on the same server as the directory domain containing the user’s account. In fact, distributing directory domains and home directories among various servers can help you balance your workload among several
servers. “Distributing Home Directories Across Multiple Servers” on page 112 describes
several such scenarios.
The home directory that you designate on the Home pane can be used when logging in from a Windows workstation or a Mac OS X computer. This can be useful for a user whose account resides on a server that is a Windows primary domain controller. See the Windows services administration guide for information about setting up home directories for Windows workstation users.
111
•
•
•
•
The maximum path length of limit of 89 characters for home directories and other automount share points is reduced by different amounts depending on the version of
Mac OS X used on clients:
10.2 - 10.2.8: (89-24 overhead) = 65 characters max
10.3 - 10.3.4: (89-38 overhead) = 51 characters max
10.3.5 or more recent versions of 10.3: (89-24 overhead) = 65 characters max
10.4 Tiger: (89-16 overhead) = 73 characters max
Avoid Spaces and Long Names in Network Home Directory Path
If the absolute path from the client to the network home directory on the server contains either spaces or more than 89 characters, certain types of clients cannot connect. For example, a client using automount with an LDAP-based AFP home directory may not be able to access its home directory.
To resolve or avoid the issue, be sure that the full path to the network home directory contains no spaces, and that the total path does not exceed 89 characters. The solidus or “slash” (/) counts as a character.
For more information, see the Apple Service & Support website article “Avoid Spaces and Long Names in Network Home Directory Name, Path” at docs.info.apple.com/ article.html?artnum=107695.
Distributing Home Directories Across Multiple Servers
The following illustration depicts using one Mac OS X Server for storing user accounts and two other Mac OS X Servers for storing AFP home directories.
User accounts
Mac OS X Servers
112
Home directories A through M
Chapter 7 Setting Up Home Directories
Home directories N through Z
When a user logs in, he or she is authenticated using an account stored in a shared directory domain on the accounts server. The location of the user’s home directory, stored in the account, is used to mount the home directory, which resides physically on one of the two home directory servers.
Here are the steps you could use to set up this scenario for AFP home directories:
Step 1: Create a shared domain for the user accounts on the accounts server
You create a shared LDAP directory domain by setting up an Open Directory master, as described in the Open Directory administration guide.
Step 2: Set up an automountable share point for the home directories on each home directory server
For instructions on how to set up automountable share points, see “Setting Up an
Automountable AFP Share Point for Home Directories” on page 119.
Step 3: Create the user accounts in the shared domain on the accounts server
Instructions later in this chapter tell you how to set up accounts so that home directories reside in one or the other of the automountable share points.
See instructions in “Creating Mac OS X Server User Accounts” on page 59 to learn how
to set user account attributes and subsequent sections of this chapter for details specific to home directory setup.
Step 4: Set up the directory services of the client computers so their search policy includes the shared directory domain on the accounts server
See the Open Directory administration guide for information about configuring search policies.
When a user restarts his or her computer and logs in using the account in the shared domain, the home directory is created automatically (if it hasn’t already been created) on the appropriate server and is visible on the user’s computer.
Note: Home directories are automatically created the first time a user logs in only on share points served via an AFP server. NFS home directories must be created manually.
Specifying No Home Directory
You can use Workgroup Manager to change a user account that has a home directory to have none. By default, new users have no home directory.
To define no home directory:
1 In Workgroup Manager, click Accounts.
2 Open the directory domain in which the user account resides and authenticate as an administrator of the domain.
Chapter 7 Setting Up Home Directories 113
114
To open a directory domain, click the small globe above the accounts list and choose from the pop-up menu. To authenticate, click the lock.
3 Click the Users button and select one or more user accounts.
4 Click Home, then select (None) in the list.
5 Click Save.
Creating a Home Directory for a Local User at a Server
You can use Workgroup Manager to define home directories for users whose accounts are stored in a server’s local directory domain. You might want to use local user accounts on standalone servers (servers not accessible from a network) and for administrator accounts on a server. These accounts are meant to be used by users physically logging into the server. They are not meant to be used by network users.
Home directories for local users should reside in AFP share points on the server where the users’ accounts reside. These share points do not have to be automountable (they do not require network mount records).
To create a home directory for a local user account:
1 Make sure that a share point for the home directory exists on the server where the local user account resides.
You can use the predefined /Users share point or any other AFP share point that has been defined on the server. Alternatively, you can define your own share point. To use an existing share point, skip to step 4. To define a new share point, continue with steps 2 and 3.
Because of the way home directory disk quotas work, you may want to set up home directory share points on a partition different from other share points. For more
information, see “Setting Disk Quotas” on page 121.
2 Using the Finder, create the folder you want to use as the share point if required.
3 In Workgroup Manager, connect to the server where the local user account resides and click Sharing to set up the folder as an AFP share point.
Click All (above the list on the left) and select the folder.
Click General and select “Share this item and its contents.”
Specify the share point owner and group names by typing names into those fields or by dragging names from the drawer that opens when you click Users & Groups.
Set Owner permissions to Read & Write, and set Group permissions and Everyone permissions to Read Only.
Click Save.
Chapter 7 Setting Up Home Directories
4 In Workgroup Manager, click Accounts and select the user account you want to work with.
To select a local user account, click the small globe above the user list and open the local directory domain, click the Users button, then select the user in the user list.
5 Click the lock and authenticate as an administrator of the local directory domain.
6 Click Home to set up the selected user’s home directory.
7 In the share points list, select the share point you want to use.
The list displays all the AFP share points on the server you are connected to.
8 (Optional) Enter a disk quota and specify megabytes (MB) or gigabytes (GB).
9 Click Create Home Now, then click Save.
If you do not click Create Home Now before clicking Save, the home directory is created the next time the user restarts the client computer and logs in remotely.
However, only certain clients can connect to servers hosting sharepoints in the local
The home directory has the same name as the user’s first short name.
10 Make sure AFP service is running on the server where the local user’s home directory resides.
To check the status of AFP service, open Server Admin and connect to the server where the local user account resides. Select AFP in the Computers & Services list and click
Overview. If the status indicates Apple File Service is stopped, choose Server > Start
Service or click Start Service in the toolbar.
Creating a Network Home Directory
In Workgroup Manager, you can set up a network home directory for a user account stored in a shared directory domain.
A user’s network home directory can reside in any AFP or NFS share point that the user’s computer can access. The share point must be automountable. An automountable share point ensures that the home directory is visible in
/Network/Servers automatically when the user logs in to a Mac OS X computer configured to access the shared domain. It also lets other users access the home directory using the ~home-directory-name shortcut.
You can use Workgroup Manager to define a network home directory for a user whose account is stored in the LDAP directory of an Open Directory master or another read/ write directory domain accessible from the server you are using. You can also use
Workgroup Manager to review home directory information in any accessible read-only directory domain.
Chapter 7 Setting Up Home Directories 115
116
To create a network home directory in an AFP or NFS share point:
1 Make sure the share point exists on the server where you want the home directory to reside and the share point has a network mount record configured for home directories.
For instructions, see “Setting Up an Automountable AFP Share Point for
Home Directories” on page 119, or “Setting Up an Automountable NFS or SMB Share
Point for Home Directories” on page 120.
2 In Workgroup Manager, click Accounts and select the user account you want to work with.
To select an account, connect to the server where the account resides. Click the small globe above the accounts list and open the directory domain where the user account is stored. Click the Users button and select the user in the user list.
3 To be authenticated, click the lock.
4 Click Home to set up the selected user’s home directory.
5 In the share points list, select the share point you want to use.
The list displays all the automountable network-visible share points in the search path of the server you are connected to. If the share point you want to select is not listed, try clicking Refresh. If the share point still does not appear, it might not be automountable.
In this case, you need to set up the share point to have a network mount record configured for home directories as described in step 1.
6 (Optional) Enter a disk quota and specify megabytes (MB) or gigabytes (GB).
7 Click Create Home Now, then click Save.
If you do not click Create Home Now before clicking Save, the home directory is created the next time the user restarts the client computer and logs in remotely.
The home directory has the same name as the user’s first short name.
8 Make sure that the user restarts his or her client computer so that the share point is visible on it.
Note that when the user logs in using SSH to obtain command-line access to the server, the user’s home directory isn’t mounted, and the user has only guest access to it.
If you want more control over where the user’s home directory resides within a share point or what it is named, click the Add (+) or Duplicate (copy icon) button to create a
custom home directory. For instructions, see “Creating a Custom Home Directory.”
Chapter 7 Setting Up Home Directories
Creating a Custom Home Directory
In Workgroup Manager, you can customize a user’s home directory settings. You’ll want
•
• to customize home directory settings when:
You want the user’s home directory to reside in directories not immediately below the home directory share point. For example, you may want to organize home directories into several subdirectories within a share point. If Homes is the home directory share point, you may want to place teacher home directories in
Homes/Teachers and student home directories in Homes/Students.
You want to specify a home directory name different from the user’s first short name.
You can use Workgroup Manager to define a custom home directory for a user whose account is stored in a server’s local directory domain or in a shared directory domain accessible from the server you are using. The shared directory domain can be the LDAP directory of an Open Directory master or another read/write directory domain.
You can also use Workgroup Manager to review home directory information in any accessible read-only directory domain.
To create a custom home directory using Workgroup Manager:
1 Make sure the share point exists and is configured correctly.
The share point for a local user account’s home directory should reside in an AFP share point on the server where the user’s accounts resides. This share point does not have to be automountable (it does not require a network mount record).
The share point for the home directory of a user account in a shared directory domain can reside in any AFP or NFS share point that the user’s computer can access. The share point must be automountable—it must have a network mount record in the directory.
For instructions, see “Setting Up an Automountable AFP Share Point for
Home Directories” on page 119 or “Setting Up an Automountable NFS or SMB Share
Point for Home Directories” on page 120.
2 If you want the home directory to reside beneath a folder under the share point, use the Finder to create all the folders in the path between the share point and where the home directory will reside.
3 In Workgroup Manager, click Accounts and select the user account you want to work with.
To select an account, connect to the server where the account resides. Click the small globe above the accounts list and open the directory domain where the user account is stored. Click the Users button and select the user.
4 To be authenticated, click the lock.
5 Click Home to set up the selected user’s home directory.
Chapter 7 Setting Up Home Directories 117
118
6 Click the Add (+) button to add a custom home directory location, or click the
Duplicate (copy icon) button to copy an existing location.
You can remove a home directory location by selecting it and clicking the Delete (–) button. You can delete only locations that were added with the Add or Duplicate buttons.
7 In the URL field, either enter the full URL to an existing automountable AFP share point where you want the home directory to reside, or leave this field blank for an NFS share point.
For example, if the AFP share point is Homes and you are using DNS, you might enter “AFP://server.example.com/Homes.” If you are not using DNS, replace the DNS name of the server hosting the home directory with the server’s IP address:
AFP://192.168.2.1/Homes.” You can use or omit a slash (/) at the end of the URL.
8 In the Path field, enter the path from the AFP share point to the home directory, including the home directory but excluding the share point; leave this field blank for an
NFS share point.
For example, you might enter “Teachers/SecondGrade/Smith.”
Do not put a slash at the beginning or the end of the path.
9 In the Home field, enter the full path to the home directory, concluding with the home directory itself.
Use an initial slash (/) but no terminating slash.
Example for a local user account: /Users/Teachers/SecondGrade/Smith
Example for a user account in a shared directory domain:
/Network/Servers/myServer/Homes/Teachers/SecondGrade/Smith
The name you type following “/Network/Servers/” must be the host name entered when the server was initially set up. If you do not know the host name, open the
Terminal application, type “hostname” and press Return to display the name.
10 Click OK.
11 (Optional) Enter a disk quota and specify megabytes (MB) or gigabytes (GB).
12 Click Create Home Now, then click Save.
The home directory has the name specified in step 8.
If you do not click Create Home Now before clicking Save, the home directory is created the next time the user restarts the client computer and logs in remotely.
Note: Home directories are automatically created the first time a user logs in only on share points served via an AFP server. NFS home directories must be created manually.
13 For a user account in a shared directory domain, make sure that the user restarts his or her client computer so that the share point is visible on it.
Chapter 7 Setting Up Home Directories
Setting Up an Automountable AFP Share Point for
Home Directories
You can use Workgroup Manager to set up an AFP share point for home directories.
Home directories for user accounts stored in shared directory domains, such as the
LDAP directory of an Open Directory master, can reside in any AFP share point that the user’s computer can access. This share point must be automountable—it must have a network mount record in the directory domain where the user account resides.
An automountable share point ensures that the home directory is visible in
/Network/Servers automatically when the user logs in to a Mac OS X computer configured to access the shared domain. It also lets other users access the home directory using the ~home-directory-name shortcut.
To set up an automountable AFP share point for home directories:
1 On the server where you want the home directories to reside, create a folder that will serve as the share point for home directories.
Because of the way home directory disk quotas work, you may want to set up home
directory share points on a partition different from other share points. See “Setting Disk
Quotas” on page 121 for more information.
2 In Workgroup Manager, connect with the server in step 1 and click Sharing.
3 Click All (above the list on the left) and select the folder you created for the share point.
4 In the General pane, select “Share this item and its contents.”
5 Specify the share point owner and group names by typing names into those fields or by dragging names from the drawer that opens when you click Users & Groups.
6 Set Owner permissions to Read & Write, set Group permissions and Everyone permissions to Read Only, and click Save.
7 Click Network Mount and authenticate as an administrator of the directory domain in which the user account resides.
Use the Where pop-up menu to choose the directory domain in which the user account resides. Then click the lock and authenticate as an administrator of the directory domain.
8 Select “Create a mount record for this share point” and “Use For User Home Directories.”
9 Make sure the Protocol pop-up menu is set to AFP, and click Save.
10 Set up guest access to the share point so that users with home directories on different servers can access the home directory using the ~home-directory-name/Public shortcut.
Click Protocols, choose Apple File Settings from the pop-up menu, and make sure
“Share this item using AFP” and “Allow AFP guest access” are selected. (They are selected by default.)
Chapter 7 Setting Up Home Directories 119
120
In Server Admin, make sure AFP guest access is enabled. Connect to the home directory server and select AFP in the Computers & Services list. Click Settings, then click Access, and make sure “Enable Guest access” is selected. Also make sure the AFP service is running.
Setting Up an Automountable NFS or SMB Share Point for
Home Directories
Although AFP is the preferred protocol for accessing home directories because of the security it offers, you can use Workgroup Manager to set up a network NFS share point for home directories. NFS or SMB share points can be used for home directories of users defined in shared directory domains, such as the LDAP directory of an Open
Directory master or an Active Directory domain. The share point must be automountable—it must have a network mount record in the directory domain where the user account resides.
An automountable share point ensures that the home directory is visible in /Network/
Servers automatically when the user logs in to a Mac OS X computer configured to access the shared domain. It also lets other users access the home directory using the
~home-directory-name shortcut.
To set up an automountable NFS or SMB share point for home directories:
1 On the server where you want the home directories to reside, create a folder that will serve as the share point for home directories.
Because of the way home directory disk quotas work, you may want to set up home
directory share points on a partition different from other share points. See “Setting Disk
Quotas” on page 121 for more information.
2 In Workgroup Manager, connect with the server in step 1 and click Sharing.
3 Click All (above the list on the left) and select the folder you created for the share point.
4 Click General and select “Share this item and its contents.”
5 Specify the share point owner and group names by typing names into those fields or by dragging names from the drawer that opens when you click Users & Groups.
6 Set Owner permissions to Read & Write, set Group permissions and Everyone permissions to Read Only, and click Save.
7 Click Protocols, then choose NFS or SMB Export Settings from the pop-up menu.
8 Select “Export this item and its contents to” and make sure Client is chosen in the popup menu below it.
9 Add client computers you want to be able to access the share point.
Click Add and type the IP address or host name of a client you want to add the
Computer list.
Chapter 7 Setting Up Home Directories
Click Remove to remove the selected address from the list.
10 Set up share point permissions.
Select “Map Root user to nobody” and deselect the remaining boxes.
11 Click Network Mount and authenticate as an administrator of the directory domain in which the user account resides.
Use the Where pop-up menu to choose the directory domain in which the user account resides. Then click the lock and authenticate as an administrator of the directory domain.
12 Select “Create a mount record for this share point” and “Use For User Home Directories.”
13 Choose NFS or SMB from the Protocol pop-up menu and click Save.
Setting Disk Quotas
You can limit the disk space a user can use to store files he or she owns in the partition where his or her home directory resides.
This quota doesn’t apply to the home directory share point or to the home directory, but to the entire partition within which the home directory share point and the home directory reside. Therefore, when a user places files into another user’s folder, it can have implications on the user’s disk quota:
•
•
When you copy a file to a user’s AFP drop box, the owner of the drop box becomes the owner of the file.
In NFS, however, when you copy a file to another folder, you remain the owner and the copy operation decrements your disk quota on a particular partition.
To set up a home directory share point disk quota using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with.
To select an account, connect to the server where the account resides, click the small globe above the accounts list and open the directory domain where the user account is stored, click the Users button, and select the user.
3 To be authenticated, click the lock.
4 Click Home.
5 Specify the disk quota using the Disk Quota field and the adjacent pop-up menu.
6 Make sure that disk quotas are enabled for the volume on which the share point resides.
7 Click Sharing, select the volume in the All list, and choose “Enable disk quotas on this volume.”
Chapter 7 Setting Up Home Directories 121
Defining Default Home Directories by Using Presets
You can define default home directory settings to use for new users by using a preset
to predefine them. For information about defining and using presets, see “Using
Presets to Create New Accounts” on page 64.
Moving Home Directories
If you need to move a home directory, create the new one and copy the contents of the old home directory into the replacement home directory before deleting the old home directory.
Deleting Home Directories
When you delete a user account, the associated home directory is not automatically deleted. The administrator must delete the home folder manually by moving it to Trash.
122 Chapter 7 Setting Up Home Directories
8
Client Management Overview
8
This chapter provides an introduction to Mac OS X client management.
•
•
Client management is the centralized administration of your users’ computer experience. It’s usually implemented by:
Managing access to network printers and to server-resident home directories, group directories, and other folders.
Customizing the computer work environment of individual users, groups, and computers by defining preferences for user accounts, group accounts, and computer lists.
Computers and desktops
Printers and volumes
Client management
Applications, folders, and files
Users & Groups
You can also take advantage of two additional client management options—installing and booting client computers over the network (using NetBoot and Network Install) and day-to-day computer administration (using Apple Remote Desktop).
This chapter introduces each of these client management topics as they apply to users of Mac OS X computers.
123
Using Network-Visible Resources
Mac OS X Server lets you make various resources visible throughout your network, so users can access them from different computers and various locations.
•
There are several key network-visible resources.
Network home directories. A home directory, often referred to as a home folder or simply home, is a place for each Mac OS X user to keep personal files. Users with records in a shared Open Directory directory may have home directories that reside on the network, often on the same server where the user account resides.
A home directory contains several folders—such as Desktop, Documents, and
Public—to help organize information. After logging in, a user accesses his or her network home directory by clicking the home icon in the Finder.
• Group folders. When you set up a group account for network users, you can associate a group folder with the group. A group folder is a place for group members to exchange information electronically. A group folder contains three folders by default—Documents, Library, and Public; the Public folder contains a Drop Box folder.
Residing on the server for easy access throughout the network, a group folder can be shown in the Dock for easy network access wherever a user wants to work on group activities.
124 Chapter 8 Client Management Overview
•
•
Other shared folders. You can set up other folders on the server to provide network user access to applications, handouts, announcements, schedules, and other information.
Boot and install images. You can use boot images and install images located on the server to automate the setup of network users’ computers.
A user’s computer can start up from a boot image stored on the server. In fact, you can use the same computer for a science lab when it boots from one image and for a
French lab when it boots from a different image. Each time a lab computer restarts, the system reflects the original condition of the selected boot image, regardless of what the previous student may have done on the computer.
An install image automatically installs software on users’ computers, making it easy to deploy the operating system, additional applications, and even custom computer settings remotely and without user interactions.
Defining Preferences
You manage a network user’s work environments by defining preferences: settings that customize and control a user’s computer experience. There are two tabs in the
Preferences pane, Overview and Details. The Overview tab manages predefined system preferences while the Details tab can be used to manage preferences for any well behaved application or utility in Mac OS X.
The Overview tab is identical for Users and Groups:
An additional item, “Energy Saver”, appears for computer lists.
Many factors, including user responsibilities and security issues, determine what computer work environment a user should be presented with. In some cases, setting up informal usage guidelines may be allowable. In other cases, extensively controlling the computer experience, with each system setting defined and locked and each application controlled, may be necessary. The preferences you define should implement system capabilities that best support your user and business requirements.
Chapter 8 Client Management Overview 125
126
The Power of Preferences
Many preferences, such as Dock and Finder preferences, are used to customize the appearance of desktops. For example, you can set up Dock preferences and Finder preferences so that the work environment is dramatically simplified.
Other preferences are used to manage what a user can access and control. For example, you can set up Media Access preferences to prevent users from burning CDs and DVDs or making changes to a computer’s internal disk.
Here’s a summary of how preferences affect the appearance of the desktop and the activities a user can perform:
This preference
Applications
Classic
Dock
Energy Saver
Finder
Internet
Login
Media Access
Mobility
Network
Printing
Software Update
System Preferences
Universal Access
Tailors the work environment
Limits access and control x x x x x x x x x x x x x x x x
By letting you manage
The applications a user can open
Classic environment startup
The appearance and contents of the Dock
Startup, shutdown, wake, sleep, and performance settings
The appearance of desktop icons and Finder elements
Default email and web settings
The login experience
Ability to use recordable media
The creation of mobile accounts
Specific proxies to use or bypass
Which printers a user can use
Which server to use for updates
Which system preferences are enabled on the user’s computer
Hardware settings for users with special visual, auditory, or other needs
Chapter 8 Client Management Overview
Levels of Control
You can define preferences for user accounts, group accounts, and computer lists that are defined in a shared directory domain. A user whose account has preferences associated with it is referred to as a managed user. A computer assigned to a computer list with preferences defined is called a managed computer. A group with preferences defined is called a workgroup.
Energy Saver preferences and Login Window settings can be defined only for computer lists, but other preferences can be set for user, workgroup, and/or computer lists.
The illustration below shows how managed preferences interact when the same preferences are set at multiple levels:
Preferences
Group (G)
Computer (C)
User (U)
G+C+U
Combined Overridden Inherited
• Printing, Login, Applications, and some Dock preferences (items that appear in the
Dock) are combined.
For example, if you define printing preferences for users and computers, a user’s printer list includes printers set up for both the user and the computer being used.
Note: Managed System Preferences are combined, in that different settings defined in Workgroup Manager act collectively at login.
• Other preference settings defined at more than one level may be overridden at login. When a user logs in to a managed computer and chooses a workgroup, user preferences override redundant computer preferences, and computer preferences override redundant workgroup preferences.
For example, you may want to prevent all students from using recording devices attached to a school computer except for students who serve as lab assistants. You could set up Media Access preferences for workgroups or computer lists to limit all students’ access, but override these restrictions for lab assistants using Media Access settings at their user account level.
• Inherited preferences are preferences set at only one level.
Chapter 8 Client Management Overview 127
Suppose you select Left as the Dock’s position on the screen for Workgroup A, but you select Bottom for the Dock position for the computer list containing Computer 2, and you select Right as the Dock position for user Alice. When Alice logs in to Computer 2 and chooses Workgroup A, the Dock will be on the right side of her screen.
Now suppose that you decide to stop managing the Dock Display settings for Alice
(you select Never in Alice’s Dock Display preferences pane). When Alice logs in to
Computer 2 and chooses Workgroup A, the Dock will be on the bottom of her screen.
In some cases, you may find it easier and more useful to set certain preferences at only one level. For example, you could set printer preferences only for computers; set application preferences only for workgroups; and set Dock preferences only for users. In such a case, no overriding or combining occur, and the user inherits them without competition.
•
Most of the time you’ll use workgroup-level and computer-level preferences.
Workgroup preferences are most useful if you want to customize the work environment (such as application visibility) for specific groups of users, or if you want to use group folders.
For example, a student may belong to a group called “Class of 2011” for administrative purposes and to a workgroup called “Students” to limit application choices and provide a group shared folder for turning in homework. Another workgroup may be “Teacher Prep,” used to provide faculty members access to folders and applications for their use only.
• Computer-level preferences are useful when you want to manage preferences for users regardless of their group associations. At the computer level, you might want to limit access to System Preferences, manage Energy Saver settings, list particular users in the login window, and prevent saving files and applications to recordable discs.
Computer preferences also offer a way to manage preferences of users who don’t have a network account but who can log in to a Mac OS X computer using a local account. (The local account, defined using the Accounts pane of System Preferences, resides on the user’s computer.) You’d set up a computer list that supports local-only accounts. Preferences associated with the computer list and with any workgroup a user selects during login take effect. More about managing the login experience appears next.
128 Chapter 8 Client Management Overview
Degrees of Permanence
When you define preferences, you choose to manage them Always or Once; they are
•
•
Never-managed by default.
Always causes the preferences to remain in effect until you change them on the server. Well behaved Mac OS X applications will also disable the setting of Always preferences by the user. You can use the Always, for example, to make sure users can’t add or remove Dock items.
Once is available for some preferences. It’s a quick and easy way to set up default preferences without managing them. For example, you could set up a group of computers to display the Dock in a certain way the first time users log in. A user can change preferences you’ve set to Once, and the selected changes always apply to that user.
In the Overview Preference panes, you can’t set the following preferences to
Once: Applications, Finder (Commands), Mobile Accounts, Printing, System
Preferences, Login (Scripts, Login Window, and Options), and Energy Saver. For these preferences you must choose either Always or Never.
•
•
Often applies only to the Preference Editor (Details view). Often settings are like Once settings, but are applied at every login and after the computer is connected or disconnected from the network. These are most useful for application settings that do not disable the Human Interface for Always Preferences.
Never lets a user control his or her own preferences. However, some preference settings, such as Accounts and Date & Time, require a local administrator’s name and password before changes can be made. Never also means that the preferences are not managed at this account level, but may be managed at a higher level of the hierarchy.
Chapter 8 Client Management Overview 129
Designing the Login Experience
You can set up Login preferences for computer lists to control the appearance of the login window. For example, if you set these options for the login window in Workgroup
Manager, the login screen will look like this:
130
The first user in this case is the local computer administrator. The next three are users who have accounts that reside on the server, the last of whom has a mobile account.
Chapter 8 Client Management Overview
To log in, a user selects his or her login name in the list (if the login window is set up this way), then types a password when prompted. If the user belongs to more than one workgroup (in case of being a network user, or is a local user which gets its workgroups from the computer list), a list of workgroups appears so the user can select the environment of interest. Note that it’s possible for a user to belong to a group that doesn’t appear in the list; only workgroups (groups with managed preferences and only those workgroups which are also in the workgroups from the computer list) are listed.
If the computer is associated with a computer list that supports local-only users, all workgroups given access to the computer by the computer list are listed after a local user logs in. The user can select any of them.
Any preferences that are associated with the user, the chosen workgroup, and the computer being used take effect automatically.
Who Can Log In
Mac OS X enables you to control which users are able to login to a computer. This includes all the users that are in the computer’s access list. This is filtered because if at that moment the user has their access disabled in the password server, then they are not in the list either.
Chapter 8 Client Management Overview 131
132
Caching Preferences
Preferences can be cached on Mac OS X computers, so they remain in effect even when
•
• the computer is off the network:
Computer preferences and preferences for any workgroups that can use the computer are cached.
User preferences are always cached for users who have mobile accounts.
When a client computer is off the network, only users with local accounts or network users with mobile accounts on that computer can log in.
Helping Users Find Applications
Applications can be stored locally on a user computer’s hard disk or on a server in a share point. If applications are stored locally, users can find them in the Applications folder. If applications are stored on a server, the user must connect to the server (by choosing Go > Connect to Server in the Finder) in order to locate and use the applications. Applications may also be made available through an automounted sharepoint as the /Network/Applications mount record.
To make specific local applications easy to find, you can use Dock Items preferences to place an alias for the My Applications folder in the user’s Dock. The My Applications folder contains aliases to applications a user is permitted to open. Doing this might delay login time for managed users because Mac OS X has to search available disks to build this list every time you log in.
You manage user access to local applications by creating lists of approved applications
in the Applications preference. To set up a list of approved applications, see “Creating a
List of Applications Users Can Open” on page 141. Whether you choose to use the
Simple Finder or the Regular Finder user environment, this list of approved applications determines what users find in the My Applications folder located in the Dock.
For more information about using the Simple Finder or Regular Finder, see “Hiding the
Alert Message When a User Empties the Trash” on page 157. To place an alias to My
Applications and other folders in a user’s Dock, see “Adding Items to a User’s Dock” on page 150.
Helping Users Find Group Folders
If you have set up a group folder, you can set up quick access to it when a user logs in to the workgroup with which the folder is associated.
You use the Dock Items preference. To learn more, read “Providing Easy Access to
Group Folders” on page 149. To provide access to the group volume, which contains
the Public Folder and Drop Box for the group, see “Providing Easy Access to the Group
Chapter 8 Client Management Overview
Installing and Booting Over the Network
The key to fast initial setup of multiple user computers and rapid refresh of computers is the use of Network Install and NetBoot images that reside on Mac OS X Server. User’s computers start up using those images automatically.
Mac OS X
Server
Network Install images
NetBoot images
You use Network Install images when you want to install software on user computers.
You use NetBoot images when you want users’ computer environments to be refreshed every time their computers are started.
•
•
Using a network-based boot image provides many advantages over booting from a
• local hard drive:
The NetBoot image is locked from the user perspective. It can’t be accidentally or maliciously damaged. In a training lab where students may make mistakes or in a computer science class where system protection can’t be used because of programming tool needs, a NetBoot image allows computers to be restarted to their original state after each use. No matter what a student does while on the system, the image snaps back to the original condition at each startup.
A network administrator who needs to perform maintenance doesn’t need to carry a case full of diagnostic CDs. Instead, he or she can boot a system using a network image that contains all of the diagnostic and repair tools.
Multiple images can be provided on the network from a single server, and multiple servers can be used to provide a single image for optimum throughput.
The server can host as many as 25 different images, so you can maintain a collection of customized software configurations for different workgroups and computers. For example, one image can be used for installing the latest applications needed by particular users, and another image can be used for booting computers in particular classrooms, offices, or labs.
Chapter 8 Client Management Overview 133
Day-to-Day Client Administration
Administering networked computers entails record keeping, help desk operations, and
•
•
•
•
•
•
•
• minor updates while users are logged in and working. To accomplish these and other day-to-day tasks, you can use Apple Remote Desktop (ARD). ARD provides a remote management environment that simplifies user computer setup, monitoring, and maintenance:
Screen observation. View user computer screens on your computer to monitor activities.
Screen control. Show users how to perform tasks by controlling their screens from your computer.
Screen sharing. Display your screen or a user’s screen on user computers for training and demonstration purposes.
Screen locking. Prevent users from using their computers.
Text communications. Exchange messages with one or more users, and host questions and requests from individual users.
Hardware and software management. Audit hardware information and software installed. Search for specific files and folders on user systems.
Software distribution and startup. Identify NetBoot or Network Install images for user computers to use. Initiate network installations and user computer shutdown and startup. Use ARD to deploy application packages or new system updates instead of running Software Update on individual computers.
Troubleshooting. Perform basic network troubleshooting by checking network traffic performance for all your workstations and servers.
134 Chapter 8 Client Management Overview
9
Managing Preferences
9
This chapter provides information about managing preferences for users, workgroups, and computers.
How Workgroup Manager Works With Mac OS X
Preferences
With Workgroup Manager you can set and lock certain system settings for users on their network. You can set preferences once and thereafter allow users to change them, or you can keep preferences under administrative control at all times (or you can leave settings unmanaged).
Workgroup Manager provides control over most major system and application preferences in addition to various settings for users, groups, and computer lists. The
Preference Editor covers the remainder of the applications which may require management.
Preference pane
Applications
Classic
Dock
Energy Saver
Finder
Internet
Login
Media Access
Mobility
Network
What you can manage
Applications available to users
Classic startup settings, sleep settings, and the availability of Classic items such as Control Panels
Dock location, behavior, and items
Performance options for Mac OS X client and server computers,
Battery usage for portable computers, and sleep or wake options.
Finder behavior, desktop appearance and items, and availability of
Finder menu commands
Email account preferences and web browser preferences
Login window appearance, mounted volumes, and items that open automatically when a user logs in
Settings for CDs, DVDs, and recordable discs, plus settings for internal and external disks such as hard drives or floppy disks
Creation of mobile account at login
Configuration of specific proxy servers and settings for hosts and domains to bypass
135
136
Preference pane
Printing
Software Update
System Preferences
Universal Access
What you can manage
Available printers and printer access
Specific server to use for software update service
System preferences available to users
Settings to control mouse and keyboard behavior, enhance display settings, and adjust sound or speech for users with special needs
Managing Preferences
In Workgroup Manager, information about users, groups, and computer lists is integrated with directory services. After you set up the accounts, you can manage preferences for them. Managing preferences means you can control settings for certain system preferences in addition to controlling user access to system preferences, applications, printers, and removable media. Information about settings and preferences in user, group, or computer records is stored in a directory domain accessible to Workgroup Manager, such as the LDAP directory of an Open Directory master.
All preferences are stored in a record, which is either a user, group or computer record.
At login time, MCX client picks those out and puts them in a location where the final combined management list is applied to the user experience.
After user accounts, group accounts, and computer lists are created, you can start managing preferences for them using the Preferences pane in Workgroup Manager. To manage preferences for Mac OS X clients, you should make sure each user you want to manage has either a network or a local home directory. For information about how to
set up a group volume or how to set up home directories for users, see Chapter 4,
Note: When you manage preferences for a user, group, or computer, an arrow icon appears next to the managed preference in the Preferences pane to indicate that you’re managing that preference. You can select multiple users, groups, or computers to review managed preferences. If the arrow icon is dimmed, it means managed preference settings are mixed for the selected items.
About the Preferences Cache
The preference cache stores preferences for the computer list to which that computer belongs, preferences for groups associated with that computer, and preferences for users who have recently logged in on that computer. While this is true for network users, the cache is also used by workgroups for mobile accounts. The stored preferences can influence how a user is managed offline, and using the preference cache may improve performance.
Chapter 9 Managing Preferences
The cached preferences can help you manage local user accounts on portable computers even when they’re not connected to a network. For example, you can create a list of computers you want to manage, and then manage preferences for the computer list. Next, you can make these computers available to groups and then manage preferences for the groups. Finally, you can set up local user accounts on the computers. Now, if a user goes offline or disconnects from your network, he or she is still managed by the computer and group preferences in the cache.
When you make a change that affects cached information for an account, Workgroup
Manager sets a “flag” in Open Directory to indicate that change. When a user logs in, the client updates automatically.
Note: When you modify an account or preference setting, the preferences cache is updated automatically. New preferences take effect at the user’s next login/logout cycle. If the user is already logged in while away from the network, they must perform a logout and re-login in order to update the preference cache.
Updating the Managed Preferences Cache at Intervals
You can update a computer’s managed preference cache regularly. The computer checks the server for updated preferences according to the schedule you set. The cache is also updated automatically every time a change is made to any of the managed preferences within Workgroup Manager. If you manage directory services using a different tool, you can still use Workgroup Manager to update the cache at fixed intervals.
To set an update interval for the managed preferences cache:
1 In Workgroup Manager, click Accounts.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Computer Lists button and select one or more computer lists.
4 Click Cache.
5 Type in a number representing how frequently you want to update the cache, then choose an update interval (seconds, minutes, hours, days, or weeks) from the pop-up menu. For example, you could update the cache every 5 days.
6 Click Save.
Note: Setting the cache interval to “0” turns off caching. Be aware that without caching, managed preferences will not be in effect when the computer is disconnected from the network.
Chapter 9 Managing Preferences 137
138
Updating the Preference Cache Manually
When you need to, you can manually update the managed preferences cache for every computer in a selected computer list.
To update the managed preferences cache:
1 In Workgroup Manager, click Accounts.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Computer Lists button and select one or more computer lists.
4 Click the Access pane and verify (or add) the required information.
5 Click Cache, then click “Update Cache” and “Save.”
You can also update the cache on the client computer directly. Hold down the Option key when you log in on the client computer (using a local administrator name and password), then click Refresh Preferences in the dialog displayed.
Note: If this action is performed while the computer is disconnected from the network, the preferences cache will be deleted and the computer will become unmanaged.
Managing User Preferences
You can manage preferences for individual users as needed. However, if you have large numbers of users, it may be more efficient to manage most preferences by group and computer instead. You might want to manage preferences at the user level only for specific individuals, such as directory domain administrators, teachers, or technical staff.
You should also consider which preferences you want to leave under user control. For example, if you aren’t concerned about where a user places the Dock, you might want to set Dock Display management to Never or Once.
To manage user preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Users button and select one or more user accounts from the list.
4 Click the icon for the preference you want to manage.
5 In each preference pane, choose a management setting.
In some cases (Printing and Media Access, for example), the management setting applies to all preferences rather than to individual panes within the preference.
Chapter 9 Managing Preferences
6 Select preference settings or fill in information you want to use.
Some management settings are not available for some preferences, and some preferences are not available to some types of accounts.
7 When you’ve finished, click Apply Now.
Managing Group Preferences
Group preferences are shared among all users in the group. Setting some preferences only for groups instead of for each individual user can save time, especially when you have large numbers of managed users.
Because users can select a workgroup at login, they have the opportunity to choose a group with managed settings appropriate to the current task, location, or environment.
It can be more efficient to set preferences once for a single group instead of setting preferences individually for each member of the group.
To manage group preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Groups button and select one or more group accounts from the list.
4 Click the icon for the preference you want to manage.
5 In each preference pane, choose a management setting.
In some cases (Printing and Media Access, for example), the management setting applies to all preferences rather than to individual panes within the preference.
6 Select preference settings or fill in information you want to use.
Some management settings are not available for some preferences, and some preferences are not available to some types of accounts.
7 Click Apply Now.
Managing Computer Preferences
Computer preferences are shared among all computers in a list. In some cases, it may be more useful to manage preferences for computers instead of for users or groups.
To manage computer preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
Chapter 9 Managing Preferences 139
140
3 Click the Computer Lists button and select one or more computer lists.
If you are setting preferences for the Guest computers account, you must select the radio button “Define Guest Computer preferences”.
4 Click the icon for the preference you want to manage.
5 In each preference pane, choose a management setting.
In some cases (Printing and Media Access, for example), the management setting applies to all preferences rather than to individual panes within the preference.
6 Select preference settings or fill in information you want to use.
Some management settings are not available for some preferences, and some preferences are not available to some types of accounts.
7 Click Apply Now.
Editing Preferences for Multiple Records
You can edit preferences for more than one user account, group account, or computer list at a time. If some settings are not the same for two or more accounts, you may see a “mixed-state” slider, radio button, checkbox, text field, or list. For sliders, radio buttons, and checkboxes, a dash is used to indicate that the setting is not the same for all selected accounts. For text fields, the term “Varies” indicates a mixed state. Lists show a combination of items for all selected accounts.
If you adjust a mixed-state setting, every account will have the new setting you choose.
For example, suppose you select three group accounts that each have different settings for the Dock size. When you look at the Dock Display preference pane for these accounts, the Dock Size slider is centered and has a dash on it. If you change the position of the Dock Size slider to Large, all selected accounts will have a large-size
Dock.
Disabling Management for Specific Preferences
After you set up managed preferences for any account, you can turn off management for specific preference panes by setting the management setting to Never.
Note: Once and Often settings will always remain at their last setting on the client machine.
To selectively disable preference management:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click the icon for a preference that is currently being managed.
Chapter 9 Managing Preferences
5 Click a button to display the pane containing the preference settings you no longer want to manage.
In some cases (Printing and Media Access, for example), you can skip this step because the management settings apply to all panes in the preference.
6 Select Never.
7 Click Apply Now.
Note: If preferences are managed at a higher level in the hierarchy, setting the management value to Never may not result in unmanaged preferences.
When you change the preference management settings, the new setting applies to all items in the active preference pane. If you want to disable all management for an individual preference (for example, Dock), make sure the management setting is set to
Never in each pane of that preference.
Managing Access to Applications
Use settings in the Applications pane to provide users with access to applications. You can create lists of “approved” applications that users are allowed to open, and you can allow users to open items on local volumes. You can also prevent applications from opening restricted applications.
Note: Applications are identified by their bundle ID. Since a clever user may change an application’s bundle ID and thus defeat their access restrictions, the application restrictions should be used as a policy, not a steadfast barrier that no user may overcome.
Creating a List of Applications Users Can Open
There are two ways to control user access to applications. You can either provide access to a set of “approved” applications users can open, or you can prevent them from opening a set of “nonapproved” applications.
If you create a list of approved applications, users can open only the listed applications.
(You can, however, allow applications to open “helper applications” that are not listed.)
If you create a list of nonapproved applications, users can open any application that is not in that list.
To set up a list of accessible applications:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
Chapter 9 Managing Preferences 141
142
4 Click Applications.
5 Set the management setting to Always.
6 Select either “User can only open these applications” or “User can open all applications except these.”
7 Add and remove items in the list.
To browse for an application, click Add.
To select multiple items, hold down the Command key.
8 When you have finished creating the list of applications, click Apply Now.
Preventing Users From Opening Applications on Local Volumes
When users have access to local volumes, they can access applications on the computer’s local hard drive, in addition to approved applications on CDs, DVDs, or other external disks. If you don’t want to allow this, you can disable local volume access.
To prevent access to local applications:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Applications.
5 Set the management setting to Always.
6 Deselect “User can also open all applications on local volumes.”
7 Click Apply Now.
Managing Access to Helper Applications
Sometimes, applications use “helper applications” for tasks they cannot complete themselves. For example, if a user tries to open a web link in an email message, the email application might need to open a web browser to display the webpage.
When you make a set of applications available for users, groups, or computer lists, you may want to include common helper applications in that list. For example, if you give users access to an email application, you might also want to add a web browser, a PDF viewer, and a picture viewer to avoid problems opening and viewing email contents or attached files.
When you set up a list of approved applications, you can choose whether to allow them to use helper applications that aren’t in the approved-items list.
Chapter 9 Managing Preferences
To manage access to helper applications:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Applications.
5 Set the management setting to Always.
6 Select “User can only open these applications.”
7 If you haven’t already created a list of approved applications, including helper applications, do so now.
To browse for an application, click Add.
8 To allow access to helper applications, select “Allow approved applications to launch nonapproved applications.”
9 Click Apply Now.
Controlling the Operation of UNIX Tools
Some applications, or the operating system, may occasionally require the use of nonapplication tools, such as the QuickTime Image Converter. These tools cannot be accessed directly, and generally operate in the background without the user’s knowledge. You can, however, activate them using a command-line interface such as
Terminal.
If you choose not to allow access to these types of tools, some applications may not function properly. Allowing this option enhances application compatibility and efficient operation, but for more strict security, you may choose not to allow this option.
To allow access to UNIX tools:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Applications.
5 Set the management setting to Always.
6 Select “Allow UNIX tools to run.”
7 Click Apply Now.
Chapter 9 Managing Preferences 143
144
Managing Classic Preferences
Classic Preferences are used to set Classic startup options, select the Classic System
Folder, set sleep options for the Classic environment, and make certain Apple menu items available to users.
The table below describes what settings on each Classic pane can do.
Classic preference pane
Startup
Advanced
What you can control
Which folder is the Classic System Folder and what actions occur when Classic starts
Items in the Apple menu, Classic sleep settings, and the user’s ability to turn off extensions or rebuild the Classic desktop file during startup
Selecting Classic Startup Options
Workgroup Manager provides a number of ways to control how and when the Classic environment starts. If users often need to work with applications that run in Classic, it is convenient to have Classic start up immediately after a user logs in. If users rarely need to use Classic, you can have Classic start only when a user opens a Classic application or document that requires such an application. You can also choose to display an alert when Classic starts and give users the option of canceling Classic startup.
To work with various startup options for Classic:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Classic.
5 Click Startup.
6 Set the management setting to Always.
7 Select “Start up Classic on login to this computer” to start Classic immediately when a user logs in. When Classic starts at login, the startup window is hidden and the user cannot cancel Classic startup.
If users rarely need to use Classic, you can deselect this option and Classic will start up automatically when a user opens a document or an application that requires it. In this case, the Classic startup window will be visible to users and they may cancel Classic startup.
Chapter 9 Managing Preferences
8 Select “Warn at Classic startup” to show an alert dialog when Classic starts only after a user attempts to open a Classic application or document.
Users can allow Classic startup to continue, or they can choose to cancel the process. If you don’t want to allow users to interrupt Classic startup, deselect this option.
9 Click Apply Now.
Choosing a Classic System Folder
In most cases, there will be only one Mac OS 9 System Folder on a given computer, and that folder is located on the Mac OS X startup disk. In this situation, you don’t have to specify a Classic System Folder. If a computer has multiple Mac OS 9 System Folders on the startup disk and you haven’t set a specific path to one folder, users will see an error message and be unable to use Classic.
If there is more than one Mac OS 9 System Folder on a computer’s startup disk or if you want to use a Mac OS 9 System Folder located on a different disk, you should enforce the use of a specific folder when Classic is in use. It is important that if you specify a path to the folder’s location, all clients should have the Mac OS 9 System Folder in the same relative location on their hard disks.
If multiple Mac OS 9 System Folders are available and you don’t enforce any settings in the Startup pane of the Classic preference, users may choose from among available
Mac OS 9 System Folders if they have access to the Classic System preference.
To choose a specific Classic System Folder:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Classic.
5 Click Startup.
6 Set the management setting to Always.
7 Type in the path to the Classic System Folder you want to use; for example:
/Volumes/<VolumeName>/System Folder/
Or click Choose to browse for the folder you want.
Be sure the path to the Classic System Folder on the client computer is the same as the path to the Classic System Folder on the administrator computer.
8 Click Apply Now.
Chapter 9 Managing Preferences 145
146
Allowing Special Actions During Restart
If managed users have access to the Classic System preference, they can click the Start/
Restart button in the Classic pane to start or restart Classic. You can allow users to perform special actions, such as turning off extensions or rebuilding the Classic desktop file, when they start or restart Classic from the Advanced pane of the Classic
System preference. You may want to allow this privilege only for specific users, such as members of your technical staff.
To allow special actions during restart:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Classic.
5 Click Advanced.
6 Set the management setting to Always.
7 Select “Allow special startup modes.”
8 Select “Allow user to rebuild Desktop” if you want to allow users to rebuild the Classic desktop file. Deselecting this option disables the Rebuild Desktop button in the
Advanced pane of the Classic System Preference.
9 Click Apply Now.
Controlling Access to Classic Apple Menu Items
Classic managed preference options allow you to control access to certain items in
Classic’s Apple menu, including Mac OS 9 control panels, the Chooser and Network
Browser, and other Apple menu items. You can choose to show or hide all, some, or none of these items in the Apple menu.
If an item is hidden, users cannot access that item from the Apple menu; however, there may be alternative methods of access, such as starting the Chooser by navigating to it within the Mac OS 9 System Folder. If you want to further limit user access to these items, you can use the Applications preferences in Workgroup Manager to determine which specific applications a user may or may not open. For more information, see
“Managing Access to Applications” on page 141.
Note: Disallowing access to the Chooser may affect what happens when a client attempts to print from Classic if printer management is also enforced. If users cannot access the chooser, they cannot set up new printers or switch between types of printers (such as PostScript vs. non-PostScript printers).
Chapter 9 Managing Preferences
To hide or show items in the Apple menu:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Classic.
5 Click Advanced, and set the management setting to Always.
6 Select “Hide Control Panels” to remove this item from the Apple menu. Deselect this option to show this item.
7 Select “Hide Chooser and Network Browser” to remove both of these items from the
Apple menu. Deselect this option to show these two items.
8 Select “Hide other Apple menu items” to hide remaining Apple menu items. This group includes items such as Calculator, Key Caps, and Recent Applications. Deselect this option to show these Apple menu items.
9 Click Apply Now.
Adjusting Classic Sleep Settings
When no Classic applications are open, Classic will go to sleep to reduce its use of system resources. You can adjust the amount of time Classic waits before going to sleep after a user quits the last Classic application. If Classic is in sleep mode, opening a
Classic application may take a little longer.
In some circumstances, you may need to use applications that operate in the background without the user’s interaction or knowledge. If a background application is in use when Classic enters sleep mode, that application will suspend its activity. If you want to keep the application running, you can set Classic’s sleep setting to Never.
To adjust Classic sleep settings:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Classic.
5 Click Advanced and set the management setting to Always.
6 Drag the slider to set how long Classic waits before going to sleep.
If you don’t want Classic to go to sleep at all, drag the slider to Never.
7 Click Apply Now.
Chapter 9 Managing Preferences 147
148
Maintaining Consistent User Preferences for Classic
Ordinarily, Classic looks for an individual user’s data for Mac OS 9 preferences in the
Mac OS 9 System Folder. If a user uses more than one computer or if multiple users work on the same computer, you should make sure Classic uses preferences from the
Home folder in ~/Library/Classic so that preferences remain consistent for each user.
If you choose not to use preferences in the user’s own Home folder, a user’s Mac OS 9 data is stored in the Mac OS 9 System Folder and is not kept separate from other user’s data. In this case, users share preferences and any changes made by the last user will be in effect when the next user logs in.
To choose where Classic user preferences are stored:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Classic.
5 Click Advanced and set the management setting to Always.
6 Select “Use preferences from home folder” to maintain consistent Classic preferences per user.
Deselect this option to use the local Mac OS 9 System folder for all Classic user preferences.
7 Click Apply Now.
Managing Dock Preferences
Dock settings allow you to adjust the behavior of the user’s Dock and specify what items appear in it. The table below describes what settings on each Dock pane can do.
Dock preference pane
Dock Items
Dock Display
What you can control
Items and their position in a user’s Dock
The Dock’s position and behavior
Controlling the User’s Dock
Dock settings allow you to adjust the position of the Dock on the desktop and change the Dock’s size. You can also control animated Dock behaviors.
To set how the Dock looks and behaves:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
Chapter 9 Managing Preferences
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Dock.
5 Click Dock Display.
6 Select a management setting (Once or Always).
7 Drag the Dock Size slider to make the Dock smaller or larger.
8 If you want items in the Dock to be magnified when a user moves the pointer over them, select the Magnification checkbox, then adjust the slider. Magnification is useful if you have many items in the Dock.
9 If you don’t want the Dock to be visible all the time, select “Automatically hide and show the Dock.” When the user moves the pointer to the edge of the screen where the
Dock is located, the Dock pops up automatically.
10 Select whether to place the Dock on the left, right, or bottom of the desktop.
11 Select a minimizing effect.
12 If you don’t want to use animated icons in the Dock when an application opens, deselect “Animate opening applications.”
13 Click Apply Now.
Providing Easy Access to Group Folders
After you have set up a group volume, you can make it easy for users to locate the group directory by placing an alias in the user’s Dock. The group directory contains the group’s Library folder, Documents folder, and Public folder (including a drop box). If you
need help setting up a group share point, see “Working With Group Folder Settings” on page 93.
If the group directory is not available when the user clicks the group folder icon, the user must enter a user name and password to connect to the server and open the directory.
Note: This preference setting applies only to groups. You cannot manage this setting for users or computers.
To add a Dock item for the group directory:
1 If you haven’t set up a group share point, do so before you proceed.
2 In Workgroup Manager, click Preferences.
3 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
4 Click the Groups button and select one or more group accounts from the list.
Chapter 9 Managing Preferences 149
150
5 Click Dock.
6 Click Dock Items.
7 Select a management setting (Once or Always).
If you select Once, the group folder icon appears in the user’s dock initially, but the user can remove it.
8 Select “Add group folder.”
9 Click Apply Now.
If you change the location of the group share point, be sure to update the Dock item for the group in Workgroup Manager.
Adding Items to a User’s Dock
You can add applications, folders, or documents to a user’s Dock for easy access.
To add items to the Dock:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Dock.
5 Click Dock Items.
6 Select a management setting (Once or Always).
7 To add individual applications, regular folders, and documents to the Dock, click Add to browse and select the item you want.
To remove a Dock item, select it and click Remove.
You can rearrange Dock items in the list by dragging them into the order in which you want them to appear. Applications are always grouped at one end; folders and files are grouped at the other.
8 Select My Applications, Documents, or Network Home to add one or more of these items to the user’s Dock.
The My Applications folder contains aliases to available applications.
The Documents folder is the Documents folder found in the user’s home directory.
The Network Home folder is the mobile account user’s home directory that is housed on the server.
9 When you have finished adding Dock items, click Apply Now.
Chapter 9 Managing Preferences
Preventing Users From Adding or Deleting Items in the Dock
Ordinarily, users can add items to their own Docks, but you can prevent this. Users can’t remove items you add to the Dock while Always (“Manage these settings”) is selected.
To prevent users from adding items to their Docks:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Dock.
5 Click Dock Items, then set the management setting to Always.
6 Deselect “Users may add and remove additional Dock items.”
7 Click Apply Now.
Managing Energy Saver Preferences
Energy Saver preference settings help you save energy and battery power by managing wake, sleep, and restart timing for servers and client computers. The table below summarizes what you can control with the settings on each Energy Saver pane.
Energy Saver preference pane What you can control
Desktop Sleep timing for the computer, display, and hard disk(s), and wake and restart options for Mac OS X and Mac OS X Server
Portable
Battery Menu
Processor performance setting, sleep timing similar to Desktop, and wake and restart options for Adapter and Battery power sources
Whether the battery status indicator appears for users
Schedule Regular schedules for startup, shutdown, or sleep
Using Sleep and Wake Settings for Desktop Computers
Putting a computer to sleep saves energy because it turns off the display and stops the hard disk from running. Waking up from sleep is faster than starting your computer when it's off.
You can use Workgroup Manager’s Energy Saver preference settings to put client computers to sleep automatically after a specified period of inactivity. Other settings enable you to wake or restart the computer when certain events happen.
To set sleep and wake settings:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
Chapter 9 Managing Preferences 151
152
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Energy Saver.
5 Click Desktop.
6 Choose either Mac OS X or Mac OS X Server from the OS pop-up menu and set the management setting to Always.
7 To adjust sleep settings, choose Sleep from the Settings pop-up menu.
Move the slider to set how long the computer waits to enter sleep mode. The default setting is 1 hour. The computer will not enter sleep mode if the slider is set to Never.
To use a different time interval for the computer’s display, select “Put the display to sleep when the computer is inactive for” and move the slider. The interval cannot be longer than the computer’s sleep setting.
To put the computer to sleep during periods of inactivity, select “Put the hard disk(s) to sleep when possible.”
8 To set wake and restart settings, choose Options from the Settings pop-up menu.
To wake the computer when the modem is activated, select “Wake when the modem detects a ring.”
To wake the computer when an administrator attempts access remotely, select “Wake for Ethernet network administrator access.”
To make sure the computer restarts if the power fails, select “Restart automatically after a power failure.” Deselect this option to disable automatic restart.
9 Click Apply Now.
To manually wake up a sleeping computer or display, users can click the mouse or press a key on the keyboard.
Working With Energy Saver Settings for Portable Computers
You can use Energy Saver Portable settings to vary sleep and wake responses in addition to processor performance settings depending upon what power source a portable computer is using (either an adapter or a battery). You can also have the computer restart automatically if power fails suddenly.
Users should be encouraged to use the computer’s adapter when possible to save battery power.
To manage portable computer settings:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
Chapter 9 Managing Preferences
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Energy Saver.
5 Click Portable.
6 Choose either Adapter or Battery from the Power Source pop-up menu and set the management setting to Always.
7 To adjust sleep settings, choose Sleep from the Settings pop-up menu.
Move the slider to set how long the computer waits to enter sleep mode. The default setting is 1 hour. The computer will not enter sleep mode if the slider is set to Never.
To use a different time interval for the computer’s display, select “Put the display to sleep when the computer is inactive for” and move the slider. The interval cannot be longer than the computer’s sleep setting.
To put the computer to sleep during periods of inactivity, select “Put the hard disk(s) to sleep when possible.”
8 To set wake, restart, and processor performance settings, choose Options from the
Settings pop-up menu.
To wake the computer when the modem is activated, select “Wake when the modem detects a ring”.
To wake the computer when an administrator attempts access remotely, select “Wake for Ethernet network administrator access.”
To make sure the computer restarts if the power fails, select “Restart automatically after a power failure.” Deselect this option to disable automatic restart.
Select either Highest, Automatic, or Reduced in the Processor Performance pop-up menu. For computers using an adapter, the recommended setting is Highest. For computers using a battery, the recommended setting is Automatic.
9 Click Apply Now.
To manually wake up a sleeping computer or display, users can click the mouse or press a key on the keyboard.
Displaying Battery Status for Users
Portable computers use a battery as either a direct or backup power source when not connected to a power adapter. When battery power is too low to function, the computer will put itself to sleep to conserve energy. When a user reconnects the computer to a direct power source (such as by inserting a fresh battery or connecting a power adapter), they can wake the computer and begin working again.
Users should be encouraged to monitor battery status when roaming free and use a power adapter when possible to maintain a fully charged battery.
Chapter 9 Managing Preferences 153
154
To show battery status in the menu bar:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Energy Saver.
5 Click Battery Menu and set the management setting to Always.
6 Select “Show battery status in the menu bar” to display the battery menu. To disable the battery menu, deselect this option.
7 Click Apply Now.
Scheduling Automatic Startup, Shutdown, or Sleep
You can choose to have computers start up, shut down, or sleep at specific times on specific days of the week. Scheduling shutdown or sleep can help you conserve energy during predictable times of user inactivity, such as after work hours, on weekends, or after a class is finished. Scheduling startup automatically can allow you to conveniently prepare a lab or classroom for immediate use.
To schedule automatic actions:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Energy Saver.
5 Click Schedule.
6 Choose either Mac OS X or Mac OS X Server from the OS pop-up menu and set the management setting to Always.
7 To schedule automatic startup, select “Start up the computer” and choose a day or range of days (Weekdays, Weekends, or Every Day) from the pop-up menu. Then, enter a time in the time field. To disable scheduled startup, deselect this option.
8 To schedule automatic sleep or shutdown, select the checkbox and then choose either
Sleep or Shut Down from the pop-up menu. Next, choose a day or range of days
(Weekdays, Weekends, or Every Day) from the pop-up menu. Then, enter a time in the time field. To disable scheduled sleep or shutdown, deselect this option.
9 Click Apply Now.
Chapter 9 Managing Preferences
Managing Finder Preferences
You can control various aspects of Finder menus and windows. The table below summarizes what you can do with each Finder preference pane.
Finder preference pane
Preferences
Commands
Views
What you can control
Finder window behavior, Simple Finder, whether open items appear on the desktop, filename extension visibility, and the Empty
Trash warning dialog
Commands in Finder menus and the Apple menu allow users to easily connect to servers or restart the computer, for example. In some situations, you may want to limit user access to these commands. Settings in the Commands pane let you control whether certain commands are available to users.
Finder Views allow you to adjust the arrangement and appearance of items on a user’s desktop, in Finder windows, and in the toplevel directory of the computer.
Setting Up Simple Finder
You can select either the regular Finder or Simple Finder as the user environment. The regular Finder looks and acts like the standard Mac OS X desktop. Simple Finder provides an easier-to-navigate interface (for example, the Documents and My
Applications folders appear in the user’s Dock).
In addition to using Workgroup Manager, you can set up Simple Finder on a client computer (locally) using System Preferences. When you use Workgroup Manager to apply the Simplified Finder environment and the feature is not in use on the local computer, only the client’s Finder is affected; Dock and Application access settings must be managed separately. You can set up the Simplified Finder on the local computer, and use the application and Dock management features in Workgroup
Manager to add Dock items and application access.
Important: For client computers using Mac OS X versions 10.2 through 10.2.8, don’t turn on Simple Finder for users who log in to a workgroup with its own group folder
(directory). These users can’t use applications because Simple Finder prevents access to the group directory.
To turn on Simple Finder:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Preferences and select a management setting (Always).
Chapter 9 Managing Preferences 155
156
6 If you select Always, you can select either “Use normal Finder” or “Use Simplified Finder to limit access to this computer.”
If you select Once, only “Use normal Finder” is available.
7 Click Apply Now.
Keeping Disks and Servers From Appearing on the User’s Desktop
Normally when a user inserts a disk, that disk’s icon appears on the desktop. Icons for local hard disks or disk partitions and mounted server volumes are also visible. If you don’t want users to see these items on the desktop, you can hide them.
These items still appear in the top-level directory when a user clicks the Computer icon in a Finder window toolbar.
To hide disk and server icons on the desktop:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Preferences and select a management setting (Once or Always).
6 Under “Show these items on the Desktop,” deselect the items you want to hide.
7 Click Apply Now.
Controlling the Behavior of Finder Windows
You can select which directory appears when a user opens a new Finder window. You can also define how contents are displayed when a user opens folders.
To set Finder window preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Preferences and select a management setting (Once or Always).
6 Under “New Finder window shows,” specify the items you want to display.
Select Home to show items in the user’s home directory.
Chapter 9 Managing Preferences
Select Computer to show the top-level directory, which includes local disks and mounted volumes.
7 Select “Always open folders in a new window” to display folder contents in a separate window when a user opens a folder. Normally, Mac OS X users can browse through a series of folders using a single Finder window.
8 Select “Always open windows in Column View” to maintain a consistent view among windows.
9 Click Apply Now.
Hiding the Alert Message When a User Empties the Trash
Normally, a warning message appears when a user empties the Trash. If you don’t want users to see this message, you can turn it off.
To hide the Trash warning message:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Preferences and select a management setting (Once or Always).
6 Deselect “Show warning before emptying the Trash.”
7 Click Apply Now.
Making Filename Extensions Visible
A filename extension usually appears at the end of a file’s name (for example, “.txt” or
“.jpg”). Applications use the filename extension to identify the file type.
To make filename extensions visible:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Select a management setting (Once or Always).
6 Select “Always show file extensions.”
7 Click Apply Now.
Chapter 9 Managing Preferences 157
158
Controlling User Access to Remote Servers
Users can connect to a remote server by using the “Connect to Server” command in the
Finder’s Go menu and providing the server’s name or IP address. If you don’t want users to have this menu item, you can hide the command.
To hide the “Connect to Server” command:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Commands and set the management setting to Always.
6 Deselect “Connect to Server.”
7 Click Apply Now.
Controlling User Access to an iDisk
If users want to connect to an iDisk, they can use the “Go to iDisk” command in the
Finder’s Go menu. If you don’t want users to see this menu item, you can hide the command.
To hide the “Go to iDisk” command:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Commands and set the management setting to Always.
6 Deselect “Go to iDisk.”
7 Click Apply Now.
Preventing Users From Ejecting Disks
If you don’t want users to be able to eject disks (for example, CDs, DVDs, floppy disks, or FireWire drives), you can hide the Eject command in the Finder’s File menu.
To hide the Eject command:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
Chapter 9 Managing Preferences
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Commands and set the management setting to Always.
6 Deselect Eject.
7 Click Apply Now.
Hiding the Burn Disc Command in the Finder
On computers with appropriate hardware, users can “burn discs” (write information to recordable CDs or DVDs). If you don’t want users to have this privilege, you can hide the Burn Disc command in the Finder’s File menu.
To hide the Burn Disc command:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Commands and set the management setting to Always.
6 Deselect “Burn Disc.”
7 Click Apply Now.
To prevent users from using or burning recordable CDs or DVDs, use settings in the
Media Access panes.
Only computers with a CD-RW drive, Combo Drive, or SuperDrive can burn CDs. The
Burn Disc command will work only with CD-R, CD-RW, or DVD-R disks. Only a
SuperDrive can burn DVDs.
Controlling User Access to Folders
Users can open a specific folder by using the “Go to Folder” command in the Finder’s
Go menu and providing the folder’s path name. If you don’t want users to have this privilege, you can hide the command.
To hide the “Go to Folder” command:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
Chapter 9 Managing Preferences 159
160
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Commands and set the management setting to Always.
6 Deselect “Go to Folder.”
7 Click Apply Now.
Removing Restart and Shut Down From the Apple Menu
If you don’t want to allow users to restart or shut down the computers they’re using, you can remove the Restart and Shut Down commands from the Apple menu.
To hide the Restart and Shut Down commands:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Commands and set the management setting to Always.
6 Deselect Restart and Shut Down.
7 Click Apply Now.
As an additional preventive measure, you can make the Restart and Shut Down buttons unavailable (dimmed) from the login window, by using settings in Login preferences.
For instructions, see “Managing Login Preferences” on page 163.
Adjusting the Appearance and Arrangement of Desktop Items
Items on a user’s desktop appear as icons. You can control the size of desktop icons and how they’re arranged.
To set preferences for the desktop view:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Views, then select a management setting (Once or Always). This setting applies to options in all three views.
Chapter 9 Managing Preferences
6 Click Desktop View.
7 Drag the slider to adjust icon size.
8 To keep items aligned in rows and column, select “Snap to grid.”
To arrange items by criteria such as name or type (for example, all folders grouped together), select “Keep arranged by,” then choose a method from the pop-up menu.
9 Click Apply Now.
Adjusting the Appearance of Finder Window Contents
Items in Finder windows can be viewed in a list or as icons. You can control aspects of how these items look, and you can also control whether to show the toolbar in a Finder window.
Default View settings control the overall appearance of all Finder windows. Computer
View settings control the view for the top-level computer directory, showing hard disks and disk partitions, external hard disks, mounted volumes, and removable media (such as CDs or floppy disks).
To set preferences for the default and computer views:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Finder.
5 Click Views, then select a management setting (Once or Always). This setting applies to options in all three views.
6 Click Default View.
7 Drag the Icon View slider to adjust icon size.
8 Select how you want to arrange icons.
Select None to allow users to place items anywhere on the desktop.
Select “Snap to grid” to keep items aligned in rows and columns.
Select “Keep arranged by,” then choose a method from the arrangement pop-up menu.
You can arrange items by name, creation or modification date, size, or kind (for example, all folders grouped together).
9 Adjust List View settings for the default view.
If you select “Use relative dates,” an item’s creation or modification date is displayed as
“Today” instead of “3/24/05,” for example.
Chapter 9 Managing Preferences 161
162
If you select “Calculate folder sizes,” the computer calculates the total size of each folder shown in a Finder window. This can take some time if a folder is very large.
Select a size for icons in a list.
10 Click Computer View and adjust Icon View and List View settings for the computer view. Available settings are similar to those available for the default view described in steps 5 through 9.
11 Click Apply Now.
Managing Internet Preferences
Internet preferences let you set email and web browser options. Some Internet browser or email applications may not support these settings. The table below describes what settings on each Internet pane can do.
Internet preference pane
Web
What you can control
Preferred email application and email information
Preferred web browser and URLs for the home page and search page
Setting Email Preferences
Email settings let you specify a preferred email application and supply information for the email address, incoming mail server, and outgoing mail server.
Note: Some mail applications may ignore these settings.
To set email preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Internet.
5 Click Email and select a management setting (Once or Always).
6 To set the default email reader, click Set and choose the email application you prefer.
7 Type information for the email address, incoming mail server, and outgoing mail server.
8 Select an email account type (either POP or IMAP).
9 Click Apply Now.
Chapter 9 Managing Preferences
Setting Web Browser Preferences
Use web settings in Internet preferences to specify a preferred web browser and a place to store downloaded files. You can also specify a starting point URL for your browser using the Home Page location. Use the Search Page location to specify a search engine URL.
Note: Some web browsers may ignore these settings.
To set web preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Internet.
5 Click Web and select a management setting (Once or Always).
6 To set the Default Web Browser, click Set and choose a preferred web browser application.
7 Type a URL for the Home Page. This is the page a user sees when a browser opens.
8 Type a URL for the Search Page.
9 Type a folder location for storing downloaded files, or click Set to browse for a folder.
10 Click Apply Now.
Managing Login Preferences
Use Login preferences to set options for user login, provide password hints, and control the user’s ability to restart and shut down the computer from the login screen. You can also mount a group volume or make applications open automatically when a user logs in. The table below summarizes what you can do with the settings on each Login pane.
Login preference pane
Login Items
Scripts
Login Window
Options
What you can control
Access to the group volume, which applications open automatically for the user, enable users to manage opening items
Specify a script to execute at Login or Log-out, execute or disable the client computer’s own LoginHook or LogoutHook scripts
For computer lists only: The appearance and function of items in the Login window, which users are listed if List of users is specified
For computer lists only: Allow Fast User Switching. How many minutes of inactivity result in the user being logged out
Chapter 9 Managing Preferences 163
164
Scripts, Login Window and Options can be managed for computers only, not for users or groups. The following relevant managed preferences are discussed in detail.
Specifying How a User Logs In
Depending on the settings you choose, a user will see either a name and password text field or a list of users in the login window. These settings apply only to computer lists.
To set up how a user logs in:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more computer lists.
4 Click Login.
5 Click Login Window and set the management setting to Always.
6 To require the user to type his or her user name and password, select “Name and password text fields.”
7 To allow a user to select his or her name from a list, select “List of users able to use these computers.”
If you decide to use a list of users, select categories of users you want to display in the list. To ensure a type of user doesn’t show up in the list, deselect the corresponding setting. If you allow unknown users, you can select “Show other users.”
Note: When the “Allow users with local-only accounts” checkbox is deselected (in
Workgroup Manager/Accounts/Computer Lists/Access), local non-administrators won’t be able to log in.
The “computer administrators” checkbox refers to all computer administrators, with other local or network accounts.
The complete list displayed at login is only of users who are able to log in. That is, only the users shown in the computer’s access pane. Furthermore, users with disabled accounts will not be shown (see Password Policy Settings.)
8 You may want to prevent users from logging in using the Darwin console (commandline interface) and avoiding management. To disable Darwin login, uncheck “Allow users to log in using >console.”
9 To disable automatic log in as a specific user when the computer starts up, uncheck
“Enable Auto Login Client Setting.”
In case you decide to use this setting, you must set up automatic login on the client computer. Open System Preferences, click Accounts, click Login Window, select “Enable
Auto Login Client Setting,” choose a user from the pop-up menu, and provide the correct password for that user account.
Chapter 9 Managing Preferences
10 When you have finished selecting managed login settings, click Apply Now.
Opening Items Automatically After a User Logs In
You can open frequently used items for a user. You can also hide items that open automatically to help prevent screen clutter, while still making the item easily accessible.
Items open in the order they appear in Login Items preferences (you can specify the order). As items open, they “stack” on top of one another; the last item is closest to the top. For example, if you specify three items to open (and none is hidden), the user sees the menu bar for the last item opened. If an application has open windows, they may overlap windows from other applications.
A user can stop login items from opening by holding down the Shift key during login until the Finder appears on the desktop; you can turn off this feature.
To make an item open automatically:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Login.
5 Click Login Items and select a management setting (Once or Always).
6 To add an item to the list, click Add.
7 Select the Hide checkbox for any item you don’t want the user to see right away.
The application remains open, but its windows and menu bar remain hidden until the user activates the application (for example, by clicking its icon in the Dock).
8 Deselect “User may add and remove additional items” if you don’t want users to have this privilege. (This checkbox is available only if Login Items preferences are always managed.)
Users cannot remove items added to this list by an administrator, but users can remove items they’ve added themselves.
9 To prevent users from stopping applications that open automatically at login, deselect
“User may press Shift to keep items from opening.” (This checkbox is available only if
Login Items preferences are always managed.)
10 Click Apply Now.
Chapter 9 Managing Preferences 165
166
Providing Access to a User’s Network Home Directory
This setting is used primarily for mobile accounts. When a user logs in while connected to the network, the share point with the user’s original home directory (located on the server) is mounted on the desktop.
Note: If you are using Portable Home Directories with mobile accounts, direct access to the network home is recommend only for advanced users. This is because users can get confused by the multiple folders which are all titled with their username as well as multiple similarly named folders like Documents, Music, and others, some of which may have the same content.
To automatically mount the Network Home:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select a mobile user account in the account list.
4 Click Login.
5 Click Login Items.
6 Select a management setting (Once or Always).
7 Select “Add network home share point.”
8 Click Apply Now.
Providing Easy Access to the Group Share Point
After you have set up a group share point, you can make it easy for users to locate group directories by accessing the share point automatically at login. (For information
about setting up a group share point, see “Working With Group Folder Settings” on page 93.)
Note: This preference setting applies only to groups. You cannot manage this setting for users or computers.
To add a login item for the group share point:
1 If you haven’t set up a group share point and group folder, do so before you proceed.
2 In Workgroup Manager, click Preferences.
3 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
4 Click the Groups button and select one or more group accounts from the list
5 Click Login.
Chapter 9 Managing Preferences
6 Click Login Items.
7 Set the management setting to Always.
8 Select “Add group share point.”
9 Select the newly added group share point item in the list under “Open these items automatically when the user logs in.”
If you don’t want the group share point to appear in the Dock, select the Hide checkbox.
10 Make sure the “Mount with user’s name and password” is selected.
11 Click Apply Now.
When the user logs in, the computer connects to the group share point with the user name and password given at login. If you manage Finder preferences and choose not to show connected servers, the group volume’s icon will not appear on the desktop.
However, the user can find the volume by clicking Computer in a Finder window.
If you change the location of the group share point, be sure to update the login item for the group in Workgroup Manager.
Preventing Restarting or Shutting Down the Computer at Login
Normally, the Restart and Shut Down buttons appear in the login window. If you don’t want the user to restart or shut down the computer, you can make these buttons unavailable.
You may also want to remove the Restart and Shut Down commands from the Finder
menu. (For instructions, see “Managing Finder Preferences” on page 155.) Check the
Commands pane of Finder preferences and make sure Restart and Shut Down are not selected.
Note: Login Window settings are available only for computer lists.
To disable the Restart and Shut Down buttons:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Computer Lists button and select one or more accounts.
4 Click Login.
5 Click Login Window and set the management setting to Always.
6 Deselect the “Show Restart” and “Show Shut Down” buttons in Login Window.
7 Click Apply Now.
Chapter 9 Managing Preferences 167
168
Using Hints to Help Users Remember Passwords
You can use a “hint” to help users remember their passwords. After three consecutive attempts to log in with an incorrect password, a dialog displays the hint you created.
If a password hint has been created for a local user, the hint is always displayed after three failed attempts, even if Show Password Hint is not selected. Password hints are not used for network user accounts.
To show a password hint:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Computer Lists button and select one or more accounts.
4 Click Login.
5 Click Login Window and set the management setting to Always.
6 Select “Show password hint after 3 attempts to enter a password.”
7 Click Apply Now.
Enabling Simultaneous Multiple Users on a Client Computer
With Fast User Switching, more than one account is available at the same time on a single computer. The list of current active (authenticated) accounts appears in a menu on the right side of the Finder menu bar; you switch to a different account by selecting it. A user must authenticate to switch to his or her account, but the previous user does not have to log out first.
Fast User Switching can be convenient for computers used by small, consistent groups.
But there is also the caveat that fast user switching may not work between users with network home directories or one with media access preferences.
To enable Fast User Switching:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Computer Lists button and select one or more accounts.
4 Click Login.
5 Click Options and set the management setting to Always.
Chapter 9 Managing Preferences
6 Select “Enable Fast User Switching” to allow users to use this feature. Deselect this option to disable it.
7 Click Apply Now.
Enabling Automatic Logout for Idle Users
You can reduce load on your servers and help keep user accounts more secure by automatically initiating logout after a period of inactivity. When the set amount of time has passed, the user is logged out and returned to the login window.
Note: This feature is for clients running Mac OS X version 10.3 and later.
To log a user out automatically:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Click the Computer Lists button and select one or more accounts.
4 Click Login.
5 Click Auto Log-Out and set the management setting to Always.
6 Adjust the slider to set the amount of time a user can remain inactive before automatic logout occurs.
7 Click Apply Now.
Login and Logout Scripts
Login scripts allow you run a routine script whenever a user logs in to a particular computer. Since login or logout scripts run as root, they are very powerful. You must be careful that the scripts don't harm the system settings or user files. You can add a login script to a computer in two ways. You can add a LoginHook to a specific computer or you can apply a login script to a computer list using Workgroup Manager. This section will describe how you can configure login scripts for computer lists in Workgroup
Manager. Similarly, you can add logout scripts to customize the logout experience.
To set up a login or logout script execute the following commands at each client:
1 Set the key “EnableMCXLoginScripts” in ~root/Library/Preferences/ com.apple.loginwidow.plist to TRUE.
$ sudo defaults write com.apple.loginwindow.plist
EnableMCXLoginScripts -bool TRUE
Chapter 9 Managing Preferences 169
170
2 Optionally set the key “MCXScriptTrust” in ~root/Library/Preferences/ com.apple.loginwidow.plist to a valid TRUST string.
$ sudo defaults write com.apple.loginwindow.plist MCXScriptTrust string PartialTrust
If this is not set it becomes an invalid TRUST string. The trust level of “FullTrust” is needed to execute any available scripts set up in the Scripts pane in Login System
Preferences above.
The valid TRUST strings in relative trust order are “Anonymous”, “DHCP”, “Encryption”,
“Authenticated”, “PartialTrust”, “FullTrust”. Specifying a TRUST string also allows any trust value above that TRUST string. Thus “Anonymous” allows all trust levels; “PartialTrust” allows “PartialTrust” and “Full Trust”. Note that most Active Directory nodes will support
“PartialTrust” and not “FullTrust”.
After you have accomplished the previous two steps you would add the login or logout script using Workgroup Manager to the computer list of choice. Note that the script can’t be more than 30 kb in size.
Managing Media Access Preferences
Media Access preferences let you control settings for and access to CDs, DVDs, the local hard drive, and external disks (for example, floppy disks and FireWire drives). The table below describes what you can do with the settings on each Media Access pane.
Media Access preference pane What you can control
Disc Media Settings for CDs, DVDs, and recordable discs (for example, a CD-R,
CD-RW, or DVD-R). Computers without appropriate hardware to use
CDs, DVDs, or recordable discs are not affected by these settings.
Other Media Internal hard disks and external disks other than CDs or DVDs
Controlling Access to CDs, DVDs, and Recordable Discs
If a computer can play or record CDs or DVDs, you can control whether users can access items (music, movies, and so on) on these discs. You cannot permit access to only certain discs or to specific items on a disc.
If a computer has the appropriate hardware, you can control whether users can “burn discs”: write information to a recordable disc such as a CD-R, CD-RW, or DVD-R. Users can burn CDs on computers with a CD-RW drive, Combo Drive, or SuperDrive. Users can burn DVDs only on computers with a SuperDrive.
To control access to disc media:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
Chapter 9 Managing Preferences
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Media Access.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Disc Media and select the desired options.
7 Click Apply Now.
Controlling Access to Hard Drives and Disks
You can control access to internal or external disk drives such as floppy disk drives, Zip drives, and FireWire drives.
Note: Behavior for internal hard disks may vary slightly between clients running
Mac OS X 10.2 (Jaguar) and 10.3 (Panther). For consistent results, set access privileges for internal disks and partitions on individual clients by using Ownership and
Permissions settings in the Finder.
To restrict access to internal and external disks:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Media Access.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Other Media and select desired options.
If you select the Read-Only checkbox, users can view the contents of a disk but cannot modify or save files on it.
7 Click Apply Now.
Ejecting Items Automatically When a User Logs Out
If you allow users to access CDs, DVDs, or external disks such as Zip disks or FireWire drives on shared computers, you may want to automatically eject removable media when a user logs out.
To eject removable media automatically:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
Chapter 9 Managing Preferences 171
172
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Media Access.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Other Media.
7 Select “Eject all removable media at logout.”
8 Click Apply Now.
Managing Mobility Preferences
If a user requires a mobile account, you can specify one be created for the user automatically during their next login. For more details about mobile accounts,
Managing Network Preferences
Network preferences let you select and configure proxy servers that can be used by users and groups. You can also specify hosts and domains for which to bypass proxy settings. This has the advantage of providing a customized browsing experience for the managed users and groups.
Configuring Proxy Servers by Port
You can configure specific types of proxies for a user or group to access and specify the exact port. The types of proxy servers modifiable individually are: FTP, Web (HTTP),
Secure Web (HTTPS), Streaming (RTSP), SOCKS, Gopher, and Automatic Proxy
Configuration.
The system administrator manages which users or groups get these proxies and specifies the proxy they are allowed to access in the Preferences pane of Workgroup
Manager. Only one proxy server per type can be specified for a user or a group.
To configure proxy servers for a user or a group:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Network.
Chapter 9 Managing Preferences
5 Select the specific type of proxy you want to configure, (FTP, Web, and so on).
6 Specify a URL and port of the form: proxyserver.apple.com:8080/.
7 Click Apply Now.
Managing Printing Preferences
Use Printing preferences to create printer lists and manage access to printers. The table below describes what settings on each Printing pane can do.
Printing preference pane
Printer List
Access
What you can control
Available printers and the user’s ability to add printers or access a printer connected directly to a computer
The default printer and access to specific printers
Making Printers Available to Users
To give users access to printers, you first need to set up a printer list. Then, you can allow specific users or groups to use printers in that list. You can also make printers available to computers. A user’s final list of printers is a combination of printers available to the user, the group selected at login, and the computer being used.
To create a printer list for users:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Printing.
5 Set the management setting to Always. This setting applies to all Printing preference options.
6 Click Printer List.
7 The Available Printers list is created from the list of available network printers in Printer
Setup Utility.
Select a printer in the Available Printers list, then click “Add to List” to make that printer available in the user’s printer list.
If the printer you want doesn’t appear in the Available Printers list, click Open Printer
Setup and add the printer to Printer Setup Utility’s printer list.
8 Click Apply Now.
Chapter 9 Managing Preferences 173
174
Preventing Users From Modifying the Printer List
You can prevent a user from changing the list of available printers (adding or removing printers).
To restrict access to the printer list:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Printing.
5 Set the management setting to Always. This setting applies to all Printing preference options.
6 Click Printer List.
7 To require an administrator to modify the printer list, deselect the “Allow user to modify the printer list” checkbox.
8 Click Apply Now.
Restricting Access to Printers Connected to a Computer
In some situations, you might want only certain users to print to a printer connected directly to their computers. For example, if you have a computer in a classroom with a printer attached, you can reserve that printer for teachers by making the teacher an administrator and requiring an administrator’s user name and password to access the printer.
To restrict access to a printer connected to a specific computer:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Printing.
5 Set the management setting to Always.
This setting applies to all Printing preference options.
6 If it’s a network printer you want the client computer to have access to, click Printer List, select the printer, and click “Add to List.”
Chapter 9 Managing Preferences
7 If don’t want users to access local printers, deselect “Allow printers that connect directly to the user’s computer.” To require an administrator password to use the printer, select
“Require an administrator password.”
8 Click Apply Now.
Setting a Default Printer
Once you have set up a printer list, you can specify one printer as the default printer.
Any time a user tries to print a document, this printer is the preferred selection in an application’s printer dialog.
To set the default printer:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Printing.
5 Set the management setting to Always. This setting applies to all Printing preference options.
6 Click Access.
7 Select a printer in the user’s printer list, then click Make Default.
8 Click Apply Now.
Restricting Access to Printers
You can require an administrator’s user name and password in order to print to certain printers.
To restrict access to a specific printer:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Printing.
5 Set the management setting to Always. This setting applies to all Printing preference options.
6 Click Access.
Chapter 9 Managing Preferences 175
176
7 Select a printer in the User’s Printer List, then select “Require an administrator password.”
8 Click Apply Now.
Managing Software Update Preferences
You can specify one software update server to use per user or group.
Mac OS X Server lets you stage your own software updates from a local server for a specific user population. This has the advantage of freeing up external network bandwidth while also giving the system administrator the ability to turn off or force specific updates.
To manage access to Software Update:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Software Update.
5 Set the management setting to Always.
6 Specify a URL of the form: someserver.apple.com:8080/.
7 Click Apply Now.
Managing Access to System Preferences
You can specify which System Preferences are visible to users and which preferences users can modify. Users can open any item that appears in System Preferences but they may not be able to change its settings. Some preferences, such as Startup Disk preferences, always require an administrator name and password.
The preferences that appear in Workgroup Manager are those installed on the computer you’re currently using. If your administrator computer is missing any System
Preferences, you should either install them or use Workgroup Manager on an administrator computer that has those preferences installed.
To manage access to System Preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
Chapter 9 Managing Preferences
3 Select one or more users, groups, or computer lists.
4 Click System Preferences.
5 Set the management setting to Always.
6 Deselect the Show checkbox for each item you don’t want to display in a user’s System
Preferences.
7 Click Apply Now.
Managing Universal Access Preferences
Universal Access settings can help improve the user experience for certain users. For example, if a user is a person with a disability, has difficulty using a computer, or wants to work in a different way, you can choose settings that enable the user to work more effectively. Using Workgroup Manager, you may want to set up and manage Universal
Access settings for specific workgroups or computers dedicated to special needs.
The table below describes what settings on each Universal Access pane can do.
Universal Access preference pane
Seeing
Hearing
Keyboard
Mouse
Options
What you can control
The visual display and desktop zooming
The visual alert for users
How the keyboard responds to keystrokes and key combinations
How the pointer responds and whether users can use the numeric keypad instead of a mouse
Shortcut key combinations, the use of assistive devices, and whether the computer reads text in the Universal Access preference pane
Adjusting the User’s Display Settings
Workgroup Manager’s Seeing preferences allow users to adjust the appearance of the screen. The user can easily zoom in or out on the desktop using keyboard shortcuts
(specific key combinations). Changing to a grayscale or white-on-black display can make it easier to read text on the screen.
Note: If display settings are managed once, users can toggle between the zoom or color options using keyboard shortcuts. If the management setting is Always, users cannot toggle between options.
To manage Seeing preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
Chapter 9 Managing Preferences 177
178
3 Select one or more users, groups, or computer lists.
4 Click Universal Access.
5 Click Seeing, then select a management setting (Once or Always).
6 Make changes as desired.
7 To fine-tune zoom settings, click Zoom Options.
Use the sliders to set a Maximum Zoom and Minimum Zoom.
To show a preview area, select “Show preview rectangle when zoomed out.”
To improve the appearance of zoomed graphics, deselect “Smooth images.”
8 Click Apply Now.
To further customize the user’s display, you can use Finder View preferences to control the size of icons in Finder windows and use Dock Display preferences to enlarge or magnify icons in the user’s Dock.
If you plan to manage dedicated computers, you may be able to use Display preferences to change the resolution of your display and the number of colors your display uses. If you want to keep the local Display preferences as you set them, you may want to remove the Display item from the list of available System Preferences using Workgroup Manager’s Applications preference.
To allow the use of an assistive device on a specific computer, such as a screen reader, click Preferences, select a computer list, click System Preferences, click Universal Access, click Options, click Always, and select “Enable access for assistive devices.”
Setting a Visual Alert
If users have trouble hearing a computer’s alert sounds (for example, the sound played when new mail arrives or an error occurs), you can flash the screen as an alternative.
To set a flashing alert:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Universal Access.
5 Click Hearing, then select a management setting (Once or Always).
6 Select “Flash the screen whenever an alert sound occurs.”
7 Click Apply Now.
Chapter 9 Managing Preferences
Adjusting Keyboard Responsiveness
If users have difficulties pressing multiple keys at once, you can use the Sticky Keys feature to allow the keyboard to recognize a sequence of individual keystrokes as a key combination. The computer can display each keystroke on the screen, and then respond with an alert when the key combination is complete.
Note: If you enable Universal Access Shortcuts, a user can press the Shift key five times to turn Sticky Keys on or off.
If the keyboard is too responsive for some users, causing problems with repeated keystrokes, you can use Slow Keys to increase the delay in response to a pressed key.
The computer can respond to pressed keys with a “click” sound to provide some feedback to the user.
To set how the keyboard responds to keystrokes:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Universal Access.
5 Click Keyboard, then select a management setting (Once or Always).
6 Select On to activate Sticky Keys.
To turn off the key combination alert, deselect “Beep when a modifier key is set.”
To turn off onscreen display for keystrokes, deselect “Show pressed keys on screen.”
If these options are not selected, users may not easily know when a key combination is in progress or completed.
7 Select On to activate Slow Keys.
8 If you don’t want the computer to respond to keystrokes with a “click,” deselect “Use click key sounds.”
9 Move the slider to adjust the amount of delay between when a key is pressed and when the computer accepts it.
10 Click Apply Now.
Chapter 9 Managing Preferences 179
180
Adjusting Mouse and Pointer Responsiveness
If users have difficulties using a mouse or prefer not to use a mouse, the Mouse Keys feature allows them to use the numeric keypad instead. Keys on the numeric keypad correspond to directions and mouse actions, so the user can move the pointer and hold, release, or click.
Note: If you enable Universal Access Shortcuts, a user can press the Option key five times to turn Mouse Keys on or off.
If the pointer moves too quickly for some users, you can adjust how soon the pointer begins to move and how fast it goes.
To control mouse and pointer settings:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Universal Access.
5 Click Mouse, then select a management setting (Once or Always).
6 Select On to activate Mouse Keys.
7 To control how long it takes for the pointer to begin moving, adjust the Initial Delay slider.
8 To control how fast the pointer moves, adjust the Maximum Speed slider.
9 Click Apply Now.
Enabling Universal Access Shortcuts
Universal Access Shortcuts are key combinations that activate an available access feature, such as zooming in on the screen or turning on Sticky Keys. If you choose not to allow Universal Access shortcuts, users may not be able to use features such as
Zoom and may not be able to turn off activated features such as Sticky Keys.
To allow Universal Access Shortcuts:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Universal Access.
Chapter 9 Managing Preferences
5 Click Options, then select a management setting (Once or Always).
6 Select Allow Universal Access Shortcuts.
7 Click Apply Now.
Allowing Devices for Users With Special Needs
If necessary, you can allow managed users to turn on assistive devices such as a text reader.
To allow assistive devices:
1 In Workgroup Manager, click Preferences.
2 Make sure the right directory is selected and that you are authenticated for it.
To switch directories, click the small globe above the accounts list. If you are not authenticated, click the lock.
3 Select one or more users, groups, or computer lists.
4 Click Universal Access.
5 Click Options, then select the Always management setting.
6 Select “Enable access for assistive devices.”
7 Click Apply Now.
Using the Preference Editor With Preference Manifests
The Preference Editor enables control over any well behaved Mac OS X application, utilities, and System Preferences not covered by the Overview Preferences pane of
Workgroup Manager. It also allows you to administer.
Some application developers provide preference manifests, which make it easier to decipher and modify the application’s preferences using the Preference Editor. You can edit an application’s preference key values even if the application doesn’t provide a preference manifest.
If an application has a preference manifest and you open the Preference Editor built in to Workgroup Manager to modify any key values in it, you’ll get better descriptions of the keys, making any modifications easier. For example if you use the preference editor with the Safari, which has preference manifest defined, you can easily find and change the home page a group sees when it opens Safari. The preference manifest enables the
Preference Editor to give appropriate descriptions of the keys and their effects instead of merely showing the key value names, which are not always decipherable.
Chapter 9 Managing Preferences 181
Preference manifests may be stored in application bundles (in /Contents/Resources) or they may be standalone files. They help you, the administer, in modifying and setting the managed preferences, (by providing names and descriptions, and telling you what preferences are managed and how to set them.) Preference manifests clarify what key values in the preference editor an application honors, and give you information as to how to set those keys to achieve your goal. Preference Manifests are merely a presentation layer over the Preference Editor, and get picked up automatically when they exist for an application.
The setting and modifications you make on an application’s keys are stored in directory services. When you modify an application’s preference key values in the Preference
Editor, any users, groups, or computer lists you have selected acquire these managed preferences.
Adding a Managed Preference by Importing it From an
Application
You can import preference keys and values via preference files for any application. This gives you the ability to set a user’s experience on an application to be identical to what yours already is.
To import a preference file into managed preferences:
1 In Workgroup Manager, click Preferences, then click Details.
2 Make sure the right directory is selected and that you are authenticated for it, and then select one or more users, groups, or computer lists.
3 Click Add.
4 Select the com.apple.<applicationname>.plist in the dialogue and click Add.
If the application provides a preference manifest, it appears in the list in Workgroup
Manager (in plain text). Managed preferences that don’t have a preference manifest associated with them are in italics.
Even if an application does not have a preference manifest, you can use the Preference
Editor to import and add existing preferences (from ~/Library/Preferences/) into directory services, and cause the end-user’s preferences to be set to these preferences.
Thus any application that uses Mac OS X preferences may be managed.
182 Chapter 9 Managing Preferences
Editing Preference Values for an Application
A well behaved application should respect the settings in a preference manifest. But if there is no preference manifest, it is up to you, the administrator, to see that these settings (modifiable in the Preference Editor) are effective. In general, preference management works best in Often mode. If you use Always mode, a preference may still take effect, but the application may probably still allow the preference to be changed by the end user.
To edit preference values for an application:
1 In Workgroup Manager, click Preferences, then click Details.
2 Make sure the right directory is selected and that you are authenticated for it, and then select one or more users, groups, or computer lists.
3 Double-click an item in the list (or select the item and click Edit).
4 Locate the values you want to modify and make the desired changes.
5 Click Apply Now and Done.
If you change key to a value that does not match the preference manifest for an application, the Preference Editor indicates that in the key edit screen. You are not forbidden from making such a change, merely advised against it.
Removing Preference Values With the Preferences Editor
You have the option of removing or deleting application preferences. This means that you can remove modified preference values for any and all applications that have been introduced into directory services. Doing so will not remove any preference manifests that may exist.
To clear preferences values from an application:
1 In Workgroup Manager, click Preferences, then click Details.
2 Select the application or bundle ID (this can only be done one application at a time.)
3 Click Remove.
Note: You don’t ever remove a preference manifest. You only remove the (existing) values that have been saved in directory services via the Preference Editor.
Chapter 9 Managing Preferences 183
184 Chapter 9 Managing Preferences
10
Managing Network Views
10
This chapter provides information about managing the network resources that users can view and access.
Using managed network views, you can control what users on a particular computer see when they click the Network icon in the sidebar of a Finder window, or when they choose Go > Network in the Finder.
A managed network view is a list of network resources that you customize to enhance a user's browsing and resource discovery experience. You can add network resources to what a user already sees, or specify exactly which items a user will see. You can customize network views for a single computer, a group of computers, or an entire subnet.
•
•
•
You can create managed network views that contain one or more of these components:
A network neighborhood, which is a collection of network resources that are grouped for easy access. A network neighborhood looks like a folder in the network view. A neighborhood can contain computers, other neighborhoods, and dynamic lists.
A computer is any computer on the network. You can add computers directly to a network view or you can add them to a neighborhood within a network view.
A dynamic list gives you the ability to automatically generate a list of network resources for display inside a neighborhood. For example, you can define a neighborhood called Marketing and show within it any active computer on the marketing network subnet.
•
Types of Managed Network Views
You can create three types of network views:
Named view. A named view, customized to address specific user requirements, is visible on only specific client computers. You associate a view with a computer by identifying the view in a computer record or by naming the view using an Ethernet address, an IP address, or a subnet string. The directory in which the named view is stored must be in the client computer’s search path.
185
186
•
•
Default view. A view named Default is visible on a client computer if the directory in which the view is stored is in its search path and no named view has been assigned to the computer.
Public view. A view named Public is visible on a client computer if the directory where the view is stored isn’t already providing a network view for the computer. The directory can be any directory that a computer is configured to access, on or off its search path.
If a Public view isn’t found in any such directory but a Default view is, the Default view is displayed.
Creating a Managed Network View
When you create a network view, you associate neighborhoods, computers, and dynamic lists with the view. You also define client-specific information, such as which client computers should use the view.
To create a network view:
1 Open Workgroup Manager, and click Network.
2 Click the small globe above the Network Views list to choose the network directory in which you want the view to reside.
3 Click the lock to authenticate as a domain administrator for the directory.
4 Choose Server > New Network View, select the type of view you want to create, and click Create.
5 If you’re defining a named view, enter a name for the view in the Layout pane.
If you want the named view to be used by all computers in a particular subnet, name the view using the subnet identifier (10.201.42.0/22).
If you want the named view to be visible by a particular computer, you can name the view using that computer’s IP address or Ethernet address. You can also specify the
view’s name in specific computer records, as “Enabling Managed Network View
Visibility” on page 193 describes.
6 In the Layout pane, add neighborhoods, computers, and dynamic lists to the view.
For instructions, see “Adding Neighborhoods to Managed Network Views” on page 188,
“Showing Computers in Managed Network Views” on page 189, and “Adding Dynamic
Lists to Managed Network Views” on page 191.
7 Finalize the neighborhood hierarchy. Drag elements up and down in the list in the
Layout pane to add them to neighborhoods or remove them from neighborhoods.
Items in the list are displayed alphabetically, as they are when viewed in the Finder. if your view contains computers and dynamic lists you haven’t put into a neighborhood, consider doing so. Displaying all resources within neighborhoods gives you the opportunity to assign a meaningful name to a collection of resources.
Chapter 10 Managing Network Views
8 Set up client computer settings for the view using the Settings pane.
For instructions, see “Defining Use of Managed Network Views by Client Computers” on page 192.
9 If you want to make the network view visible immediately on client computers, click
Layout, then select the Enabled checkbox.
10 Click Save.
Editing Managed Network Views
After you’ve created a managed network view, you can change its attributes and enable or disable it.
To edit a network view:
1 Open Workgroup Manager, and click Network.
2 Click the small globe above the Network Views list to choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want to edit.
5 Use steps 6 through 9 as desired to make changes to the view objects using the Layout pane.
6 If you want to re-name the view, enter the new name in the Name field.
7 Use the Enabled checkbox to enable or disable availability of the view.
8 Edit the objects in the view hierarchy as desired.
Click Add (+) to add a neighborhood, computer, or dynamic list to the view. Drag the new object to the location in the view hierarchy where you want it to be visible.
To delete an object from the view, select it and click Delete (–).
To edit a view object, select it and click the Edit button.
9 To rearrange objects in the view hierarchy, drag them to locations where you want them to be visible.
10 Click Settings to work with client settings, then use steps 11 and 12 as needed.
11 Edit the list of client computers on which the view is visible as desired.
Click Add (+) to make the view visible on additional client computers. Using the popup list, you can create a new computer record or open the computer record drawer, from which you can drag computers into the client computer list.
To avoid showing the view on a client computer, select the computer and click
Delete (–).
Chapter 10 Managing Network Views 187
188
To change the view a computer sees, select the computer and click the Edit button.
Select a view from the Network View pop-up list, and click Save.
12 Optionally change the rate at which you want client computers to check for view changes.
13 Optionally change the way the Finder displays the view.
14 Click Save to save your changes or click Revert to back up to the most recently saved network view.
Defining Neighborhoods for Managed Network Views
You create network neighborhoods to organize and logically present network resources.
In the network view, a neighborhood looks like a folder. The neighborhood can contain other neighborhoods as well as computers and dynamic lists.
Adding Neighborhoods to Managed Network Views
You can add any number of neighborhoods to a network view. Neighborhoods enable you to group network resources in a logical manner and organize the presentation of your network resources.
To add a neighborhood to an existing network view:
1 Open Workgroup Manager, and click Network.
2 Click the small globe above the Network Views list to choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want to work with.
5 In the Layout pane, click the Add (+) button, and choose New Neighborhood.
6 Type a name for the neighborhood and click Save.
Note: The Finder may not be able to display long (greater than 256 character) Managed
Network View names due to file/folder name length issues in the file system.
7 Add at least one computer, one dynamic list, or another neighborhood to the neighborhood.
Click the Add button, and choose the object you want to add to the neighborhood.
Then drag the object over the neighborhood.
8 Repeat steps 5 through 7 as required.
9 Click Save.
Chapter 10 Managing Network Views
Deleting Neighborhoods From Managed Network Views
Deleting neighborhoods from a managed network view removes them from the list of resources visible in the view. Exercise caution when deleting neighborhoods, as you do not receive any warnings if there are items within them.
To delete a neighborhood from a network view:
1 Open Workgroup Manager, and click Network.
2 Click the small globe above the Network Views list to choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want to work with.
5 In the Layout pane, choose the neighborhood you want to delete.
6 Click the disclosure triangle to reveal everything in the neighborhood and confirm that you in fact want to delete it and all its contents.
Drag neighborhood objects outside the neighborhood if you want to keep them associated with the view.
7 Click the Delete (–) button or choose Server > Delete.
8 If you think you may have deleted objects inadvertently, click Revert. Otherwise click
Save.
Defining Computers for Managed Network Views
You add computers to a managed network view definition when you want to give users access to a specific computer in the view.
Showing Computers in Managed Network Views
You can show a computer in a network view if it has a computer record in the directory where the network view resides. The computer record may already exist, or you can define a new one.
•
•
•
A computer record may already exist because:
The computer is managed using computer list preferences.
The computer is already associated with another managed network view.
The computer has been designated to use another managed network view in the directory.
Chapter 10 Managing Network Views 189
190
To add a computer to a network view:
1 Open Workgroup Manager, and click Network.
2 Click the small globe above the Network Views list to choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want to work with, and make sure the
Layout pane is selected.
5 To add a computer for which a computer record already exists in the current directory, go to step 6.
To create a new computer record, go to step 7.
To browse for a computer that may or may not have a computer record already, go to step 8.
6 To use an existing computer record, click the Add (+) button and select Show
Computers. Drag a computer from the drawer that appears into the Layout pane.
7 To create a new computer record, click the Add (+) button and choose New Computer.
In the dialog box that appears, enter information into two fields.
In the Name field, type the name you want to use to identify the computer when it’s displayed in the view.
In the URLs field, type one or more URLs by which the computer can be reached.
8 You can click the Browse button to browse for and identify a computer to add. The server initiates a URL-based search, which looks for services with the standard file service types (AFP, SMB/CIFS, FTP, and NFS). You are able to browse through all the computers you would normally see under /Network. Select a computer from the list.
If the computer you select already has a computer record, a warning appears and the computer isn’t added to the view. To add the computer, use step 6.
If the computer you select doesn’t have a computer record, one is created and the computer is added to the view.
9 Click Save.
Deleting Computers From Managed Network Views
Deleting a computer from a network view removes it from the list of available resources within that network view.
To delete a computer from a network view:
1 Open Workgroup Manager, and click Network.
2 Click the small globe above the Network Views list to choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
Chapter 10 Managing Network Views
4 In the Network Views list, select the view you want to work with.
5 In the Layout pane, select the computer record you wish to delete from the view. You may have to display the contents of neighborhoods, using the disclosure triangles, to see the computer in the list.
6 Click Delete (–), or choose Server > Delete.
7 If you think you may have deleted a computer inadvertently, click Revert. Otherwise click Save.
8 To delete other computers, repeat steps 4 through 6.
Alternatively, you can delete more than one computer at a time by pressing the
Command key as you select computers in a network view.
Defining Dynamic Lists for Managed Network Views
You can associate dynamic lists of network resources with a network view.
Mac OS X Server dynamically generates these lists when they’re selected by a user, using service discovery protocols the server is configured (in Directory Access) to use.
Adding Dynamic Lists to Managed Network Views
You can automate showing lists of network resources in a managed view by using dynamic lists.
Mac OS X and Mac OS X Server can use Open Directory to discover network services, such as file servers, that make themselves known with AppleTalk, SLP, or SMB/CIFS service discovery protocols. You use Directory Access on the server hosting your network views to enable or disable the various service discovery protocols you may want to use to provide dynamic lists.
To add a dynamic list to a network view:
1 Open Workgroup Manager, and click Network.
2 Click the small globe above the Network Views list to choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want to work with.
5 In the Layout pane, click the Add (+) button and select Add Dynamic List.
6 In the list that appears, select a service discovery location. You can select multiple locations by holding down the Command key while selecting them.
7 Click Add.
8 Click Save.
Chapter 10 Managing Network Views 191
192
Deleting Dynamic Lists From Managed Network Views
Deleting a dynamic list from a network view removes it from the list of available resources within that network view.
To delete a dynamic list from a network view:
1 Open Workgroup Manager, and click Network.
2 Click the small globe above the Network Views list to choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view you want to work with.
5 In the Layout pane, select the dynamic list you wish to delete from the view. You may have to display the contents of neighborhoods, using the disclosure triangles, to see the list.
6 Click Delete (–), or choose Server > Delete.
7 If you think you may have deleted a list inadvertently, click Revert. Otherwise click Save.
8 To delete other dynamic lists, repeat steps 4 through 7.
Alternatively, you can delete more than one dynamic list at a time by pressing the
Command key as you select lists.
Defining Use of Managed Network Views by Client
Computers
Several techniques are available for setting up computers to display managed network views and controlling how views behave on client computers.
How a Computer Finds Its Managed Network Views
When a Mac OS X computer starts, it searches through the directories in its search path.
If it detects a computer record for itself in one of the directories and the computer record has a managed network view associated with it, it uses that view and stops searching.
•
•
If the computer doesn’t find a computer record with an assigned network view, it searches through the directories in its search path for a network view whose name
• matches one of the following criteria, in the order listed:
The computer’s Ethernet address
The computer’s IP address
The computer’s subnet string
Chapter 10 Managing Network Views
If a network view matching one of these criteria is found, the computer uses that view and stops searching. But if no network view has been found so far, the computer searches through directories in its search path for a view named Default. The first
Default view found is used.
After the client’s search-path explorations are done, the client computer searches through all directories a client computer has been configured to access, on and off its search path. For each directory, if it finds a Public network view, it displays it in a folder named after the server hosting the directory. If it doesn’t find a Public view but does find a Default view in the directory, the Default view is displayed in a named folder.
Enabling Managed Network View Visibility
Use one of these techniques to make a named network view visible on a client
•
•
• computer:
Name the view using a subnet identifier that includes the computer.
Name the view using the computer’s Ethernet address or IP address.
Name the view something else and identify the view in a computer record for the computer.
Then make sure that the search path of the computer is configured to access the directory in which the view is stored.
Public and Default views are accessible on any client computer that’s configured to access the directories that store them.
To identify a managed network view in a computer record:
1 Open Workgroup Manager, and click Network.
2 Click the small globe above the Network Views list to choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view, and then click Settings.
5 To assign the view to a computer for which a computer record already exists in the current directory, go to step 6.
To assign the view to a computer that currently has no computer record in the current directory, go to step 7.
To browse for a computer that may or may not have a computer record already, go to step 8.
6 To assign the view to a computer with an existing computer record, click the Add (+) button and select Show Computers. Drag a computer from the drawer that appears into the Settings pane.
Chapter 10 Managing Network Views 193
194
7 To assign the view to a computer in a new computer record, click the Add (+) button and choose New Computer.
In the dialog box that appears, enter information into two fields.
In the Name field, type the name you want to use to identify the computer.
In the Ethernet ID field, type the computer’s Ethernet address.
8 You can click the Browse button to browse for and identify a computer you want to use the view. The server searches for computers with the service type “workstation.“These are the computers that are usually displayed in /Network/My Network.
If the computer you select already has a computer record, a warning appears and the computer isn’t added to the Settings list. To add the computer, use step 6.
If the computer you select doesn’t have a computer record, one is created and the computer is added to the list.
9 Click Save.
•
•
•
•
Disabling Managed Network View Visibility
If you no longer want a computer to use a particular network view, you can:
Disable the view
Delete the view
Disassociate the view from the related computer record
Change the view associated with the computer record
If you’ve named a view using a subnet identifier and want to avoid showing the view on any computer in the subnet, assign a different view to a computer record for the computer. The other view can be a different named view, or it can be a Default view.
To disable network view visibility
1 Open Workgroup Manager, and click Network.
2 Click the small globe above the Network Views list to choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view.
5 To disable the view, go to step 6.
To delete the view, go to step 7.
To disassociate the view from a computer record, go to step 8.
To change the view assigned to a computer record, go to step 9.
6 To disable the view, use the Layout pane.
Deselect the Enabled checkbox, then click Save.
None of the computers configured to use the view will be able to see the view.
Chapter 10 Managing Network Views
7 To delete the network view, choose Server > Delete.
8 To remove a view from a computer record, use the Settings pane.
Select the computer or computers in the list for which you want to disable view visibility. Then click the Delete (–) button and click Save.
9 To change the view assigned to a computer record to another view in the same directory, use the Settings pane. Select the computer in the list, and click the Edit button. Select the new view from the Network View pop-up list, then click Save.
To change the view to a view in a different directory, click the small globe above the
Network Views list to choose the directory and authenticate as a domain administrator for the directory. Select the view, then use the Settings pane to associate a computer record for the computer with the network view.
Setting Managed Network View Refresh Rate
You can refresh the display of a network view every so many minutes, hours, or days.
To set the view refresh rate:
1 Open Workgroup Manager, and click Network.
2 Click the small globe above the Network Views list to choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view.
5 In the Settings pane, set the values for how often you want the view refreshed.
6 Click Save.
Setting Finder Behavior With Managed Network Views
You can display a managed network view in a client computer’s Finder instead of or in addition to other network resources the Finder lists.
To set Finder network view display behavior:
1 Open Workgroup Manager, and click Network.
2 Click the small globe above the Network Views list to choose the network directory in which the view resides.
3 Click the lock to authenticate as a domain administrator for the directory.
4 In the Network Views list, select the view.
5 In the Settings pane, select “add to Network view” to retain the Finder’s default display of network resources. Select “replace Network view” to show only the managed network view in the Finder.
6 Click Save.
Chapter 10 Managing Network Views 195
196 Chapter 10 Managing Network Views
11
Solving Problems
11
If you encounter problems as you work with Workgroup
Manager, you may find a solution in this chapter.
Online Help and the Apple Service & Support website
If the answer to your question isn’t here, try searching Mac OS X Server online Help for new topics. You can also search the Apple Service & Support website for information and solutions: docs.info.apple.com/article.html?artnum=75178
Solving Account Problems
Follow the suggestions in this section when problems with user and group account administration arise.
•
•
You Can’t Modify an Account Using Workgroup Manager
Before you can modify an account using Workgroup Manager:
The directory domain must be the LDAP directory of an Open Directory master, a
NetInfo domain, or other read/write directory domain. Only these domains can be updated using Workgroup Manager.
You must have authenticated as an administrator of the directory domain. To authenticate, click the lock (near the top of the Workgroup Manager window).
You Can’t See Certain Users in the Login Window
When you upgrade to Mac OS X version 10.4 and migrate existing users to a shared directory on the new server, certain users might not show up in the login window. The login window does not list users with user IDs below 500, but they can still log in by entering a user name and password.
To set up a Mac OS X computer’s login window to show network users:
1 Set up a shared directory on Mac OS X Server.
2 In Workgroup Manager, click Accounts.
3 Select a computer list that resides in the shared directory.
4 Select “Define Guest computer preferences here,” and click Save.
197
5 Click Preferences, click Login, and click Login Window.
6 Select “List of users able to use these computers” and “Show network users.” Click Apply
Now.
7 Configure a Mac OS X version 10.4 computer associated with the computer list to use the shared directory.
You Can’t Unlock an LDAP Directory
To make changes in any directory domain, you must authenticate with the name and password of an administrator of that directory. Thus, to edit an entry in a shared
LDAPv3 directory, you must authenticate in Workgroup Manager with the name and password of an administrator account in that LDAPv3 directory. (An administrator account in /Netinfo/root, which is the computer’s local directory, can’t be used to authenticate as an administrator of a shared LDAP directory.)
You Can’t Modify a User’s Open Directory Password
To modify the password of a user whose password type is Open Directory, you must be an administrator of the directory domain in which the user’s record resides. In addition, your user account must have a password type of Open Directory. The user account specified when the Open Directory master was set up (using Server Assistant or the
Open Directory service settings in Server Admin) has an Open Directory password. This account can be used to set up other user accounts as directory domain administrators with Open Directory passwords.
You Can‘t Change a User’s Password Type to Open Directory
To change a user’s password type to Open Directory authentication, you must be an administrator of the directory domain in which the user’s record resides. In addition, your user account must be configured for Open Directory authentication. The user account specified when the Open Directory master was set up (using Server Assistant or the Open Directory service settings in Server Admin) has an Open Directory password. This account can be used to set up other user accounts as directory domain administrators with Open Directory passwords.
You Can’t Assign Server Administrator Privileges
In order to assign server administrator privileges to a user for a particular server, first connect to that server in Workgroup Manager. Select the user’s account (or create a new account for the user) in a directory domain on that server, and select “User can administer the server” on the Basic pane.
198 Chapter 11 Solving Problems
Users Can’t Log In or Authenticate
Try these techniques to determine whether the source of the authentication problem is
•
•
•
•
•
•
•
•
•
• configuration related or the password itself:
Reset the password to a known value, then determine whether there is still a problem. Try using a 7-bit ASCII password, which is supported by most clients.
Make sure that the password contains characters supported by the authentication protocol. Leading, embedded, and trailing spaces as well as special characters (for example, Option-8) are not supported by some protocols. For example, leading spaces work over POP or AFP, but not over IMAP.
Make sure that the user’s current keyboard can generate all the characters in the user’s password.
Basic authentication doesn’t support many authentication methods. To increase the possibility that a user’s client applications will be supported, set the user’s password type to Open Directory or suggest that the user try a different application.
If user’s account resides in a directory domain that is not available, you can create a user account in a directory domain that is available.
Make sure the client software encodes the password so that it is recognized correctly.
For example, Open Directory recognizes UTF-8 encoded strings, which may not be
•
•
• sent by some clients.
Make sure that the user’s current application and operating system support the user’s password length. For example, Windows applications that use the LAN
Manager authentication method support only 14-character passwords, so a password longer than 14 characters would cause an authentication failure even though
Mac OS X Server’s Windows service supports longer passwords.
If you disabled any of the Open Directory Password Server’s authentication methods, such as APOP or CRAM-MD5, then the user’s applications will be unable to authenticate with the disabled methods. The Open Directory administration guide explains how to disable and enable authentication methods with a command-line tool. After enabling or disabling Open Directory Password Server authentication methods, you may need to reset the user’s password.
For Kerberos troubleshooting tips, see “Users Can’t Authenticate Using Single Sign-
If a Mac OS 8.1–8.6 computer fails to authenticate for Apple file service, the computer’s AppleShare Client software may need upgrading.
Mac OS 8.6 computers should use AppleShare Client version 3.8.8.
Mac OS 8.1–8.5 clients should use AppleShare Client version 3.8.6.
Mac OS 8.1–8.6 client computers that have file server volumes mount automatically during startup should use AppleShare Client version 3.8.3 with the DHX UAM (User
Authentication Module) installed. The DHX UAM is included with the AppleShare
Client 3.8.3 installation software.
Chapter 11 Solving Problems 199
Users Relying on a Password Server Can’t Log In
If your network has a server with Mac OS X Server version 10.2, it could be configured to get authentication from an Open Directory Password Server hosted by another server. If the Password Server’s computer becomes disconnected from your network, for example because you unplug the cable from the computer’s Ethernet port, users whose passwords are validated using the Password Server can’t log in because its IP address isn’t accessible.
Users can log in to Mac OS X Server if you reconnect the Password Server’s computer to the network. Alternatively, while the Password Server’s computer is offline, users can log in with user accounts whose password type is crypt password or shadow password.
Users Can’t Log In With Accounts in a Shared Directory Domain
Users can’t log in using accounts in a shared directory domain if the server hosting the directory isn’t accessible. A server may become inaccessible due to a problem with the network, the server software, or the server hardware. Problems with the server hardware or software affect users trying to log in to Mac OS X computers and users trying to log in to the Windows domain of a Mac OS X Server PDC. Network problems may affect some users but not others, depending on where the network problem is.
Users with mobile user accounts can still log in to the Mac OS X computers they used previously. And users affected by these problems can log in by using a local user account defined on the computer, such as the user account created during initial setup after installing Mac OS X.
Users Can’t Access Their Home Directories
Make sure that users have access to the share point in which their home directories are located and to their home directories. Users need Read access to the share point and
Read & Write access to their home directories.
Users Can’t Change Their Passwords
Users who have accounts in the server’s LDAP directory with a password type of “crypt password” cannot change their passwords after logging in from a client computer with
Mac OS X version 10.3. These users can change their passwords if you use Workgroup
Manager’s Advanced pane to change their accounts’ User Password Type setting to
Open Directory. When you make this change, you must also enter a new password.
Then you should instruct users to log in using this new password and change it on the
Accounts pane of System Preferences.
200 Chapter 11 Solving Problems
A Mac OS X User in Shared NetInfo Domain Can’t Log In
This problem occurs when a user tries to log in to a Mac OS X computer using an account in a shared NetInfo domain, but the server hosting the domain isn’t accessible.
The user can log in to the Mac OS X computer by using the local user account created automatically when he or she set up the computer to use a NetInfo account. The user name defaults to “administrator” (short name defaults to “admin”) though both can be modified when the user ID and password is created at the time of account creation.
•
•
•
•
•
•
Users Can’t Authenticate Using Single Sign-On or Kerberos
When a user or service that uses Kerberos experiences authentication failures, try these remedies:
Kerberos authentication is based on encrypted time stamps. If there’s more than a 5 minute difference between the KDC, client, and service computers, authentication may fail. Make sure that the clocks for all computers are synchronized using the
Network Time Protocol (NTP) service of Mac OS X Server or another network time server. For information about the NTP service of Mac OS X Server, see the network services administration guide.
Make sure that Kerberos authentication is enabled for the service in question.
If a Kerberos server used for password validation is not available, reset the user’s password to use a server that is available.
Make sure that the server providing the Kerberized service has access to directory domains containing accounts for users who are authenticated using Kerberos. AFP, mail, and other Kerberized services of ProductName always have access to user accounts in the server’s local directory domain and its LDAP directory domain, if it has one. For information about configuring access to directory domains on other servers, see the Open Directory administration guide.
Refer to the KDC log (kdc.log) for information that can help you solve problems.
Incorrect setup information such as wrong configuration file names can be detected using the logs.
If users can’t authenticate using single sign-on or Kerberos for services provided by a server that is joined to an Open Directory master’s Kerberos domain, the server’s computer record might be incorrectly configured in the Open Directory master’s
LDAP directory. In particular, the server’s name in the computer list must be the server’s fully qualified DNS name, not just the server’s host name. For example, the name could be server2.example.com but not just server2.
To reconfigure a server’s computer record for single sign-on and Kerberos authentication:
1 Delete the server from the computer list in the LDAP directory.
2 Add the server to the computer list again.
3 Delegate authority again for joining the server to the Open Directory master’s Kerberos domain.
Chapter 11 Solving Problems 201
202
4 Rejoin the server to the Open Directory master for single sign-on and Kerberos authentication.
For detailed instructions, see “Adding Computers to an Existing Computer List” on
page 104, “Deleting Computers From a Computer List” on page 106, and the Open
Directory administration guide.
Solving Preference Management Problems
This section describes some problems you may encounter while using Workgroup
Manager to set up accounts or manage Mac OS X clients. It also provides troubleshooting tips and possible solutions. If your problem is not addressed here, you may want to check Workgroup Manager help or consult the Apple Service & Support website (www.apple.com/support/).
You Can’t Enforce Default Web Settings
If you manage Internet preferences using Workgroup Manager and set up a default web browser, a default home page or search page, or a specific location to store downloaded files, some applications may not accept these settings. You may need to set a default home page using the application’s own preference settings instead.
You Can’t Enforce Default Mail Settings
If you manage Internet preferences using Workgroup Manager and set up a default email reader, email address, or mail servers, some applications may not accept these settings. You may need to use the client computer’s email application’s own preference settings instead.
•
Users Don’t See a List of Workgroups at Login
•
If a user with a network account doesn’t see a list of workgroups at login:
The user may not be in a group or may be in only one group. Hold down the Option key during login to show the list of workgroups.
The user’s computer may not be in a computer list. Add the computer to a computer list or include it in the Guest Computers list.
•
•
If a user with a local account doesn’t see a list of workgroups at login:
The user’s computer may not have any workgroups assigned to it. Assign one or more groups to the computer list (or Guest Computers list) to which that computer belongs.
The user’s computer may not be in a computer list. Add the computer to a computer list or include it in the Guest Computers list.
Users Can’t Open Files
Ordinarily, when users double-click a file in the Finder, or choose a file to Open from the Finder’s File menu, an appropriate default application will open the file for them. If the user works in a managed environment, this method may not always work.
Chapter 11 Solving Problems
For example, suppose the default application for viewing PDF files is Preview. A user logs in and double-clicks a PDF file on his or her desktop. If the management settings that apply to that user don’t provide access to Preview, the file will not open. If the user has access to a different application that can handle PDF files, the user can open that application and then open the file.
To make sure commonly used applications are available to users, groups, or lists of computers, use Workgroup Manager to add the application to the list of permitted applications in the Applications pane of Preferences.
Users Can’t Add Printers to a Printer List
Users are able to add printers to the list of printers in Printer Setup Utility if you select
Always as the management setting for Printer preferences and select “Allow user to add printers to the printer list.” However, when a user tries to print a document from an application, any printer the user added doesn’t appear in the list of available printers.
In Workgroup Manager, an administrator can prohibit or make available any number of printers to specific users, groups, or lists of computers using the Printer List pane of
Printer preferences.
Note: If “Allow user to add printers to printer list” is not selected, an administrator password is required to add or remove printers in Printer Setup Utility.
Login Items Added by a User Don’t Open
In Workgroup Manager, you can use Login Items settings to specify items that open automatically when a user logs in. The set of items that open at login is a combination of items specified for the user, the computer being used, and the group chosen at login.
A user can add additional login items if allowed to do so. However, if you select Once as the management setting for Login Items, any items the user added will be removed the next time the user logs in. Afterward, the user may add additional login items if allowed to do so.
Items Placed in the Dock by a User Are Missing
In Workgroup Manager, you can use Dock Items settings to specify items that appear in a user’s Dock. The set of items in a user’s Dock is a combination of items specified for the user, the computer being used, and the group chosen at login.
A user can add additional items to his or her Dock if allowed to do so. However, if you select Once as the management setting for Dock Items, any items the user added will be removed the first time the user logs in. Afterward, users may still place additional items in the Dock if allowed to do so.
Chapter 11 Solving Problems 203
A User’s Dock Has Duplicate Items
When you use Workgroup Manager to set up the same Dock item preferences for more than one kind of account (user, group, or computer), a managed user’s Dock may contain duplicate items. For example, an application icon may appear more than once in the user’s Dock.
This behavior does not affect any Dock items; all of them work as expected when selected. You may be able to correct this behavior by removing Dock item settings from all affected accounts, then re-specifying them.
Users See a Question Mark in the Dock
You can use Workgroup Manager to control what items a user sees in his or her Dock.
Items in the Dock are actually aliases to original items stored elsewhere, such as on the computer’s hard disk or on a remote server. If the original items are located on a remote server and the user is not connected to that server, the corresponding Dock items will appear as question mark icons.
A user can click a question mark icon to reconnect to a server (the server prompts the user for a password if needed). Once connected to the server containing the original items, the user’s Dock icons will return to normal and open the appropriate item when clicked.
Users See a Message About an Unexpected Error
When you manage Classic preferences and try to use the Extensions Manager, File
Sharing, and Software Update control panels, you may see a message that says “The operation could not be completed. An unexpected error occurred (error code 1016).”
This message indicates that an administrator has restricted access to the item the user attempted to use, such as an application the user is not allowed to open.
Users are not allowed to access the control panels mentioned above when Classic preferences are managed. Users may also see the message if you have selected “Hide
Chooser and Network Browser” and they attempt to use the Chooser.
The message also appears when a user tries to open an unapproved application (one that is not listed in the Items pane of the Applications preference in Workgroup manager) in either the Classic environment or Mac OS X.
204 Chapter 11 Solving Problems
A
Importing and Exporting
Account Information
A
Appendix A provides guidelines for importing and exporting account information.
Several tools—Workgroup Manager and dsimport —are available to help you export and import accounts.
Understanding What You Can Export and Import
Mac OS X Server incorporates export functionality built into Workgroup Manager.
Exporting is now a two-steps process from any of the three Accounts panes in
Workgroup Manager: Users, Groups, and Computer Lists. You can export any information you are able to highlight within Workgroup Manager Accounts by selecting Server > Export. This includes one or more users from the Users pane, one or more groups from the Groups pane, or one or more computers or lists from the
Computer Lists pane of Accounts in Workgroup Manager.
The Open Directory administration guide lists numerous record types and their wellknown attributes and describes how to see and change the permitted attributes for each record type in a particular LDAP directory.
You can import all record types that are tracked in Workgroup Manager, including, but not limited to: users, groups, computer lists, computers, and so on. Starting in Mac OS X v10.4, you can even import partial attributes of individual records, such as UserName,
UserData, FirstName, MiddleName, LastName, AllNames, ENetAddress, NetDomains,
NetGroups, HostServices, People, Locations, SharePoints, and so on. You can also combine attributes from different records to import any set of information you are able to manually generate. You can use the dsimport tool to import any number of records from a flexible text delimited file that uses any of the attributes defined in this file:
/System/Library/Frameworks/DirectoryService.framework/Headers/DirServicesConst.h
205
206
The only attribute that a record must have is the record name.
Note: You will need to reset the password for user accounts whose password type is
Open Directory. Importing passwords generally works only if the password is stored as a text string in the import file, because the password format stored in standard password files cannot be recovered from the hash form in which it is stored.
•
•
•
The Open Directory administration guide describes how the user and group account attributes you can import vary depending upon the type of import file, such as:
XML files created with Mac OS X Server 10.1 or earlier
XML files created with AppleShare IP 6.3
Character-delimited files
You cannot use an import file to change these predefined users: daemon, root, nobody, unknown, or www. Nor can you use an import file to change these predefined groups: admin, bin, daemon, dialer, mail, network, nobody, nogroup, operator, staff, sys, tty unknown, utmp, uucp, wheel, or www. You can, however, add users to the wheel and admin groups.
Note: Passwords cannot be exported via Workgroup Manager or by any other method.
If you are importing user accounts from an exported file, remember to manually set the passwords or default the password attribute to a known value from which it can be changed later.
Using Workgroup Manager to Import Users and Groups
You can use Workgroup Manager to import user and group accounts into the LDAP directory of an Open Directory master or a NetInfo domain. When a file is imported,
Workgroup Manager identifies the record format automatically.
•
•
•
For information on creating files to import, see the following topics:
“Using XML Files Created With Mac OS X Server v10.1 or Earlier” on page 208
“Using XML Files Created With AppleShare IP 6.3” on page 209
“Using Character-Delimited Files” on page 209
To import accounts using Workgroup Manager:
1 Create a character-delimited or XML file containing the accounts to import, and place it in a location accessible from the server on which you will use Workgroup Manager. The
LDAP directory of an Open Directory master supports up to 100,000 records. For local
NetInfo databases, ensure the file contains no more than 10,000 records.
2 In Workgroup Manager, click Accounts, then click the globe icon below the toolbar and choose the directory domain into which you want to import accounts.
3 Click the lock to authenticate as domain administrator.
Appendix A Importing and Exporting Account Information
4 Optionally, you can define a user account preset in the server’s LDAP directory.
When you create a preset for importing user accounts, set up password options so that users are forced to change their passwords the next time they log in. This approach means you don’t have to specify individual passwords for each user in the export file or in Workgroup Manager after importing the users. To access password option settings,
click Advanced, then Options. See “Creating a Preset for User Accounts” on page 63.
5 You also have the option of defining a group account preset in the server's LDAP directory.
See “Creating a Preset for Group Accounts” on page 88.
6 Choose Import from the Server menu, then select the import file.
7 Select one of the Duplicate Handling options to indicate what to do when the short name of an account being imported matches that of an existing account.
“Overwrite existing record” overwrites any existing record in the directory domain.
“Ignore new record” ignores an account in the import file.
“Add to empty fields” merges data from the import file into the existing account when the data is for an attribute that currently has no value.
“Append to existing record” appends data to existing data for a particular multivalue attribute in the existing account. Duplicates are not created. This option might be used, for example, when importing new members into an existing group.
8 Optionally choose a user preset and/or group preset from the “Presets for Users” or the
“Presets for Groups” pop-up menus.
9 In the First User ID field, you have the option to enter the user ID at which to begin assigning user IDs to new user accounts for which the import file contains no user ID.
10 In the Primary Group ID field, you have the option to enter the group ID to assign to new user accounts for which the import file contains no primary group ID.
11 Click Import to start the import operation.
Using Workgroup Manager to Export Users and Groups
You can use Workgroup Manager to export user and group accounts from the LDAP directory of an Open Directory master or a NetInfo domain into a character-delimited file that you can import into a different NetInfo or LDAP domain.
To export accounts using Workgroup Manager:
1 In Workgroup Manager, click Accounts, then click the globe icon below the toolbar and choose the directory domain from which you want to export accounts.
2 Click the lock to authenticate as domain administrator.
3 Click the Users button to export users or the Groups button to export groups.
Appendix A Importing and Exporting Account Information 207
208
4 To export all accounts listed, select all of them. To export a specific account, select it. To export multiple accounts, select them while holding down the Command or Shift key.
5 Choose Export from the Server menu.
6 Specify the name to assign to the export file and the location where you want it created.
7 Click Export.
Using dsimport to Import Users and Groups
You can use the dsimport
command-line tool to import user and group accounts into a directory. dsimport permits logging at three levels with the -l switch. See the man page for instructions, or the command-line administration guide.
Using XML Files Created With Mac OS X Server v10.1 or
Earlier
You can use Server Admin to create an export file from Mac OS X Server versions 10.1 or earlier, and import that file into the LDAP directory of an Open Directory master or a
NetInfo domain using Workgroup Manager or dsimport .
•
•
•
•
•
•
•
•
•
•
•
The following user account attributes are exported into these XML files. Attributes in angle brackets (<>) are required and will generate an error if absent when you use the file as an import file: indication of whether user can log in indication of whether user is a server administrator
<User ID>
<primary group ID> shell comment
<short name>
<long name>
<password format> and <password text>
Apple mail data ara (Apple Remote Access; this data is ignored)
•
•
•
•
The following group account attributes might be present in these XML files:
<group name>
<group ID>
<one member’s short name> other members’ short names
Appendix A Importing and Exporting Account Information
Using XML Files Created With AppleShare IP 6.3
You can use the Web & File Admin application to create an export file on an AppleShare
IP 6.3 server and import that file into the LDAP directory of an Open Directory master or a NetInfo domain using Workgroup Manager or dsimport
.
•
•
•
•
•
•
The following user account attributes are exported into these XML files. Attributes in angle brackets (<>) are required and will generate an error if absent when you use the
• file as an import file:
<name> (mapped to a long name) inetAlias (mapped to a short name) comment indication of whether user can log in
<password format> and <password text>
Apple mail data indicator for whether the user is a server administrator, password change data, and indicator for forcing a password to change (this data is ignored)
The dsimport
tool generates user IDs when you import this XML file, using the
-s parameter to determine the user ID to start with and incrementing each subsequently imported account’s user ID by one. It generates primary group IDs using the
-r parameter. When you import using Workgroup Manager, user IDs and primary group
IDs are generated as you indicate in the dialog provided.
•
•
•
The following group account attributes might be present in these XML files:
<group name>
<one member’s short name> other members’ short names dsimport generates group IDs when you import this XML file, using the -r parameter to determine the group ID to start with and incrementing each subsequently imported group’s ID by one. When you import using Workgroup Manager, group IDs are generated using the information you provide for primary group IDs in the import dialog.
Using Character-Delimited Files
You can create a character-delimited file by using Workgroup Manager or dsimport
to export accounts in the LDAP directory of an Open Directory master or a NetInfo domain into a file. You can also create a character-delimited file by hand or by using a database or spreadsheet application.
Appendix A Importing and Exporting Account Information 209
210
•
•
The first record in the file must characterize the format of each account in the file.
•
There are three options:
Write a full record description.
Use the shorthand “StandardUserRecord.”
Use the shorthand “StandardGroupRecord.”
The other records in the file describe user or group accounts, encoded in the format described by the first record.
Writing a Record Description
A record description identifies the fields in each record you want to import from a
•
•
•
•
•
•
• character-delimited file; it indicates how records, fields, and values are separated; and it describes the escape character that precedes special characters in a record. Encode the record description using the following elements in the order specified, separating them using a space:
End-of-record indicator (in hex notation)
Escape character (in hex notation)
Field separator (in hex notation)
Value separator (in hex notation)
Type of accounts in the file (dsRecTypeStandard:Users or dsRecTypeStandard:Groups)
Number of attributes per account
List of attributes
•
•
•
•
•
For user accounts, the list of attributes must have a record name and should include
• the following in order to be complete:
RecordName (the user’s short name)
RealName (the user’s long name)
NFSHomeDirectory
Password
UniqueID (the User ID) 1
•
•
•
In addition, you can include:
UserShell (the default shell)
NFSHomeDirectory (the path to the user’s home directory on the user’s computer)
Other user data types described in the Open Directory administration guide
•
•
•
For group accounts, the list of attributes must include:
RecordName (the group name)
PrimaryGroupID (the group ID)
GroupMembership
1.
You can omit these if you specify a starting user ID and a default primary group ID when you import the file.
Appendix A Importing and Exporting Account Information
Here is an example of a record description:
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 7
RecordName Password UniqueID PrimaryGroupID
RealName NFSHomeDirectory UserShell
Here is an example of a record encoded using the description: jim:Adl47E$:408:20:J. Smith, Jr., M.D.:/Network/Servers/somemac/
Homes/jim:/bin/csh
The record consists of values, delimited by colons. Use a double colon (::) to indicate a value is missing.
When importing user passwords, you can insert the following in the list of attributes to set the user’s password type to Open Directory: dsAttrTypeStandard:AuthMethod
The method for setting an imported user’s password type to Open Directory requires that the imported data actually have a password value. If the password value is missing for a user, then the corresponding user record will be created with a password type of crypt or shadow password.
Then insert the following in the formatted record (in this example, the user ‘s password is “password”): dsAuthMethodStandard\:dsAuthClearText:password
Note: In this example, the colon (:) is the field separator. Because there is a colon in the description for this attribute, the escape character must be used to indicate the colon should not be treated as a delimiter. The backslash ( \ ) is the escape character in this example. If the field separator is anything other than the colon, the escape character is not needed.
This is an example of a header from a standard users import file with users who use the
Password Server. It must be typed as one line of text in which the elements are separated by spaces and without line breaks, as presented here. Although your browser will wrap the text for presentation, you can see that it contains no line breaks if you copy and paste it into a text editor that has wrapping turned off:
0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 8 dsAttrTypeStandard:RecordName dsAttrTypeStandard:AuthMethod dsAttrTypeStandard:Password dsAttrTypeStandard:UniqueID dsAttrTypeStandard:PrimaryGroupID dsAttrTypeStandard:Comment dsAttrTypeStandard:RealName dsAttrTypeStandard:UserShell
Appendix A Importing and Exporting Account Information 211
This is an example of a formatted record with the following attributes and values:
<Attribute>: <Value>
Record Name (short name): tuser
Authentication Method: dsAuthClearText
Password: password1
Unique ID: 1242
Primary Group ID: 20
Comment: <blank>
Real Name (long name): Terri User
User Shell: /bin/tcsh tuser:dsAuthMethodStandard\:dsAuthClearText:password1:1242:20::Tom
User:/bin/tcsh
Note: This example also uses the colon (:) as the field separator and the backslash (\) as the escape character.
As these examples illustrate, you can use the prefix dsAttrTypeStandard: when referring to an attribute, or you can omit the prefix. When you use Workgroup Manager to export character-delimited files, it uses the prefix in the generated file.
212 Appendix A Importing and Exporting Account Information
B
ACL Permissions and Group
Memberships Using GUID
B
Mac OS X Server version 10.4 introduces a new user and group attribute for determining file system permissions and group membership.
•
•
Mac OS X version 10.4 departs from the historical UNIX practices of:
Basing file system permissions only on the UID and GID attributes
Basing group membership on the user short name
This departure allows Mac OS X version 10.4 to augment standard POSIX file system permissions with access control lists (ACLs). It also allows Mac OS X version 10.4 to maintain group memberships when user short names are changed and to support nested group membership.
This improvement in functionality does not remove or change POSIX permissions, nor does it affect interoperability of Mac OS X with legacy UNIX systems or other operating systems.
Important: After upgrading or migrating your server to Mac OS X Server version 10.4, it is highly advisable to create a new backup by exporting existing user and group accounts, which now have GUID attributes. If you need to restore user or group accounts in the future, this new export file will enable you to import the users and groups with their GUIDs intact.
Understanding GUIDs
Beginning with Mac OS X version 10.4, a universal ID called a globally unique identifier
(GUID, pronounced GOO-id) provides user and group identity for ACL permissions. The
GUID also associates a user with group and nested group memberships.
The administration tools in Mac OS X Server version 10.2 and later automatically assign a new GUID to every new user account and to every user account that’s imported, but
Mac OS X version 10.4 is the first version to use GUIDs and to include GUIDs in export files. The GUID is a hidden attribute. To view the GUID attribute, use Inspector in
Workgroup Manager.
213
214
Now, two users can have identical long name, short name, UID, and GID, but will have different GUIDs. Thus they can have different ACL permissions and can belong to different groups. Since the GUID is a 128-bit value, duplicate GUIDs are extremely unlikely.
As an administrator you must now make sure you can restore user accounts with GUIDs intact. Restoring user accounts with UID, GID, and short name but no GUID will not restore ACL permissions or group membership in Mac OS X version 10.4 or later.
ACLs Augment POSIX Permissions
An ACL is a list of access control entries (ACEs), each specifying permissions to be granted or denied to a user or group for accessing a folder and its contents. An ACL also specifies how its permissions propagate through a folder hierarchy. You can set
ACL permissions in addition to standard POSIX permissions.
Every file and folder always has POSIX permissions. Unless an administrator assigns ACL permissions, the POSIX permissions continue to determine user access in a Mac OS X v10.4 system. If you assign ACL permissions, they take precedence over the standard
POSIX permissions. For more information about ACL and POSIX permissions, review the file services guide.
GUIDs and Groups
Mac OS X version 10.4 verifies group and nested group membership by checking
GUIDs. A group’s GUID is also used by file system ACLs and is stored on disk in the ACE.
The legacy user short name is used only if there’s no GUID present in the group record.
File Permissions and Synchronization
Having the same POSIX permissions for files synchronized between two computers requires having the same UID on both machines. Having the same ACL permissions on both computers requires matching GUIDs as well. This can be done using Workgroup
Manager or command-line directory editing tools, or simply by having both machines share the same directory.
Portable Home Directories (PHDs) rely on a user having the same GUID in the local user account on the user’s computer and in the network user account on an Open Directory server. This ensures that file permissions are the same whether the user logs in using the local user account (while disconnected from the network) or the network user account.
For information about GUID implementation across directories refer to the Open
Directory admin guide.
Appendix B ACL Permissions and Group Memberships Using GUID
SIDs and Windows Interoperability
Security identifiers (SIDs) for Windows systems have similar functions to GUIDs on Mac
OS X systems. Every time Mac OS X assigns a GUID to a process or a file, a SID is assigned as well. This allows Mac OS X systems to work seamlessly across Windows systems.
Importing and Exporting Users
Having an export file that contains a GUID for every user and group enables you to quickly restore users and groups with file permissions and group memberships unchanged. The GUID attribute is automatically included when you export user records from Workgroup Manager or the command line in Mac OS X Server version 10.4.
If you lose user accounts and create new accounts with the same UID, GID, and short names as the lost accounts, the replacement accounts will have new GUIDs assigned. A user’s new GUID won’t match the previous GUID, so the user won’t retain prior ACL permissions or group memberships. Similarly, If you import users or groups from a file that doesn’t include the GUID attribute, Mac OS X Server will assign new GUIDs to every imported user and group.
Appendix B ACL Permissions and Group Memberships Using GUID 215
216 Appendix B ACL Permissions and Group Memberships Using GUID
Glossary
This glossary defines terms and spells out abbreviations you may encounter while working with online help or the various reference manuals for Mac OS X Server.
References to terms defined elsewhere in the glossary appear in italics.
administrator A user with server or directory domain administration privileges.
Administrators are always members of the predefined “admin” group.
administrator computer A Mac OS X computer onto which you’ve installed the server administration applications from the Mac OS X Server Admin CD.
AFP Apple Filing Protocol. A client/server protocol used by Apple file service on
Macintosh-compatible computers to share files and network services. AFP uses TCP/IP and other protocols to communicate between computers on a network.
authentication authority attribute A value that identifies the password validation scheme specified for a user and provides additional information as required.
BIND Berkeley Internet Name Domain. The program included with Mac OS X Server that implements DNS. The program is also called the name daemon, or named, when the program is running.
boot ROM Low-level instructions used by a computer in the first stages of starting up.
BSD Berkeley System Distribution. A version of UNIX on which Mac OS X software is based.
canonical name The “real” name of a server when you’ve given it a “nickname” or alias.
For example, mail.apple.com might have a canonical name of MailSrv473.apple.com.
CGI Common Gateway Interface. A script or program that adds dynamic functions to a website. A CGI sends information back and forth between a website and an application that provides a service for the site.
child A computer that gets configuration information from the shared directory domain of a parent.
computer account See computer list.
217
218
computer list A list of computers that have the same preference settings and are available to the same users and groups.
DHCP Dynamic Host Configuration Protocol. A protocol used to dynamically distribute
IP addresses to client computers. Each time a client computer starts up, the protocol looks for a DHCP server and then requests an IP address from the DHCP server it finds.
The DHCP server checks for an available IP address and sends it to the client computer along with a lease period—the length of time the client computer may use the address.
directory domain A specialized database that stores authoritative information about users and network resources; the information is needed by system software and applications. The database is optimized to handle many requests for information and to find and retrieve information quickly. Also called a directory node or simply a directory.
directory domain hierarchy A way of organizing local and shared directory domains. A hierarchy has an inverted tree structure, with a root domain at the top and local domains at the bottom.
directory node See directory domain.
directory services Services that provide system software and applications with uniform access to directory domains and other sources of information about users and resources.
disk image A file that, when opened, creates an icon on a Mac OS desktop that looks and acts like an actual disk or volume. Using NetBoot, client computers can start up over the network from a server-based disk image that contains system software. Disk image files have a filename extension of either .img or .dmg. The two image formats are similar and are represented with the same icon in the Finder. The .dmg format cannot be used on computers running Mac OS 9.
DNS Domain Name System. A distributed database that maps IP addresses to domain names. A DNS server, also known as a name server, keeps a list of names and the IP addresses associated with each name.
drop box A shared folder with privileges that allow other users to write to, but not read, the folder’s contents. Only the owner has full access. Drop boxes should be created only using AFP. When a folder is shared using AFP, the ownership of an item written to the folder is automatically transferred to the owner of the folder, thus giving the owner of a drop box full access to and control over items put into it.
dynamic IP address An IP address that’s assigned for a limited period of time or until the client computer no longer needs it.
everyone Any user who can log in to a file server: a registered user or guest, an anonymous FTP user, or a website visitor.
Glossary
export In the Network File System (NFS), a way of sharing a directory with clients on a network. TBD for RAID context.
filter A “screening” method used to control access to a server. A filter is made up of an
IP address and a subnet mask, and sometimes a port number and access type. The IP address and the subnet mask together determine the range of IP addresses to which the filter applies.
firewall Software that protects the network applications running on your server. IP firewall service, which is part of Mac OS X Server software, scans incoming IP packets and rejects or accepts these packets based on a set of filters you create.
FTP File Transfer Protocol. A protocol that allows computers to transfer files over a network. FTP clients using any operating system that supports FTP can connect to a file server and download files, depending on their access privileges. Most Internet browsers and a number of freeware applications can be used to access an FTP server.
full name See long name.
group A collection of users who have similar needs. Groups simplify the administration of shared resources.
group folder A directory that organizes documents and applications of special interest to group members and allows group members to pass information back and forth among themselves.
guest computer An unknown computer that isn’t included in a computer list on your server.
guest user A user who can log in to your server without a user name or password.
home directory A folder for a user’s personal use. Mac OS X also uses the home directory, for example, to store system preferences and managed user settings for
Mac OS X users.
HTML Hypertext Markup Language. The set of symbols or codes inserted in a file to be displayed on a World Wide Web browser page. The markup tells the web browser how to display a webpage’s words and images for the user.
HTTP Hypertext Transfer Protocol. The client/server protocol for the World Wide Web.
The HTTP protocol provides a way for a web browser to access a web server and request hypermedia documents created using HTML.
IANA Internet Assigned Numbers Authority. An organization responsible for allocating
IP addresses, assigning protocol parameters, and managing domain names.
Glossary 219
220
ICMP Internet Control Message Protocol. A message control and error-reporting protocol used between host servers and gateways. For example, some Internet software applications use ICMP to send a packet on a round-trip between two hosts to determine round-trip times and discover problems on the network.
idle user A user who is connected to the server but hasn’t used the server volume for a period of time.
IGMP Internet Group Management Protocol. An Internet protocol used by hosts and routers to send packets to lists of hosts that want to participate in a process known as multicasting. QuickTime Streaming Server (QTSS) uses multicast addressing, as does
Service Location Protocol (SLP).
IMAP Internet Message Access Protocol. A client-server mail protocol that allows users to store their mail on the mail server rather than download it to the local computer.
Mail remains on the server until the user deletes it.
IP Internet Protocol. Also known as IPv4. A method used with Transmission Control
Protocol (TCP) to send data between computers over a local network or the Internet. IP delivers packets of data, while TCP keeps track of data packets.
IP subnet A portion of an IP network, which may be a physically independent network segment, that shares a network address with other portions of the network and is identified by a subnet number.
ISP Internet service provider. A business that sells Internet access and often provides web hosting for ecommerce applications as well as mail services.
Kerberos A secure network authentication system. Kerberos uses tickets, which are issued for a specific user, service, and period of time. Once a user is authenticated, it’s possible to access additional services without retyping a password (this is called single sign-on) for services that have been configured to take Kerberos tickets. Mac OS X
Server uses Kerberos v5.
Kerberos realm The authentication domain comprising the users and services that are registered with the same Kerberos server. The registered services and users trust the
Kerberos server to verify each other’s identities.
LDAP Lightweight Directory Access Protocol. A standard client-server protocol for accessing a directory domain.
lease period A limited period of time during which IP addresses are assigned. By using short leases, DHCP can reassign IP addresses on networks that have more computers than available IP addresses.
load balancing The process of distributing client computers’ requests for network services across multiple servers to optimize performance.
Glossary
local domain A directory domain that can be accessed only by the computer on which it resides.
local home directory A home directory that resides on disk on the computer a user is logged in to. It’s accessible only by logging directly in to the computer where it resides unless you log in to the computer using SSH.
local hostname A name that designates a computer on a local subnet. It can be used without a global DNS system to resolve names to IP addresses. It consists of lowercase letters, numbers, or hyphens (except as the last characters), and ends with “.local” (for example, bills-computer.local). Although the name is derived by default from the computer name, a user can specify this name in the Network pane of System
Preferences. It can be changed easily, and can be used anywhere a DNS name or fully qualified domain name is used. It can only resolve on the same subnet as the computer using it.
long name The long form of a user or group name. See also user name.
LPR Line Printer Remote. A standard protocol for printing over TCP/IP.
mail host The computer that provides your mail service.
managed client A user, group, or computer whose access privileges and/or preferences are under administrative control.
managed network The items managed clients are allowed to “see” when they click the
Network icon in a Finder window. Administrators control this setting using Workgroup
Manager. Also called a “network view.”
managed preferences System or application preferences that are under administrative control. Workgroup Manager allows administrators to control settings for certain system preferences for Mac OS X managed clients.
MBONE Multicast backbone. A virtual network that supports IP multicasting. An
MBONE network uses the same physical media as the Internet, but is designed to repackage multicast data packets so they appear to be unicast data packets.
MIB Management information base. A virtual database that allows a device to be monitored using SNMP applications.
MIME Multipurpose Internet Mail Extensions. An Internet standard for specifying how a web browser handles a file with certain characteristics. A file’s suffix describes its type.
You determine how the server responds when it receives files with certain suffixes.
Each suffix and its associated response make up a MIME type mapping.
Glossary 221
222
MTA Mail Transfer Agent. A mail service that sends outgoing mail, receives incoming mail for local recipients, and forwards incoming mail of nonlocal recipients to other
MTAs.
multicast DNS A protocol developed by Apple for automatic discovery of computers, devices, and services on IP networks. This proposed Internet standard protocol is sometimes referred to as “ZeroConf.” For more information, visit www.apple.com or www.zeroconf.org. To see how this protocol is used in Mac OS X Server, see local
hostname.
multihoming The ability to support multiple network connections. When more than one connection is available, Mac OS X selects the best connection according to the order specified in Network preferences.
MX record Mail exchange record. An entry in a DNS table that specifies which computer manages mail for an Internet domain. When a mail server has mail to deliver to an Internet domain, the mail server requests the MX record for the domain. The server sends the mail to the computer specified in the MX record.
name server A server on a network that keeps a list of names and the IP addresses associated with each name. See also DNS, WINS.
NetBIOS Network Basic Input/Output System. A program that allows applications on different computers to communicate within a local area network.
NetBoot server A Mac OS X server on which you’ve installed NetBoot software and have configured to allow clients to start up from disk images on the server.
NetInfo One of the Apple protocols for accessing a directory domain.
NFS Network File System. A client/server protocol that uses Internet Protocol (IP) to allow remote users to access files as though they were local. NFS exports shared volumes to computers according to IP address, rather than user name and password.
nfsd daemon An NFS server process that runs continuously behind the scenes and processes read and write requests from clients. The more daemons that are available, the more concurrent clients can be served.
Open Directory The Apple directory services architecture, which can access authoritative information about users and network resources from directory domains that use LDAP, NetInfo, or Active Directory protocols; BSD configuration files; and network services.
Open Directory master A server that provides LDAP directory service, Kerberos authentication service, and Open Directory Password Server.
Glossary
open relay A server that receives and automatically forwards mail to another server.
Junk mail senders exploit open relay servers to avoid having their own mail servers blacklisted as sources of junk mail.
ORBS Open Relay Behavior-modification System. An Internet service that blacklists mail servers known to be or suspected of being open relays for senders of junk mail.
ORBS servers are also known as “black-hole” servers.
owner The owner of an item can set Read & Write, Read only, or No Access permissions for Owner; Group; and Others. The owner also can assign ownership of an item to another user, and Group privileges to another group. By default the owner has Read &
Write permissions.
parent A computer whose shared directory domain provides configuration information to another computer.
PHP PHP Hypertext Preprocessor (originally Personal Home Page). A scripting language embedded in HTML that’s used to create dynamic webpages.
POP Post Office Protocol. A protocol for retrieving incoming mail. After a user retrieves
POP mail, it’s stored on the user’s computer and is usually deleted automatically from the mail server.
predefined accounts User accounts that are created automatically when you install
Mac OS X. Some group accounts are also predefined.
preferences cache A storage place for computer preferences and preferences for groups associated with that computer. Cached preferences help you manage local user accounts on portable computers.
presets Initial default attributes you specify for new accounts you create using
Workgroup Manager. You can use presets only during account creation.
primary group A user’s default group. The file system uses the ID of the primary group when a user accesses a file he or she doesn’t own.
primary group ID A unique number that identifies a primary group.
print queue An orderly waiting area where print jobs wait until a printer is available.
The print service in Mac OS X Server uses print queues on the server to facilitate management.
privileges The right to access restricted areas of a system or perform certain tasks
(such as management tasks) in the system.
proxy server A server that sits between a client application, such as a web browser, and a real server. The proxy server intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.
Glossary 223
224
QTSS QuickTime Streaming Server. A technology that lets you deliver media over the
Internet in real time.
realm Definition TBD; general term with multiple applications. See WebDAV realm,
Kerberos realm.
relay In QuickTime Streaming Server, a relay receives an incoming stream and then forwards that stream to one or more streaming servers. Relays can reduce Internet bandwidth consumption and are useful for broadcasts with numerous viewers in different locations. In Internet mail terms, a relay is a mail SMTP server that sends incoming mail to another SMTP server, but not to its final destination.
relay point See open relay.
RTSP Real Time Streaming Protocol. An application-level protocol for controlling the delivery of data with real-time properties. RTSP provides an extensible framework to enable controlled, on-demand delivery of real-time data, such as audio and video.
Sources of data can include both live data feeds and stored clips.
RTP Real-Time Transport Protocol. An end-to-end network-transport protocol suitable for applications transmitting real-time data (such as audio, video, or simulation data) over multicast or unicast network services.
scope A group of services. A scope can be a logical grouping of computers, such as all computers used by the production department, or a physical grouping, such as all computers located on the first floor. You can define a scope as part or all of your network.
SDP Session Description Protocol. A text file used with QuickTime Streaming Server that provides information about the format, timing, and authorship of a live streaming broadcast and gives the user’s computer instructions for tuning in.
search path See search policy.
search policy A list of directory domains searched by a Mac OS X computer when it needs configuration information; also the order in which domains are searched.
Sometimes called a search path.
shadow image A file created by the NetBoot daemon process for each NetBooted client where applications running on the client can write temporary data.
share point A folder, hard disk (or hard disk partition), or CD that’s accessible over the network. A share point is the point of access at the top level of a group of shared items.
Share points can be shared using AFP, Windows SMB, NFS (an “export”), or FTP protocols.
Glossary
short name An abbreviated name for a user. The short name is used by Mac OS X for home directories, authentication, and email addresses.
Simplified Finder A user environment featuring panels and large icons that provide novice users with an easy-to-navigate interface. Mounted volumes or media to which users are allowed access appear on panels instead of on the standard desktop.
SLP DA Service Location Protocol Directory Agent. A protocol that registers services available on a network and gives users easy access to them. When a service is added to the network, the service uses SLP to register itself on the network. SLP/DA uses a centralized repository for registered network services.
SMB/CIFS Server Message Block/Common Internet File System. A protocol that allows client computers to access files and network services. It can be used over TCP/IP, the
Internet, and other network protocols. Windows services use SMB/CIFS to provide access to servers, printers, and other network resources.
SMTP Simple Mail Transfer Protocol. A protocol used to send and transfer mail. Its ability to queue incoming messages is limited, so SMTP usually is used only to send mail, and POP or IMAP is used to receive mail.
SNMP Simple Network Management Protocol. A set of standard protocols used to manage and monitor multiplatform computer network devices.
spam Unsolicited email; junk mail.
SSL Secure Sockets Layer. An Internet protocol that allows you to send encrypted, authenticated information across the Internet. More recent versions of SSL are known as TLS (Transport Level Security).
static IP address An IP address that’s assigned to a computer or device once and is never changed.
subnet A grouping on the same network of client computers that are organized by location (different floors of a building, for example) or by usage (all eighth-grade students, for example). The use of subnets simplifies administration. See also IP subnet.
system-less client A computer that doesn’t have an operating system installed on its local hard disk. System-less computers can start up from a disk image on a NetBoot server.
TCP Transmission Control Protocol. A method used along with the Internet Protocol
(IP) to send data in the form of message units between computers over the Internet. IP takes care of handling the actual delivery of the data, and TCP takes care of keeping track of the individual units of data (called packets) into which a message is divided for efficient routing through the Internet.
Glossary 225
226
Tomcat The official reference implementation for Java Servlet 2.2 and JavaServer Pages
1.1, two complementary technologies developed under the Java Community Process.
TTL Time-to-live. The specified length of time that DNS information is stored in a cache. When a domain name-IP address pair has been cached longer than the TTL value, the entry is deleted from the name server’s cache (but not from the primary DNS server).
UDP User Datagram Protocol. A communications method that uses the Internet
Protocol (IP) to send a data unit (called a datagram) from one computer to another in a network. Network applications that have very small data units to exchange may use
UDP rather than TCP.
UID User ID. A number that uniquely identifies a user within a file system. Mac OS X computers use the UID to keep track of a user’s directory and file ownership.
Unicode A standard that assigns a unique number to every character, regardless of language or the operating system used to display the language.
URL Uniform Resource Locator. The address of a computer, file, or resource that can be accessed on a local network or the Internet. The URL is made up of the name of the protocol needed to access the resource, a domain name that identifies a specific computer on the Internet, and a hierarchical description of a file location on the computer.
USB Universal Serial Bus. A standard for communicating between a computer and external peripherals using an inexpensive direct-connect cable.
user name The long name for a user, sometimes referred to as the user’s “real” name.
See also short name.
user profile The set of personal desktop and preference settings that Windows saves for a user and applies each time the user logs in.
virtual user An alternate email address (short name) for a user. Similar to an alias, but it involves creating another user account.
VPN Virtual Private Network. A network that uses encryption and other technologies to provide secure communications over a public network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or by routers.
WebDAV Web-based Distributed Authoring and Versioning. A live authoring environment that allows client users to check out webpages, make changes, and then check the pages back in while a site is running.
Glossary
WebDAV realm A region of a website, usually a folder or directory, that’s defined to provide access for WebDAV users and groups.
wildcard A range of possible values for any segment of an IP address.
WINS Windows Internet Naming Service. A name resolution service used by Windows computers to match client names with IP addresses. A WINS server can be located on the local network or externally on the Internet.
workgroup A set of users for whom you define preferences and privileges as a group.
Any preferences you define for a group are stored in the group account.
Glossary 227
228 Glossary
Index
A
access
to group folders (adding a Dock item) 149
to group share point 166 to home directory 166
to menu items (Restart, Shut Down) 160
accounts
finding specific 45 refreshing the list of 45
See also user accounts, group accounts, computer lists, guest accounts 34
addresses
AFP (Apple Filing Protocol)
setting up share points using 119
applications
authentication
B
C
client management, Mac OS X
comments
computer lists
deleting 106 deleting computers from 106
switching computers between 105
computers
D
data
adding personal information for users 14
desktop
appearance of desktop items 160
Dock
domain administrator account 33
dsimport
importing users and groups 208 import parameters 208
duplicating settings See presets
E
Energy Saver preferences 151–154
229
230
extensions
F
finding
folders
G
group accounts
defining a user’s primary group 77
seeing which a user belongs to 79
group folders
making accessible to multiple groups 98
setting up 93 specifying no group folder 93
H
home directories
Index
specifying no home directory 113
I
importing and exporting
creating character-delimited files 209 creating XML files using AppleShare IP 209
creating XML files using Server Admin 208
K
Kerberos
L
logging in
solving problems 199, 200, 201
M
Mac OS X Server
managed preferences
menus
controlling access (Classic) 146
N
names
NFS (Network File System)
setting up share points using 120
O
Open Directory passwords
P
permissions 25–30, 48, 62, 70–78, 90, 95, 114, 171
phone numbers
portable computers
preference cache
preference management, Mac OS X
Classic Advanced preferences 144
Media Access Disk Media settings 170
Media Access Other Media settings 170
Printing Printer List settings 173
Universal Access preference 177
presets
printing
privileges
directory domain administrator 73
R
resources
S
server administrators
server management
startup and shutdown settings 154
synchronizing
System Folder
T
troubleshooting 197–204 users and groups 197
U
Universal Access preferences 177–181
UNIX tools
user accounts
user data
user preferences
users and groups
W
Index 231
wireless service
Workgroup Manager
exporting users and groups in 207
importing users and groups in 206
workgroups
232 Index
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement