Mac OS X Server User Management For Version 10.
Apple Inc. © 2007 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.
Contents

Preface: About This Guide
  What’s New in Workgroup Manager
  What’s in This Guide
  Using Onscreen Help
  Mac OS X Server Administration Guides
  Viewing PDF Guides Onscreen
  Printing PDF Guides
  Getting Documentation Updates
  Getting Additional Information

Chapter 1: User Management Overview
  Tools for User Management
  Workgroup Manager
  Server Admin
  Server Preferences
  NetBoot
  NetInstall
  Command-Line Tools
  Accounts
  Administrator

Chapter 2 (entries from mid-chapter)
  Identifying Directory Services Requirements
  Determining Server and Storage Requirements
  Choosing a Home Folder Structure
  Devising a Home Folder Distribution Strategy
  Identifying Groups
  Determining Administrator Requirements

Chapter 3: Getting Started with Workgroup Manager
  Configuring the Administrator’s Computer and Account
  Setting Up an Administrator Computer
  Creating a Domain Administrator Account
  Using Workgroup Ma

Chapter 4 (entries from mid-chapter)
  Working with Presets
  Creating a Preset for User Accounts
  Using Presets to Create Accounts
  Renaming Presets
  Editing Presets
  Deleting a Preset
  Working with Basic Settings
  Modifying User Names
  Modifying Short Names
  Choosing Stable Short Names
  Avoiding Duplicate Names
  Modifying User IDs
  Assigning a Password to a User
  Assigning Administrator Privileges for a Server
  Choosing a User’s Login P
  Resetting a User’s Print Quota
  Disabling a User’s Access to Print Queues That Enforce Quotas
  Working with Info Settings
  Working with Windows Settings
  Changing a Windows User’s Profile Location
  Changing a Windows User’s Login Script Location
  Changing a Windows User’s Home Folder Drive Letter
  Changing a Windows User’s Home Folder Location
  Working with GUIDs
  Viewing GUIDs

Chapter 5: Setting Up Gr

Chapter 6 (entries from mid-chapter)
  About Computer Groups
  Differences Between Computer Groups and Computer Lists
  Administering Computer Groups
  Creating a Computer Group
  Creating a Preset for Computer Groups
  Using a Computer Group Preset
  Adding Computers or Computer Groups to a Computer Group
  Removing Computers and Computer Groups from a Computer Group
  Deleting a Computer Group
  Upgrading Computer Lists to Computer Groups

Chapter 7

Chapter 8 (entries from mid-chapter)
  Considerations for Using Mobile Accounts
  Strategies for Syncing Content
  Setting Up Mobile Accounts for Use on Portable Computers
  Configuring Portable Computers
  Managing Mobile Clients Without Using Mobile Accounts
  Unknown Mac OS X Portable Computers
  Using Mac OS X Portable Computers with One Primary Local User
  Using Mac OS X Portable Computers with Multiple Users
  Securing Mobile Clients
  Optimizing the File Server for Mobile Accounts

Chapter 9

Chapter 10 (entries from mid-chapter)
  Adjusting Classic Sleep Settings
  Maintaining Consistent User Preferences for Classic
  Managing Dock Preferences
  Controlling the User’s Dock
  Providing Easy Access to Group Folders
  Adding Items to a User’s Dock
  Preventing Users from Adding or Deleting Dock Items
  Managing Energy Saver Preferences
  Using Sleep and Wake Settings for Desktop Computers
  S
  Creating a Mobile Account
  Preventing the Creation of a Mobile Account
  Manually Removing Mobile Accounts from Computers
  Enabling FileVault for Mobile Accounts
  Selecting the Location of a Mobile Account
  Creating External Accounts
  Setting Expiration Periods for Mobile Accounts
  Choosing Folders to Sync at Login and Logout, or in the Background
  S
  Adding to the Preference Editor’s List
  Editing Application Preferences with the Preference Editor
  Removing an Application’s Managed Preferences in the Preference Editor
  Using the Preference Editor to Manage Core Services
  Using the Preference Editor to Manage Safari

Chapter 11: Solving Problems
  Diagnosing Common Network Issues
  Testing Your Network’s

Appendix: Importing and Exporting Account Information
  Understanding What You Can Import and Export
  Limitations for Importing and Exporting Passwords
  Maintaining GUIDs When Importing from Earlier Versions of Mac OS X Server
  Archiving the Open Directory Master
  Using Workgroup Manager to Import Accounts
  Using Workgroup Manager to Export Accounts
  Using XML Files Created with Mac OS X Server v10.

Glossary

Index
Preface

About This Guide

This guide explains how to use Workgroup Manager to set up and manage accounts and preferences for clients. Mac OS X Server includes Workgroup Manager, a user management tool you can use to create and manage accounts. When managing accounts, you can define core account settings like name, password, home folder location, and group membership.
You can enable these features by managing Mobility preferences. For more information, see Chapter 8, “Managing Portable Computers.”

• New managed preferences. Preferences now let you manage Parental Controls, Dashboard, Front Row, and Time Machine. Existing preferences have been enhanced, using embedded and detached signatures to prevent the launching of unapproved applications, giving you more control over the login window, and letting you create page footers on printed documents.
Using Onscreen Help

You can get task instructions onscreen in the Help Viewer application while you’re managing Leopard Server. You can view help on a server or an administrator computer. (An administrator computer is a Mac OS X computer with Leopard Server administration software installed on it.)

To get help for an advanced configuration of Leopard Server:
• Open Server Admin or Workgroup Manager and then:
  • Use the Help menu to search for a task you want to perform.
Mac OS X Server Administration Guides

Getting Started covers installation and setup for standard and workgroup configurations of Mac OS X Server. For advanced configurations, Server Administration covers planning, installation, setup, and general server administration. A suite of additional guides, listed below, covers advanced planning, setup, and management of individual services. You can get these guides in PDF format from the Mac OS X Server documentation website: www.apple.
This guide ... tells you how to:

User Management: Create and manage user accounts, groups, and computers. Set up managed preferences for Mac OS X clients.
Web Technologies Administration: Set up and manage web technologies, including web, blog, webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV.
Xgrid Administration and High Performance Computing: Set up and manage computational clusters of Xserve systems and Mac computers.
Getting Documentation Updates

Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.
• To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click “Latest help topics” or “Staying current” in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server documentation website: www.apple.
1 User Management Overview

This chapter introduces user management concepts and describes the applications used to manage accounts and privileges. User management encompasses everything from setting up accounts for network access and creating home folders, to fine-tuning the user experience by managing preferences and settings for users, groups, computers and computer groups. Mac OS X Server provides tools for accomplishing these tasks and more.
Using Workgroup Manager with Mac OS X Server services, you can:
• Customize the work environments of network users by organizing their desktop resources and personal files
• Enable services that require user accounts, such as mail, file sharing, iChat service, and web service
• Share system resources, such as printers and computers, maximizing their availability and ensuring that disk space and printer usage remains equitably shared

To get started with Workgroup Manager, see Chapter 3, “Getting Started with
Server Preferences

If you use the standard or workgroup configuration of Mac OS X Server, you can use Server Preferences to configure key features of collaboration and file services. Its streamlined approach allows novice system administrators to quickly configure a server without requiring much technical knowledge. You can also use Server Preferences to configure user and group accounts (such as setting passwords, enabling services, and assigning group membership).
You can use NetInstall to upgrade operating systems, install software updates and custom software packages, or re-image desktop and portable computers. You can create custom installation packages for various departments in an organization, such as marketing, engineering, and sales. Using NetInstall, it’s not necessary to use CDs or DVDs to configure a computer. All installation files and packages reside on the server.
Administrator Accounts

Users with server administration or directory domain administration privileges are known as administrators. An administrator can be a server administrator, domain administrator, or both. Server administrator privileges determine whether a user can change the settings of a particular server. Domain administrator privileges determine the extent to which an administrator can change account settings for users, groups, computers, and computer groups in the directory domain.
When you assign full directory domain administration privileges to a user, the user is added to the “admin” group in the directory domain. This does not grant the user local admin privileges on the servers hosting this directory domain or on any other servers or clients bound to this directory domain. Each directory domain has a domain administrator account, and a domain administrator can create additional domain administrators in the same domain.
For some services, like Apple Filing Protocol (AFP), you can let guest users access files. Instead of authenticating with a name and a password, a guest user connects as a guest, not as a registered user. Guests are restricted to files and folders with permissions set to Everyone.

Group Accounts

To ease user administration, you can create group accounts. A group is a collection of users who have similar needs.
For more information about setting up computer accounts, see Chapter 6, “Setting Up Computers and Computer Groups.” To specify preferences for Mac OS X computer accounts, see Chapter 10, “Managing Preferences.”

Guest Computers

Most computers on your network should have a computer account. If an unknown computer (one that doesn’t have a computer account) connects to your network and attempts to access services, that computer is treated as a guest.
The following illustration shows a user logging in to an account in a directory domain in the computer’s search policy.

[Illustration: Log in to Mac OS X; directory domains in search policy]

After login, the user can connect to a remote server to access its services (if the user’s account is located in the server’s search policy).
Prior to Mac OS X v10.4, Mac OS X used user ID and POSIX permissions to track folder and file permissions. In Mac OS X, folders or files include POSIX permissions for entities such as:
• Owner
• Group
• Everyone else

Because GUIDs are 128-bit values, duplicate GUIDs are extremely unlikely. Unlike ACL permissions, POSIX permissions can cause file-ownership and group-membership issues when multiple users have identical short names or user IDs.
ACLs and POSIX Permissions

Every file and folder has POSIX permissions. Unless an administrator assigns ACL permissions, POSIX permissions continue to define user access. If you assign ACL permissions, they take precedence over standard POSIX permissions. If a file has ACL permissions, but none apply to the user, the POSIX permissions determine user access. If a file has multiple ACEs that apply to a user, the first applicable ACE takes precedence, and subsequent ACEs are ignored.
2 Getting Started with User Management

This chapter provides information about planning and setting up a user management environment. To create an effective user management environment, you must carefully plan your network. Then, when deploying the network, you must systematically and methodically set up your network resources.

Setup Overview

This section provides an overview of user management setup tasks, including the sequence of stages an administrator follows to create a managed environment.
Make sure that read-only directory domains (such as LDAPv2, read-only LDAPv3, or BSD flat files) are configured to support Mac OS X Server and that they provide necessary account data. To make the directory compatible, you must add, modify, and reorganize directory information. Mac OS X offers various options for authenticating users (including Windows users) whose accounts are stored in directory domains on Mac OS X Server.
For information about setting up home folders using AFP, NFS, or SMB, see Chapter 7, “Setting Up Home Folders.”

Step 5: Create user accounts and home folders

You can use Workgroup Manager to create user accounts in directories that reside on Mac OS X Server or in other read/write directory domains. The following sections contain instructions for creating accounts and folders:
• To create user accounts, see Chapter 4, “Setting Up User Accounts.
• For information about how to work with Mac OS X group accounts and group folders, see Chapter 5, “Setting Up Group Accounts.”
• For information about how to add a group folder to the dock to make it more accessible to users, see Chapter 10, “Managing Preferences.”
• For information about setting up ACLs, see File Services Administration.

Step 9: Define group account preferences

You can manage preferences for a group account. A group account with managed preferences is called a workgroup.
• What services and resources users need (such as mail or access to data storage)
• How to divide users into groups (for example, by class topic or job function)
• How to group computers (such as all computers in a public lab)

Identifying Directory Services Requirements

Identify the directories where you’ll store user and group accounts, computers, and computer groups:
• Set up an Open Directory master and replicas to host a Lightweight Directory Access Protocol (LDAP) directory for storing other user acco
If you use network home folders, they require one dedicated home folder server for every 150 concurrent connections. If you use mobile accounts with portable home directories, you need one dedicated home folder server for every 300 concurrent connections. For example, if you have 400 computers and 2000 users on network home folders, you need three dedicated home folder servers. If those users are deployed with portable home folders, you need two dedicated home folder servers.
When users save files in network home folders, the files are stored on the server. Additionally, when users access home folders, even for common tasks like caching webpages, the users’ computers must retrieve these files from the server. Using network home folders provides complete control over a user’s managed preferences. When users are not connected to the network, they can’t access their accounts or home folders.
A user’s network home folder doesn’t need to be stored on the same server as the directory containing the user’s account. In fact, distributing directory domains and home folders across multiple servers can help balance your network load. This scenario is described in “Distributing Home Folders Across Multiple Servers” on page 115. You may want to store home folders for users with last names beginning with A through F on one computer, G through J on another, and so on.
For example, you might want to give student lab assistants the ability to manage user passwords for a small group of students, while giving teachers the ability to manage user passwords, edit user information, and edit group information for all of their classes. Because users can be given limited administrator privileges, consider which users require domain administrator privileges.
3 Getting Started with Workgroup Manager

This chapter provides instructions for setting up Workgroup Manager and using its core features. Workgroup Manager is the primary application for managing client computers. You can use Workgroup Manager to create accounts and manage preferences.

Configuring the Administrator’s Computer and Account

To use Workgroup Manager, you must first install the Mac OS X Server administration tools.
3 If you are managing preferences that use specific paths to find files (such as Dock preferences), make sure the administrator computer has the same file system structure as each managed client computer. This means that folder names, volumes, the location of applications, and so on should be the same.

Creating a Domain Administrator Account

Before creating and editing accounts in a shared directory, you need a domain administrator account in the directory.
Connecting and Authenticating to Directory Domains in Workgroup Manager

When you install your server or set up an administrator computer, Workgroup Manager is installed in /Applications/Server/. Use the Finder to open the application, or click its icon in the Dock or in the toolbar of the Server Admin application. You can view a directory domain without authenticating by choosing Server > View Directories in Workgroup Manager.
Major Workgroup Manager Tasks

After login, the Accounts pane appears (see below), showing a list of user accounts. Initially, the user accounts listed are those stored in the last directory domain of the server’s search policy.
• To view onscreen help, use the Help menu. The Help menu gives you access to help for administration tasks available through Workgroup Manager, as well as other Mac OS X Server topics.
• To open Server Admin so you can monitor and work with services on a server, click the Server Admin icon in the Workgroup Manager toolbar. For information about Server Admin, see Server Administration.
Finding and Listing Accounts

Workgroup Manager provides several methods for finding and listing user accounts, group accounts, computer accounts, and computer groups.

Working with Account Lists in Workgroup Manager

In Workgroup Manager, user accounts, group accounts, computer accounts, and computer groups are listed on the left side of the Workgroup Manager window.
User accounts from the server’s local directory domain can’t be used to authenticate in the login window on client computers, because the login window is a process running on the client computer.

To list accounts in a server’s local directory domain:
1 In Workgroup Manager, connect to the server hosting the domain; then click the globe icon and choose Local. For servers running Mac OS X Server v10.5 or later, the local directory domain is listed as /Local/Default.
Listing Accounts in Available Directory Domains

Using Workgroup Manager, you can list user accounts, group accounts, computer accounts, and computer groups residing in any available directory domain accessible from the server you’re connected to. Available directory domains are not the same as directory domains in a search policy. A search policy consists of the directory domains a server searches routinely when it needs to retrieve accounts.
• Name Starts With
• Name Ends With
• Name Is
• ID Is
• ID Is Greater Than
• ID Is Less Than
• Comment Contains
• Keyword Contains

To filter items in the list of accounts:
1 After listing accounts, click the Users, Groups, Computers, or Computer Groups button.
2 Click the Search (magnifying glass) pop-up menu, choose an option to describe what you want to find, and then type search terms in the search field. The original list is replaced by items that satisfy your search criteria.
There are several field options:
• Is less than
• Is greater than
• Is
• Contains

To locate users or groups in the Accounts or Preferences panes:
1 In the Workgroup Manager toolbar, click Search. You can also click the Search (magnifying glass) button in the search field above the accounts list and then choose Advanced Search.
2 Choose a field to search, a field option, and then enter the text you want to search.
3 Click the Add (+) button to add search criteria.
For more information about how to create presets, see “Creating a Preset for User Accounts” on page 61.

Editing Multiple Accounts Simultaneously

You can edit settings (if they don’t need to be unique) for multiple user accounts, group accounts, or computer groups at the same time. Simultaneously editing multiple accounts is referred to as batch editing.
For example, suppose you select three group accounts that each have different settings for the Dock size. When you look at the Dock Display preference pane for these accounts, the Dock Size slider is centered and has a dash on it. If you change the position of the Dock Size slider to Large, all selected accounts then have a large-size Dock.

To batch-edit accounts that match specific criteria:
1 In Workgroup Manager, select Accounts or Preferences.
Importing and Exporting Account Information

You can use XML or character-delimited text files to import and export user and group account information. Importing information can make it easier to set up many accounts quickly. Exporting information to a file is useful for record-keeping. To back up account information with passwords intact, archive the directory. For more information, see the appendix, “Importing and Exporting Account Information.
4 Setting Up User Accounts

This chapter tells you how to set up, edit, and manage user accounts. User accounts give users unique identities on your network and allow you to manage those users. You can use Workgroup Manager to view, create, edit, and delete user accounts. To view user accounts in Workgroup Manager, click the Users button above the accounts list.

About User Accounts

A user account stores data that Mac OS X Server uses to validate a user’s identity and provide services to the user.
A Windows user account that is not stored in the PDC server’s LDAP directory can be used to access other services. For example, Mac OS X Server can authenticate users with accounts in the server’s local directory domain for the server’s Windows file service. Mac OS X Server also authenticates users with accounts on other directory systems, such as an Open Directory master on another Mac OS X Server system, or Active Directory on a Windows server.
Administering User Accounts

You can view, create, edit, and delete user accounts stored in various kinds of directory domains.

Creating User Accounts

To create a user account in a directory domain, you must have administrator privileges for the domain. To create user accounts in an LDAPv3 directory on a non-Apple server, use Directory Utility to map the LDAPv3 directory attributes to Open Directory user and group attributes.
3 Click the globe icon and then choose the domain where you want the user’s account to reside. For Mac OS X Server v10.5 or later, Local and /Local/Default refer to the local directory domain.
4 To authenticate, click the lock and enter the name and password of a directory domain administrator.
5 Choose Server > New User or click New User in the toolbar.
6 In the panes provided, specify settings for the user.
For details, see “Working with Basic Settings” on page 63 through “Working with Windows Settings” on page 85.

From the Command Line

You can also edit user account information using the dscl command in Terminal. For more information, see the users and groups chapter of Command-Line Administration.

Working with Read-Only User Accounts

Use Workgroup Manager to review information about user accounts stored in read-only directory domains.
Working with Windows User Accounts

Use Workgroup Manager to change passwords, password policies, and other settings in Windows user accounts. The user accounts can reside in a server’s local directory domain, a Mac OS X Server PDC LDAP directory, or another directory system that allows read-write access (not read-only access) such as an Open Directory master LDAP directory or Active Directory on a Windows server.
From the Command Line

You can also disable a user account using the dscl and pwpolicy commands in Terminal. For more information, see the users and groups chapter of Command-Line Administration.

Working with Presets

Presets are templates used to define attributes that apply to new user, group, or computer group accounts.

Creating a Preset for User Accounts

You can create presets to use when creating user accounts in a directory domain. Presets are stored in the directory domain you’re currently viewing.
Using Presets to Create Accounts

Presets provide a quick way to apply settings to a new account. After applying the preset, you can continue to modify settings for the new account, if necessary. You can use presets with user, group, and computer group accounts. Presets are stored in the directory domain you’re viewing. If you change directory domains, the presets you created in the other directory domain are not available. When importing accounts, you can apply a preset to the imported account.
You edit a preset by using it to create an account, changing fields defined by the preset, and then saving the preset.

To edit a preset:
1 In Workgroup Manager, click Accounts.
2 Click the globe icon and then choose the directory domain with the preset you want to edit.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Click the Users, Groups, or Computer Groups button.
5 From the Presets pop-up menu, choose a preset.
A user name can contain no more than 255 bytes. Because long user names support various character sets, the maximum number of characters for long user names ranges from 255 Roman characters to as few as 63 characters in character sets where characters occupy up to 4 bytes. Use Workgroup Manager to edit the user name of an account stored in an Open Directory domain, the local directory domain, or other read/write directory domain.
For the first short user name, use only these characters (subsequent short names can contain any Roman character):
• a through z
• A through Z
• 0 through 9
• _ (underscore)
• - (hyphen)

Typically, short names contain eight or fewer characters. Initially, the value of the first short name is “untitled_#,” where # is the sequential number generated after the last generated number for an existing untitled user. Avoid assigning the same name to more than one user.
To change a user’s first short name, create a new account for the user in the same directory domain that contains the new first short name and retain all other account information (user ID, primary group, home folder, and so on). Make sure you use the same GUID for the new account. Then disable the login for the old user account.
Modifying User IDs

A user ID is a number that uniquely identifies a user. Mac OS X computers use the user ID to track a user’s folder and file ownership. When a user creates a folder or file, the user ID is stored as the ID of the user who created the folder or file. This user ID has read and write permissions to the folder or file by default. The user ID should be a unique string of digits from 500 through 2,147,483,647.
Make sure the value is unique for all directory domains set in the search policy of computers that the user logs in to. Workgroup Manager warns you if you change the value to another user ID in the same directory domain. You can quickly find all existing user IDs by choosing View > “Show System Users and Groups,” and then clicking the UID column header in the accounts list to sort the accounts by user ID.

Assigning a Password to a User

When you create a user account, you must assign a password to the user.
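The naming and user ID rules in the preceding sections (a 255-byte limit on the long name, the restricted character set for the first short name, the 500 through 2,147,483,647 user ID range, and uniqueness across every directory domain in a search policy) are exactly the kind of checks worth running before an account is imported or created with dscl, since Workgroup Manager only warns about a duplicate ID inside one domain. The following is an added example, not Apple's code: it models a search policy as an in-memory dictionary of domain names to existing (short name, user ID) pairs, which is this example's own assumption, not the Open Directory schema.

```python
"""Added example (not Apple's code): pre-flight checks for a new user record
against the limits the guide states. The search-policy dictionary and the
record layout are this example's assumptions."""
import re

FIRST_SHORT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # a-z, A-Z, 0-9, _, -
MIN_UID, MAX_UID = 500, 2_147_483_647
MAX_NAME_BYTES = 255

# Constructed sample: two directory domains in a client's search policy.
SEARCH_POLICY = {
    "/Local/Default": [("admin", 501), ("labstaff", 502)],
    "/LDAPv3/127.0.0.1": [("ateacher", 1025), ("bstudent", 1026)],
}


def long_name_ok(name):
    """255 bytes, not characters: 255 Roman letters fit, 64 four-byte ones do not."""
    return 0 < len(name.encode("utf-8")) <= MAX_NAME_BYTES


def first_short_name_ok(name):
    return bool(FIRST_SHORT_NAME_RE.match(name))


def uid_in_range(uid):
    return MIN_UID <= uid <= MAX_UID


def find_conflicts(short_name, uid, search_policy):
    """List every domain in the search policy already using the name or ID."""
    conflicts = []
    for domain, records in search_policy.items():
        for existing_name, existing_uid in records:
            if existing_name == short_name:
                conflicts.append((domain, "short name", existing_name))
            if existing_uid == uid:
                conflicts.append((domain, "user ID", existing_uid))
    return conflicts


def validate_new_user(long_name, short_name, uid, search_policy=SEARCH_POLICY):
    """Return a list of problems (empty when the record is acceptable)."""
    problems = []
    if not long_name_ok(long_name):
        problems.append("long name is empty or exceeds 255 bytes")
    if not first_short_name_ok(short_name):
        problems.append("first short name uses characters outside a-z, A-Z, 0-9, _ and -")
    if not uid_in_range(uid):
        problems.append("user ID is outside 500 through 2147483647")
    for domain, what, value in find_conflicts(short_name, uid, search_policy):
        problems.append(f"{what} {value!r} is already used in {domain}")
    return problems


def next_untitled_short_name(search_policy):
    """Assumed reading of the guide's default: untitled_# with the next unused #."""
    used = {name for records in search_policy.values() for name, _ in records}
    n = 1
    while f"untitled_{n}" in used:
        n += 1
    return f"untitled_{n}"


if __name__ == "__main__":
    for args in [("Anne Teacher", "ateacher", 1025),      # collides in the LDAP domain
                 ("Bob Builder", "bbuilder", 1030),       # clean
                 ("Carla", "carla smith!", 100)]:         # bad name and reserved ID
        print(args, "->", validate_new_user(*args) or "ok")
```

The check runs per search policy on purpose: a short name or user ID that is unique inside one domain can still collide with a record in another domain on the same client, which is how the file-ownership mix-ups the guide warns about arise.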
3 Click the globe icon and choose Local.
4 Click the lock and enter the name and password of a local administrator.
5 Click the globe icon and choose the directory domain where the user’s account resides.
6 Click the lock and enter the name and password of a directory domain administrator.
7 To grant server administrator privileges, in the Basic pane, select “User can administer this server.”

From the Command Line

You can also set server administrator privileges using the dscl command in Terminal.
Working with Privileges

You can give a user account full or limited control over domain administration. When giving limited administrative control, you can choose which users and groups the user can administer, and what kind of control the user has over those users and groups. You can change a user’s domain privileges for Open Directory domains. You can’t change privileges for a local user account or an account stored in domains that are not Open Directory.
The following tasks are available to limited administrators:

Manage user passwords: Change a user’s password in the user account’s Basic pane. A limited administrator can’t change a full administrator’s password.
Edit managed preferences: Change managed preference settings.
Edit user information: Edit the user account’s Info pane.
Edit group membership: Edit the user account’s Groups pane or the group account’s Members pane.
Giving a User Full Administrative Capabilities

A user with full administrative capabilities is also known as a directory domain administrator. Directory domain administrators can modify any records in the directory domain and are the only users who can change the passwords of other directory domain administrators. You can change a user’s domain privileges for LDAPv3 directory domains. You can’t change privileges for a local user account or an account stored in a non-LDAPv3 directory domain.
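The two preceding sections describe a small authorization model: a limited administrator gets a set of tasks over a chosen set of users and groups, and regardless of that grant can never change a full administrator's password, while a full administrator can modify any record. Writing the rule down makes it easy to test a delegation plan (lab assistants resetting student passwords, teachers editing their classes) before handing out privileges. The code below is an added example, not Apple's code; the `Account` structure and the task names are this example's own encoding of the guide's table.

```python
"""Added example (not Apple's code): a model of full versus limited domain
administrator privileges as the guide describes them. Data shapes are assumed."""
from dataclasses import dataclass, field

# The four tasks the guide lists for limited administrators.
TASKS = {"manage_passwords", "edit_managed_preferences",
         "edit_user_info", "edit_group_membership"}


@dataclass
class Account:
    name: str
    full_admin: bool = False
    tasks: set = field(default_factory=set)   # tasks granted to a limited admin
    scope: set = field(default_factory=set)   # user/group names they may administer


def can_perform(actor, task, target):
    """Decide whether `actor` may carry out `task` on the record `target`."""
    if task not in TASKS:
        raise ValueError(f"unknown task: {task}")
    if actor.full_admin:
        # Full administrators can modify any record, including other admins.
        return True
    if task not in actor.tasks or target.name not in actor.scope:
        # Limited administrators act only within the tasks and scope granted.
        return False
    if task == "manage_passwords" and target.full_admin:
        # Only full administrators may change a full administrator's password.
        return False
    return True


def audit(actor, records):
    """Map each task to the records the actor could touch; useful when reviewing
    a delegation plan before applying it in Workgroup Manager."""
    return {task: sorted(r.name for r in records if can_perform(actor, task, r))
            for task in sorted(TASKS)}


# Constructed sample accounts for the guide's lab-assistant / teacher scenario.
DIRADMIN = Account("diradmin", full_admin=True)
STUDENT1 = Account("student1")
STUDENT2 = Account("student2")
CLASS1 = Account("class1")                          # a group record
ASSISTANT = Account("labassist", tasks={"manage_passwords"},
                    scope={"student1", "student2"})
TEACHER = Account("teacher", tasks=set(TASKS),
                  scope={"student1", "student2", "class1"})

if __name__ == "__main__":
    for who in (ASSISTANT, TEACHER):
        print(who.name, audit(who, [DIRADMIN, STUDENT1, STUDENT2, CLASS1]))
```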
Allowing a User to Log In to More Than One Computer At a Time

You can allow a managed user to log in to more than one managed computer at a time, or you can prevent the user from doing so. Note: Simultaneous login is not recommended for most users. You may want to reserve simultaneous login privileges for technical staff, teachers, or other users with administrator privileges. (If a user has a network home folder, that’s where the user’s application preferences and documents are stored.
4 To specify the user’s default shell when logging in to a Mac OS X computer, choose a shell from the Login Shell pop-up menu. To specify a shell that doesn’t appear in the list, choose Custom and then enter the path to the shell. To ensure that a user can’t access the server remotely using the command line, choose None.
If you choose Shadow Password, you can also select authentication methods by clicking Security.
6 Click Save.

Creating a Master List of Keywords

You can define keywords that enable quick searching and sorting of user accounts. Using keywords can simplify tasks such as creating groups or editing multiple user accounts. Before you begin adding keywords to user records, you must create a master keyword list. The list of keywords shown in the Advanced pane for a selected user applies only to that user.
To work with keywords for a user account:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
Working with Group Settings

Group settings identify the groups a user belongs to. In Workgroup Manager, use the Group Settings pane in the user’s account to work with group settings. For information about how to administer group accounts, see Chapter 5, “Setting Up Group Accounts.”

Choosing a User’s Primary Group

A primary group is the fastest way to determine whether a user has group permissions for a file.
Workgroup Manager displays long and short names for the group after you enter a primary group ID (if the group exists and is accessible in the search policy of the server you’re logged in to).

Reviewing a User’s Group Memberships

You can use Workgroup Manager to review the groups a user belongs to if the user account resides in a directory domain accessible from the server you’re using. You can view all groups the user belongs to and the parent groups of those groups.
To add a user to a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Click Groups and then click the Add (+) button.
Working with Mail Settings

You can create a mail account by specifying mail settings in the user account. To use the mail service account, the user configures a mail client to identify the user name, password, mail service, and mail protocol you specify in the mail settings. In Workgroup Manager, use the Mail pane in the user account to work with mail settings. For information about how to set up and manage Mac OS X Server mail service, see Mail Service Administration.
Disabling a User’s Mail Service

You can use Workgroup Manager to disable mail service for users whose accounts are stored in an Open Directory domain, the local directory domain, or another read/write directory domain.

To disable a user’s mail service using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with.
In Workgroup Manager, use the Print Quota pane in the user account to work with print quota settings.

Enabling a User’s Access to All Available Print Queues

You can use Workgroup Manager to allow a user to print to all or some of the accessible Mac OS X print queues that enforce quotas. To use Workgroup Manager to enable access to print queues, the user’s account must be stored in an Open Directory domain or the local directory domain.
6 To give the user unlimited printing rights to the queue, select “Unlimited printing”; otherwise, select “Limit to” and specify the maximum number of pages the user can print in a specific number of days.
7 Click Save.

Removing a Print Quota for a Queue

If you no longer require a print quota for a queue, you can use Workgroup Manager to delete the quota for specific users. To delete specific print quotas, you must manage print settings per queue.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Click Print Quota.
5 If you’re managing All Queues, click Restart Print Quota.
6 If you’re managing Per Queue, choose a print queue from the Queue Name pop-up menu and then click Restart Print Quota.
7 To increase or decrease a user’s page limit, enter a new number in the “Limit to ___ pages” field.
8 Click Save.
Other users can view the information in this pane when they view the user account in Workgroup Manager and Directory.

To change a user’s info:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
To change the Windows roaming profile location for a user account:
1 In Workgroup Manager, click Accounts.
2 Open the user account whose profile location you want to change. To open a user account in the PDC, click the globe icon and choose the PDC server’s LDAP directory.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Click Windows and enter the new profile location in the User Profile Path field.
Enter the relative path to a login script in /etc/netlogon/ on the PDC server. For example, if an administrator places a script named setup.bat in /etc/netlogon/, the Login Script field should contain “setup.bat”.
5 Click Save.

Changing a Windows User’s Home Folder Drive Letter

You can use Workgroup Manager to change the Windows drive letter that a user’s home folder is mapped to.

To change the Windows home folder drive letter for a user account:
1 In Workgroup Manager, click Accounts.
To view a user or group GUID:
1 In Workgroup Manager, click Accounts.
2 Make sure the directory services of the Mac OS X Server computer you’re using are configured to access the directory domain.
3 Click the globe icon and then choose the domain where the account resides.
4 To authenticate, click the lock and enter the name and password of a directory domain administrator.
5 Click the Users, Groups, Computers, or Computer Groups button and select the account.
Chapter 5 Setting Up Group Accounts

This chapter tells you how to set up, edit, and manage group accounts. A group account offers a simple way to manage a collection of users with similar needs. You can also create group folders, which provide an easy way for group members to share files with each other. You can use Workgroup Manager to view, create, edit, and delete group accounts. To view group accounts in Workgroup Manager, click the Groups button above the accounts list.
Where Group Accounts Are Stored

Group accounts can be stored in any Open Directory domain. A directory domain can reside on a Mac OS X computer (for example, an Open Directory domain) or it can reside on a non-Apple server (for example, an LDAP or Active Directory server). Workgroup Manager can work with accounts stored in any of these directory domains.
Predefined group name   Group ID   Use
staff                   20         A default group in which UNIX users are traditionally placed.
sys                     3          A group that has no specific meaning.
tty                     4          A group that owns special files such as the device file associated with an SSH or telnet user.
_unknown                99         A group used when the system doesn’t know about the hard drive.
utmp                    45         A group that controls who can update the system’s list of logged-in users.
_uucp                   66         A group used to control access to UUCP spool files.
You can also use a preset or an import file to create a group. For details, see “Creating a Preset for Group Accounts,” and the appendix, “Importing and Exporting Account Information.”

From the Command Line

You can also create a group account using the dseditgroup command in Terminal. For more information, see the users and groups chapter of Command-Line Administration.

Creating a Preset for Group Accounts

You can use presets to apply predetermined settings to a new group account.
4 To authenticate, click the lock and enter the name and password of a directory domain administrator.
5 Click the Groups button and select the group you want to work with.
6 Edit settings for the group in the panes provided. For details, see “Working with Basic Settings for Groups” on page 95, “Working with Member Settings for Groups” on page 99, and “Working with Group Folder Settings” on page 100.

From the Command Line

You can also edit a group account using the dseditgroup command in Terminal.
5 To create a group, click the Groups button.
6 In the Members pane, click the Add (+) button to open a drawer that lists the users and groups defined in the directory domain you’re working with. Make sure the group account resides in a directory domain specified in the search policy of computers the user logs in to. The drawer lists user and group accounts. Click the Groups button in the drawer to list group accounts.
7 Drag the group from the drawer to the Members list.
To work with read-only groups:
1 In Workgroup Manager, click Accounts.
2 Make sure that the directory services of the Mac OS X Server computer you’re using are configured to access the directory domain where the account resides. For information about using Directory Utility to configure server connections, see Open Directory Administration. For information about the group account elements that need to be mapped, see the appendix, “Importing and Exporting Account Information.”
Because long group names support various character sets, the number of characters in a long group name can range from 255 Roman characters to as few as 63 characters (for character sets in which characters occupy up to 4 bytes).
• A short group name contains as many as 255 Roman characters. However, for clients using Mac OS X v10.1.5 or earlier, the short group name must be eight characters or fewer.
You can use Workgroup Manager to edit the ID for a group account stored in an Open Directory domain or the local domain, or to review the group ID in any directory domain accessible from the server you’re using. The group ID is associated with group privileges and permissions.

To work with a group ID using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
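The naming limits described above and the predefined group IDs listed earlier in this chapter are worth checking before group records are imported from an import file. The following shell script is an added example; it is not part of the Apple guide or of Workgroup Manager. Its record format (long name, short name, and group ID separated by colons), its function names, and its sample records are this example’s own. It treats the long-name limit as 255 bytes of UTF-8 (the guide’s 255 Roman characters or 63 four-byte characters), which is an assumption, and it also flags a group ID that is used by more than one record or by one of the predefined groups, because the file permissions granted to a group ID apply to every group that carries that ID.

```shell
#!/bin/sh
# Added example (not from the Apple guide): pre-import checks for group records.
# Record format used here (this example's own, not the guide's import format):
#   long name:short name:group ID
# Checks applied per record:
#   - long name at most 255 bytes of UTF-8 (assumption: the guide's "255 Roman
#     characters ... as few as 63 four-byte characters" is a 255-byte limit)
#   - short name at most 255 characters, or 8 when Mac OS X v10.1.5 clients
#     must use the name (pass "legacy" as the mode argument)
#   - group ID is numeric and not one of the predefined system groups
# Across records: a group ID used more than once is reported.

RESERVED_GIDS="20 3 4 99 45 66"   # staff sys tty _unknown utmp _uucp (from the guide's table)

# Byte length of a string (wc -c counts bytes, which is what the limit is about).
byte_len() { printf '%s' "$1" | wc -c | tr -d ' '; }

# check_group_record LONG SHORT GID [legacy]
# Prints one line per problem; returns 0 when the record is clean, 1 otherwise.
check_group_record() {
  long=$1; short=$2; gid=$3; legacy=${4:-}
  rc=0
  [ "$(byte_len "$long")" -le 255 ]  || { echo "$short: long name exceeds 255 bytes"; rc=1; }
  [ "$(byte_len "$short")" -le 255 ] || { echo "$short: short name exceeds 255 characters"; rc=1; }
  if [ "$legacy" = legacy ] && [ "${#short}" -gt 8 ]; then
    echo "$short: short name exceeds 8 characters for Mac OS X v10.1.5 clients"; rc=1
  fi
  case "$gid" in
    ''|*[!0-9]*) echo "$short: group ID '$gid' is not a number"; rc=1 ;;
  esac
  for r in $RESERVED_GIDS; do
    [ "$gid" = "$r" ] && { echo "$short: group ID $gid belongs to a predefined system group"; rc=1; }
  done
  return $rc
}

# check_group_list FILE [legacy]
# Checks every record in FILE and reports group IDs used by more than one record.
# Returns the number of problem records plus the number of duplicated IDs (0 = clean).
check_group_list() {
  file=$1; legacy=${2:-}
  problems=0
  while IFS=: read -r long short gid; do
    [ -n "$long" ] || continue
    check_group_record "$long" "$short" "$gid" "$legacy" || problems=$((problems + 1))
  done < "$file"
  for dup in $(cut -d: -f3 "$file" | sort | uniq -d); do
    echo "group ID $dup is used by more than one record"
    problems=$((problems + 1))
  done
  return "$problems"
}

# Constructed sample records (not real accounts): one reserved ID, one duplicate ID,
# and one short name longer than 8 characters.
write_sample() {
  cat > "$1" <<'EOF'
Second Grade Teachers:teachers2:1025
Science Lab:scilab:1026
Staff Lounge:lounge:20
Yearbook Committee:yearbook:1026
EOF
}

# Stand-alone run: check the constructed sample and report the count.
run_demo() {
  tmp=$(mktemp)
  write_sample "$tmp"
  if check_group_list "$tmp"; then echo "no problems found"; else echo "problems found: $?"; fi
  rm -f "$tmp"
}
run_demo
```

Running the script on the constructed sample reports the reserved ID 20 and the duplicated ID 1026; adding `legacy` as the second argument to check_group_list also reports the nine-character short name. The same functions can be pointed at a real list exported from your own records before the import is run.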
Enabling a Group’s Web Services

Mac OS X Server v10.5 includes Groups, a feature that allows groups to easily create a collaborative website. This website uses calendar, wiki, and blog technology to streamline group communication. You can also set up a mailing list so that mail sent to the list is delivered to all group members and archived on the group website. You can enable the web calendar and mailing list archive only if you first enable the wiki and blog service.
5 Select the services you want to enable. You can only select services that are not disabled by your web server.
6 Choose who can view the group website by using the “can view these services” pop-up menu. This option applies to viewing the wiki, blog, calendar, and mailing list archive.
7 Choose who can edit the group website by using the “can write to these services” pop-up menu. This option applies to editing the wiki, blog, and calendar.
8 Click Save.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 In the Members pane, click the Add (+) button to open a drawer that lists the users and groups defined in the directory domain you’re working with. Make sure the group account resides in a directory domain specified in the search policy of computers that the user logs in to.
5 Select the user account, drag the user into the list, and then click Save.
For example, to set a multimedia lab computer specifically for a movie-editing class, you could set Dock preferences for the movie-editing workgroup to display only iMovie and the group folder. Because the group folder is in the Dock, it provides an easily accessible location for students to store and retrieve files. Group folders aren’t automatically mounted on Windows workstations when group members log in to the Windows domain.
• Setting up login preferences so that users can click Computer in the Finder to see the group folder share point and the group folders in it. For instructions, see “Providing Easy Access to the Group Share Point” on page 199.
When setting up these preferences, make sure the group is defined in a shared domain in the search policy of the group member’s computer. For instructions on setting a computer’s search policy, see Open Directory Administration.
6 In the Owner Name fields, enter the short name and long name of the user you want to assign as the owner of the group folder so the user can act as group folder administrator. To choose an owner from a list of users in the current directory domain, click the Browse (...) button. Click the globe icon in the drawer to choose a different directory domain. The group folder owner is given read/write access to the group folder.
7 Click Save.
Chapter 6 Setting Up Computers and Computer Groups

This chapter tells you how to set up and manage individual computers and groups of computers. To manage an individual computer, you must create a computer account. To manage a group of computers, you must create a computer group composed of computer accounts or of other computer groups. Use Workgroup Manager to view, create, edit, and delete computers and computer groups.
When a computer starts up, Mac OS X tries to match the computer’s Ethernet address with a computer account. If a matching computer account is found, the computer uses the managed preferences for that computer account and the computer groups it belongs to. If no matching computer account is found, the computer uses the managed preferences for the Guest Computer account.
If keywords that you want to associate aren’t listed in the master keyword list, click Edit Keywords, click the Add (+) button, enter a name for the keyword, and click OK. Select the keywords you want to associate with the computer and click OK.
9 Click Network, enter the Ethernet ID for the computer and its IP address (if the computer receives a static IP), and then click Save. The Ethernet ID is required to identify the computer.
Important: Don’t create computer accounts for Windows 2000 or Windows XP computers. If you do so, they may not be usable for domain login. Instead, use the Windows software on these computers to join them to the Windows domain. For information, see Open Directory Administration.

About Computer Groups

A computer group comprises computers with the same preference settings. You can use Workgroup Manager to create and modify computer groups.
• A computer group is a group of computers that have the same preference settings and are available to the same users and groups.
• You can add up to 2000 computers to a computer group.
You can create hierarchical groups to manage computers with Mac OS X v10.5 or later. Hierarchical groups inherit managed preferences. Computers in a hierarchical group have combined preferences managed by their computer group and by parent computer groups. They can also inherit preferences from parent computer groups.
Using presets, you can easily set up multiple computer groups that use similar settings. However, you can only use presets when creating a computer group. You can’t use a preset to change a computer group.

To set up a preset for computer groups:
1 In Workgroup Manager, click Accounts.
2 Click the globe icon and choose the directory domain where you want to create a computer group using presets.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Click the Computer Groups button (on the left) and then click Basic.
5 From the Presets pop-up menu, choose a preset.
6 Choose Server > New Computer Group (or click New Computer Group in the toolbar).
7 Add or update settings as needed and then click Save.

Adding Computers or Computer Groups to a Computer Group

You can easily add computers and computer groups to an existing computer group using Workgroup Manager. Hierarchical computer groups are supported in Mac OS X Server v10.5 or later.
5 Click the Remove (–) button and then click Save.

Deleting a Computer Group

If you no longer need a computer group, you can use Workgroup Manager to delete it.
WARNING: You cannot undo this action.

To delete a computer group:
1 In Workgroup Manager, click Accounts.
2 Select the computer group. To select the computer group, click the globe icon, choose the directory domain that contains the computer group you want to delete, click the Computer Groups button, and then select the computer group in the list.
Chapter 7 Setting Up Home Folders

This chapter provides guidelines for setting up and managing home folders. Mac OS X uses the home folder—a folder for a user’s personal use—to store the user’s application preferences and personal files, like documents and music. To set up share points that host home folders, you can use Server Admin. After setting up share points, you can then use Workgroup Manager to set up home folders on the share points.
The home folder you designate in the Home pane can be used when logging in from a Windows workstation or a Mac OS X computer. This can be helpful for a user whose account resides on a server that is a Windows primary domain controller (PDC).
WARNING: If the absolute path from the client to the network home folder on the server contains spaces or more than 89 characters, some types of clients won’t connect.
The default share point for Windows home folders is the same as the share point for Mac OS X home folders. The default share point for user profiles is the /Users/Profiles/ folder on the PDC and BDC servers. (This SMB share point is not shown in Workgroup Manager.) You can set up alternate SMB share points for home folders and user profiles on the PDC server or on domain member servers.
Step 3: Create the user accounts in the shared domain on the accounts server
For information about specifying which share point is used for a user’s home folder, see “Administering Home Folders” on page 121.
Step 4: Set up the directory services of the client computers so their search policy includes the shared directory domain on the accounts server
For information about configuring search policies, see Open Directory Administration.
Setting Up an Automountable AFP Share Point for Home Folders

You can use Server Admin to set up an AFP share point for home folders. Home folders for user accounts stored in shared directory domains (such as an Open Directory domain) can reside in any AFP share point that the user’s computer can access. This share point must be automountable—that is, it must have a network mount record in the directory domain where the user account resides.
11 Click Protocol Options.
12 In AFP, select “Share this item using AFP” and “Allow AFP guest access.” When you enable guest access, it is enabled for all home folders in the share point. By default, in home folders guests can only access /Public and /Sites folders. When a guest browses the home folder server, they can see who has home folders on that server but are restricted to opening guest-access-enabled folders. Guests can also use ~user-short-name/Public to access a user’s /Public folder.
3 To view a list of available services, use the disclosure triangle next to your server. If Server Admin doesn’t list the NFS service, click the Add (+) button, choose Add Service, select NFS, and then click Save.
4 Select the NFS service, then if NFS is not running, click Start NFS. For more information about administering NFS service, see File Services Administration.
5 Select the server and click File Sharing.
6 Click Share Points and then select the share point.
• Set the default permissions for new files and folders in the share point
SMB share points can’t be used for Mac OS X home folders, but can be used for Windows home folders.
Note: Don’t use a slash (/) in the name of a folder or volume you plan to share. Users trying to access the share point might have trouble seeing it.

To create an SMB share point and set permissions:
1 If you do not have a share point to host home folders, create one. For instructions, see “Setting Up a Share Point” on page 116.
Important: Do not enable oplocks for a share point that’s using a protocol other than SMB. For more information on oplocks, see File Services Administration.
• To set standard locks on server files, select “Enable strict locking.”
Note: For servers earlier than Mac OS X Server v10.2.4, opportunistic locking is always on and strict locking is always off. Avoid using Workgroup Manager from Mac OS X Server v10.3 or later to view locking settings for earlier servers.
To open a directory domain, click the globe icon and choose from the pop-up menu. To authenticate, click the lock.
3 Click the Users button and select one or more user accounts.
4 Click Home and select (None) from the list.
5 Click Save.

Creating a Home Folder for a Local User

You can use Workgroup Manager to define home folders for users whose accounts are stored in a server’s local directory domain.
8 Click Create Home Now and then click Save. If you do not click Create Home Now before clicking Save, the home folder is created the next time the user logs in remotely. However, only certain clients can connect to servers hosting share points in the local domain. For instructions on setting up a share point for Mac OS X clients, see “Creating a Network Home Folder” on page 123.

From the Command Line

You can also create a home folder for a local user using the createhomedir command in Terminal.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Click Home; then in the share points list select the share point you want to use. The list displays all automountable network-visible share points in the search policy of the server you are connected to, as well as custom home folder locations in the directory domain. If the share point you want to select is not listed, try clicking Refresh.
The share point for a local user account’s home folder should reside in an AFP share point on the server where the user account resides. This share point does not need to be automountable—that is, it does not require a network mount record in the directory domain. The share point for the home folder of a user account in a shared directory domain can reside in any share point that the user’s computer can access. This share point must be automountable.
For example, to create a home folder for a user named Smith in a custom location of /Homes/Teachers/SecondGrade/, enter “Teachers/SecondGrade/Smith”. Make sure the custom location folder exists. Do not put a slash (/) at the beginning or the end of the path.
9 In the Full Path field, enter the full path to the home folder, including the home folder itself, in this format:
[/Network/Servers/servers-host-name/][Volumes/[drive/]volume/]share-point/path
The entries in brackets ([ ]) are optional.
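Assembling the Full Path from the format above, and checking the result against the warning earlier in this chapter that a client path containing spaces or more than 89 characters prevents some clients from connecting, can be done in a script before the value is typed into Workgroup Manager. The following shell functions are an added example and not Apple’s code; the function names and the sample host, volume, and share point names are this example’s own, and the length check counts bytes, which equals the character count for ASCII paths.

```shell
#!/bin/sh
# Added example (not from the Apple guide): build a home folder Full Path in the
# guide's format
#   [/Network/Servers/servers-host-name/][Volumes/[drive/]volume/]share-point/path
# and apply the two rules the guide states before the value is entered:
#   - the relative Path must not begin or end with a slash
#   - the absolute path seen by the client must not contain spaces or exceed
#     89 characters, or some clients won't connect
# Function names and sample values are this example's own.

# Usage: build_home_path HOST VOLUME SHARE_POINT RELATIVE_PATH
# HOST and VOLUME may be empty, because both bracketed parts of the format are optional.
# Prints the assembled path; returns 1 if the relative path breaks the slash rule.
build_home_path() {
  host=$1; volume=$2; share=$3; rel=$4
  case $rel in
    /*|*/) echo "error: relative path must not begin or end with a slash: $rel" >&2; return 1 ;;
    "")    echo "error: relative path is empty" >&2; return 1 ;;
  esac
  full=""
  [ -n "$host" ]   && full="/Network/Servers/$host/"
  [ -n "$volume" ] && full="${full}Volumes/$volume/"
  full="${full}${share}/${rel}"
  printf '%s\n' "$full"
}

# Usage: check_client_path PATH
# Returns 0 when the path has no spaces and is at most 89 characters, 1 otherwise.
# wc -c counts bytes; for ASCII paths that is the character count.
check_client_path() {
  p=$1
  case $p in
    *" "*) echo "warning: path contains spaces; some clients won't connect: $p" >&2; return 1 ;;
  esac
  len=$(printf '%s' "$p" | wc -c | tr -d ' ')
  if [ "$len" -gt 89 ]; then
    echo "warning: path is $len characters (limit 89); some clients won't connect: $p" >&2
    return 1
  fi
  return 0
}

# Stand-alone run with constructed values (server name, volume, and share point are examples only).
run_demo() {
  p=$(build_home_path "server.example.com" "Data" "Users" "Teachers/SecondGrade/Smith") || return 1
  echo "Full Path: $p"
  if check_client_path "$p"; then echo "path is within the client limits"; fi
}
run_demo
```

The relative path check mirrors the instruction above (no leading or trailing slash), and the client-path check is the one to run on the path as the client sees it, which for a network home folder is the form beginning with /Network/Servers/.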
Note: Home folders are created the first time a user logs in only on share points served through an AFP or SMB server. NFS home folders must be created manually.

Setting Up a Home Folder for a Windows User

Using Workgroup Manager, you can set up a network home folder that will be mounted when a Windows user logs in to a Windows domain. Normally, the same network home folder is also mounted if the user logs in on a Mac OS X computer. You can also set up separate home folders if you prefer.
• Optionally, enter a disk quota for the user’s home folder and specify megabytes (MB) or gigabytes (GB).
Important: This quota also applies to the user’s roaming profile if it’s on the same volume as the home folder. Make sure the quota is adequate for both folders for an entire work session. A user’s profile folder includes the My Documents folder and the Internet Explorer cache, which often use considerable disk space.
Setting Disk Quotas

You can limit the disk space users have available to store files in the volume where their home folders reside. This quota applies to all files that the user stores in the volume where his or her home folder resides, including all files stored in the user’s drop box.
Setting Disk Quotas for Windows Users to Avoid Data Loss

A disk quota that applies to a Windows user’s roaming profile folder must be large enough to cover the user’s expected data storage needs for a work session. A Mac OS X Server PDC enforces quotas on a roaming profile folder only at the end of a work session when the user logs out and the Windows computer copies the local profile to the roaming profile on the server.
Chapter 8 Managing Portable Computers

This chapter provides information about tools available to manage portable computers. Mac OS X Server allows you to create and manage mobile accounts for users of portable computers.

About Mobile Accounts

If your organization uses portable computers, assign mobile accounts to users. This allows you to manage their preferences and control their level of access to local and network resources.
About Portable Home Directories

A portable home directory is a synced subset of a user’s local and network home folders. You can configure which folders to sync and how often to sync them. Users can also initiate syncing. By syncing key folders, a user can work on or off the network and experience the same work environment.
Logging In to Mobile Accounts

If a user has created a portable home directory, logging in to a mobile account is similar to logging in to a local account. First, the user selects his or her account and then enters the correct password to complete the login. If the account is not displayed, the user must enter a login name and password. If you enabled login and logout syncing, the user’s folders sync and the user’s desktop appears.
Resolving Sync Conflicts

When a user’s files and folders sync, a sync conflict can occur if the user’s local home folder and network home folder contain two different versions of the same file and it is not clear which one should be saved. Sync conflicts usually occur when a mobile account user changes files on one or more computers. When sync conflicts occur, a dialog appears that allows the user to choose which version of a file to sync.
All mobile accounts on Mac OS X v10.5 or later (including external accounts) can use FileVault to encrypt the contents of the local home folder. For more information, see “Enabling FileVault for Mobile Accounts” on page 205. For information about creating external accounts, see “Creating External Accounts” on page 208.
Considerations and Strategies for Deploying Mobile Accounts

Before you deploy mobile accounts, carefully weigh the advantages and disadvantages of using mobile accounts and strategize how you will configure them.
Mobile accounts cache temporary files locally, improving network and individual computer performance. Locally caching files like webpages helps reduce network traffic. You can also reduce network traffic by carefully planning user sync settings. For information about how to plan sync settings, see “Strategies for Syncing Content” on page 139.
Consider the following:
• Improperly set sync settings can cause long delays during login and logout and can create inconsistent home folders.
• If multiple users create a mobile account on the same computer, it could cause excessive proliferation of home folders.
• Mobile accounts can’t restore deleted files through syncing.
• You can’t create mobile accounts when connected to a network through a virtual private network (VPN) connection.
Mobile accounts can’t restore deleted files through syncing

Although mobile accounts keep user files stored in two locations—in local and network home folders—they do not eliminate the need for a formal backup system. When you configure the user’s portable home directory, you choose a subset of their folders to sync. This syncing affects files that are new, modified, or deleted since the last sync. If users save files in locations that are not synced, the files remain local.
• The user uses the same mobile account to log in to two computers simultaneously. This might create sync issues with the two computers, causing the computers to display error messages.
Login and logout syncing should be carefully managed because a user’s login and logout is delayed while files are syncing. If a user has a slow network connection or is syncing many files or large files, the user must wait for syncing to complete before using the system.
Create at least one local administrator account and create local user accounts as needed. Make sure the users’ local account names are not easily confused with the users’ network names. By creating an administrator account, you are preventing the user from having administrator access unless you specify it for that user. Administrator access allows the user to override many managed settings. 3 Set up computers and computer groups on your server.
For more information about setting up a guest computer account for Mac OS X users, see “Working with Guest Computers” on page 107.

Using Mac OS X Portable Computers with One Primary Local User

You can also distribute portable computers with only local accounts and not assign mobile or network accounts to users. This may reduce or eliminate the burden of maintaining dedicated directory domain servers and servers that store home folders.
When using a wireless mobile lab, it is very difficult to control who uses specific computers. Unlike personal portable computers (where you know who uses which computer), or with stationary computers (where you can assign seating charts), it is hard to consistently use a distribution scheme for a wireless mobile lab. You could use stickers to label the computers and control distribution, but teachers would still need to monitor distribution to ensure students don’t take the wrong computer.
Because multiple users can store items in the local home folder for a generic account, you might want to periodically clean out that folder as part of your maintenance routine. You might also recommend that students save files to a network drop box to ensure their files are not deleted, and to allow them to access those files regardless of who uses the computer next.
If you enable the option, a server daemon updates the database of changed files. The user’s computer scans only the folders in the local home folder that have been modified since the last time the database was updated. To enable the option, TCP port 2336 must be open on your file server’s firewall.

To optimize the file server for mobile accounts:
1 In Server Admin, click the disclosure triangle for the server hosting network home folders for mobile accounts.
Chapter 9 Client Management Overview

This chapter provides an introduction to Mac OS X client management. Client management is the centralized administration of your users’ computer experience, as shown in the following illustration. It’s usually implemented by:
• Managing access to network printers and to server-resident home folders, group folders, and other folders.
Using Network-Visible Resources

Mac OS X Server lets you make various resources visible throughout your network so users can access them from different computers and various locations. There are several key network-visible resources:
• Network home folders. A home folder, often referred to as a home directory or simply home, is a place for each Mac OS X user to keep personal files.
Customizing the User Experience

You manage a network user’s work environment by defining preferences—settings that customize and control the user’s computer experience. There are two panes in Workgroup Manager Preferences: Overview and Details. To manage predefined system preferences, use the Overview pane. To manage preferences for any application or utility that has a preference manifest, use the Details pane.
This preference      Tailors the work environment and control / Limits access   By letting you manage
Network              % %                                                        Proxy settings for accessing servers through a firewall
Parental Controls    %                                                          Web access and time limits on computer use
Printing             %                                                          Printers a user can use, and page footer settings
Software Update      %                                                          Server to use for updates
System Preferences   %                                                          System preferences that are enabled on the user’s computer
Time Machine         %                                                          Which volumes are backed up and how long the backup files are retain
Environment | Desired effect | Key login settings
Corporate workstation | Users must enter their name and password to log in. Users should be able to work without being logged out. Except for primary users, no one can log in unless they have a network or local account. | • Message: “If you have issues, contact the IT help desk at ...
Any preferences associated with the user, the chosen workgroup, parent workgroups, and the computer being used take effect upon login. If you manage login access preferences, you can customize the workgroup choosing process. For example, you could:
• Ensure that the workgroup chooser is always shown (by selecting “Always show workgroup dialog during login,” and in login options, deselecting “Local administrators may refresh or disable management”).
Applications can be stored locally on a computer’s hard disk or on a server in a share point. If applications are stored locally, users can find them in the Applications folder. If applications are stored in a share point and you don’t add the share point as a login item, the user must connect to the server by choosing Go > Connect to Server in the Finder to locate and use applications. Applications can also be made available through an automounted share point as the /Network/Applications mount record.
Chapter 10 Managing Preferences
This chapter provides information about managing preferences for users, workgroups, computers, and computer groups. By managing preferences for users, workgroups, computers, and computer groups, you can customize the user’s experience and restrict user access to only the applications and network resources you choose. To manage preferences, use the Preferences pane in Workgroup Manager.
Preference pane | What you can manage
Dock | Dock location, behavior, and items. For more information, see “Managing Dock Preferences” on page 174.
Energy Saver | Performance options for Mac OS X client and server computers, battery usage for portable computers, and sleep or wake options. For more information, see “Managing Energy Saver Preferences” on page 177.
Finder | Finder behavior, desktop appearance and items, and availability of Finder menu commands.
A user whose account has defined preferences is referred to as a managed user. An individual computer, or a computer that is a member of a computer group with defined preferences, is called a managed computer. A group with defined preferences is called a workgroup. Energy Saver, Time Machine, and Login preferences can be defined only for computers and computer groups, but other preferences can be defined for users, workgroups, computers, and computer groups.
You could set up Media Access preferences for workgroups or computer groups to limit all students’ access but override these restrictions for lab assistants using Media Access settings at their user account level. You could also designate a specific computer for media recording by overriding the restrictions at the computer level.
• Inherited preferences are preferences set at only one level. In some cases, you may find it easier and more useful to set certain preferences at only one level.
Computer group preferences also offer a way to manage the preferences of users who don’t have a network account but who can log in to a Mac OS X computer using a local account. (The local account, defined using the Accounts pane of System Preferences, resides on the user’s computer.) To manage local accounts, set up a computer group that supports local-only accounts. Preferences associated with the computer group and with any workgroup a user selects during login take effect.
• Once is available for some preferences. You can create default preferences, which users can then modify and keep the modifications. These preferences are effectively unmanaged. For example, you could set up a group of computers to display the Dock in a certain way the first time users log in. A user can change these preferences (which you’ve set to Once), and the changes always apply to that user.
Managing preferences means you can control settings for certain system preferences in addition to controlling user access to system preferences, applications, printers, and removable media. Information about settings and preferences in user, group, or computer records is stored in a directory domain accessible to Workgroup Manager, such as an Open Directory domain. Preferences are stored in a record, which is either a user, group, or computer record.
5 In each Preference pane, select a Manage option. In Media Access, the management setting applies to all preferences rather than to individual panes.
6 Select preference settings or fill in information you want to use. Some management settings are not available for some preferences, and some preferences are not available for some types of accounts.
7 When you finish, click Apply Now.
Managing Group Preferences
Group preferences are shared among all users in the group.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Click the Computers button and select one or more computers.
4 Click the icon for the preference you want to manage.
5 In each preference pane, select a Manage option. In Media Access, the management setting applies to all preferences rather than to individual panes.
You can use the Once setting to create default settings. These are settings that, when saved, take effect the next time users log in. Users can then modify their settings and save their modified settings for future use.
To selectively disable preference management:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon.
• If you don’t manage the Applications pane, Legacy settings take effect for any version of Mac OS X.
• If your users run Mac OS X v10.4 or earlier, only Legacy settings take effect.
You can also use settings in Applications preferences to allow only specific widgets in Dashboard or to disable Front Row. The table below describes what the settings in each Applications pane can do.
Applications that include helper applications are denoted by a disclosure triangle. When you click the disclosure triangle, you’ll see a list of helper applications. By default, these helper applications are allowed to open. You can disable individual helper applications, but the application may behave erratically if it requires the helper applications. To allow or prevent users from launching an application, add the application or application path to one of three lists:
• Always allow these applications.
6 Select “Restrict which applications are allowed to launch.”
7 Click the Applications tab (within the Applications pane), click the Add (+) button, choose an application you want to always allow, and then click Add. When you allow an application, you also allow all helper applications included with that application. You can deselect helper applications to disallow them.
8 If you’re asked to sign the application, click Sign; if you’re asked to authenticate, authenticate as a local administrator.
8 To prevent users from opening specific widgets, select the widget and click the Remove (–) button.
9 Click Apply Now.
Disabling Front Row
With Workgroup Manager, you can disable Front Row.
To disable Front Row:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Allowing UNIX tools enhances application compatibility and efficient operation, but may decrease security. If you don’t manage Applications settings for computers running Mac OS X v10.5 or later, Legacy settings are used.
To set up a list of accessible applications:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon.
The table below describes what settings in each Classic pane can do.
Classic preference pane | What you can control
Startup | Which folder is the Classic System Folder and what occurs when Classic starts
Advanced | Items in the Apple menu, Classic sleep settings, and the user’s ability to turn off extensions or rebuild the Classic desktop file during startup
Selecting Classic Startup Options
Workgroup Manager provides a number of ways to control how and when the Classic environment starts.
8 Click Apply Now.
Choosing a Classic System Folder
In most cases, there is only one Mac OS 9 System Folder on a computer, and it is on the Mac OS X startup disk. In this case, you don’t need to specify a Classic System Folder. If a computer has multiple Mac OS 9 System Folders on the startup disk and you haven’t set a specific path to one folder, users receive an error message and can’t use Classic.
You can allow users to perform special actions, such as turning off extensions, starting or restarting Classic, or rebuilding the Classic desktop file, from the Advanced pane of Classic system preferences. You might want to allow this for specific users, such as members of your technical staff.
To allow special actions during restart:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Classic.
5 Click Advanced and then set the management setting to Always.
6 To remove the Chooser and Network Browser from the Apple menu, select “Hide Chooser and Network Browser.” Deselect this option to show Chooser and Network Browser.
Maintaining Consistent User Preferences for Classic
Ordinarily, Classic looks for a user’s Mac OS 9 preferences data in the Mac OS 9 System Folder. If a user has more than one computer, or if multiple users work on the same computer, make sure Classic uses preferences from the Home folder in ~/Library/Classic/ so that preferences remain consistent for each user.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Dock and then click Dock Display.
5 Set the management setting to Once or Always.
6 Drag the Dock Size slider to make the Dock smaller or larger.
5 Click Dock and then click Dock Items.
6 Set the management setting to Once or Always. If you select Once, the group folder icon appears in the user’s Dock initially, but the user can remove it.
7 Select “Add group folder.”
8 Click Apply Now.
If you change the location of the group share point, update the Dock item for the group in Workgroup Manager.
Adding Items to a User’s Dock
You can add applications, folders, or documents to a user’s Dock for easy access.
The My Applications folder contains aliases for approved applications listed in the Applications preference pane. If you do not manage the Applications preference, available applications are shown. If you enable Simple Finder, you should display the My Applications folder.
8 To add the Documents folder, select Documents. The Documents folder is located in the user’s home folder.
9 To add the Network Home folder, select Network Home.
The table below summarizes what you can control with settings in each Energy Saver pane.
7 To set wake and restart settings, choose Options from the Settings pop-up menu and do the following:
To do this | Do this
Wake the computer when the modem is activated | Select “Wake when the modem detects a ring.”
Wake the computer when an administrator attempts remote access | Select “Wake for Ethernet network administrator access.”
Allow users to press the power button (without holding it down) to sleep the computer (for client computers with Mac OS X v10.3 or later) | Select “Allow power button to sleep the computer.”
6 To adjust sleep settings, choose Sleep from the Settings pop-up menu and do the following:
To do this | Do this
Set the length of time the desktop computer waits to enter sleep mode | Move the “Put the computer to sleep when it is inactive for” slider. The computer does not enter sleep mode if the slider is set to Never. The default setting for adapter power supplies is 10 minutes. The default setting for battery power supplies is five minutes.
Users should be encouraged to monitor battery status when not connected to external power and use a power adapter when possible to maintain a fully charged battery.
To show battery status in the menu bar:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
8 Click Apply Now.
Managing Finder Preferences
You can control various aspects of Finder menus and windows, which can help improve or control workflow. For example, you can simplify the user experience by enabling Simple Finder. You can also prevent users from writing to or ejecting disks. The table below summarizes what you can do with each Finder preference pane.
To turn on Simple Finder:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Finder, click the Preferences tab, and then select a management setting.
4 Click Finder, click the Preferences tab, and then select a management setting.
5 Under “New Finder window shows,” choose the default folder for the Finder window. Select Home to show items in the user’s home folder. Select Computer to show the top-level folder, which includes local disks and mounted volumes.
6 To display folder contents in a separate window when a user opens a folder, select “Always open folders in a new window.
5 Select “Always show file extensions.”
6 Click Apply Now.
Controlling User Access to Remote Servers
Users can connect to a remote server by choosing the “Connect to Server” command in the Finder Go menu and providing the server’s name or IP address. If you don’t want users to access this menu item, you can hide the command.
To hide the “Connect to Server” command:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Finder, click Commands, and then set the management setting to Always.
5 Deselect Eject.
6 Click Apply Now.
Hiding the Burn Disc Command in the Finder
On computers with appropriate hardware, users can burn discs (write information to recordable CDs or DVDs).
4 Click Finder, click Commands, and then set the management setting to Always.
5 Deselect “Go to Folder.”
6 Click Apply Now.
Removing Restart and Shut Down from the Apple Menu
If you don’t want to allow users to restart or shut down the computer they’re using, you can remove the Restart and Shut Down commands from the Apple menu.
To hide the Restart and Shut Down commands:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
8 Click Apply Now.
Adjusting the Appearance of Finder Window Contents
Items in Finder windows can be viewed in a list or as icons. You can control aspects of how these items look, as well as whether to show the toolbar in a Finder window. Default View settings control the overall appearance of all Finder windows. Computer View settings control the view for the top-level computer folder, showing hard disks and disk partitions, external hard drives, mounted volumes, and removable media (such as CDs or DVDs).
Managing Login Preferences
Use Login preferences to set options for user login, to provide password hints, and to control the user’s ability to restart and shut down the computer from the login window. You can also mount a group volume or set applications to open when a user logs in. The table below summarizes what you can do with settings in each Login pane.
List setting | Mac OS X version | Effect
Show mobile accounts | 10.5 | Lists mobile accounts with a local home folder and external accounts
Show network users | 10.4 and 10.5 | Lists network accounts and mobile accounts without a local home folder
Show computer administrators | 10.4 and 10.5 | Lists local system administrators
Show “Other...” | 10.4 and 10. |
To ensure that a type of user doesn’t show up in the list, deselect the corresponding setting. To display mobile accounts on client computers with Mac OS X v10.5 or later, select “Show mobile accounts.” To display mobile accounts on client computers with Mac OS X v10.4 installed, select “Show local users.” To allow unlisted users to log in, select “Show Other.”
11 To allow the user to restart the computer, select “Show Restart button.
Option | What this does when enabled
Set computer name to computer record name | For computers with Mac OS X v10.5 or later: You can set the computer name. This name affects the client computer’s Bonjour name, which other computers on the local subnet use to access the client computer. The new Bonjour name is name-#.local, where name is the computer record name you specify and # uniquely identifies the computer if there are several computers with the same Bonjour name.
Note: A user with an administrator account in a client computer’s local directory domain can always log in.
To choose who can log in:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more computers or computer groups.
The following access options control workgroup settings at login.
Option | What this does when enabled
Local-only users use available workgroup settings | For computers with Mac OS X v10.4 or later: Local users must choose a workgroup when logging in. The user can choose from all workgroups that can access the computer. The user’s environment is the same as if he or she were a member of the workgroup.
Ignore workgroup nesting | For computers with Mac OS X v10.
When enabling the use of login and logout scripts, you can set a trust value for the client. Trust values determine the required level of authentication before a client trusts a server enough to run its scripts. Most trust values directly correlate to LDAP security policy settings that are configured in Directory Utility. The trust value of DHCP doesn’t correlate to a security policy. Instead, it correlates to whether Directory Utility is configured to use a DHCP-supplied LDAP server.
4 Click Edit.
5 If the local host name contains special characters (characters that are not letters or numbers), such as spaces, dashes, and underscores, remove the special characters and then click OK. For example, change local host names like “Anne-Johnson’s-Computer” to “AnneJohnsonsComputer.”
6 Optionally, determine the trust level by entering the following command in Terminal:
dscl localhost -read /LDAPv3/www.apple.com dsAttrTypeStandard:TrustInformation
Replace www.apple.com with the address of your LDAP directory.
You can’t run scripts that are larger than 30 KB.
To choose login or logout scripts:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more computers or computer groups.
4 Click Login and then click Scripts.
5 Set the management setting to Always.
The application remains open but its windows and menu bar remain hidden until the user activates the application (for example, by clicking its icon in the Dock).
8 To automatically connect the user to a server, select the server and then select “Mount share point with user’s name and password.” The server must use the same directory domain as the one the user logs in to.
9 If you don’t want users to have the ability to add and remove items, deselect “User may add and remove additional items.
To automatically mount the Network Home:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select a mobile user account in the account list.
4 Click Login and then click Items.
5 Select a management setting.
6 Select “Add network home share point.”
7 Click Apply Now.
If you don’t want the group share point to appear in the Dock, select the Hide checkbox.
9 Make sure “Mount share point with user’s name and password” is selected.
10 Click Apply Now.
Managing Media Access Preferences
Media Access preferences let you control settings for and access to CDs, DVDs, the local hard disk, and external disks (for example, floppy disks and FireWire drives). The table below describes what you can do with the settings in each Media Access pane.
Controlling Access to Hard Drives, Disks, and Disk Images
You can control access to internal or external disk drives such as floppy disk drives, Zip drives, and FireWire drives. You can also control access to disk images (files with the .dmg extension). If you disallow external disks, external disks are not displayed in the Finder. If you disallow disk images, the images are visible in the Finder but users can’t open them.
6 In Disc Media or Other Media, select “Eject all removable media at logout.”
7 Click Apply Now.
Managing Mobility Preferences
You can automatically create mobile accounts for users during their next login. If your computers have Mac OS X v10.5 or later, you can also encrypt the contents of the mobile account’s portable home directory, restrict its size, choose its location, or set an expiration date on the account. The table below describes what you can do with the settings in each Mobility pane.
Note: When a mobile account is enabled, it appears in the login window and in the Accounts pane of System Preferences with the label Mobile. When the account is selected in the Accounts pane, some settings may appear dimmed.
To create a mobile account using Workgroup Manager:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon.
After a user creates a mobile account, the local home folder for that account stays on the computer until it’s deleted. You can delete the local home folders to save disk space, or you can set an expiration period on the mobile account so the local home folders are deleted when the account expires. For instructions, see “Manually Removing Mobile Accounts from Computers” on page 204, and “Setting Expiration Periods for Mobile Accounts” on page 209.
6 Choose one of the following home folder options and then click OK.
Option | Effect
Save the home folder in a disk image | Removes a user account from the local directory domain but preserves the local home folder in /Users/username.dmg, where username is the short name of the deleted user.
Do not change the home folder | Removes a user account from the local directory domain but preserves the local home folder in /Users as “username (Deleted),” where username is the short name of the deleted user.
Additionally, if you make the maximum size of the local home folder smaller than the network home disk quota, you can provide more flexibility for handling files with sync conflicts. If a mobile account is protected with FileVault, the user must be logged in to share files using File Sharing.
To enable FileVault for mobile accounts:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon.
Selecting the Location of a Mobile Account
You can select the location of a mobile account’s local home folder or you can let the user select the location. If you select the location, choose from one of the following.
Home folder location | Description
on startup volume | The local home folder is located on the startup volume in /Users/. This is the default location where the local home folders of mobile accounts on computers with Mac OS X v10.4 and earlier are stored.
4 Click Mobility, click Account Creation, click Creation, and then set the management setting to Always.
5 Select “Create mobile account when user logs in to network account.” This option must be selected to enable a mobile account for the selected account.
6 Click Options and then set the management setting to Always.
7 Select a “Home folder location” option.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Mobility, click Account Creation, click Creation, and then set the management setting to Always.
5 Select “Create mobile account when user logs in to network account.” This option must be selected to enable a mobile account for the selected account.
To set an expiration period:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Mobility and then click Account Expiry.
5 Set the management setting to Always.
Precede the folder with ~/ to denote the location of the synced folder in the user’s home folder. For example, to sync the user’s Documents folder, enter ~/Documents.
8 Alternatively, click the Browse (...) button for the “Sync at login and logout” and “Sync in the background” lists to browse to a folder. Because you are browsing the computer currently running Workgroup Manager, you might choose a folder that is not located in the user’s account.
9 Click Apply Now.
Setting the Background Sync Frequency
You can change the frequency of syncing for background folders. By default, background folders sync every 20 minutes. You can set frequencies from 5 minutes to 8 hours. If you set the frequency to a long interval, you run a higher risk of users loading older, outdated files. If users save files and log off before the background files sync, when they load the same file on another computer, they might get either an older synced file or no file at all.
• Enabling background, login, and logout sync
• Selecting what is synced
• Setting the sync frequency
• Enabling the mobile account status menu
If you disable the mobile account status menu, the user can still configure his or her mobile account in the Accounts pane of System Preferences.
To show mobile account status in the user’s menu bar:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon.
You must assign a single server for every type of proxy server (for example, you can’t have multiple FTP proxy servers).
To configure proxy servers for a user or a group:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
• A domain name, such as apple.com. This bypasses apple.com but not subdomains such as store.apple.com.
• An entire website including all subdomains, such as *.apple.com.
• A subnet in Classless Inter-Domain Routing (CIDR) notation. For example, to add the subnet 192.168.2.x, enter 192.168.2.0/24. For a detailed description of subnet masks and CIDR notation, see Network Services Administration.
7 Click Apply Now.
5 Set the management setting to Always.
6 Select Disable Internet Sharing.
7 Click Apply Now.
Disabling AirPort
If you disable AirPort, it is disabled the next time a computer retrieves managed preferences. If the computer had active AirPort connections, they are immediately disconnected. To reenable AirPort, you must log in to the computer locally and enable it in the Network pane of System Preferences.
To disable AirPort:
1 In Workgroup Manager, click Preferences.
Managing Parental Controls Preferences
Parental Controls preferences allow you to hide profanity in Dictionary, limit access to websites, or set time limits or other constraints on computer usage. To manage Parental Controls preferences, computers must have Mac OS X v10.5 or later. The table below describes what settings in each Parental Controls pane can do.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Parental Controls and then click Content Filtering.
5 Set the management setting to Always.
6 Select “Limit access to websites by” and choose “trying to limit access to adult websites.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Parental Controls and then click Content Filtering.
5 Set the management setting to Always.
6 Select “Limit access to websites by” and choose “allowing access to the following websites only.
If you set a time limit for computer usage, users who meet their daily time limits can’t log in until the next day when their quota is reset. You can set different time limits for weekdays (Monday through Friday) and weekends (Saturday and Sunday). The time limit can range from 30 minutes to 8 hours. If you set a curfew, users can’t log in during the days and times you specify. If a user is logged in when their curfew starts, the user is immediately logged out.
Making Printers Available to Users
To give users access to printers, you must first set up a printer list. Then you can allow specific users or groups to use printers in that list. You can also make printers available to computers. A user’s list of printers is a combination of printers available to the user, the group selected at login, and the computer used.
To create a printer list for users:
1 In Workgroup Manager, click Preferences.
6 Click Printer List.
7 Deselect “Allow user to modify the printer list.”
8 Click Apply Now.
Restricting Access to Printers Connected to a Computer
In some situations, you might want only certain users to print to a printer connected directly to their computer. For example, if you have a computer in a classroom with a printer attached, you can reserve that printer for teachers by making the teacher an administrator and requiring an administrator’s user name and password to access the printer.
4 Click Printing and then click Printers. 5 Set the management setting to Always. 6 Click Access. 7 Select a printer listed in User’s Printer List and then click Make Default. 8 Click Apply Now. Restricting Access to Printers You can require an administrator user name and password to print to specific printers. To restrict access to a specific printer: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. 3 Select one or more users, groups, computers, or computer groups. 4 Click Printing and then click Footer. 5 Set the management setting to Always. 6 Select “Print page footer (user name and date).” 7 To print the Ethernet ID, select “Include MAC address.” 8 Choose a font for the footer from the Font name pop-up menu.
If a user can see a particular preference, it does not mean the user can modify that preference. Some preferences, such as Startup Disk preferences, require an administrator name and password before a user can modify its settings. The preferences that appear in Workgroup Manager are those installed on the computer you’re currently using.
Time Machine is most appropriate for backing up computers with primarily local accounts. It is also useful if users have administrative control over the computer and can install their own applications. You can limit the total backup storage per computer. When you limit total backup storage for a computer group, the limit applies to each computer in it. If you limit a computer group to 2 GB, and the computer group has five members, the computer group can use up to 10 GB of backup storage.
Managing Universal Access Preferences Universal Access settings can help improve the user experience for some users. For example, if a user has difficulty using a computer or wants to work in a different way, you can choose settings that enable the user to work more effectively. Using Workgroup Manager, you can set up and manage Universal Access settings for specific workgroups or computers dedicated to users with special needs.
To adjust screen appearance: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. 3 Select one or more users, groups, computers, or computer groups. 4 Click Universal Access. 5 Click Seeing and then select a management setting.
Sticky Keys helps users who can’t press multiple keys simultaneously. It treats a sequence of modifier keys (Shift, Command, Option, and Control) like a key combination. For example, to press Command-O, users can press Command and then O. To hold down a key with multiple keystrokes, users can press the key twice. For example, pressing Shift twice is like using Caps Lock, except that it also presses Shift when entering commands.
To turn off the key-combination alert, deselect “Beep when a modifier key is set.” To turn off onscreen display of keystrokes, deselect “Show pressed keys on screen.” 7 To activate Slow Keys, select Slow Keys On. If you don’t want audio feedback during keystrokes, deselect “Use click key sounds.” Move the slider to adjust the amount of delay between when a key is pressed and when the computer accepts it. 8 Click Apply Now.
To allow Universal Access Shortcuts: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. 3 Select one or more users, groups, computers, or computer groups. 4 Click Universal Access. 5 Click Options and then set the management setting to Once or Always.
For example, in Safari you can disable JavaScript by setting the JavaScript Enabled key to “false.” If you save this key in the Often group, the user can enable JavaScript during their current login session but JavaScript is disabled when the user logs out and logs in again. Some application developers provide preference manifests. A preference manifest simplifies modification of preferences by providing names and descriptions of keys that are honored by an application, and tells you how to set them.
When you use your own application preferences, you can choose the management frequency applied to those preferences:
Once: Similar to the Once setting in the main interface. Sets a preference but allows the user to change that preference and retain his or her changes.
Often: Only available in the preference editor. Allows users to modify their preferences, but the preferences revert to your managed setting every time the user begins a new session.
8 Click Add. 9 If you’re asked to replace the manifest, click Replace to replace the manifest. Replacing the manifest changes the underlying manifest file for the application but it doesn’t change existing managed preferences. 10 If you’re asked to replace the managed preferences, click Replace to remove existing managed preferences and replace them with preferences from the application you’re adding.
3 Select one or more users, groups, computers, or computer groups. 4 Select an item in the list and click the Edit (pencil) button. 5 To locate the keys you want to change, click the disclosure triangles. 6 To add a key to the application’s preferences file, click the disclosure triangle for the frequency, select the frequency, click New Key, click the New Item entry that is created, and choose a key from the pop-up menu, or choose Edit and enter a new key.
Using the Preference Editor to Manage Core Services You can add several important manifests by adding a single core services bundle. These manifests allow management of many features that are unavailable through the main preference editing interface. For example, you can disable Bluetooth, lock iTunes parental controls, and set the license number and registration key for all iWork ‘08 installations.
To add the core services bundle to the preference editor list: 1 In Workgroup Manager, click Preferences and then click Details. 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. 3 Select one or more users, groups, computers, or computer groups. 4 Click the Add (+) button. 5 Select /System/Library/CoreServices/ManagedClient.
4 Click the Add (+) button, select /Applications/Safari, and then click Add. The preference manifests included with older versions of Safari don’t have as many configurable preferences as the Safari version included with Mac OS X v10.5 or later. You can replace old Safari preference manifests by adding the new Safari application, and then clicking Replace in the dialog that appears. 5 To edit Safari preferences, select Safari (with the Preference ID com.apple.
11 Solving Problems 11 If you encounter problems as you work with Workgroup Manager, you may find a solution in this chapter. If the answer to your question isn’t here, try searching Workgroup Manager Help for new topics. You can also search the Apple Service & Support website for information and solutions at www.apple.com/support/. Diagnosing Common Network Issues Before you try the solutions in this chapter, make sure your network is properly configured.
Your computers should be on the same time zone. If they are not on the same time zone, send the following UNIX command: sudo systemsetup -settimezone ‘US/Pacific’ For other time zones, see the man page for systemsetup. For instructions on sending UNIX commands through Apple Remote Desktop, see the Apple Remote Desktop Administrator’s Guide.
The resulting log should have an answer section, which displays the IP address of your Open Directory master server. If there is no answer section, or if the IP address is incorrect, perform further analysis on your DNS service. 3 In the Lookup pane of Network Utility, enter the IP address of your Open Directory master server and click Lookup. The resulting log should display the domain name of your Open Directory master server. If the domain name is incorrect, perform further analysis on your DNS service.
3 On a client computer, open Network Utility, click Info, and then select the network interface that connects to your network. If the displayed IP address is not in your range of supplied addresses, the computer is not receiving an IP address through your DHCP service. If the IP address is 169.254.x.x, it is a self-assigned IP address. This means your computer is not receiving DHCP service. If the IP address is not an assigned address and is not 169.254.x.
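The two checks above (is the client’s address one your DHCP service handed out, or a self-assigned 169.254.x.x address, and do the forward and reverse DNS answers for the Open Directory master agree) can be scripted for a batch of clients. The script below is an added example, not part of Apple’s guide; the address range, host name and lookup answers are constructed, and in real use the forward and reverse answers would come from the output of `dig +short` or the Lookup pane.

```shell
#!/bin/sh
# Added example (not from the guide): classify a client's IPv4 address against
# the DHCP range and check that forward and reverse DNS for the Open Directory
# master agree. All addresses and names below are constructed sample values.

# is_link_local ADDR -> 0 if ADDR is a self-assigned 169.254.x.x address,
# which means the client got no answer from the DHCP service.
is_link_local() {
    case "$1" in
        169.254.*) return 0 ;;
        *) return 1 ;;
    esac
}

# ip_to_int A.B.C.D -> prints the dotted-quad address as one integer so that
# addresses can be compared as a numeric range.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_dhcp_range ADDR FIRST LAST -> 0 if ADDR lies within [FIRST, LAST].
in_dhcp_range() {
    addr=$(ip_to_int "$1"); first=$(ip_to_int "$2"); last=$(ip_to_int "$3")
    [ "$addr" -ge "$first" ] && [ "$addr" -le "$last" ]
}

# classify_client_ip ADDR FIRST LAST -> prints one of:
#   self-assigned  (169.254.x.x: DHCP service not reached)
#   dhcp           (inside the range the DHCP service supplies)
#   outside-range  (a static or foreign address; investigate the client)
classify_client_ip() {
    if is_link_local "$1"; then
        echo self-assigned
    elif in_dhcp_range "$1" "$2" "$3"; then
        echo dhcp
    else
        echo outside-range
    fi
}

# dns_roundtrip_ok NAME IP FORWARD REVERSE -> 0 when the forward answer equals
# IP and the reverse answer (trailing dot stripped, case-insensitive) equals
# NAME. A mismatch means the DNS service needs further analysis.
dns_roundtrip_ok() {
    rev=${4%.}
    [ "$3" = "$2" ] &&
    [ "$(printf '%s' "$rev" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ]
}

# Constructed sample run: DHCP range 192.168.1.100-192.168.1.199,
# Open Directory master odmaster.example.com at 192.168.1.10.
for client in 192.168.1.150 169.254.10.4 10.0.0.5; do
    echo "$client: $(classify_client_ip "$client" 192.168.1.100 192.168.1.199)"
done
if dns_roundtrip_ok odmaster.example.com 192.168.1.10 192.168.1.10 ODMaster.example.com.; then
    echo "DNS forward/reverse answers for the Open Directory master agree"
else
    echo "DNS mismatch for the Open Directory master: check the DNS service"
fi
```

In a live run, replace the constructed forward and reverse answers with `dig +short odmaster.example.com` and `dig +short -x 192.168.1.10`; a client that reports `self-assigned` has never reached the DHCP service, while `outside-range` usually means a static address was configured on the client itself.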
An administrator account in the computer’s local directory domain can’t be used to authenticate as an administrator of a shared LDAP directory. If You Can’t Modify a User’s Open Directory Password To modify the password of a user whose password type is Open Directory, you must be an administrator of the directory domain where the user’s record resides. In addition, your user account must have a password type of Open Directory.
• If the user’s account resides in a directory domain that is not available, create a user account in a directory domain that is available. • Make sure the client software encodes the password so it is recognized correctly. For example, Open Directory recognizes UTF-8 encoded strings, which may not be sent by some clients. • Make sure the user’s current application and operating system support the user’s password length.
If Users Can’t Log In with Accounts in a Shared Directory Domain Users can’t log in using accounts in a shared directory domain if the server hosting the directory isn’t accessible. A server can become inaccessible due to a problem with the network, the server software, or the server hardware. Problems with the server hardware or software affect users trying to log in to Mac OS X computers and users trying to log in to the Windows domain of a Mac OS X Server primary domain controller (PDC).
If a Windows User Has No Home Folder If a user’s home folder isn’t mounted in Windows, verify the following: • Make sure the correct home folder location is selected in the Home pane of Workgroup Manager. • Make sure the home folder path is correct in the Windows pane of Workgroup Manager. It should be blank to use the home folder specified in the Home pane. • Using Server Admin, connect to the server where the user’s home folder resides.
• If the drive letter chosen for the user might be conflicting with a drive letter in use on the Windows workstation, change the drive letter setting in the Windows pane of Workgroup Manager or change the mappings of other drive letters on the workstation. Solving Preference Management Problems This section describes problems you might encounter while using Workgroup Manager to set up accounts or manage Mac OS X clients. It also provides troubleshooting tips and possible solutions.
For example, suppose the default application for viewing PDF files is Preview. A user logs in and double-clicks a PDF file on his or her desktop. If the management settings that apply to the user don’t provide access to Preview, the file does not open. If the user has access to a different application that can handle PDF files, the user can open that application first and then open the file.
• If the user’s login list does not include any items, all managed login items will open. If you do not select “Merge with user’s items,” all login items on either list will open. If you select Once, a user can remove any items added to their login list. For details about managing automatically opened items, see “Automatically Opening Items After a User Logs In” on page 197.
If Users See a Message About an Unexpected Error When you manage Classic preferences and try to use the Extensions Manager, File Sharing, or Software Update control panels, you might see a message that says “The operation could not be completed. An unexpected error occurred (error code 1016).” This message indicates that an administrator has restricted access to the item the user attempted to use, such as an application the user is not allowed to open.
Appendix Importing and Exporting Account Information Use Workgroup Manager to import and export accounts, or use the dsimport command-line tool to import accounts. You can quickly import or export user, group, computer, and computer group accounts using Workgroup Manager. You can also use the dsimport command-line tool to import user and group accounts. Understanding What You Can Import and Export You can import all record types that are tracked in Workgroup Manager.
Limitations for Importing and Exporting Passwords When creating or overwriting records, you must reset passwords for user accounts with Open Directory or shadow passwords. Importing passwords generally works if the password is a plain-text string in the import file. Additionally, you must set the AuthMethod attribute so Workgroup Manager can import the password. Encrypted passwords in hash format in the import file can’t be recovered. Passwords can’t be exported using Workgroup Manager or any other method.
Archiving the Open Directory Master Instead of exporting and importing records as a backup of directory data, you can archive and restore the Open Directory master’s directory and authentication data. By archiving a copy of the Open Directory master’s directory, you can later restore the directory with passwords intact. For more information and instructions on archiving the Open Directory master, see Open Directory Administration.
6 To indicate what to do when the short name of an account being imported matches that of an existing account, select one of the Duplicate Handling options: • “Overwrite existing record” overwrites any existing record in the directory domain. • “Ignore new record” ignores an account in the import file. • “Add to empty fields” merges data from the import file into the existing account when the data is for an attribute that has no value.
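Because passwords can only be imported as plain-text strings with the AuthMethod attribute set, the import file itself is sensitive, and a short name that collides with an existing account triggers the duplicate handling chosen above. The script below is an added example, not code from Apple’s guide or the dsimport tool: it writes a dsimport-style user file with owner-only permissions, lists duplicated short names before anything is imported, and shows the import invocation only as a comment. The header layout, the attribute names, the AuthMethod value `dsAuthMethodStandard:dsAuthClearText`, the directory node path and the `diradmin` account are assumptions from the dsimport file format, and the user records are constructed sample data.

```shell
#!/bin/sh
# Added example, not from Apple's guide. Prepares a dsimport file for user
# records with plain-text passwords, keeps the file private, and reports
# short-name collisions so the duplicate-handling choice is made deliberately.
# Header layout, attribute names and the AuthMethod value are assumptions
# taken from the dsimport file format; the records are constructed samples.

# Constructed sample records: short name, password, UID, GID, full name.
# The third record deliberately reuses the short name "sam".
SAMPLE_USERS='sam:Wq7-demo:1101:20:Sam Example
lee:Pz4-demo:1102:20:Lee Example
sam:Kr9-demo:1103:20:Sam Duplicate'

# write_import_file OUT -> writes the header line and one record per user to
# OUT. The file is created under umask 077 because it holds clear-text
# passwords; an existing file is removed first so the new mode applies.
write_import_file() {
    out=$1
    ( umask 077
      rm -f "$out"
      {
        # Header (assumed format): record separator 0x0A, escape 0x5C,
        # field separator 0x3A (:), value separator 0x2C (,), then the
        # record type, the attribute count and the attribute names.
        printf '%s\n' '0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 6 dsAttrTypeStandard:RecordName dsAttrTypeStandard:Password dsAttrTypeStandard:UniqueID dsAttrTypeStandard:PrimaryGroupID dsAttrTypeStandard:RealName dsAttrTypeStandard:AuthMethod'
        printf '%s\n' "$SAMPLE_USERS" | while IFS= read -r rec; do
            # AuthMethod marks the Password field as clear text (assumed
            # value). Its own colon is escaped with the declared escape char.
            printf '%s:%s\n' "$rec" 'dsAuthMethodStandard\:dsAuthClearText'
        done
      } > "$out" )
}

# duplicate_short_names FILE -> prints each short name (first field) that
# appears in more than one record; the header line is skipped.
duplicate_short_names() {
    awk -F: 'NR > 1 { n[$1]++ } END { for (k in n) if (n[k] > 1) print k }' "$1"
}

# file_is_private FILE -> 0 when the mode is owner read/write only.
file_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

IMPORT_FILE=${TMPDIR:-/tmp}/users-import.$$.txt
write_import_file "$IMPORT_FILE"

dups=$(duplicate_short_names "$IMPORT_FILE")
if [ -n "$dups" ]; then
    echo "short names duplicated inside the import file: $dups"
    echo "resolve these before choosing Overwrite, Ignore or Merge for duplicates"
fi
file_is_private "$IMPORT_FILE" || echo "warning: $IMPORT_FILE is readable by others"

# Import (assumed invocation; the last argument selects duplicate handling:
# O overwrite, M merge into empty fields, I ignore the new record):
#   dsimport "$IMPORT_FILE" /LDAPv3/127.0.0.1 diradmin I
# Delete the file as soon as the import finishes, since it contains passwords:
#   rm -f "$IMPORT_FILE"
```

The duplicate check only finds collisions inside the file; collisions with accounts already in the directory are what the Duplicate Handling options decide, so run the import with “Ignore new record” (or the matching dsimport argument) first if you are unsure which accounts already exist.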
To export accounts using Workgroup Manager: 1 In Workgroup Manager, click Accounts. 2 Make sure that the directory services of the Mac OS X Server you’re using are configured to access the desired directory domain. For instructions, see Open Directory Administration. 3 Click the globe icon and then choose the domain where you want to import accounts. 4 To authenticate, click the lock and enter the name and password of a directory domain administrator. 5 Select the accounts to export.
The following group account attributes might be present in the XML files: • Group name (required) • Group ID (required) • One member’s short name (required) • Other members’ short names Using XML Files Created with AppleShare IP 6.3 You can use the Web & File Admin application on an AppleShare IP 6.3 server to create an export file and then use Workgroup Manager or dsimport to import that file into an Open Directory domain. The following user account attributes are exported into the XML files.
Glossary This glossary defines terms and spells out abbreviations you may encounter while working with online help or the various reference manuals for Mac OS X Server. References to terms defined elsewhere in the glossary appear in italics. access control list See ACL. ACE Access Control Entry. An entry within the ACL that controls access rights. See ACL. ACL Access Control List. A list, maintained by a system, that defines the rights of users and groups to access resources on the system.
computer account A computer account stores data that allows Mac OS X Server to identify and manage an individual computer. You create a computer account for each computer that you intend to add to a computer group. See also computer group. computer group A set of computers and computer groups, which all receive the managed preference settings defined for the group. New in Mac OS X Server version 10.5. See also computer list.
DNS Domain Name System. A distributed database that maps IP addresses to domain names. A DNS server, also known as a name server, keeps a list of names and the IP addresses associated with each name. drop box A shared folder with privileges that allow other users to write to, but not read, the folder’s contents. Only the owner has full access. Drop boxes should be created only using AFP.
GUID Globally unique identifier. A hexadecimal string that uniquely identifies a user account, group account, or computer list. Also used to provide user and group identity for access control list (ACL) permissions, and to associate particular users with group and nested group memberships. GUIDs are 128-bit values, which makes the generation of duplicate GUIDs extremely unlikely. home directory See home folder. home folder A folder for a user’s personal use.
local directory domain A directory of identification, authentication, authorization, and other administrative data that’s accessible only on the computer where it resides. The local directory domain isn’t accessible from other computers on the network. local domain A directory domain that can be accessed only by the computer it resides on. local home directory See local home folder. local home folder A home folder that resides on disk on the computer a user is logged in to.
multicast DNS A protocol developed by Apple for automatic discovery of computers, devices, and services on IP networks. Called Bonjour (previously Rendezvous) by Apple, this proposed Internet standard protocol is sometimes referred to as ZeroConf or multicast DNS. For more information, visit www.apple.com or www.zeroconf.org. To see how this protocol is used in Mac OS X Server, see local hostname. name server A server on a network that keeps a list of names and the IP addresses associated with each name.
POP Post Office Protocol. A protocol for retrieving incoming mail. After a user retrieves POP mail, it’s stored on the user’s computer and is usually deleted automatically from the mail server. portable home directory A portable home directory provides a user with both a local and network home folder. The contents of these two home folders, as well as the user's directory and authentication information, can be automatically kept in sync. POSIX Portable Operating System Interface for UNIX.
scope A group of services. A scope can be a logical grouping of computers, such as all computers used by the production department, or a physical grouping, such as all computers located on the first floor. You can define a scope as part or all of your network. search path See search policy. search policy A list of directory domains searched by a Mac OS X computer when it needs configuration information; also, the order in which domains are searched. Sometimes called a search path.
TCP Transmission Control Protocol. A method used with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. IP handles the actual delivery of the data, and TCP keeps track of the units of data (called packets) into which a message is divided for efficient routing through the Internet. UID User ID. A number that uniquely identifies a user within a file system. Mac OS X computers use the UID to keep track of a user’s folder and file ownership.