The owner or authorized user of a valid copy of
Mac OS X Server software may reproduce this
publication for the purpose of learning to use such
software. No part of this publication may be reproduced
or transmitted for commercial purposes, such as selling
copies of this publication or for providing paid for
support services.
Every effort has been made to ensure that the
information in this manual is accurate. Apple Computer,
Inc., is not responsible for printing or clerical errors.
Use of the “keyboard” Apple logo (Option-Shift-K) for
commercial purposes without the prior written consent
of Apple may constitute trademark infringement and
unfair competition in violation of federal and state laws.
Apple, the Apple logo, AirPort, AppleShare, AppleTalk,
FireWire, iBook, Keychain, LaserWriter, Mac, Mac OS,
Macintosh, PowerBook, and QuickTime are trademarks
of Apple Computer, Inc., registered in the U.S. and other
countries. Extensions Manager, Finder, and SuperDrive
are trademarks of Apple Computer, Inc.
Adobe and PostScript are trademarks of Adobe Systems
Incorporated.
Java and all Java-based trademarks and logos are
trademarks or registered trademarks of Sun
Microsystems, Inc. in the U.S. and other countries.
PowerPC is a trademark of International Business
Machines Corporation, used under license therefrom.
UNIX is a registered trademark in the United States and
other countries, licensed exclusively through X/Open
Company, Ltd.
034-2529/02-06-04
Contents

Preface 15 How to Use This Guide
16 Getting Help for Everyday Management Tasks
16 Related Documents
17 Where to Find More Information About User Management
17 If You’re New to Server and Network Management
17 If You’re an Experienced Server Administrator

Chapter 1 19 User Management Overview
19 Tools for User Management
19 Workgroup Manager
21 Server Admin
22 Macintosh Manager
22 NetBoot
23 Network Install
24 Accounts
24 Administrator Accounts
25 Users and Managed Users
25 Guest Users
26 Groups, Primary Groups, and Workgroups
26 Computer Lists
27 The User Experience
28 Authentication
29 Identity Validation
30 Information Access Control

Chapter 2 31 Getting Started With User Management
31 Setup Overview
37 Planning Strategies for User Management
37 Analyzing Your Environment
37 Identifying Directory Services Requirements
38 Using Client Management
38 Using Mobile Accounts
38 Devising a Home Directory Strategy
39 Identifying Groups
39 Determining Administrator Requirements
40 Using Workgroup Manager
40 Opening and Authenticating in Workgroup Manager
41 Major Workgroup Manager Tasks
42 Listing and Finding Accounts
42 Working With Account Lists in Workgroup Manager
43 Listing Accounts in the Local Directory Domain
43 Listing Accounts in Search Path Directory Domains
43 Listing Accounts in Available Directory Domains
44 Refreshing Account Lists
44 Finding Specific Accounts in a List
45 Sorting User and Group Lists
45 Shortcuts for Working With Accounts
45 Batch Editing
45 Using Presets
46 Importing and Exporting Account Information
46 Backing Up and Restoring User Management Data
46 Backing Up and Restoring Files
46 Backing Up Root and Administrator User Accounts

Chapter 3 47 User Management for Mobile Clients
47 Setting Up Mobile Clients
47 Configuring Portable Computers
48 Using Mobile Accounts
48 Creating a Mobile Account
49 Deleting a Mobile Account
49 The User Experience for Mobile Accounts
49 Managing Mobile Clients
50 Unknown Mac OS X Portable Computers
50 Mac OS X Portable Computers With Multiple Local Users
51 Mac OS X Portable Computers With One Primary Local User
51 Managing Mac OS 9 Portable Computers
52 Using Wireless Services

Chapter 4 53 Setting Up User Accounts
53 About User Accounts
53 Where User Accounts Are Stored
54 Predefined User Accounts
54 Administering User Accounts
55 Creating Mac OS X Server User Accounts
55 Creating Read-Write LDAPv3 User Accounts
56 Editing User Account Information
56 Editing Multiple Users Simultaneously
57 Modifying Accounts in an Open Directory Master When You’re a Domain Administrator But Not a Server Administrator
57 Working With Read-Only User Accounts
58 Defining a Guest User
58 Deleting a User Account
58 Disabling a User Account
59 Working With Presets for User Accounts
59 Creating a Preset for User Accounts
59 Using Presets to Create New Accounts
60 Renaming Presets
60 Changing Presets
60 Deleting a Preset
61 Working With Basic Settings for Users
61 Defining Long User Names
62 Defining Short User Names
63 Choosing Stable Short Names
63 Avoiding Duplicate Names
64 Avoiding Duplicate Short Names
65 Defining User IDs
66 Defining Passwords
66 Setting Password Options for Imported Users
67 Assigning Administrator Rights for a Server
67 Assigning Administrator Rights for a Directory Domain
68 Working With Advanced Settings for Users
68 Defining Login Settings
69 Defining a Password Type
69 Creating a Master List of Keywords
70 Applying Keywords to User Accounts
70 Editing Comments
71 Working With Group Settings for Users
71 Defining a User’s Primary Group
72 Adding a User to Groups
72 Removing a User From a Group
73 Reviewing a User’s Group Memberships
73 Working With Home Settings for Users
73 Working With Mail Settings for Users
73 Disabling a User’s Mail Service
74 Enabling Mail Service Account Options
75 Forwarding a User’s Mail
75 Working With Print Settings for Users
75 Disabling a User’s Access to Print Queues Enforcing Quotas
76 Enabling a User’s Access to Print Queues Enforcing Quotas
77 Deleting a User’s Print Quota for a Specific Queue
77 Resetting a User’s Print Quota
78 Choosing Settings for Windows Users

Chapter 5 79 Setting Up Group Accounts
79 About Group Accounts
79 Administering Group Accounts
79 Where Group Accounts Are Stored
79 Predefined Group Accounts
81 Creating Mac OS X Server Group Accounts
81 Creating Read-Write LDAPv3 Group Accounts
82 Creating a Preset for Group Accounts
82 Editing Group Account Information
83 Working With Read-Only Group Accounts
83 Working With Member Settings for Groups
83 Adding Users to a Group
84 Removing Users From a Group
85 Naming a Group
86 Defining a Group ID
86 Working With Group Folder Settings
87 Specifying No Group Folder
87 Creating a Group Folder in an Existing Share Point
88 Creating a Group Folder in a New Share Point
90 Creating a Group Folder in a Subfolder of an Existing Share Point
91 Designating a Group Folder for Use by Multiple Groups
92 Deleting a Group Account

Chapter 6 93 Setting Up Computer Lists
93 About Computer Lists
94 Creating a Computer List
95 Creating a Preset for Computer Lists
95 Using a Computer List Preset
96 Adding Computers to an Existing Computer List
96 Changing Information About a Computer
97 Moving a Computer to a Different Computer List
97 Deleting Computers From a Computer List
98 Deleting a Computer List
98 Searching for Computer Lists
99 Managing Guest Computers
100 Working With Access Settings
100 Restricting Access to Computers
100 Making Computers Available to All Users
101 Using Local User Accounts

Chapter 7 103 Setting Up Home Directories
103 About Home Directories
104 Distributing Home Directories Across Multiple Servers
105 Specifying No Home Directory
105 Creating a Home Directory for a Local User
107 Creating a Network Home Directory
108 Creating a Custom Home Directory
110 Setting Up an Automountable AFP Share Point for Home Directories
111 Setting Up an Automountable NFS Share Point for Home Directories
113 Setting Disk Quotas
113 Defining Default Home Directories by Using Presets
113 Moving Home Directories
114 Deleting Home Directories

Chapter 8 115 Client Management Overview
116 Using Network-Visible Resources
117 Defining Preferences
118 The Power of Preferences
118 Levels of Control
121 Degrees of Permanence
121 Designing the Login Experience
123 Caching Preferences
124 Helping Users Find Applications
124 Helping Users Find Group Folders
125 Installing and Booting Over the Network
126 Day-to-Day Client Administration

Chapter 9 127 Managing Preferences
127 How Workgroup Manager Works With Mac OS X Preferences
128 Managing Preferences
128 About the Preferences Cache
129 Updating the Managed Preferences Cache at Intervals
129 Updating the Preference Cache Manually
130 Managing User Preferences
130 Managing Group Preferences
131 Managing Computer Preferences
131 Editing Preferences for Multiple Records
132 Disabling Management for Specific Preferences
132 Managing Access to Applications
132 Creating a List of Applications Users Can Open
133 Preventing Users From Opening Applications on Local Volumes
134 Managing Access to Helper Applications
134 Controlling the Operation of UNIX Tools
135 Managing Classic Preferences
135 Selecting Classic Startup Options
136 Choosing a Classic System Folder
137 Allowing Special Actions During Restart
137 Controlling Access to Classic Apple Menu Items
138 Adjusting Classic Sleep Settings
139 Maintaining Consistent User Preferences for Classic
140 Managing Dock Preferences
140 Controlling the User’s Dock
141 Providing Easy Access to Group Folders
141 Adding Items to a User’s Dock
142 Preventing Users From Adding or Deleting Items in the Dock
143 Managing Energy Saver Preferences
143 Using Sleep and Wake Settings for Desktop Computers
144 Working With Energy Saver Settings for Portable Computers
145 Displaying Battery Status for Users
146 Scheduling Automatic Startup, Shutdown, or Sleep
147 Managing Finder Preferences
147 Setting Up Simple Finder
148 Keeping Disks and Servers From Appearing on the User’s Desktop
148 Controlling the Behavior of Finder Windows
149 Hiding the Alert Message When a User Empties the Trash
149 Making Filename Extensions Visible
150 Controlling User Access to Remote Servers
150 Controlling User Access to an iDisk
150 Preventing Users From Ejecting Disks
151 Hiding the Burn Disc Command in the Finder
151 Controlling User Access to Folders
152 Removing Restart and Shut Down From the Apple Menu
152 Adjusting the Appearance and Arrangement of Desktop Items
153 Adjusting the Appearance of Finder Window Contents
154 Managing Internet Preferences
154 Setting Email Preferences
154 Setting Web Browser Preferences
155 Managing Login Preferences
155 Specifying How a User Logs In
156 Opening Items Automatically After a User Logs In
157 Providing Access to a User’s Network Home Directory
158 Providing Easy Access to the Group Share Point
159 Preventing Restarting or Shutting Down the Computer at Login
159 Using Hints to Help Users Remember Passwords
160 Allowing Simultaneous Multiple Users on a Client Computer
160 Enabling Automatic Logout for Idle Users
161 Managing Media Access Preferences
161 Controlling Access to CDs, DVDs, and Recordable Discs
162 Controlling Access to Hard Drives and Disks
162 Ejecting Items Automatically When a User Logs Out
163 Managing Mobile Accounts Preferences
163 Managing Printing Preferences
163 Making Printers Available to Users
164 Preventing Users From Modifying the Printer List
164 Restricting Access to Printers Connected to a Computer
165 Setting a Default Printer
165 Restricting Access to Printers
166 Managing Access to System Preferences
167 Managing Universal Access Preferences
167 Adjusting the User’s Display Settings
168 Setting a Visual Alert
168 Adjusting Keyboard Responsiveness
169 Adjusting Mouse and Pointer Responsiveness
170 Enabling Universal Access Shortcuts
171 Allowing Devices for Users With Special Needs

Chapter 10 173 Using Macintosh Manager for Mac OS 9
173 About Macintosh Manager
174 The User Experience
176 Before You Begin
179 Using Update Packages
179 Choosing a Language for Macintosh Manager Servers and Clients
179 Changing the Apple File Service Language Script
180 Inside Macintosh Manager
180 Macintosh Manager Security
180 About the Macintosh Manager Share Point
181 Using Special Characters in Share-Point Names
181 The Multi-User Items Folder
182 How Macintosh Manager Works With Open Directory
184 How Macintosh Manager Works With Home Directories
184 How Macintosh Manager Works With Preferences
185 Using NetBoot With Macintosh Manager
186 Setting Up Mac OS 9 Managed Clients
187 Logging In to Macintosh Manager as an Administrator
187 Working With Macintosh Manager Preferences
188 Importing User Accounts
188 Applying User Settings With a Template
189 Importing All Users
189 Importing One or More Users
189 Collecting User Information in a Text File
190 Importing a List of Users From a Text File
190 Finding Specific Imported Users
191 Providing Quick Access to Unimported Users
192 Providing Access to Unimported Mac OS X Server Users
192 Setting Up a Guest User Account
193 Designating Administrators
194 Creating a Macintosh Manager Administrator
194 Creating a Workgroup Administrator
195 Changing Your Macintosh Manager Administrator Password
195 Working With User Settings
195 Changing Basic User Settings
195 Allowing Multiple Logins for Users
196 Granting a User System Access
196 Changing Advanced Settings
196 Limiting a User’s Disk Storage Space
197 Updating User Information From Mac OS X Server
197 Setting Up Workgroups
198 Types of Workgroup Environments
198 Creating a Workgroup
199 Using a Template to Apply Workgroup Settings
199 Creating Workgroups From an Existing Workgroup
199 Modifying an Existing Workgroup
200 Using Items Settings
200 Setting Up Shortcuts to Items for Finder Workgroups
201 Making Items Available to Panels or Restricted Finder Workgroups
202 Making Items Available to Individual Users
202 Using Privileges Settings
202 Protecting the System Folder and Applications Folder
202 Protecting the User’s Desktop
202 Preventing Applications From Altering Files
203 Preventing Access to FireWire Disks
203 Allowing Users to Play Audio CDs
203 Allowing Users to Take Screen Shots
204 Allowing Users to Open Applications From a Disk
204 Setting Access Privileges for Removable Media
204 Setting Access Privileges for Menu Items
205 Sharing Information in Macintosh Manager
206 Selecting Privileges for Workgroup Folders
206 Setting Up a Shared Workgroup Folder
206 Setting Up a Hand-In Folder
207 Using Volumes Settings
207 Connecting to AFP Servers
207 Providing Access to Server Volumes
208 Using Printers Settings
208 Making Printers Available to Workgroups
209 Setting a Default Printer
209 Restricting Access to Printers
210 Setting Print Quotas
210 Allowing Users to Exceed Print Quotas
210 Setting Up a System Access Printer
211 Using Options Settings
211 Choosing a Location for Storing Group Documents
212 Making Items Open at Startup
213 Checking for Email When Users Log In
213 Creating Login Messages for Workgroups
213 Setting Up Computer Lists
213 Creating Computer Lists
214 Setting Up the All Other Computers Account
214 Duplicating a Computer List
214 Creating a Computer List Template
215 Disabling Login for Computers
215 Using Workgroup Settings for Computers
215 Controlling Access to Computers
216 Using Control Settings
216 Disconnecting Computers Automatically to Minimize Network Traffic
216 Setting the Computer Clock Using the Server Clock
217 Using a Specific Hard Disk Name
217 Creating Email Addresses for Managed Users
218 Using Security Settings for Computers
218 Keeping Computers Secure If a User Forgets to Log Out
218 Allowing Access to All CDs and DVDs
219 Allowing Access to Specific CDs or DVDs
219 Choosing Computer Security Settings for Applications
219 Allowing Specific Applications to Be Opened by Other Applications
220 Allowing Users to Work Offline
220 Switching to a Different Macintosh Manager Server
221 Allowing Users to Force-Quit Applications
221 Allowing Users to Disable Extensions
222 Using Computer Login Settings
222 Choosing How Users Log In
222 Creating Login Messages for Computers
222 Customizing Panel Names
223 Managing Portable Computers
223 Portable Computers With Network Users
223 Portable Computers With Local Users
223 Letting Users Check Out Computers
224 Using Wireless Services
224 Using Global Security Settings
224 Using Macintosh Manager Reports
225 Setting the Number of Items in a Report
225 Keeping the Administration Program Secure
225 Verifying Login Information Using Kerberos
226 Managing User Passwords
226 Allowing Administrators to Access User Accounts
226 Using Global CD-ROM Settings
227 Managing Preferences
227 Using Initial Preferences
228 Using Forced Preferences
229 Sharing Mac OS 9 Application Preferences in the Classic Environment
230 Where to Find More Information

Chapter 11 231 Solving Problems
231 Online Help and the Apple Knowledge Base
231 Solving Account Problems
231 You Can’t Modify an Account Using Workgroup Manager
231 You Can’t See Certain Users in the Login Window
232 You Can’t Unlock an LDAP Directory
232 You Can’t Modify a User’s Open Directory Password
232 You Can’t Change a User’s Password Type to Open Directory
232 You Can’t Assign Server Administrator Privileges
233 Users Can’t Log In or Authenticate
234 Users Relying on a Password Server Can’t Log In
234 Users Can’t Log In With Accounts in a Shared Directory Domain
234 Users Can’t Access Their Home Directories
234 Users Can’t Change Their Passwords
235 A Mac OS X User in Shared NetInfo Domain Can’t Log In
235 Users Can’t Authenticate Using Single Signon or Kerberos
236 Solving Preference Management Problems
236 You Can’t Enforce Default Web Settings
236 You Can’t Enforce Default Mail Settings
236 Users Don’t See a List of Workgroups at Login
237 Users Can’t Open Files
237 Users Can’t Add Printers to a Printer List
237 Login Items Added by a User Don’t Open
237 Items Placed in the Dock by a User Are Missing
238 A User’s Dock Has Duplicate Items
238 Users See a Question Mark in the Dock
238 Users See a Message About an Unexpected Error
239 Solving Macintosh Manager Problems
239 I’ve Forgotten My Administrator Password
239 Administrators Can’t Get to the Finder After Logging In
239 Generic Icons Appear in the Items Pane
239 Selecting “Local User” in the Multiple Users Control Panel Doesn’t Work
239 Some Printers Don’t Appear in the Available Printers List
240 Users Can’t Log In to the Macintosh Manager Server
240 Users Can’t Log In as “Guest” on Japanese-Language Computers
240 A Client Computer Can’t Connect to the Server
240 The Server Doesn’t Appear in the AppleTalk List
240 The User’s Computer Freezes
240 Users Can’t Access Their Home Directories
241 Users Can’t Access Shared Files
241 Shared Workgroup Documents Don’t Appear in a Panels Environment
241 Applications Don’t Work Properly or Don’t Open
241 Users Can’t Drag and Drop Between Applications
241 Users Can’t Open Files From a Web Page
242 Sometimes the Right Application Doesn’t Open for Users

Appendix 243 Importing and Exporting Account Information
243 Understanding What You Can Import
243 Importing and Exporting Information for Macintosh Manager
244 Using Workgroup Manager to Import Users and Groups
245 Using Workgroup Manager to Export Users and Groups
245 Using dsimport to Import Users and Groups
245 Using XML Files Created With Mac OS X Server 10.1 or Earlier
246 Using XML Files Created With AppleShare IP 6.3
247 Using Character-Delimited Files
247 Writing a Record Description

Glossary 251
Index 261
How to Use This Guide
This guide tells you how to use Workgroup Manager and
Macintosh Manager to set up and manage home
directories, accounts, preferences, and settings for clients.
This guide is organized as follows:
• Chapter 1, “User Management Overview,” highlights important concepts, introduces
the user management tools, and tells you where to find additional information about
user management and related topics.
• Chapter 2, “Getting Started With User Management,” describes how to use features
and shortcuts to maximize efficiency when setting up and maintaining accounts and
managed preferences.
• Chapter 3, “User Management for Mobile Clients,” discusses considerations for
managing portable computers.
• Chapters 4, 5, and 6 tell you how to use Workgroup Manager to set up users, groups,
and computer lists.
• Chapter 7, “Setting Up Home Directories,” covers creating home directories.
home directory maintenance, preference management, or client setup and also helps
you solve problems encountered by managed clients.
• Appendix, “Importing and Exporting Account Information,” provides information you’ll
need when you want to transfer account information to or from an external file.
• The Glossary defines terms you’ll encounter as you read this guide.
Preface
15
Getting Help for Everyday Management Tasks
If you want to work with accounts, change preference settings, set up new home
directories, or do any other day-to-day administration task, you can find step-by-step
procedures by using the onscreen help available with Workgroup Manager and
Macintosh Manager. While all the administration tasks are also documented in this
guide, sometimes it’s more convenient to retrieve information via onscreen help while
using your server.
Related Documents
This guide refers to other texts in the server administration suite of documents. Titles of
documentation that may be of particular interest in relation to user management are
listed in the table below. You can find most of these texts on your Mac OS X Server
software CD. Alternatively, you can download the documents from the Mac OS X Server
website: www.apple.com/server/documentation.
Mac OS X Server Documents and their content:

Mac OS X Server Command-Line Administration For Version 10.3 or Later
    How to use a command-line interface to work with Mac OS X Server

Mac OS X Server Getting Started For Version 10.3 or Later
    An overview of features and services provided in Mac OS X Server

Mac OS X Server File Services Administration For Version 10.3 or Later
    How to set up sharing and other file services to allow data storage,
    data retrieval, and collaboration

Mac OS X Server Mail Service Administration For Version 10.3 or Later
    How to set up and administer mail service for users

Mac OS X Server Migration to Version 10.3 or Later
    Advice for transferring data and updating clients to use Mac OS X
    Server and related applications, such as Macintosh Manager

Mac OS X Server Network Services Administration For Version 10.3 or Later
    Information about setting up and using services such as DHCP

Mac OS X Server Open Directory Administration For Version 10.3 or Later
    How to set up and maintain integrated directory services

Mac OS X Server System Image Administration For Version 10.3 or Later
    How to create and distribute system images and resource packages
    using tools such as NetBoot and Network Install

Mac OS X Server Print Service Administration For Version 10.3 or Later
    How to set up and maintain network print services

Mac OS X Server QuickTime Streaming Server Administration For Version 10.3 or Later
    Information about providing access to audio and visual media in
    real time

Mac OS X Server Web Technologies Administration For Version 10.3 or Later
    How to configure, serve, and monitor web sites using Mac OS X
    Server

Mac OS X Server Windows Services Administration For Version 10.3 or Later
    How to integrate Windows machines into your network
Where to Find More Information About User Management
Regardless of your server administration experience, you may want to take advantage
of the wide range of Apple customer training courses. To learn more, go to
train.apple.com.
If You’re New to Server and Network Management
To learn more about Mac OS X Server, see the website:
www.apple.com/macosx/server/.
Online discussion groups can put you in touch with your peers. Many of the problems
you encounter may have already been solved by other server administrators. To find
the lists available through Apple, see the following site: www.lists.apple.com.
The AppleCare support site’s discussion boards are an additional source of
information: www.info.apple.com/.
Consider obtaining some of the following reference materials. They contain
background information, explanations of basic concepts, and ideas for getting the
most out of your network.
• Teach Yourself Networking Visually, by Paul Whitehead and Ruth Maran (IDG Books
Worldwide, 1998).
• Internet and Intranet Engineering, by Daniel Minoli (McGraw-Hill, 1997).
If You’re an Experienced Server Administrator
If you’re already familiar with network administration and you’ve used Linux, UNIX, or a
similar operating system, you may find these additional references useful.
• You can obtain a variety of relevant books from O’Reilly & Associates. See the O’Reilly
& Associates website: www.ora.com.
• For detailed information about Apache, go to: www.apache.org/.
Chapter 1 User Management Overview
This chapter introduces important user management
concepts and describes the applications you’ll use to
manage accounts and privileges.
User management encompasses everything from setting up accounts for network
access and creating home directories, to fine-tuning the user experience by managing
preferences and settings for users, groups, and computers. Mac OS X Server provides
tools for accomplishing all these tasks.
Tools for User Management
Primary user management tools and applications in Mac OS X Server include
Workgroup Manager, Server Admin, NetBoot, and Network Install.
Workgroup Manager
Workgroup Manager is a powerful tool that delivers a range of features for
comprehensive management of Macintosh clients. You can use Workgroup Manager
directly from the server, or you can install Workgroup Manager independently of the
Mac OS X Server software on a non-server client computer.
Workgroup Manager provides network administrators with a centralized method of
managing Mac OS X workstations, controlling access to software and removable media,
and providing a consistent, personalized experience for users at different levels,
whether they’re beginners in a classroom or advanced users in an office. Mac OS X
Server saves user documents and preferences in a home directory, so your users can
access their files from any Mac on your network. Using Workgroup Manager, you can
create user accounts and then set up groups to provide convenient and efficient access
to resources. You can also use account settings and managed preferences to allow
more or less flexibility to suit the level of administrative control you need.
When Workgroup Manager is used in conjunction with other Mac OS X Server services,
you can:
• Connect users to one another, using services such as mail and file sharing.
• Share system resources, such as printers and computers, maximizing their availability
as users move about and making sure that disk space and printer usage remain
equitably shared.
• Host Internet services, such as websites and streaming video.
• Customize working environments, such as desktop resources and personal files, of
network users.
Preference Management
You can use Mac OS X Server’s Workgroup Manager application to tailor the work
environments of Mac OS X clients. Preferences you define for individual users, groups of
users, and computers provide your Macintosh users with a consistent desktop,
application, and network appearance regardless of the Macintosh computer to which
they log in. Any preferences you define for a Mac OS X user are stored in the user’s
account.
To manage Mac OS 9 clients, you use Macintosh Manager, described in Chapter 10,
“Using Macintosh Manager for Mac OS 9.” Preferences you define for Mac OS 9 users
are stored using Macintosh Manager.
To learn more about client management tools and concepts, read Chapter 8, “Client
Management Overview.”
Home Directories
A home directory is a folder where a user’s files and preferences are stored. Other users
can see a user’s home directory and read files in its Public folder, but they can’t (by
default) access anything else in that directory.
When you create a user in a directory domain on the network, you specify the location
of the user’s home directory on the network, and the location is stored in the user
account and used by various services, including the login window and Mac OS X
managed user services. Here are several examples of activities that use the location of
the home directory:
• A user’s home directory appears when the user clicks Home in a Finder window or
chooses Home from the Finder’s Go menu.
• Home directories that are set up for mounting automatically in a network location,
such as /Network/Servers, appear in the Finder on the computer where the user
logs in.
• System preferences and managed user settings for Mac OS X users are retrieved from
their home directories and used to set up their working environments when they
log in.
20Chapter 1 User Management Overview
You can set up a mobile account so that it has a local home directory on each client as
well as a network home directory. That way a user can work offline and, when
connected to the network, manually synchronize documents by copying them from
the client to the network home directory. For more information about mobile accounts,
see Chapter 3, “User Management for Mobile Clients.”
Mail Settings
You can create a Mac OS X Server mail service account for a user by setting up mail
settings in the user’s account. To use the mail account, the user simply configures a
mail client using the mail settings you specify.
Mail account settings let you control a user’s access to mail services running on a
particular Mac OS X Server. For mail accounts residing on servers using versions of
Mac OS X earlier than 10.3, you can also manage account characteristics such as how to
handle automatic message arrival notification.
For details on settings for Mac OS X mail service, see the mail service administration
guide.
Resource Usage
Disk, print, and mail quotas can be stored in a user account.
Mail and disk quotas limit the number of megabytes available for a user’s mail or files.
Print quotas limit the number of pages a user can print using Mac OS X Server print
services. Print quotas also can be used to disable a user’s print service access
altogether. User print settings work in conjunction with print server settings, which are
explained in the print service administration guide.
Server Admin
The Server Admin application provides access to various tools and services that play a
role in user management. Once you have installed the Mac OS X Server software, set up
directory services, and established your network, you can start creating and managing
accounts using Workgroup Manager. After setting up accounts and home directories,
you can use Server Admin to set up additional services to provide mail service, host
websites, share printers, or allow users to share folders and files.
For more information about using Server Admin tools, refer to the documents listed in
the table below.
If you want to: Assign access privileges to folders and files within a share point
    Read about: File sharing
    In this document: Mac OS X Server File Services Administration For Version 10.3 or Later

If you want to: Share printers among users
    Read about: Print service
    In this document: Mac OS X Server Print Service Administration For Version 10.3 or Later

If you want to: Set up websites or WebDAV support on the server
    Read about: Web service
    In this document: Mac OS X Server Web Technologies Administration For Version 10.3 or Later

If you want to: Provide email service for users
    Read about: Mail service
    In this document: Mac OS X Server Mail Service Administration For Version 10.3 or Later

If you want to: Broadcast multimedia in real time from the server
    Read about: QuickTime Streaming Service
    In this document: Mac OS X Server QuickTime Streaming Server Administration For Version 10.3 or Later

If you want to: Provide identical operating system and applications folders for client computers
    Read about: NetBoot
    In this document: Mac OS X Server System Image Administration For Version 10.3 or Later

If you want to: Install applications across a network
    Read about: Network Install
    In this document: Mac OS X Server System Image Administration For Version 10.3 or Later

If you want to: Share information among multiple Mac OS X Servers or Mac OS X computers
    Read about: Directory services
    In this document: Mac OS X Server Open Directory Administration For Version 10.3 or Later
Macintosh Manager
To manage Mac OS 9 client computers, you use Macintosh Manager, which you can use
remotely from a Mac OS 9 or X computer.
For more information, see Chapter 10, “Using Macintosh Manager for Mac OS 9.”
NetBoot
With NetBoot, Mac OS 9 and X computers can start up from a network-based system
disk image, providing quick and easy configuration of department, classroom, and
individual systems as well as web and application servers throughout a network. When
you update NetBoot images, all computers using NetBoot have instant access to the
new configuration.
Macintosh clients can boot from a system disk image located on Mac OS X Server
instead of from the client computer’s disk drive. You can set up multiple NetBoot disk
images, so you can boot clients into Mac OS 9 or X or even set up customized
Macintosh environments for different groups of clients.
NetBoot can simplify the administration and reduce the support normally associated
with large-scale deployments of network-based Macintosh systems. NetBoot is ideal for
an organization with a number of client computers that need to be identically
configured. For example, NetBoot can be a powerful solution for a data center that
needs multiple identically configured web and application servers.
With NetBoot, administrators can configure and update client computers instantly by
simply updating a boot image stored on the server. Each image contains the operating
system and application folders for all clients on the server. Any changes made on the
server are automatically reflected on the clients when they reboot. Systems that are
compromised or otherwise altered can be instantly restored by rebooting.
You use several other applications to administer NetBoot:
• NetBoot Desktop Admin (for modifying Mac OS 9 images)
• Network Image Utility (for creating and modifying Mac OS X images)
• The DHCP/NetBoot module (used to save NetBoot images)
For more information about these tools or about installing an operating system over a
network, read the system image administration guide.
Network Install
Network Install is a centralized network software installation service. It lets you
selectively and automatically install, restore, or upgrade network-based Macintosh
systems anywhere in the organization. You use PackageMaker to create Network Install
packages. Installation images can contain the latest release of Mac OS X, a software
update, site-licensed or custom applications, and configuration scripts.
• Network Install is an excellent solution for operating system migrations, installing
software updates and custom software packages, restoring computer classrooms and
labs, and reimaging desktop and portable computers.
• You can define custom installation images for various departments in an
organization, such as marketing, engineering, and sales.
With Network Install you don’t need to insert multiple CDs to configure a system.
All the installation files and packages reside on the server and are installed on the
client computer at one time. Network Install also includes pre- and post-installation
scripts you can use to invoke actions prior to or after the installation of a software
package or system image.
For more information about using Network Install, read the system image
administration guide.
Accounts
There are three basic kinds of accounts you can set up with Workgroup Manager: user
accounts, group accounts (also called workgroups—two or more users with managed
preferences), and computer lists.
When you define a user’s account, you specify the information needed to prove the
user’s identity: user name, password, and user identification number (user ID). Other
information in a user’s account is needed by various services, to determine what the
user is authorized to do and perhaps to personalize the user’s environment. Mac OS X
Server uses several different kinds of users and groups. Most of these are
user-defined: user and group accounts that you create. There are also some predefined
user and group accounts, which are reserved for use by Mac OS X.
Administrator Accounts
Users with server or directory domain administration privileges are known as
administrators. Administrators are always members of the predefined “admin” group.
A user’s administrator privileges are stored in the user’s account. Administrator
privileges determine the extent to which the user can view information about or
change the settings of a particular Mac OS X Server or a particular directory domain
residing on Mac OS X Server.
Server Administration
Server administration privileges control the powers a user has when logged in to a
particular Mac OS X Server. For example:
• A server administrator can use Server Admin and can make changes to a server’s
search policy using Directory Access.
• A server administrator can see all the AFP directories on the server (from a computer
other than the server), not just share points.
When you assign server administration privileges to a user, the user is added to the
group named “admin” in the local directory domain of the server. Many Mac OS X
applications—such as Server Admin, Directory Access, and System Preferences—use
the admin group to determine whether a particular user can perform certain activities
with the application.
Local Mac OS X Computer Administration
Any user who belongs to the group “admin” in the local directory domain of any
Mac OS X computer has administrator rights on that computer.
Directory Domain Administration
You can allow certain users to manage specific accounts. For example, you may want to
make a network administrator the server administrator for all your classroom servers,
but give individual teachers the privileges to manage student accounts in particular
directory domains. Any user who has a user account in a directory domain can be
made a directory domain administrator (an administrator of that domain).
You can control the extent to which a directory domain administrator can change
account data stored in a domain. For example, you may want to set up directory
domain privileges so your network administrator can add and remove user accounts,
but other users can change the information for particular users. Or you may want
different users to be able to manage different groups.
When you assign directory domain administration privileges to a user, the user is
added to the admin group of the server on which the directory domain resides.
Users and Managed Users
Depending on how you have your server and your user accounts set up, users can
log in using Mac OS 9 and Mac OS X computers, Windows computers, or UNIX
computers—stationary or portable—and be supported by Mac OS X Server in their
work.
Most users have an individual account that is used to authenticate them and control
their access to services. When you want to personalize a user’s environment, you define
user, group, or computer preferences for the user. The term managed client or managed
user designates a user who has administrator-controlled preferences associated with his
or her account. Managed client is also used to refer to computer lists that have
preferences defined for them.
When a managed user logs in, the preferences that take effect are a combination of the
user’s preferences and preferences set up for any workgroup or computer list he or she
belongs to. See Chapter 9, “Managing Preferences,” and Chapter 10, “Using Macintosh
Manager for Mac OS 9,” for managed user information.
Guest Users
You may want to provide services for individuals who are anonymous, that is, they
can’t be authenticated because they don’t have a valid user name or password. These
users are known as guest users.
With some services, such as AFP, you can specify whether to let guest users access files.
If you enable guest access, users who connect anonymously are restricted to files and
folders with privileges set to Everyone. The guest user account is used when no
matching user record is found during authentication. Because guests are never
authenticated, anyone who can reach the service receives whatever Everyone privileges
you have set, so review the Everyone privileges on your share points before enabling
guest access.
Another kind of guest user is a managed user that you can define to allow easy setup
of public computers or kiosk computers that use Mac OS 9. See Chapter 10, “Using
Macintosh Manager for Mac OS 9,” for more about these kinds of users.
Groups, Primary Groups, and Workgroups
A group is simply a collection of users who have similar needs. For example, you can
add all English teachers to one group and give the group access privileges to certain
files or folders on a volume.
Groups simplify the administration of shared resources. Instead of granting access to
various resources to each individual who needs them, you can add the users to a group
and then grant access to everyone in the group at the same time.
Information in group accounts is used to help control user access to directories and
files. See “Directory and File Access by Other Users” on page 30 for a description of how
this works.
Group Folders
When you define a group, you can also specify a folder for storing files you want group
members to share. The location of the folder is stored in the group account.
You can grant administration privileges for a group folder to a user. A group folder
administrator has owner privileges for the group folder and can change group folder
attributes in the Finder.
Workgroups
When you define preferences for a group it is known as a workgroup. A workgroup
provides you with a way to manage the working environment of group members.
Any preferences you define for a Mac OS X workgroup are stored in the group account.
Preferences for Mac OS 8 and 9 workgroups are stored using Macintosh Manager. See
Chapter 9, “Managing Preferences,” and Chapter 10, “Using Macintosh Manager for
Mac OS 9,” for a description of workgroup preferences.
Computer Lists
A computer list comprises one or more computers that have the same preference
settings and that are available to particular users and groups. You can create and
modify computer lists in Workgroup Manager.
To learn more about how to set up computer lists for Mac OS X client computers, see
Chapter 6, “Setting Up Computer Lists.” To specify preferences for Mac OS X computer
lists, see Chapter 9, “Managing Preferences.” For a description of how to set up computer
lists and specify preferences for Mac OS 9 computers, see Chapter 10, “Using Macintosh
Manager for Mac OS 9.”
Guest Computers
Most computers on your network should be in a named computer list. If an unknown
computer (one that isn’t already in a computer list) connects to your network and
attempts to access services, that computer is treated as a guest. Settings chosen for a
Guest Computers list apply to these unknown, or guest, computers.
A Guest Computers list is automatically created for a server’s local directory domain.
If the server is an Open Directory master or replica, a Guest Computers list is also
created for its LDAP directory domain.
The User Experience
Once you have created an account for a user, the user can access server resources
according to the privileges you have allowed. For most users, the typical flow of events
from login to logout occurs as follows:
• Authentication: The user enters a name and password.
• Identity Validation: The user name and password are verified by directory services.
• Login: The user is granted access to the server and network resources.
• Access: The user connects to and utilizes approved servers, share points, and
applications.
• Logout: The user’s session is terminated.
Details of the user experience may vary depending upon the type of user, the access
privileges allowed, the type of client computer (such as Windows or UNIX) currently in
use, whether or not the user is a member of a group, and whether or not preference
management has been implemented at the user, group, or computer level.
You’ll find information about the Mac OS X user experience in Chapter 8, “Client
Management Overview.” The Mac OS 9 user experience is described in Chapter 10,
“Using Macintosh Manager for Mac OS 9.” Basic information about authentication,
password validation, and information access control is given in the sections that follow.
For more detailed information about these topics, see the Open Directory
administration guide.
Authentication
Before a user can log in to or connect with a Mac OS X computer, he or she must enter
a name and password associated with a user account that the computer can find.
A Mac OS X computer can find user accounts that are stored in a directory domain of
the computer’s search policy.
• A directory domain stores information about users and resources. It is like a database
that a computer is configured to access in order to retrieve configuration
information.
• A search policy is a list of directory domains the computer searches when it needs
configuration information, starting with the local directory domain on the user’s
computer.
The Open Directory administration guide describes the different kinds of directory
domains and tells you how to configure search policies on any Mac OS X computer.
The following picture shows a user logging in to a Mac OS X computer that can locate
the user’s account in a directory domain of its search policy.
[Figure: a user logs in to Mac OS X; the user’s account is found in one of the directory
domains in the computer’s search policy.]
After login, the user can connect to a remote Mac OS X computer if the user’s account
can be located within the search policy of the remote computer.
[Figure: the user connects to Mac OS X Server; the account is found in one of the
directory domains in the server’s search policy.]
If Mac OS X finds a user account containing the name entered by the user, it attempts
to validate the password associated with the account. If the password can be validated,
the user is authenticated and the login or connection process is completed.
After logging in to a Mac OS X computer, a user has access to all the resources, such as
printers and share points, defined in directory domains of the search policy set up for
the user’s computer. A share point is a hard disk (or hard disk partition), CD-ROM disc,
or folder that contains files you want users to share. Users can access their home
directories by clicking their home folder in a Finder window or choosing Home from
the Finder’s Go menu.
A user doesn’t have to log in to a server to gain access to resources on a network. For
example, when a user connects to a Mac OS X computer, the user can access files he or
she is authorized to access on the computer, although the file system may prompt the
user to enter a user name and password first. When a user accesses a server’s public
resources without logging in to the server, the search policy of the user’s computer is
still in force, not the search policy of the computer the user has connected to.
Identity Validation
When authenticating a user, Mac OS X first locates the user’s account and then uses the
password strategy designated in the user’s account to validate the user’s password.
[Figure: identity validation. The password can be validated using a value stored in the
user account or in the Open Directory authentication database (Open Directory
authentication, Kerberos KDC), or using another authentication authority, such as an
LDAP bind.]
Open Directory gives you several options for validating a user’s password. For more
details about password validation options, read the Open Directory administration
guide.
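The login flow the Authentication and Identity Validation sections describe, as an added example (not Apple’s code and not part of this guide): the search policy is walked in order with the local directory domain first, the first record whose name matches is taken, and the password is then validated with whatever strategy that record names. The domain contents, the two strategy names (“basic” for a hash kept in the account record, “authdb” for a hash kept in a separate authentication database) and the PBKDF2 hashing are constructed for illustration; Mac OS X’s real record formats are in the Open Directory administration guide.

```python
"""Model of the login flow: locate the account by walking the search policy
(local domain first), then validate the password with the strategy the
located record names.  Added example; all records below are constructed."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def make_stored_hash(password, salt=None):
    """Salted PBKDF2 digest: the form this model stores wherever a password
    value lives (account record or authentication database)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_stored_hash(password, stored):
    """Constant-time comparison against a value from make_stored_hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed directory domains. Each record names its password strategy:
#   "basic"  - the hashed password is stored in the account record itself
#   "authdb" - the record holds no password; a separate authentication
#              database (keyed by user ID here) holds it
LOCAL_DOMAIN = {
    "admin": {"uid": 501, "strategy": "basic",
              "password": make_stored_hash("local-admin-pw")},
}
LDAP_DOMAIN = {
    "jsmith": {"uid": 1025, "strategy": "authdb"},
    "admin": {"uid": 1000, "strategy": "authdb"},  # same name as the local account
}
AUTH_DB = {
    1025: make_stored_hash("jsmith-pw"),
    1000: make_stored_hash("network-admin-pw"),
}
# Search policy: the local domain first, then the shared LDAP domain.
SEARCH_POLICY = [("local", LOCAL_DOMAIN), ("ldap", LDAP_DOMAIN)]


def locate_account(name, search_policy=SEARCH_POLICY):
    """The first domain in the policy holding the name wins; later domains
    are not consulted, so a local record shadows a network record of the
    same name."""
    for domain_name, domain in search_policy:
        if name in domain:
            return domain_name, domain[name]
    return None


def validate_password(record, password, auth_db=AUTH_DB):
    """Dispatch on the strategy the located record names; fail closed."""
    strategy = record["strategy"]
    if strategy == "basic":
        return verify_stored_hash(password, record["password"])
    if strategy == "authdb":
        stored = auth_db.get(record["uid"])
        return stored is not None and verify_stored_hash(password, stored)
    return False


def authenticate(name, password, search_policy=SEARCH_POLICY, auth_db=AUTH_DB):
    """Returns (domain name, user ID) on success, None otherwise."""
    found = locate_account(name, search_policy)
    if found is None:
        return None
    domain_name, record = found
    if not validate_password(record, password, auth_db):
        return None
    return domain_name, record["uid"]


if __name__ == "__main__":
    print(authenticate("jsmith", "jsmith-pw"))        # ('ldap', 1025)
    print(authenticate("admin", "network-admin-pw"))  # None: local 'admin' shadows it
```

The second call fails because the search policy finds the local “admin” record first and never looks at the LDAP record, which is why a local account with the same short name as a network account is something to watch for when you audit a server’s search policy.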
Information Access Control
For any directory (folder) or file on a Mac OS X computer, you can specify access
privileges for:
• the file’s owner
• the file’s group
• everyone else
[Figure: example file MyDoc. Owner (user ID 127) can: Read & Write]
Mac OS X uses a particular data item in a user’s account—the user ID—to keep track of
directory and file access privileges.
Directory and File Owner Access
When a directory or file is created, the file system stores the user ID of the user who
created it. When a user with that user ID accesses the directory or file, he or she has
read and write privileges to it by default. In addition, any process started by the creator
has read and write privileges to any files associated with the creator’s user ID.
If you change a user’s user ID, the user may no longer be able to modify or even access
files and directories he or she created. Likewise, if the user logs in as a user whose
user ID is different from the user ID he or she used to create the files and directories,
the user will no longer have owner access privileges for them. The reverse also holds:
because the file system records only the number, a new account that is given a user ID
previously used by a deleted account becomes the owner of every file that account left
behind. Avoid reusing user IDs, and reassign or remove a departing user’s files before
the ID is freed.
[Figure, continued: Group (group ID 2017) can: Read only. Everyone else can: None]
Directory and File Access by Other Users
The user ID, in conjunction with a group ID, is also used to control access by users who
are members of particular groups.
Every user belongs to a primary group. The primary group ID for a user is stored in the
user’s account. When a user accesses a directory or file and the user isn’t the owner, the
file system checks the file’s group privileges.
• If the user’s primary group ID matches the ID of the group associated with the file,
the user inherits group access privileges.
• If the user’s primary group ID doesn’t match the file’s group ID, Mac OS X searches for
the group account that does have access privileges. The group account contains a list
of the short names of users who are members of the group. The file system maps
each short name in the group account to a user ID, and if the user’s ID matches the
user ID of a group member, the user is granted group access privileges for the
directory or file.
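The owner, group, and everyone check described in the two sections above, as an added example (not Apple’s code and not part of this guide). It models the user ID, primary group ID, and short-name group membership the page describes, and then shows the two user-ID effects the page warns about: a user whose ID is changed loses owner access, and a new account reusing an old ID gains it. The users, groups and the file MyDoc are constructed for illustration; only read and write are modeled.

```python
"""Model of the owner / group / everyone access check, using the user ID,
primary group ID and group-member short names the page describes.
Added example; all users, groups and the file below are constructed."""
from dataclasses import dataclass, field


@dataclass
class UserAccount:
    short_name: str
    uid: int
    primary_gid: int


@dataclass
class GroupAccount:
    gid: int
    members: list = field(default_factory=list)  # short names of members


@dataclass
class FileEntry:
    """What the file system stores: owner ID, group ID, three permission sets."""
    owner_uid: int
    group_gid: int
    owner_perms: frozenset
    group_perms: frozenset
    other_perms: frozenset


def member_uids(group, users):
    """Map the short names in a group record to user IDs; unknown names are ignored."""
    by_name = {u.short_name: u.uid for u in users}
    return {by_name[n] for n in group.members if n in by_name}


def effective_perms(user, entry, users, groups):
    """Owner check first (and it is final: an owner gets the owner set even if
    the group set is wider), then primary group, then listed membership,
    then everyone else."""
    if user.uid == entry.owner_uid:
        return entry.owner_perms
    if user.primary_gid == entry.group_gid:
        return entry.group_perms
    group = groups.get(entry.group_gid)
    if group is not None and user.uid in member_uids(group, users):
        return entry.group_perms
    return entry.other_perms


def can(user, mode, entry, users, groups):
    """mode is 'r' or 'w'."""
    return mode in effective_perms(user, entry, users, groups)


# Constructed data: MyDoc owned by user ID 127, group ID 2017,
# owner Read & Write, group Read only, everyone else None.
MYDOC = FileEntry(owner_uid=127, group_gid=2017,
                  owner_perms=frozenset("rw"), group_perms=frozenset("r"),
                  other_perms=frozenset())
ALICE = UserAccount("alice", 127, 2017)   # creator of MyDoc
BOB = UserAccount("bob", 2040, 2017)      # primary group matches the file's group
CAROL = UserAccount("carol", 3001, 20)    # listed in group 2017 by short name only
DAVE = UserAccount("dave", 4002, 20)      # no relation to the file
USERS = [ALICE, BOB, CAROL, DAVE]
GROUPS = {2017: GroupAccount(2017, members=["alice", "bob", "carol"]),
          20: GroupAccount(20, members=["carol", "dave"])}


def after_uid_change(user, new_uid, entry, users, groups):
    """Re-check access after an administrator changes the user's ID."""
    changed = UserAccount(user.short_name, new_uid, user.primary_gid)
    return effective_perms(changed, entry, users, groups)


if __name__ == "__main__":
    for u in USERS:
        print(u.short_name, sorted(effective_perms(u, MYDOC, USERS, GROUPS)))
    # alice ['r', 'w'], bob ['r'], carol ['r'], dave []
    print(sorted(after_uid_change(ALICE, 128, MYDOC, USERS, GROUPS)))  # ['r']: owner access lost
    eve = UserAccount("eve", 127, 20)   # a new account that reuses the old ID
    print(sorted(effective_perms(eve, MYDOC, USERS, GROUPS)))         # ['r', 'w']: eve now owns MyDoc
```

Note that after alice’s ID changes she keeps read access only through her primary group, and that eve, who was never in group 2017, gets full owner access purely because the number 127 matches.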
2 Getting Started With User Management
This chapter provides information to use when first
setting up a user management environment.
The chapter contains planning guidelines as well as tips for using the main user
management tool, Workgroup Manager:
• The chapter starts with a setup overview to acquaint you with the sequence of major
user management setup activities.
• Some planning strategies for user management appear on page 37.
• Basic instructions for using Workgroup Manager start on page 40.
• Instructions for listing and finding accounts in Workgroup Manager start on page 42.
• Some shortcuts for working with accounts are provided starting on page 45.
• Finally, page 46 addresses backing up and restoring user management files.
Setup Overview
This section provides an overview of user management setup tasks, including
instructions for where to find detailed instructions:
• Step 1: Before you begin, do some planning.
• Step 2: Set up the server infrastructure.
• Step 3: Set up an administrator computer.
• Step 4: Set up a home directory share point.
• Step 5: Create user accounts and home directories.
• Step 6: Set up client computers.
• Step 7: Define user account preferences.
• Step 8: Create group accounts and group folders.
• Step 9: Define group account preferences.
• Step 10: Define computer lists and preferences.
• Step 11: Perform ongoing account maintenance.
Step 1: Before you begin, do some planning
Planning for user management includes such tasks as analysis of user needs and
development of a directory services and home directory strategy. See “Planning
Strategies for User Management” on page 37 for some suggestions.
Step 2: Set up the server infrastructure
The purpose of this step is to make sure that one or more Mac OS X Servers are set up
for hosting user accounts, group accounts, computer lists, home directories, group
folders, and other shared folders:
If you purchased a new server, Mac OS X Server software is already installed. All you
need to do is perform initial server setup. Turn the computer on and answer the
questions posed by Server Assistant. If you need to install server software, use the
getting started guide to understand system requirements and installation options.
Then use Server Assistant after the server restarts to perform initial server setup.
Server Assistant resides in /Applications/Server/.
Set up the server so that it hosts or provides access to shared directory domains.
Shared directory domains (also called shared directories) contain user, group, and
computer information you want many computers to be able to access. When you set
up shared directories, client computers find them automatically, thanks to a few
settings you make when setting up client computers (see step 6 on page 35). Users
whose accounts reside in a shared directory are referred to as network users.
There are different kinds of shared directories and different ways to work with
information stored in them. You can use Workgroup Manager to add and change
accounts that reside in the LDAP directory of an Open Directory master, a NetInfo
domain, or other read/write directory domain. If you’ll be using LDAPv2, read-only
LDAPv3, BSD configuration files, or other read-only directories, make sure they are
configured to support Mac OS X Server access and that they provide the data you need
for accounts. It may be necessary to add, modify, or reorganize information in a
directory to provide the information in the format needed.
The Open Directory administration guide provides instructions for setting up a shared
directory on Mac OS X Server or configuring access to a shared directory on another
computer. An appendix in the Open Directory administration guide describes account
data formats that Mac OS X expects, information useful when you need to use
directories that don’t reside on Mac OS X Server computers.
If some of your users will be using Windows computers, see the Windows services
administration guide to learn how to set up the server for managing Windows users,
groups, and computers. For example, the Windows services administration guide
describes how to set up user accounts in a Mac OS X Server directory domain so the
server can provide file services, domain login, and home directories to Windows users.
Open Directory offers a variety of options for authenticating users (including Windows
users) whose accounts are stored in directory domains on Mac OS X Server. In addition,
Open Directory can access accounts in existing directories on your network, such as a
Windows server’s Active Directory. See the Open Directory administration guide for
setup instructions.
Mac OS X Server makes other important resources visible throughout the network. Key
network-visible resources include network home directories, group folders, and other
shared folders. Because these folders reside on the server, users can access them from
different computers.
See the file services administration guide for information about setting up file services
appropriate for the file sharing you want to implement. You can use AFP or NFS for
home directories, AFP for group folders, and various protocols (AFP, Windows, NFS, and
FTP) for other shared folders.
Step 3: Set up an administrator computer
Because servers are normally kept in a secure, locked location, administrators conduct
user management tasks remotely, from an administrator computer. Most of the time an
administrator computer is a Mac OS X computer with server administration software
installed.
To set up an administrator computer:
1 Obtain a computer with Mac OS X version 10.3 or later installed.
Make sure it has at least 128 MB of RAM and 1 GB of unused disk space.
2 Insert the Mac OS X Server Administration Tools disc, then start the installer
(ServerAdmin.pkg).
3 Follow the onscreen instructions.
4 If you’ll be managing preferences that use specific paths to find files (such as Classic
and Dock preferences), make sure the administrator computer has the same file system
structure as each of the managed client computers. This means that folder names,
volumes, the location of applications, and so forth should be similar.
Before you can use the administrator computer to create and manage accounts in a
shared directory, you need a user account in the shared directory and you need to be a
domain administrator. A domain administrator can use Workgroup Manager to add and
change accounts that reside in the LDAP directory of an Open Directory master, a
NetInfo domain, or another read/write directory domain.
To create a domain administrator account:
1 On the administrator computer, open Workgroup Manager, authenticating as the
administrator user created during initial server setup.
2 Access the shared directory by clicking the small globe above the accounts list.
Choose the directory of interest. If you’re not authenticated, click the lock.
3 Click New User.
4 Click Basic to provide basic information for the administrator.
5 If you want the domain administrator to have other responsibilities, such as setting up
file services to support shared folders, select “User can administer this directory
domain.”
After you select the checkbox, a dialog appears in which you can disable specific
privileges for the administrator account. For more information, see “Assigning
Administrator Rights for a Directory Domain” on page 67.
6 Click Save.
Now the remaining steps can be conducted by the domain administrator from the
administrator computer.
Step 4: Set up a home directory share point
Home directories for accounts stored in shared directories can reside in a network
share point that the user’s computer can access. The share point must be
automountable—it must have a network mount record in the directory domain where
the user account resides.
An automountable share point ensures that the home directory is visible in
/Network/Servers automatically when a user logs in to a Mac OS X computer
configured to access the shared directory. It also lets other users access the home
directory using the ~home-directory-name shortcut.
You can set up network home directories so they can be accessed using either AFP or
NFS. You can also set up home directories for use by Windows users:
• For instructions on setting up AFP or NFS share points for network home directories
for Macintosh users, see Chapter 7, “Setting Up Home Directories.”
• For information about setting up SMB share points for Windows user home
directories, see the Windows services administration guide.
Step 5: Create user accounts and home directories
You can use Workgroup Manager to create user accounts in directories that reside on
Mac OS X Server and in non-LDAP directories that aren’t read-only. Detailed
instructions appear in various locations in this guide:
• For information about how to create Mac OS X user accounts, see Chapter 4, “Setting
Up User Accounts.”
• For information about creating Mac OS X mobile user accounts, see Chapter 3, “User
Management for Mobile Clients.”
• See Chapter 7, “Setting Up Home Directories,” for information about home
directories.
• See “Working With Read-Only User Accounts” on page 57 for information about
working with read-only accounts.
You can also create accounts on Mac OS X Server to manage Windows users and
provide Windows domain login, roaming user profiles, home directories, file service,
mail service, and so on. See the Windows services administration guide for instructions.
Mac OS 9 users can be managed using Macintosh Manager after you create accounts
for them on the server. For details, see Chapter 10, “Using Macintosh Manager for
Mac OS 9.”
Note: When a user uses both Mac OS 9 and Mac OS X computers, you can set up one
computer account for the user in a shared directory. But be aware that the user will not
be able to access the same set of group folders in both environments. Mac OS 9 and
Mac OS X have unique group preferences and group folders.
Step 6: Set up client computers
Mac OS X Server can support users of Mac OS X, Mac OS 9, or Windows client
computers.
For Mac OS X computers, configure the search policy of the computer so it can locate
shared directory domains. See the Open Directory administration guide for instructions
and supplemental information about search policies in onscreen help. Use the
Automatic authentication option if you’ve set up a DHCP server to identify the location
of the shared directory when it provides an IP address to Mac OS X client computers.
Otherwise, use the Custom Path option to identify the server hosting the shared
directory.
For setup instructions for mobile Mac OS X computers that will use AirPort to
communicate with Mac OS X Server, see Designing AirPort Extreme Networks (accessible
at www.apple.com/airport/).
For Mac OS 9 computer requirements and setup, see Chapter 10, “Using Macintosh
Manager for Mac OS 9.”
Windows workstations that will be used for Windows domain login must join the
Mac OS X Server PDC just as you would set up workstations to join a Windows NT
server’s domain, as the Windows services administration guide explains.
If you have more than just a few Macintosh client computers to set up, consider using
the Network Install feature of the NetBoot service to create a system image that
automates client computer setup. See the system image administration guide for
options and instructions.
Step 7: Define user account preferences
You can manage the working environment of Macintosh users whose accounts reside
in a shared domain by defining user account preferences:
• For information about Mac OS X user preferences, see Chapter 8, “Client
Management Overview,” and Chapter 9, “Managing Preferences.”
• For information about Mac OS 9 user preferences, see Chapter 10, “Using Macintosh
Manager for Mac OS 9.”
Step 8: Create group accounts and group folders
You can use Workgroup Manager to create group accounts in directories that reside on
Mac OS X Server and in non-Apple Open Directory domains that aren’t read-only.
Detailed instructions appear in various locations in this guide:
• For information about how to create Mac OS X group accounts, see Chapter 5,
“Setting Up Group Accounts.”
Although some group information doesn’t apply to Windows users, you can add
Windows users to groups that you create. The procedures for managing group
accounts for Windows users are the same as those for groups that contain only
Mac OS X users.
• For information about working with read-only group accounts, see “Working With
Read-Only Group Accounts” on page 83.
• For information about using groups for Mac OS 9 users, see Chapter 10, “Using
Macintosh Manager for Mac OS 9.”
You can set up a group folder for use by group members. Use Workgroup Manager to
define a share point for the group folder and associate the share point with the group.
Create the group folder using the CreateGroupFolder command in the Terminal
application. See “Working With Group Folder Settings” on page 86 for instructions.
For Mac OS X users, use Dock or Login preferences to make it easy to locate the group
directory. For Windows users, share the group folder share point using SMB. Users can
go to My Network Places (or Network Neighborhood) and access the contents of the
group folder. Group folders for Mac OS 9 users are described in Chapter 10, “Using
Macintosh Manager for Mac OS 9.”
Step 9: Define group account preferences
You can manage the preferences for a group of Macintosh users. A group with
managed preferences is referred to as a workgroup:
• For information about Mac OS X workgroups, see Chapter 8, “Client Management
Overview,” and Chapter 9, “Managing Preferences.”
• For information about Mac OS 9 workgroups, see Chapter 10, “Using Macintosh
Manager for Mac OS 9.”
Step 10: Define computer lists and preferences
Use computer lists if you want to manage client Macintosh or Windows computers:
• For information about creating Mac OS X computer lists, see Chapter 6, “Setting Up
Computer Lists.” For information about computer list preferences, see Chapter 8,
“Client Management Overview,” and Chapter 9, “Managing Preferences.”
• Every Windows computer supported by the Mac OS X Server primary domain
controller must be part of the Windows Computers computer list. See the Windows
services administration guide for details.
Step 11: Perform ongoing account maintenance
As users come and go and the requirements for your servers change, you’ll update
account information periodically:
• See the sections later in this chapter starting with “Listing and Finding Accounts” on
page 42 for information about locating existing accounts and shortcuts for
maintaining them.
• Information in Chapter 3 through Chapter 6 will help you do common tasks such as
defining a guest account, disabling user accounts, adding and removing users from
groups, and deleting accounts.
• For solutions to common problems, see Chapter 11, “Solving Problems.”
Planning Strategies for User Management
Here are some planning activities to undertake before you start to implement user
management.
Analyzing Your Environment
Your user management settings need to complement your particular environment,
including:
• The size and distribution of your network
• The number of users who will access your network
• The kind of computers users will use (Mac OS 9, Mac OS X, or Windows)
• How users will use client computers
• Which computers are mobile computers
• Which users should have administrator privileges
• Which users should have access to particular computers
• What services and resources users need (such as mail or access to data storage)
• How you might divide users into groups (for example, by class topic or job function)
• How you want to group sets of computers (such as all computers in a public lab)
Identifying Directory Services Requirements
Identify the directories in which you’ll store user and group accounts and computer
lists.
• If you have an Active Directory or LDAP server already set up, you might be able to
take advantage of existing account records. See the Open Directory administration
guide for details about accessing existing directories.
• If you have an earlier version of an Apple server, you might be able to migrate
existing records. See the migration guide for available options.
• Set up Open Directory master and replicas to host LDAP directories to store other
user accounts, group accounts, and computer lists on your network. See the Open
Directory administration guide for instructions and for complete information about
password handling options.
Note: If not all the domains have been finalized when you’re ready to start adding user
and group accounts, simply add the accounts to any directory domain that already
exists on your server. (You can use the local directory domain—it’s always available.)
You can move users and groups to another directory domain later by using your
server’s export and import capabilities, described in the Appendix, “Importing and
Exporting Account Information.”
Using Client Management
Take advantage of Macintosh client management if you want to:
• Provide users with a consistent, controlled interface while allowing them access to
their files from any computer
• Use mobile accounts
• Reserve certain resources for only specific groups or individuals
• Secure computer usage in key areas such as administrative offices, classrooms, or
open labs
Determine the users, groups, and computers whose preferences you want to manage.
See Chapter 8, “Client Management Overview,” Chapter 9, “Managing Preferences,” and
Chapter 10, “Using Macintosh Manager for Mac OS 9,” for planning guidelines.
Using Mobile Accounts
Determine whether mobile accounts might be useful.
Mobile accounts are well suited for users who carry their computers from location to
location. But they’re useful for any users who don’t require ongoing access to the
server for their day-to-day work. Using mobile accounts reduces network traffic by
minimizing the need to mount network resources (such as network home directories).
Mobile accounts are documented in Chapter 3, “User Management for Mobile Clients.”
Devising a Home Directory Strategy
Determine which users need home directories and identify the computers on which
you want user home directories to reside. For performance reasons, avoid using
network home directories over network connections slower than 100 Mbps.
A user’s network home directory doesn’t need to be stored on the same server as the
directory containing the user’s account. In fact, distributing directory domains and
home directories among various servers can help you balance your network workload.
“Distributing Home Directories Across Multiple Servers” on page 104 describes several
such scenarios.
You may want to store home directories for users with last names from A to F on one
computer, G to J on another, and so on. Or you may want to store home directories on
a Mac OS X Server but store user and group accounts on an Active Directory or LDAP
server.
Pick a strategy before creating users. You can move home directories, but if you do, you
may need to change a large number of user records.
Determine the access protocol to use for the home directories. Most of the time you
will use AFP because it offers the greatest security. But you can use NFS (useful for UNIX
clients) and SMB (for Windows clients).
Identifying Groups
Identify users with similar requirements and consider assigning them to groups.
For Mac OS X users, see Chapter 5, “Setting Up Group Accounts.” For Mac OS 9 users,
see Chapter 10, “Using Macintosh Manager for Mac OS 9.”
Determining Administrator Requirements
Decide which users you want to be able to administer accounts and make sure they
have domain administrator privileges.
The domain administrator has the greatest amount of control over other users and
their privileges. The domain administrator can create user accounts, group accounts,
and computer lists and assign settings, privileges, and managed preferences for them.
He or she can also create other server administrator accounts, or give some users (for
example, teachers or technical staff) administrative privileges within certain directory
domains.
Give some thought to which users require domain administrative privileges. Managed
users can be given various administrative privileges also, allowing them to manage
specific groups of users or adjust certain account settings. A well-planned hierarchy of
administrators and users with special administration privileges can help you distribute
system administration tasks and make workflows and system management more
efficient.
When you use Server Assistant to initially configure your server, you specify a password
for the owner/administrator. The password you specify also becomes the root password
for your server. Many server administrators don’t need knowledge of the root password,
but sometimes it’s necessary when using command-line tools (such as
CreateGroupFolder). For administrators who don’t need root access, use Workgroup
Manager to create an administrator user with a password that is different from the root
password.
The root password should be used with extreme caution and stored in a secure
location. The root user has full access to the system, including system files. If you need
to, you can use Workgroup Manager to change the root password.
Using Workgroup Manager
Once you have installed the Mac OS X Server software, you can access Workgroup
Manager. This section provides an introduction to the application.
Opening and Authenticating in Workgroup Manager
Workgroup Manager is installed in /Applications/Server/ when you install your server or
set up an administrator computer. You can open it from that folder by using the Finder.
You can also open Workgroup Manager by clicking its icon in the Dock or in the toolbar
of the Server Admin application.
• To work with directory domains on a particular server, enter the server’s IP address or
DNS name in the Workgroup Manager Connect window, or click Browse to choose
from a list of servers. Specify the user name and password for an administrator of the
server, then click Connect. Use this approach when you’ll be working most of the
time with a particular server.
• To open Workgroup Manager on the server you’re using without authenticating,
choose View Directories from the Server menu. You will have read-only access to
information displayed in Workgroup Manager. To make changes, click the lock icon to
authenticate as an administrator. This approach is most useful when you’re
administering different servers and working with different directory domains.
After opening Workgroup Manager, you can open a Workgroup Manager window for a
different computer by clicking Connect in the toolbar or choosing Server > Connect.
Major Workgroup Manager Tasks
After login, the user account window appears, showing a list of user accounts.
[Figure: the Workgroup Manager user account window, with callouts for the small globe (click to switch directories), the Users, Groups, and Computer Lists buttons, the search/filter field above the accounts list, the accounts list, the currently selected domain, and the lock (click to be authenticated).]
Initially, the accounts listed are those stored in the last directory domain of the server’s
search path. Here is how to get started with the major tasks you perform with this
application:
• To specify the directory or directories that store accounts you want to work with,
click the small globe icon.
To work with accounts in different directories at the same time or to work with
different views of accounts in a particular directory, open multiple Workgroup
Manager windows by clicking the New Window icon in the toolbar.
• To administer accounts in the selected directory, click the Accounts icon in the
toolbar. Click the Users, Groups, or Computer Lists button on the left side of the
window to list the accounts that currently exist in the directory or directories you are
working with.
To filter the account list displayed, use the pop-up search list above the accounts list.
• To work with managed preferences, select the account list of interest and then click
the Preferences icon in the toolbar.
• To work with share points, click the Sharing icon in the toolbar.
• To import or export user and group accounts, choose Server > Import or Server >
Export, respectively.
• To retrieve online information, use the Help menu. The Help menu gives you access
to help for administration tasks you accomplish using Workgroup Manager as well as
other Mac OS X Server topics.
• To open Server Admin so you can monitor and work with services on particular
servers, click the Admin icon in the toolbar. See the getting started guide for
information about Server Admin.
Listing and Finding Accounts
This section tells you about the various ways to view user accounts, group accounts,
and computer lists in Workgroup Manager.
Working With Account Lists in Workgroup Manager
In Workgroup Manager, user accounts, group accounts, and computer lists are listed at
the left side of the Workgroup Manager window.
There are several settings that influence the contents and appearance of the list:
• Workgroup Manager preferences control whether system users and groups are listed
and the order in which items are listed. Choose Workgroup Manager > Preferences to
set up Workgroup Manager preferences.
• The list reflects the directory or directories you select using the small globe above
the accounts list. Initially, the parent directory domain accounts are listed if you’re
connected to the network.
The domains available for selection are the local directory, all directory domains in
the server’s search path, and all available directory domains (domains the server is
configured to access which may or may not be in the search path). See the Open
Directory administration guide for instructions for configuring a server to access
directory domains.
After you choose directory domains, all the accounts residing in those domains are
listed.
• To sort a list, click a column heading. An arrow shows the sort order (ascending or
descending), which you can reverse by clicking the column heading again.
• You can filter the list by using the pop-up search list above the accounts list.
• You can search for specific items in the list by typing in the field above the accounts
list.
To work with one or more of the accounts listed, select them. Settings for the selected
accounts appear in the pane to the right of the list. Available settings vary, depending
upon which pane you’re currently viewing.
Listing Accounts in the Local Directory Domain
Services and programs running on a server can access the server’s local directory, so a
server’s file service can authenticate users whose accounts are stored in that local
directory. Programs running on a client computer, such as the client computer’s login
window, can’t access the server’s local directory. User accounts from the server’s local
directory therefore can’t be used to authenticate in the login window on client
computers, because the login window is a process running on the client computer.
To list accounts in a server’s local directory domain:
1 In Workgroup Manager, connect to the server hosting the domain, then click the small
globe above the accounts list and choose Local.
The local domain might also be listed as /NetInfo/root/<host name> or
/NetInfo/DefaultLocalNode.
2 To view user accounts, click the Users button (the leftmost button above the search
field). Click the Groups button (the middle button) to view group accounts, and click
the Computer Lists button (the rightmost) to view computer lists.
3 To work with a particular account, select it. To change the account, which requires that
you have domain administrator privileges, you may need to click the lock to
authenticate.
Listing Accounts in Search Path Directory Domains
The search path directory domains are those in the search policy defined for the
Mac OS X Server you’re connected to. The Open Directory administration guide tells
you how to set up search policies.
To list accounts in search path domains of the server you’re working with:
1 In Workgroup Manager, connect to a server whose search policy contains the directory
domains of interest.
2 Click the small globe above the accounts list and choose Search Path.
3 To view user accounts, click the Users button (the leftmost button above the search
field). Click the Groups button to view group accounts, and click the Computers button
to view computer lists.
Listing Accounts in Available Directory Domains
You can list user accounts, group accounts, and computer lists residing in any specific
directory domain accessible from the server you’re connected to using Workgroup
Manager. You select the domain from a list of all the directory domains configured to
be accessible from the server you’re using.
Note that “available” directory domains are not the same as directory domains in a
search policy. A search policy consists of the directory domains a server searches
routinely when it needs to retrieve, for example, a user’s account. However, the same
server might be configured to access directory domains that haven’t been added to its
search policy.
See the Open Directory administration guide to learn how to configure access to
directory domains.
To list accounts in directory domains accessible from a server:
1 In Workgroup Manager, connect to a server from which the directory domains of
interest are accessible.
2 Click the small globe above the accounts list and choose Other.
3 In the dialog that appears, select the domain(s), then click OK.
To view user accounts residing in selected directory domains click the Users button
(the leftmost button above the search field). Click the Groups button to view group
accounts, and click the Computer Lists button to view computer lists.
4 To work with a particular account, select it. To change an account, which requires that
you have domain administrator privileges, you may need to click the lock to authenticate.
Refreshing Account Lists
If more than one administrator can make changes to directories, make sure you’re
viewing the most current list of user accounts, group accounts, and computer lists by
refreshing the lists. To refresh the lists, you can:
• Click Refresh.
• Type search terms in the field above the list to view a new filtered list.
• Delete terms in the field above the list to show the original unfiltered list.
• Click the small globe above the accounts list and choose another item in the list, and
then reselect the domain(s) with which you had been working.
Finding Specific Accounts in a List
After you’ve displayed a list of accounts in Workgroup Manager, you can filter the list to
find particular users or groups of interest.
To filter items in the list of accounts:
1 After listing accounts, click the Users, Groups, or Computer Lists button.
2 In the pop-up menu above the account list (labeled with a magnifying glass), select an
option to describe what you want to find, then type search terms in the text field.
The original list is replaced by items that satisfy your search criteria. If you type a user
name, both full and short names of users or groups are searched.
3 Choose Workgroup Manager > Preferences to make finding accounts more convenient
when the domains you work with contain thousands of accounts.
To avoid listing any accounts until a filter is specified, select “Limit search results to
requested records.” When the filter field is empty, no accounts are listed.
To list all accounts in the domains selected in the At pop-up menu, type “*” in the filter
field.
To list accounts in those domains that satisfy filter criteria, select an option from the
pop-up menu next to the filter field, then enter a filter string.
To specify the maximum number of accounts to list, select “List a maximum of n
records,” and enter a number no greater than 25,000. Workgroup Manager can display
as many as 25,000 accounts.
Sorting User and Group Lists
After displaying a list of accounts in Workgroup Manager, click a column heading to
sort entries using the values in that column. Click the heading again to reverse the
order of the entries in the list.
Shortcuts for Working With Accounts
There are several techniques that let you manage accounts more efficiently. You can:
• Make changes to multiple accounts at once.
• Use presets, which are like templates for new accounts.
• Import user and group account information from a file.
Batch Editing
You can edit settings (if they don’t need to be unique) for multiple user accounts,
group accounts, or computer lists at the same time. Multi-account editing is referred to
as batch editing.
To select multiple accounts, Shift-click to select a range of accounts and/or
Command-click to select accounts individually. You can also choose Edit > Select All,
then Command-click to deselect accounts individually.
An example of when batch editing can save you time is when you need to change
preference settings for large numbers of accounts. See “Editing Preferences for Multiple
Records” on page 131.
Using Presets
You can select settings for a user account, group account, or computer list and save
them as a preset. Presets work like templates, allowing you to apply predefined settings
to a new account. Using presets, you can easily set up multiple accounts with similar
settings.
You can use presets only during account creation. You can’t use a preset to modify an
existing account. You can use presets when creating accounts manually or when
importing them from a file.
If you change a preset after it has been used to create an account, accounts already
created using the preset are not updated to reflect those changes.
Importing and Exporting Account Information
You can use XML or character-delimited text files to import and export user and group
account information. Importing information this way can make it easier to set up large
numbers of accounts quickly. Exporting information to a file can be useful for record
keeping or backing up user data.
For more information, see the Appendix, “Importing and Exporting Account
Information.”
Backing Up and Restoring User Management Data
Backing Up and Restoring Files
See onscreen help for information about backing up and restoring directory domains
and authentication database files.
Backing Up Root and Administrator User Accounts
System files are owned by root or system administrator user IDs that exist at the time
they’re created. Should you need to restore system files, the same IDs should exist on
the server so that the original permissions are preserved.
To ensure that you can re-create these user IDs, periodically export the server’s user
and group information to a file as described in the Appendix, “Importing and Exporting
Account Information.”
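As an added example (not from this guide), here is a pre-restore check in Python that compares the user and group IDs owning backed-up system files against the IDs present in a current export of the target server, so missing accounts can be re-created before the restore. The colon-delimited export layout and the ownership manifest layout are assumptions (the real export format is described in the Appendix), and both inputs are constructed samples.

```python
"""Pre-restore check: do the user and group IDs that own backed-up system
files still exist on the server they will be restored to?

Added example, not part of the guide. The record layouts below are
assumptions (placeholders for the real export format described in the
Appendix); both inputs are constructed samples embedded for offline use.
"""

# Constructed user export from the target server: short_name:uid:full_name
USER_EXPORT = """\
root:0:System Administrator
admin:501:Server Administrator
teacher1:1025:Jane Teacher
"""

# Constructed group export from the target server: short_name:gid:full_name
GROUP_EXPORT = """\
wheel:0:System Group
admin:80:Administrators
math:1030:Math Department
"""

# Constructed ownership manifest captured on the original server before
# backup (for example from `ls -ln` output): path uid gid
BACKUP_MANIFEST = """\
/System/Library/CoreServices 0 0
/Users/admin/Library 501 80
/Library/Application Support/Custom 502 80
/Groups/math/Drop Box 1025 1030
/Groups/science/Drop Box 1026 1031
"""


def parse_export(text):
    """Map numeric ID -> short name from a colon-delimited export."""
    ids = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        short_name, numeric_id, _full_name = line.split(":", 2)
        ids[int(numeric_id)] = short_name
    return ids


def parse_manifest(text):
    """Yield (path, uid, gid) tuples; paths may contain spaces, so split
    the two numeric fields off from the right."""
    for line in text.splitlines():
        if not line.strip():
            continue
        path, uid, gid = line.rsplit(" ", 2)
        yield path, int(uid), int(gid)


def find_unresolvable_owners(user_export, group_export, manifest):
    """Return {"uid": {id: [paths]}, "gid": {id: [paths]}} for every owner
    or group ID in the manifest that the target server cannot resolve.
    Files under these IDs would be restored with orphaned ownership."""
    users = parse_export(user_export)
    groups = parse_export(group_export)
    missing = {"uid": {}, "gid": {}}
    for path, uid, gid in parse_manifest(manifest):
        if uid not in users:
            missing["uid"].setdefault(uid, []).append(path)
        if gid not in groups:
            missing["gid"].setdefault(gid, []).append(path)
    return missing


def restore_is_safe(user_export, group_export, manifest):
    """True only when every owning UID and GID exists on the target."""
    missing = find_unresolvable_owners(user_export, group_export, manifest)
    return not missing["uid"] and not missing["gid"]


if __name__ == "__main__":
    report = find_unresolvable_owners(USER_EXPORT, GROUP_EXPORT, BACKUP_MANIFEST)
    for kind in ("uid", "gid"):
        for numeric_id, paths in sorted(report[kind].items()):
            print(f"{kind} {numeric_id} missing on target; affects: {', '.join(paths)}")
    if restore_is_safe(USER_EXPORT, GROUP_EXPORT, BACKUP_MANIFEST):
        print("safe to restore")
    else:
        print("re-create the missing accounts before restoring")
```

With the constructed samples, UID 502 and UID/GID 1026/1031 are reported as missing, so the accounts would have to be re-created (with the same IDs) before the restore preserves the original permissions.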
3 User Management for Mobile Clients
This chapter provides suggestions for managing portable
computers used by an individual user or multiple users.
Setting Up Mobile Clients
If you have the advantage of owning a number of portable computers slated for
distribution to specific users or groups of users, you can implement a variety of
management techniques to personalize the user environment and control the level of
access a user has to both local and network resources.
Configuring Portable Computers
In preparing portable computers for use on your network, follow these guidelines.
Step 1: Install the OS, applications, and utilities
Most computers will already have an operating system installed. However, if you need
to install a new one, be sure the computers meet the minimum requirements for
installation of the operating system (either Mac OS X or Mac OS 9) and any additional
applications or utilities you want to install.
Step 2: Create local accounts on Mac OS X computers
Create at least one local administrator account and any local user accounts as needed.
Make sure the user’s local account name and password are not easily confused with the
user’s network name and password. Mac OS 9 doesn’t require this step.
Step 3: Set up computer lists on your server
For Mac OS X computers, use Workgroup Manager to add the computers to a computer
list and enforce preference management at the computer level. You may also want to
set user-level preference management settings for the user’s network account.
Details about configuring directory services are in the Open Directory administration
guide. For more information about how to work with computer lists, see Chapter 6,
“Setting Up Computer Lists.” For additional information and instructions about using
managed preference settings, see Chapter 9, “Managing Preferences.”
For Mac OS 9 computers, use Macintosh Manager to set up computer lists and enforce
preferred settings. To learn more about using Macintosh Manager, see Chapter 10,
“Using Macintosh Manager for Mac OS 9.”
Using Mobile Accounts
A mobile account is a Mac OS X Server user account that has been copied to a local
(usually portable) computer. The user may log in on the portable computer using the
network account name and password, even if the computer isn’t connected to the
network.
When a mobile account logs in to the network, account data—the account name,
password, and managed preferences—is automatically synchronized with the server
account so that both locations contain a matching set of data. (Mobile account users
may want to manually copy files from their local home directory to the network home
directory so that they may be accessed from other computers.) When the computer is
disconnected from the network, any managed preference settings applied remain in
force.
The home directory for the mobile account resides on the user’s computer, whereas the
home directory for the network account resides on the server. When the computer is
connected to the network, the user authenticates directly to the server account,
bypassing the mobile account but still using a local home directory.
If users mainly use a mobile account, their AFP network home directory is created the
first time they attempt to access their network home directory. You can create a
shortcut to provide mobile users with easy access to their network home directory (see
“Providing Access to a User’s Network Home Directory” on page 157). If you have
mobile account users accessing a server hosting non-AFP network home directories,
you need to create those network home directories manually (see Chapter 7, “Setting
Up Home Directories,” on page 103).
Creating a Mobile Account
Once a mobile account is created, it appears in the account list in the Accounts system
preference. The account type is labeled “Mobile,” and when you select it, most items in
the Accounts pane are dimmed. You can use Workgroup Manager to create a mobile
account automatically when a user logs in.
To create a mobile account using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select a user account, then click Preferences.
3 Click Mobile Accounts and set the management setting to Always.
4 Select “Create Mobile Account at login.”
5 Select “Require confirmation before creating a mobile account” if you want to allow the
user to decide whether to create a mobile account at login.
If this option is selected, the user sees a confirmation dialog when logging in. The user
can click Create to create the mobile account immediately, or can click Continue to log
in as a network user without creating the mobile account.
6 Click Apply Now.
You can use Workgroup Manager to make changes to the corresponding server
account as needed. Any changes are applied to the mobile account the next time the
user connects the portable computer to the network.
Deleting a Mobile Account
If a user no longer requires a mobile account, you can delete the account. Both the
mobile account and its local home directory are deleted. You must have a local
administrator account and password to delete a mobile account.
To delete a mobile account:
1 Open System Preferences on the client computer.
2 Click Accounts, then select the user in the list.
3 Select the account you want to delete.
The mobile account should have the word “Mobile” listed in the Type column.
4 Click the Delete (–) button, then click OK.
The User Experience for Mobile Accounts
If the computer is configured to display a list of users at login, the mobile account is
displayed with local users. The user selects his or her account and then enters the
correct password to complete login. For managed clients, if the network administrator
has designated mobile accounts to be created at login for a particular user, group, or
computer, the login window account list displays all users. After the user selects his or
her account and types the correct password, a local cached network account is created
immediately, behind the scenes. The user can now disconnect from the network and
log in using his or her mobile account.
Managing Mobile Clients
After setting up the portable computers, you can use various features of Workgroup
Manager or Macintosh Manager to apply restrictions or permit access to network
services for users.
If a user has a network account and the computer is recognized by Open Directory, the
user can log in using the network account name and password to gain access to
available resources. For optimum performance, be sure Mac OS X computers are
configured to use DHCP (in the Network pane of System Preferences) and an automatic
search policy (in the Authentication pane of Directory Access). This is the default
configuration for Mac OS X versions 10.2 and later. If you change the default
configuration, users may experience delays in operating system performance when
disconnected from the network. For more information about using DHCP and an
automatic search policy to bind a computer to Open Directory service, see the Open
Directory administration guide.
For users without network accounts who have portable computers of their own but still
require access to your network resources, you can use Workgroup Manager or
Macintosh Manager features to apply settings for unknown or guest computers.
Unknown Mac OS X Portable Computers
To manage users who have their own personal portable computers running Mac OS X
system software, you can use the Guest Computers account to apply computer-level
management for unknown or guest computers on your network. If these users log in
using a Mac OS X Server user account, user and group managed preferences and
account settings also apply.
For more information about setting up the Guest Computers account for Mac OS X
users, see “Managing Guest Computers” on page 99. For information about managing
unknown portable computers that use Mac OS 9 system software, see “Providing Quick
Access to Unimported Users” on page 191.
Mac OS X Portable Computers With Multiple Local Users
One example of shared portable computers is an iBook Wireless Mobile Lab. An iBook
Wireless Mobile Lab contains either 10 or 15 student iBooks (plus an additional iBook
for an instructor), an AirPort Base Station, and a printer, all on a mobile cart. The cart
lets you take the computers to your users (for example, from one classroom to
another).
To manage the iBooks on your cart, create identical generic local user accounts on each
computer (for example, all the accounts could use “Math” as the user name and
“student” as the password). You might want to create different generic local accounts
for different purposes, such as an account for a History class, one for a Biology class,
and so on. Each account should have a local home directory and should not have
administrative privileges. Use a separate local administrator account on each computer
to allow server administrators (or other individuals) to perform maintenance tasks and
upgrades, install software, and administer the local user accounts.
After creating the local user accounts, add each of the computers to a computer list,
then manage preferences for that list. Because multiple users can store items in the
local home directory for the generic account, you may want to periodically clean out
that folder as part of your maintenance routine.
You can also create mobile accounts for users or use Workgroup Manager preference
management to create a mobile account automatically when a user logs in.
Mac OS X Portable Computers With One Primary Local User
There are two ways to set up portable computers for a single user who doesn’t use a
mobile account.
• The user doesn’t have administrator privileges, but has a local account.
Set up a local administrator account on the computer (don’t give the user any
information about this account), then set up a local account for the user. Users with
local accounts that don’t have administrator privileges can’t install software and can
add or delete items only in their own home directories. A local user can share items
with other local users by using the Public folder in his or her local home directory.
If this user had a mobile account, it would function as a local account but could be
managed like a network account. If the user has an existing network account, you
can change managed preference settings so that a mobile account is created during
the user’s first login.
• The user is the administrator for the computer.
If the user is the local administrator, he or she can choose during login whether or
not to be managed. For example, to access servers at school, the user should choose
to be managed at login, but at home the user may prefer not to be managed since
access to the school servers may not be available.
If the user also has a Mac OS X Server user account and network access is available, it
may still be preferable to log in using the local account to reduce network traffic. The
user can connect to his or her network home directory (to store or retrieve
documents, for example) via the “Go to Folder” command in the Finder’s Go menu.
Managing Mac OS 9 Portable Computers
You can set up and manage portable computers that use Mac OS 9. Users can have
either network accounts or local user accounts. Macintosh Manager has a “check out”
feature that allows users to take home an assigned portable computer and work while
not on a managed network.
For details about using Macintosh Manager to manage portable computers, see
“Managing Portable Computers” on page 223.
Chapter 3 User Management for Mobile Clients51
Using Wireless Services
You can provide wireless network service to managed clients using AirPort, for
example. When a user with a portable computer leaves the wireless area or changes to
a different network directory server (by moving out of one wireless area and into
another), client management settings may be different. Users may notice that some
network services, such as file servers, printers, shared group volumes, and so forth, are
unavailable from the new location. Users can purge these unavailable resources by
logging out and logging in again.
If you need more information about using AirPort, consult AirPort documentation or
visit the website: www.apple.com/airport/.
Chapter 4 Setting Up User Accounts
This chapter tells you how to set up, edit, and manage user accounts.
About User Accounts
A user account stores data that Mac OS X Server needs to validate the user’s identity
and provide services for the user. This section provides an overview of user accounts.
Where User Accounts Are Stored
User accounts, as well as group accounts and computer lists, can be stored in any Open
Directory domain accessible from the Mac OS X computer that needs access to the
account. A directory domain can reside on a Mac OS X computer (for example, the
LDAP directory of an Open Directory master, a NetInfo domain, or other read/write
directory domain) or it can reside on a non-Apple server (for example, an LDAP or
Active Directory server).
You can use Workgroup Manager to work with accounts in all kinds of directory
domains, but you can update only the LDAP directory of an Open Directory master, a
NetInfo domain, or other read/write directory domain using Workgroup Manager.
See the Open Directory administration guide for complete information about the
different kinds of Open Directory domains.
Predefined User Accounts
The following list describes some of the user accounts that are created automatically
when you install Mac OS X Server (unless otherwise indicated). Each entry gives the
predefined user name, its short name, its user ID, and what the account is used for.
• Anonymous FTP User (short name ftp, user ID 98): The user name given to anyone
using FTP as an anonymous user. This user is created the first time the FTP server is
accessed if the FTP server is turned on, anonymous FTP access is enabled, and the
anonymous ftp user doesn’t already exist.
• Macintosh Manager User (mmuser, -17): The user created by Macintosh Management
Server when the application is first started on a particular server. This user has no
home directory, and the password is changed periodically.
• MySQL Server (mysql, 74): The user that the MySQL database server uses for the
processes that handle requests.
• Sendmail User (smmsp, 25): The user that sendmail runs as.
• sshd Privilege separation (sshd, 75): The user for the sshd child processes that
process network data.
• System Administrator (root, 0): The most powerful user.
• System Services (daemon, 1): A legacy UNIX user.
• Unknown User (unknown, 99): The user ID the system uses when it has no ownership
information for a hard disk.
• Unprivileged User (nobody, -2): This user was originally created so that system
services don’t have to run as System Administrator. Now, however, service-specific
users, such as World Wide Web Server, are often used for this purpose.
• World Wide Web Server (www, 70): The nonprivileged user that Apache uses for its
processes that handle requests.
Administering User Accounts
This section describes how to administer user accounts stored in various kinds of
directory domains.
54Chapter 4 Setting Up User Accounts
Creating Mac OS X Server User Accounts
You need administrator privileges for a directory domain to create a new user account
in it.
To create a user account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using have been
configured to access the domain of interest.
See the Open Directory administrator’s guide for instructions.
3 Click the small globe above the accounts list, then choose the domain in which you
want the user’s account to reside.
For example, Local, /NetInfo/root/<host name>, and /NetInfo/DefaultLocalNode all
refer to the local directory domain. /NetInfo/root refers to a shared NetInfo domain if
the server is set up to access one; otherwise, /NetInfo/root is the local domain.
4 To authenticate, click the lock.
5 Choose Server > New User or click New User in the toolbar.
6 Specify settings for the user in the tabs provided.
See “Working With Basic Settings for Users” on page 61 through “Working With Print
Settings for Users” on page 75 for details.
You can also use a preset or an import file to create a new user.
For details, see “Using Presets to Create New Accounts” on page 59 and Appendix,
“Importing and Exporting Account Information.”
Creating Read-Write LDAPv3 User Accounts
You can create a user account on a non-Apple LDAPv3 server if it has been configured
for write access.
To create an LDAPv3 user account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using have been
configured to use the LDAP server for user accounts.
See the Open Directory administration guide for details about how to use Directory
Access to configure an LDAP connection and Appendix, “Importing and Exporting
Account Information,” for information about the user account elements that may need
to be mapped.
3 Click the small globe above the accounts list, then choose the LDAPv3 domain in which
you want the user’s account to reside.
4 To authenticate, click the lock.
5 Choose Server > New User or click New User in the toolbar.
6 Specify settings for the user in the tabs provided. See “Working With Basic Settings for
Users” on page 61 through “Working With Print Settings for Users” on page 75 for
details.
You can also use a preset or an import file to create a new user. For details, see “Using
Presets to Create New Accounts” on page 59 and Appendix, “Importing and Exporting
Account Information.”
Editing User Account Information
You can use Workgroup Manager to change a user account that resides in the LDAP
directory of an Open Directory master, a NetInfo domain, or other read/write directory
domain.
To make changes to a user account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using have been
configured to access the desired directory domain.
See the Open Directory administrator’s guide for instructions.
3 Click the small globe above the accounts list, then choose the domain in which the
user’s account resides.
4 To authenticate, click the lock.
5 Click the Users button and select the user.
6 Edit settings for the user in the tabs provided. See “Working With Basic Settings for
Users” on page 61 through “Working With Print Settings for Users” on page 75 for
details.
Editing Multiple Users Simultaneously
You can use Workgroup Manager to make the same change to multiple user accounts
in the LDAP directory of an Open Directory master, a NetInfo domain, or other read/
write directory domain at the same time.
To edit multiple users:
1 In Workgroup Manager, click Accounts.
2 Select the user accounts you want to change.
Click the small globe above the accounts list, choose the directory domain, then
Command-click each user to add it to the selection.
3 To authenticate, click the lock.
4 Click to display the pane you want to work with and make desired changes in fields
that Workgroup Manager lets you update.
Modifying Accounts in an Open Directory Master When You’re a
Domain Administrator But Not a Server Administrator
If you are authorized to administer a directory domain but not the server, you can still
modify accounts.
To modify accounts:
1 Use an administrator computer that has been set up (using the Services pane of
Directory Access) to access the server hosting the Open Directory master.
2 Open Workgroup Manager on the administrator computer.
3 When the login window appears, choose Server > View Directories.
4 Click the small globe icon above the accounts list and choose Other from the pop-up
menu.
5 Open the directory domain you want to administer, and then click the lock to be
authenticated as a domain administrator.
Working With Read-Only User Accounts
You can use Workgroup Manager to review information for user accounts stored in
read-only directory domains. Read-only directory domains include LDAPv2 domains,
LDAPv3 domains not configured for write access, and BSD configuration files.
To work with a read-only user account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using have been
configured to access the directory domain in which the account resides.
See the Open Directory administration guide for information about using Directory
Access to configure server connections and the Appendix, “Importing and Exporting
Account Information,” for information about the user account elements that need to be
mapped.
3 Click the small globe above the accounts list and choose the directory domain in which
the user’s account resides.
4 Use the tabs provided to review the user’s account settings.
See “Working With Basic Settings for Users” on page 61 through “Working With Print
Settings for Users” on page 75 for details.
Defining a Guest User
You can set up some services to support “anonymous” users, who can’t be
authenticated because they don’t have a valid user name or password. The following
services can be set up to support anonymous users:
• Windows services (see the Windows Services guide for information about
configuring guest access)
• Apple file service (see the file services administration guide for information about
configuring guest access)
• FTP service (see the file services administration guide for information about
configuring guest access)
• Web service (see the web technologies administration guide for information about
configuring guest access)
Users who connect to a server anonymously are restricted to files, folders, and websites
with privileges set to Everyone.
Another kind of guest user is a managed user that you can define to allow easy setup
of public computers or kiosk computers. See Chapter 9, “Managing Preferences,” and
Chapter 10, “Using Macintosh Manager for Mac OS 9,” for more about these kinds of
users.
Deleting a User Account
You can use Workgroup Manager to delete a user account stored in the LDAP directory
of an Open Directory master or a NetInfo domain.
Warning: You cannot undo this action.
To delete a user account using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to delete.
To locate the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user.
3 To be authenticated, click the lock.
4 Choose Server > Delete Selected User or click the Delete icon in the toolbar.
Disabling a User Account
To disable a user account, you can:
• Deselect the “User can log in” option on the Basic pane in Workgroup Manager.
• Delete the account.
• Change the user’s password to an unknown value.
• Set a password policy that disables login (for a user account whose password type is
Open Directory).
Working With Presets for User Accounts
Presets are like templates with which you define attributes that automatically apply to
new user or group accounts.
Creating a Preset for User Accounts
You can create one or more presets to choose from when creating new user accounts
in a particular directory domain.
To create a preset for user accounts:
1 Open Workgroup Manager on the server from which you will be creating user
accounts.
Ensure that the server has been configured to access the Mac OS X directory domain or
non-Apple LDAPv3 domain in which the preset will be used to create new accounts. To
access a different domain, click the small globe above the accounts list.
2 Click Accounts.
3 To create a preset using data in an existing user account, open the account. To create a
preset using an empty user account, create a new user account.
4 Fill in the fields with values you want new user accounts to inherit. Delete any values
you don’t want to prespecify if you’re basing the preset on an existing account.
The following attributes can be defined in a user account preset: password settings,
administrator privileges, home directory settings, quotas, default shell, primary group
ID, group membership list, comment, login settings, print settings, and mail settings.
5 Click Preferences, configure settings that you want the preset to define, and then click
Accounts.
After configuring preference settings for a preset, you must return to the Accounts
settings to save the preset.
6 Choose Save Preset from the Presets pop-up menu, enter a name for the preset, then
click OK.
The preset is saved to the current directory domain.
Using Presets to Create New Accounts
Presets provide a quick way to apply settings to a new account. After you apply the
preset, you can continue to modify settings for the new account, if necessary.
To create a new account using a preset:
1 Open Workgroup Manager on a server configured to access the Mac OS X directory
domain or non-Apple LDAPv3 domain in which the preset will be used to create the
new account.
2 Click Accounts.
3 Click the small globe above the accounts list, then choose the directory domain in
which you want the new account to reside.
4 To authenticate, click the lock.
5 Choose an item from the Presets pop-up menu. If you plan to import a file, you choose
a preset in the import options dialog.
6 Create a new account, either interactively or using an import file.
If a setting is specified in both the preset and an import file, the value in the file is used.
If a setting is specified in the preset but not in the import file, the value in the preset is
used.
7 Add or update attribute values if required, either interactively or using an import file.
Renaming Presets
Name your presets to help remind you of the template settings or identify the type of
user account, group account, or computer list for which that preset is best suited.
To rename a preset:
1 Open Workgroup Manager on the server where the preset has been defined.
2 Click Accounts.
3 Choose Rename Preset from the Presets pop-up menu.
4 Enter the new name and click OK.
Changing Presets
When you change a preset, existing accounts created using it are not updated to
reflect your changes.
To change a preset:
1 Open Workgroup Manager on the server where the preset has been defined.
2 Click Accounts.
3 Choose an item from the Presets pop-up menu.
4 After completing your changes, choose Save Preset from the Presets pop-up menu.
You can also change a preset while using it to create a new account by changing any of
the fields defined by the preset, then saving the preset.
Deleting a Preset
If you no longer need a particular preset, you can delete it.
To delete a preset:
1 Open Workgroup Manager on the server where the preset has been defined.
2 Click Accounts.
3 Choose Delete Preset from the Presets pop-up menu.
4 Select the preset you want to delete and click Delete.
Working With Basic Settings for Users
Basic settings are a collection of attributes that must be defined for all users.
In Workgroup Manager, you use the Basic pane in the user account window to work
with basic settings.
Defining Long User Names
The user name is the long name for a user, such as Ellen Brown or Dr. Arnold T. Smith.
Sometimes the user name is referred to as the “full name” or the “real” name. Users can
log in using the user name or a short name associated with their accounts.
Long user names are case-sensitive in the login window; so if an account has the user
name Mary Smith, login fails if MARY SMITH is entered in the login window. However,
user names are not case-sensitive when used to authenticate a user for file server
access or to log in from Macintosh Manager Mac OS 9 clients.
A long user name can contain no more than 255 bytes. Since long user names support
various character sets, the maximum number of characters for long user names can
range from 255 Roman characters to as few as 85 characters (for character sets in which
characters occupy up to 3 bytes).
You can use Workgroup Manager to edit the user name of an account stored in the
LDAP directory of an Open Directory master, a NetInfo domain, or other read/write
directory domain. You can also use Workgroup Manager to review the user name in any
directory domain accessible from the server you’re using.
To work with the user name using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 In the Name field (on the Basic pane), review or edit the user name.
Initially, the value of the user name is “Untitled <some-number>.” When you change it,
Workgroup Manager checks the new name only against the current domain and the other
domains in the search path (search policy) of the server you’re using: it won’t let you
assign the same name to different users there, but it has no way of detecting whether
duplicates exist in other domains. Avoid assigning the same name to more than one user.
Defining Short User Names
A short name is an abbreviated name for a user, such as ebrown or arnoldsmith. Users
can log in using the short name or the user name associated with their accounts. The
short name is used by Mac OS X for home directories and groups:
• When Mac OS X automatically creates a user’s local or network AFP home directory, it
names the directory after the user’s short name. For more information about home
directories see Chapter 7, “Setting Up Home Directories.”
• When Mac OS X checks to see whether a user belongs to a group authorized to
access a particular file, it uses short names to find user IDs of group members. See
“Avoiding Duplicate Short Names” on page 64 for an example.
You can have as many as 16 short names associated with a user account. You might
want to use multiple short names as aliases for email accounts, for example. The first
short name is the name used for home directories and group membership lists; don’t
reassign that name after you save the user account.
A short user name can contain as many as 255 Roman characters. However, for clients
using Mac OS X version 10.1.5 and earlier, the first short user name must be 8 characters
or fewer.
Use only these characters for the first short user name (subsequent short names can
contain any Roman character):
• a through z
• A through Z
• 0 through 9
• _ (underscore)
• - (hyphen)
Typically, short names contain eight or fewer characters.
You can use Workgroup Manager to edit the short name of an account stored in the
LDAP directory of an Open Directory master, a NetInfo domain, or other read/write
directory domain. You can also use Workgroup Manager to review the short name in
any directory domain accessible from the server you’re using.
To work with a user’s short name using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user account.
3 To be authenticated, click the lock.
4 In the Short Names field (on the Basic pane), review or edit the short names.
Initially, the value of the short name is “untitled_<some-number>.” If you specify
multiple short names, each should be on its own line.
Avoid assigning the same short name to more than one user. Workgroup Manager
doesn’t let you assign the same short name to different users in any particular domain
or in any domain in the search path (search policy) of the server you’re using, but has
no way of detecting whether duplicates might exist in other domains.
After the user’s account has been saved, you can’t change the first short name, but you
can change others in a list of short names.
Choosing Stable Short Names
When you create groups, Mac OS X identifies users in them by their first short name,
which can’t be changed.
If a short name change is unavoidable, you can create a new account for the user (in
the same directory domain) that contains the new short name, but retains all other
information (user ID, primary group, home directory, and so forth). You can then disable
login for the old user account. Now the user can log in using the changed name, yet
have the same access to files and other network resources as before. (See “Disabling a
User Account” on page 58 for information on disabling use of an account for login.)
Avoiding Duplicate Names
If separate user accounts have the same name (user name or short name) and
password, a Mac OS X computer may authenticate a user different from the one you
want it to authenticate. Or it may mask the user record that should be used for
authentication.
Consider an example that consists of three shared directory domains. Tony Smith has
an account in the Students domain, and Tom Smith has an account in the root domain.
Both accounts contain the short name “tsmith” and the password “smitty.”
[Figure: Tom Smith (tsmith, smitty) has his record in the root domain (/), which sits
above the Students and Faculty domains; Tony Smith (tsmith, smitty) has his record in
the Students domain. Tony’s computer is bound to Students and Tom’s computer to Faculty.]
When Tony logs in to his computer with a user name “tsmith” and the password
“smitty,” he is authenticated using the record in the Students domain. Similarly, Tom
can use the same login entries at his computer and be authenticated using his record
in the root domain. If Tony and Tom ever logged in to each other’s computers using
tsmith and smitty, they would both be authenticated, but not with the desired results.
Tony could access Tom’s files, and vice versa.
Now let’s say that Tony and Tom have the same short name, but different passwords.
[Figure: Tom Smith (tsmith, smitty) in the root domain (/); Tony Smith (tsmith, tony)
in the Students domain; Tony’s computer is bound to Students and Tom’s computer to
Faculty.]
If Tom attempts to log in to Tony’s computer using the short name “tsmith” and his
password (smitty), his user record is masked by Tony’s user record in the Students
domain. Mac OS X finds “tsmith” in Students, but its password doesn’t match the one
Tom used to log in. Tom is denied access to Tony’s computer, and his record in the root
domain is never found.
If Tony has a user record in his local directory domain that has the same names and
password as his record in the Students domain, the Students domain’s record for Tony
would be masked. Tony’s local domain should offer a name/password combination that
distinguishes it from the Students domain’s record. If the Students domain is not
accessible (when Tony works at home, for example), he can log in using the local name
and continue using his computer. Tony can still access local files created when he
logged in using the Students domain if the user ID in both records is the same.
Duplicate short names also have undesirable effects in group records, described in the
next section.
Avoiding Duplicate Short Names
Since short names are used to find user IDs of group members, duplicate short names
can result in file access being granted to users you hadn’t intended to give access.
Return to the example of Tony and Tom Smith, who have duplicate short names.
Assume that the administrator has created a group in the root domain to which all
students belong. The group—AllStudents—has a GID of 2017.
[Figure: the root domain (/) holds Tom Smith (tsmith, smitty, UID 2000) and the group
AllStudents (GID 2017, member list: tsmith); the Students domain holds Tony Smith
(tsmith, smitty, UID 3000). Tony’s computer is bound to Students and Tom’s computer to
Faculty. The file MyDoc has these privileges: Owner 127 can Read & Write; Group 2017
can Read only; Everyone else can: None.]
Now suppose that a file, MyDoc, resides on a computer accessible to both Tony and
Tom. The file is owned by a user with the user ID 127. It has read-only access privileges
for AllStudents. Tony, not Tom, was added as a member of AllStudents, but because a
group’s member list consists of short names, not user IDs, and the short name tsmith is
listed as a member of AllStudents, both Tony and Tom are effectively members of
AllStudents.
When Tom attempts to access MyDoc, Mac OS X determines that the owner
permissions do not apply for Tom, and moves on to check if group permissions apply
for Tom. Mac OS X searches the login hierarchy for user records with short names that
match those associated with AllStudents. Tom’s user record is found (short name
tsmith) because it resides in the login hierarchy, and the user ID in the user record is
compared with Tom’s login user ID. They match, so Tom is allowed to read MyDoc, even
though he’s not actually a member of AllStudents.
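The lookups described in “Avoiding Duplicate Names” and “Avoiding Duplicate Short Names”, as an added example that is not Apple’s code: a small Python model of a computer’s search policy, of record masking at login, and of the group check that resolves member short names to user IDs. It reuses the Tony and Tom Smith accounts, the passwords smitty and tony, UIDs 2000 and 3000, the AllStudents group (GID 2017) and the MyDoc privileges from this chapter; the local domain names, the search-path order (local, then the bound shared domain, then root) and the plaintext-password comparison are simplifications made for the illustration. The audit function at the end is likewise my addition: it reports short names or user IDs that occur in more than one domain, which is exactly the check Workgroup Manager cannot do across domains outside one server’s search path.

```python
# Added example (not Apple's code): a toy model of the directory-domain lookups
# this chapter describes. Domain names, search-path order and plaintext password
# checks are constructed simplifications; users, passwords, UIDs, the group and
# the MyDoc privileges are the ones from the chapter's example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class User:
    long_name: str
    short_names: List[str]   # the first short name is the one groups refer to
    uid: int
    password: str            # plaintext only because this is a model


@dataclass
class Group:
    name: str
    gid: int
    members: List[str]       # short names, as in a Mac OS X group record


@dataclass
class Domain:
    name: str
    users: List[User] = field(default_factory=list)
    groups: List[Group] = field(default_factory=list)

    def find_user(self, short_name: str) -> Optional[User]:
        return next((u for u in self.users if short_name in u.short_names), None)

    def find_group(self, gid: int) -> Optional[Group]:
        return next((g for g in self.groups if g.gid == gid), None)


def authenticate(search_path: List[Domain], short_name: str,
                 password: str) -> Optional[Tuple[str, User]]:
    """The first domain in the search path holding the short name decides.
    A password mismatch there fails the login even if a later domain holds a
    matching record: that later record is masked."""
    for dom in search_path:
        user = dom.find_user(short_name)
        if user is not None:
            return (dom.name, user) if user.password == password else None
    return None


def member_uids(search_path: List[Domain], short_name: str) -> Set[int]:
    """Every user ID the search path maps a short name to; more than one
    means the short name is duplicated somewhere in the path."""
    return {u.uid for d in search_path for u in d.users if short_name in u.short_names}


def can_read(search_path: List[Domain], login_user: User, owner_uid: int,
             gid: int, owner_r: bool, group_r: bool, other_r: bool) -> bool:
    """Owner first, then group (members resolved short name -> record -> uid),
    then everyone else, in the order the chapter describes."""
    if login_user.uid == owner_uid:
        return owner_r
    for dom in search_path:
        group = dom.find_group(gid)
        if group is not None:
            uids = set().union(*(member_uids(search_path, m) for m in group.members))
            return group_r if login_user.uid in uids else other_r
    return other_r


def audit_duplicates(domains: List[Domain]) -> Tuple[Dict[str, List[str]], Dict[int, List[str]]]:
    """Short names and user IDs that occur in more than one of the given domains."""
    by_name: Dict[str, List[str]] = {}
    by_uid: Dict[int, List[str]] = {}
    for dom in domains:
        for u in dom.users:
            for s in u.short_names:
                by_name.setdefault(s, []).append(dom.name)
            by_uid.setdefault(u.uid, []).append(dom.name)
    return ({s: d for s, d in by_name.items() if len(d) > 1},
            {u: d for u, d in by_uid.items() if len(d) > 1})


def scenario(tony_short: str = "tsmith", tony_password: str = "smitty"):
    """Tom in the root domain, Tony in Students, AllStudents (GID 2017) in root
    listing Tony's first short name. Each computer searches its local domain,
    then the shared domain it is bound to, then root (constructed order)."""
    tom = User("Tom Smith", ["tsmith"], 2000, "smitty")
    tony = User("Tony Smith", [tony_short], 3000, tony_password)
    root = Domain("/", [tom], [Group("AllStudents", 2017, [tony_short])])
    students, faculty = Domain("Students", [tony]), Domain("Faculty")
    return tom, tony, [Domain("Tony local"), students, root], [Domain("Tom local"), faculty, root]


MYDOC = (127, 2017, True, True, False)   # owner 127: r/w, group 2017: r, others: none


def same_password_case() -> str:
    _, _, tony_pc, _ = scenario()
    # Tom types tsmith/smitty on Tony's computer and is logged in as Tony.
    return authenticate(tony_pc, "tsmith", "smitty")[1].long_name


def masking_case() -> bool:
    _, _, tony_pc, _ = scenario(tony_password="tony")
    # Tom's correct password is rejected: his root record is masked by Tony's.
    return authenticate(tony_pc, "tsmith", "smitty") is None


def local_masking_case() -> str:
    _, _, tony_pc, _ = scenario()
    tony_pc[0].users.append(User("Tony Smith", ["tsmith"], 3000, "smitty"))
    # The local record wins, so the Students record is never consulted.
    return authenticate(tony_pc, "tsmith", "smitty")[0]


def group_leak_case() -> Tuple[bool, bool]:
    tom, tony, tony_pc, tom_pc = scenario()
    # Tony is the intended member; Tom also gets read access via the short name.
    return can_read(tony_pc, tony, *MYDOC), can_read(tom_pc, tom, *MYDOC)


def unique_name_case() -> Tuple[bool, bool]:
    tom, tony, tony_pc, tom_pc = scenario(tony_short="tonysmith")
    return can_read(tony_pc, tony, *MYDOC), can_read(tom_pc, tom, *MYDOC)


def audit_case():
    _, _, tony_pc, tom_pc = scenario()
    return audit_duplicates([tony_pc[2], tony_pc[1], tom_pc[1]])   # root, Students, Faculty
```

Running the cases in order reproduces the chapter: with identical names and passwords Tom is logged in as Tony; with different passwords Tom is refused on Tony’s computer; a same-named local record masks the Students record; Tom can read MyDoc although only Tony was added to AllStudents; and giving Tony a unique first short name closes the leak. The audit reports tsmith in both the root and Students domains, which is the condition to fix before creating the group.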
Defining User IDs
A user ID is a number that uniquely identifies a user. Mac OS X computers use the
user ID to keep track of a user’s directory and file ownership. When a user creates a
directory or file, the user ID is stored as the creator ID. A user with that user ID has read
and write privileges to the directory or file by default.
The user ID should be a unique number from 500 through 2,147,483,647 (the largest
signed 32-bit value). Assigning the same user ID to different users is risky, since two
users with the same user ID have identical directory and file access privileges.
The user ID 0 is reserved for the root user. User IDs below 100 are reserved for system
use; accounts with these user IDs should not be deleted and should not be modified
except to change the password of the root user.
In general, once user IDs have been assigned and users start creating files and
directories throughout a network, you shouldn’t change user IDs. One possible scenario
in which you may need to change a user ID is when merging users created on different
servers into one new server or cluster of servers. The same user ID may have been
associated with a different user on the previous server.
When you create a new user account in any shared directory domain, Workgroup
Manager automatically assigns a user ID; the value assigned is an unused user ID (1025
or greater) in the server’s search path. (New users created using the Accounts
Preferences pane on Mac OS X Desktop computers are assigned user IDs starting at
501.)
You can use Workgroup Manager to edit the user ID of an account stored in the LDAP
directory of an Open Directory master or a NetInfo domain. You can also use
Workgroup Manager to review the user ID in any directory domain accessible from the
server you’re using.
To change a user ID in Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select an account, click the small globe above the accounts list and choose the
directory domain where the user’s account resides, and select the user.
3 To authenticate, click the lock.
4 In the Basic pane, specify a value in the User ID field.
Make sure the value is unique in the search policy (search path) of computers the user
will log in to.
Defining Passwords
For information about defining passwords, see the Open Directory administration
guide.
Setting Password Options for Imported Users
You can’t set Open Directory password options in an import file or in a preset used
during import.
To set password options for imported users:
1 Import the users by using Workgroup Manager or the dsimportexport command-line
tool.
2 In Workgroup Manager, click Accounts.
3 Open the directory into which the users were imported.
4 Select the users whose password options you want to set.
5 Click Advanced.
6 Make sure the User Password Type is set to Open Directory, click Options, set password
options, and click OK.
7 Click Save.
For more information about importing users, see the appendix. For additional
information about Open Directory passwords, see the Open Directory administration
guide.
Assigning Administrator Rights for a Server
A user who has server administration privileges can control most of the server’s
configuration settings and use applications, such as Server Admin, that require a user
to be a member of the server’s admin group.
You can use Workgroup Manager to assign server administrator privileges to an account
stored in the LDAP directory of an Open Directory master or a NetInfo domain. You can
also use Workgroup Manager to review server administrator privileges in any directory
domain accessible from the server you’re using.
To set server administrator privileges in Workgroup Manager:
1 Log in to Workgroup Manager by specifying the name or IP address of the server for
which you want to grant administrator privileges.
2 Click Accounts.
3 Click the small globe above the accounts list, choose the directory domain in which
the user’s account resides, then select the user account.
4 To authenticate, click the lock.
5 In the Basic pane, select “User can administer the server” to grant server administrator
privileges.
Assigning Administrator Rights for a Directory Domain
A user who has administrator privileges for an Apple directory domain can make
changes to user accounts, group accounts, and computer lists stored in that domain
using Workgroup Manager. The changes the user can make are limited to those you
specify.
You can use Workgroup Manager to assign directory domain administrator privileges
for an account stored in the LDAP directory of an Open Directory master or a NetInfo
domain. You can also use Workgroup Manager to review these privileges in any
directory domain accessible from the server you’re using.
To set directory domain administrator privileges in Workgroup Manager:
1 Make sure the user has an account in the directory domain.
2 In Workgroup Manager, click Accounts.
3 Select the user account.
To select the account, click the small globe above the accounts list and choose the
directory domain in which the user’s account resides, and select the account.
4 To be authenticated, click the lock.
5 In the Basic pane, select “User can administer this directory domain.”
6 To specify what the user should be able to administer in the domain, click Privileges.
By default, the user has no directory domain privileges.
7 Click the Users, Groups, or Computer Lists button and make the desired settings.
If you don’t select a checkbox (such as “The administrator can edit user preferences”),
the user can view the account or preference information in Workgroup Manager, but
not change it.
To add an item to the “listed below” area (on the right), drag it from the Available list
(on the left). To remove an item, select it and press the Delete key on the keyboard.
Working With Advanced Settings for Users
Advanced settings include login settings, keywords, password validation policy, and a
comment.
In Workgroup Manager, use the Advanced pane in the user account window to work
with advanced settings.
Defining Login Settings
By specifying user login settings, you can:
• Control whether the user can be authenticated using the account.
• Allow a managed user to simultaneously log in to more than one managed
computer at a time or prevent the user from doing so.
• Indicate whether a user of a managed computer can or must select a workgroup
during login or whether you want to avoid showing workgroups when the user
logs in.
• Identify the default shell the user will use for command-line interactions with
Mac OS X, such as /bin/csh or /bin/tcsh. The default shell is used by the Terminal
application on the computer the user is logged in to, but Terminal has a preference
that lets you override the default shell. The default shell is used by SSH (Secure Shell)
or Telnet when the user logs in to a remote Mac OS X computer.
You can use Workgroup Manager to define login settings of an account stored in the
LDAP directory of an Open Directory master, a NetInfo domain, or other read/write
directory domain. You can also use Workgroup Manager to review login settings in any
directory domain accessible from the server you’re using.
To work with login settings using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, and select the user in the user list.
3 To be authenticated, click the lock.
4 Click Advanced.
5 Select “Allow simultaneous login” to let a user log in to more than one managed
computer at a time.
Note: Simultaneous login is not recommended for most users. You may want to reserve
simultaneous login privileges for technical staff, teachers, or other users with
administrator privileges. (If a user has a network home directory, that’s where the user’s
application preferences and documents are stored. Simultaneous login may modify
these items; many applications don’t support such modification while they are open.)
You cannot disable simultaneous login for users with NFS home directories.
6 Choose a shell from the Login Shell pop-up menu to specify the default shell for the
user when logging in to a Mac OS X computer.
To enter a shell that doesn’t appear in the list, click Custom. To make sure a user can’t
access the server remotely using a command line, choose None.
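The login shell is the setting that decides whether an account can get a command line over SSH or Telnet at all, so it is worth auditing across accounts rather than one user at a time. The following is an added example, not code from the Apple guide: it parses passwd-style records (constructed here for illustration; on a real server you would feed in the accounts exported from the directory domain) and reports which accounts keep an interactive shell and which use a shell outside an expected list. The treatment of the “None” choice as an empty shell field or a non-interactive program such as /usr/bin/false is an assumption, as is the list of known shells.

```python
"""Added example (not from the Apple guide): audit which accounts still have
an interactive login shell. The records below are constructed in passwd(5)
format (name:password:uid:gid:gecos:home:shell) purely for illustration; on a
real server you would feed in the accounts exported from the directory domain."""

# Shells that give no command line. The guide's "None" choice is assumed here
# to appear as an empty shell field or one of these programs (assumption).
NON_INTERACTIVE_SHELLS = {"", "/usr/bin/false", "/sbin/nologin", "/dev/null"}

# Shells you expect to see, in the spirit of /etc/shells (assumed list).
KNOWN_SHELLS = {"/bin/sh", "/bin/csh", "/bin/tcsh", "/bin/bash", "/bin/zsh"}

# Constructed sample records; names and IDs are not from any real system.
SAMPLE_PASSWD = """\
root:*:0:0:System Administrator:/var/root:/bin/sh
www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
alice:*:1001:20:Alice Example:/Users/alice:/bin/tcsh
bob:*:1002:20:Bob Example:/Users/bob:
carol:*:1003:20:Carol Example:/Users/carol:/usr/bin/false
dave:*:1004:20:Dave Example:/Users/dave:/usr/local/bin/zsh
"""


def parse_passwd(text):
    """Parse passwd-format lines into dicts; reject malformed records."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd record: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        records.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return records


def interactive_accounts(records):
    """Names of accounts that can get a command line over SSH or Telnet."""
    return [r["name"] for r in records
            if r["shell"] not in NON_INTERACTIVE_SHELLS]


def unlisted_shells(records, known_shells=KNOWN_SHELLS):
    """Interactive accounts whose shell is not on the expected list, such as
    a Custom entry typed into Workgroup Manager."""
    return [r["name"] for r in records
            if r["shell"] not in NON_INTERACTIVE_SHELLS
            and r["shell"] not in known_shells]


if __name__ == "__main__":
    recs = parse_passwd(SAMPLE_PASSWD)
    print("interactive:", interactive_accounts(recs))
    print("unlisted shell:", unlisted_shells(recs))
```

An account with an empty shell field (bob above) is treated as having no command-line access; an account whose shell is interactive but not on the known list (dave above) is the case to review, since it is what a Custom shell entry looks like from the outside.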
Defining a Password Type
For details about setting up and managing passwords, see the Open Directory
administration guide.
Creating a Master List of Keywords
You can define keywords that enable quick searching and sorting of users. Using
keywords can simplify tasks such as creating groups or editing multiple users.
Before you begin adding keywords to user records, you must create a master keyword
list. The list of keywords shown in the Advanced pane for a selected user applies only to
that user.
To edit the master keyword list:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, and select the user in the user list.
3 To be authenticated, click the lock.
4 Click Advanced.
5 Click Define to view the master keyword list.
The master list shows all terms available for use as keywords. You can access and edit
the master keyword list from any selected user account.
6 To add a keyword to the master list, type terms in the text field and click (+).
7 To remove a keyword from the master list and all user records where it appears, select
the keyword, select Remove Deleted Keywords From Users, and click (–).
If you only want to remove a keyword from the master list, make sure Remove Deleted
Keywords From Users is not selected, then select the keyword you want to remove and
click (–).
8 When you’ve finished editing the master list, click OK.
Applying Keywords to User Accounts
You can’t add keywords to more than one user at a time; however, you can remove a
keyword from all users that are tagged with that keyword if necessary.
To work with keywords for an individual user account:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Advanced.
5 To add a keyword to the selected account, click (+) to view the list of available
keywords. Select one or more terms in the list, then click OK.
6 To remove a keyword from a specific user, select the term you want to remove and
click (–).
7 When you’ve finished adding or removing keywords for the selected user, click Save.
Editing Comments
You can save a comment in a user’s account to provide whatever documentation might
help with administering the user. A comment can be as long as 32,676 characters.
You can use Workgroup Manager to define the comment of an account stored in the
LDAP directory of an Open Directory master, a NetInfo domain, or other read/write
directory domain. You can also use Workgroup Manager to review the comment in any
directory domain accessible from the server you’re using.
To work with a comment using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Advanced.
5 Edit or review the contents of the Comment field.
Working With Group Settings for Users
Group settings identify the groups a user is a member of.
In Workgroup Manager, use the Groups pane in the user account window to work with
group settings.
See Chapter 5, “Setting Up Group Accounts,” for information on administering groups.
Defining a User’s Primary Group
A primary group is the group to which a user belongs by default.
The ID of the primary group is used by the file system when the user accesses a file he
or she doesn’t own. The file system checks the file’s group privileges, and if the primary
group ID of the user matches the ID of the group associated with the file, the user
inherits group access privileges. The primary group offers the fastest way to determine
whether a user has group privileges for a file.
The primary group ID should be a unique string of digits. By default, it is 20 (which
identifies the group named “staff”), but you can change it. The maximum value is
2,147,483,648.
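The group check described above decides access in a fixed order: owner first, then group, then everyone else, and only one of those classes is ever consulted for a given user and file. The following is an added example, not code from the Apple guide, that writes that decision out in Python with constructed user IDs and files; the group IDs 20 (staff), 80 (admin) and 70 (www) are the ones this guide lists, while the user IDs, file modes and function names are assumptions for illustration. It also covers the membership the user picks up through the Other Groups list, not just the primary group.

```python
"""Added example (not from the Apple guide): how a POSIX file system decides
whether a user may access a file, using the user's primary group ID and the
other groups the user belongs to. User IDs, files and modes are constructed."""

import stat

# Which permission bit each class (owner, group, other) must carry.
_CLASS_BITS = {
    "owner": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "group": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "other": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}


def access_class(uid, primary_gid, other_gids, file_uid, file_gid):
    """Return the single permission class used for this user and file.

    Owner is checked first; then the primary group (the fast path the guide
    describes); then any other group the user belongs to; finally 'other'."""
    if uid == file_uid:
        return "owner"
    if primary_gid == file_gid or file_gid in other_gids:
        return "group"
    return "other"


def can_access(uid, primary_gid, other_gids, file_uid, file_gid, mode, want):
    """True if the user may perform every operation in `want` ('r', 'w', 'x').

    Only the bits of the class chosen by access_class() are consulted, so a
    file owner whose owner bits are empty is refused even if the group bits
    would have allowed the operation."""
    bits = _CLASS_BITS[access_class(uid, primary_gid, other_gids,
                                    file_uid, file_gid)]
    return all(mode & bits[op] for op in want)


if __name__ == "__main__":
    # Constructed: alice is uid 1001, primary group staff (20), also in admin (80).
    alice = (1001, 20, {80})
    # A file owned by another user (uid 1002) in group admin, mode rw-rw----.
    print(can_access(*alice, 1002, 80, 0o660, "rw"))   # group match via admin
    # A file in group www (70), mode rw-r-----: alice falls through to 'other'.
    print(can_access(*alice, 1002, 70, 0o640, "r"))
```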
You can use Workgroup Manager to define the primary group ID of an account stored
in the LDAP directory of an Open Directory master, a NetInfo domain, or other read/
write directory domain. You can also use Workgroup Manager to review the primary
group information in any directory domain accessible from the server you’re using.
To work with a primary group ID using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click the Groups button.
5 Edit or review the contents of the Primary Group ID field. Workgroup Manager displays
the full and short names of the group after you enter a primary group ID if the group
exists and is accessible in the search path of the server you’re logged into.
Adding a User to Groups
Add a user to a group when you want multiple users to have the same file access
privileges or when you want to manage their Mac OS X preferences using workgroups
or computer lists.
You can use Workgroup Manager to add a user to a group if the user and group
accounts are in the LDAP directory of an Open Directory master or a NetInfo domain.
To add a user to a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click the Groups button.
5 Click the Add (+) button to open a drawer listing the groups defined in the directory
domain you’re working with. (To include system groups in the list, choose Preferences
on the Workgroup Manager menu, then select “Show system users and groups.”)
6 Select the group, then drag it into the Other Groups list on the Groups pane.
You can also add users to a group by using the Members pane of group accounts.
Removing a User From a Group
You can use Workgroup Manager to remove a user from a group if the user and group
accounts reside in the LDAP directory of an Open Directory master or a NetInfo
domain.
To remove a user from a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click the Groups button.
5 Select the group or groups from which you want to remove the user, then click the
Remove (–) button.
You can also add users to a group by using the Members pane of group accounts.
Reviewing a User’s Group Memberships
You can use Workgroup Manager to review the groups a user belongs to if the user
account resides in a directory domain accessible from the server you’re using.
To review group memberships using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click the Groups button.
The primary group to which the user belongs is displayed, and other groups the user
belongs to are listed in the Other Groups list.
Working With Home Settings for Users
Home settings describe a user’s home directory attributes. For information about using
and setting up home directories, see Chapter 7, “Setting Up Home Directories.”
Working With Mail Settings for Users
You can create a Mac OS X Server mail service account for a user by specifying mail
settings for the user in the user’s account. To use the account, the user configures a
mail client to identify the user name, password, mail service, and mail protocol you
specify in the mail settings.
In Workgroup Manager, use the Mail pane in the user account window to work with a
user’s mail service settings.
See the mail service administration guide for information about how to set up and
manage Mac OS X Server mail service.
Disabling a User’s Mail Service
You can use Workgroup Manager to disable mail service for a user whose account is
stored in the LDAP directory of an Open Directory master, a NetInfo domain, or other
read/write directory domain.
To disable a user’s mail service using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Mail.
5 Select None.
Enabling Mail Service Account Options
You can use Workgroup Manager to enable mail service and set mail options for a user
account stored in the LDAP directory of an Open Directory master, a NetInfo domain, or
other read/write directory domain. You can also use Workgroup Manager to review the
mail settings of accounts stored in any directory domain accessible from the server
you’re using.
To work with a user’s mail account options using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Mail.
5 To allow the user to use mail service, select Enabled.
6 Enter a valid mail server name or address in the Mail Server fields for the DNS name or
IP address of the server to which the user’s mail should be routed. Workgroup Manager
doesn’t verify this information.
7 Enter a value in the Mail Quota field to specify the maximum number of megabytes for
the user’s mailbox.
A 0 or empty value means no quota is used. When the user’s message space
approaches or surpasses the mail quota you specify, mail service displays a message
prompting the user to delete unwanted messages to free up space. The message
shows quota information in kilobytes (KB) or megabytes (MB).
8 Select a Mail Access setting to identify the protocol used for the user’s mail
account: Post Office Protocol (POP) and/or Internet Message Access Protocol (IMAP).
9 The following features are supported only for mail accounts that reside on a server
using Mac OS X Server software earlier than version 10.3.
Select an Options setting to determine inbox characteristics for mail accounts that
access email using both POP and IMAP.
“Use separate inboxes for POP and IMAP” creates an inbox for POP mail and a separate
inbox for IMAP mail. “Show POP Mailbox in IMAP folder list” shows an IMAP folder
named POP Inbox.
Select “Enable NotifyMail” to automatically notify the user’s mail application when new
mail arrives. The IP address to which the notification is sent can be either the last IP
address from which the user logged in or an address you specify.
Forwarding a User’s Mail
You can use Workgroup Manager to set up email forwarding for a user whose account
is stored in the LDAP directory of an Open Directory master or a NetInfo domain.
To forward a user’s mail using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Mail.
5 Select Forward and enter the forwarding email address in the Forward To field.
Make sure you enter the correct address. Workgroup Manager doesn’t verify that the
address exists.
Working With Print Settings for Users
Print settings associated with a user’s account define the ability of a user to print to
accessible Mac OS X Server print queues for which print service enforces print quotas.
The print service administration guide tells you how to set up quota-enforcing print
queues.
In Workgroup Manager, use the Print pane in the user account window to work with a
user’s print quotas:
• Select None (the default) to disable a user’s access to print queues enforcing print
quotas.
• Select All Queues to let a user print to all accessible print queues that enforce quotas.
• Select Per Queue to let a user print to specific print queues that support quotas.
Disabling a User’s Access to Print Queues Enforcing Quotas
You can use Workgroup Manager to prevent a user from printing to any accessible
Mac OS X print queue that enforces quotas. To use Workgroup Manager, the user’s
account must be stored in the LDAP directory of an Open Directory master or a NetInfo
domain.
To disable a user’s access to print queues enforcing quotas:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Print.
5 Select None.
Enabling a User’s Access to Print Queues Enforcing Quotas
You can use Workgroup Manager to allow a user to print to all or only some accessible
Mac OS X print queues that enforce quotas. To use Workgroup Manager, the user’s
account must be stored in the LDAP directory of an Open Directory master or a NetInfo
domain.
To set a user’s print quota for print queues enforcing quotas:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Print.
To set up a quota that applies to all queues, go to step 5. Alternatively, to set up quotas
for specific print queues, go to step 6.
5 Click “All Queues,” then specify the maximum number of pages the user should be able
to print in a certain number of days for any print queue enforcing quotas.
6 Click “Per Queue,” then use the Queue Name pop-up menu to select the print queue
for which you want to define a user quota. If the print queue you want to specify is not
on the Queue Name pop-up menu, click Add to enter the queue name and specify, in
the Print Server field, the IP address or DNS name of the server where the queue is
defined.
To give the user unlimited printing rights to the queue, click “Unlimited printing.”
Otherwise, specify the maximum number of pages the user should be able to print in a
certain number of days. Then click Save.
Deleting a User’s Print Quota for a Specific Queue
If you no longer require a print quota for a particular queue, you can delete that quota
for specific users.
To delete a user’s print quota using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the list.
3 To be authenticated, click the lock.
4 Click Print.
5 Use the Queue Name pop-up menu and the Print Server field to identify the print
queue to which you want to disable a user’s access.
6 Click Delete.
Resetting a User’s Print Quota
On some occasions, a user may exceed his or her print quota but still need to print
additional pages. For example, an administrator may want to print a 200-page manual,
but her print quota is only 150 pages. Or, a student may exceed his quota by printing
an essay but need to print a new revised copy. You can use Workgroup Manager to
reset a user’s print quota and allow the user to continue printing.
To restart a user’s print quota using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the account you want to work with.
To select the account, click the small globe above the accounts list and choose the
directory domain where the account resides, then select the user in the user list.
3 To be authenticated, click the lock.
4 Click Print.
5 If the user is set up for printing to all print queues supporting quotas, click Restart Print
Quota.
If the user’s print quotas are print queue–specific, use the Queue Name pop-up menu
and the Print Server field to identify a print queue, then click Restart Print Quota.
You can also extend a user’s page limit without resetting the quota period by changing
the number of pages allowed for the user. In this way, the time period for the quota
remains the same and is not reset, but the number of pages the user can print during
that period is adjusted for both the current and future print quota periods. To extend or
decrease a selected user’s page limit, type a new number in the “Limit to ___ pages”
field and click Save.
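The two operations just described differ in what they leave alone: Restart Print Quota starts the count and the period over, while changing “Limit to ___ pages” keeps the current period and adjusts only the allowance. The following is an added example, not code from the Apple guide, that models a per-queue quota of N pages per M days so the difference can be exercised on sample dates; the class and method names are my own, and two details are assumptions: a job that would overrun the allowance is refused whole, and a restart begins a new period at the moment of the restart.

```python
"""Added example (not from the Apple guide): page-per-period print quota
semantics, with "restart" and "change the page limit" kept distinct.
Class and method names are assumptions; dates below are constructed."""

from datetime import datetime, timedelta


class PrintQuota:
    """A quota of `page_limit` pages per `period_days` days for one queue."""

    def __init__(self, page_limit, period_days, start):
        self.page_limit = page_limit
        self.period = timedelta(days=period_days)
        self.period_start = start
        self.pages_used = 0

    def _roll_period(self, now):
        # When a period has elapsed, the next one begins with a fresh count.
        while now >= self.period_start + self.period:
            self.period_start += self.period
            self.pages_used = 0

    def pages_remaining(self, now):
        self._roll_period(now)
        return max(self.page_limit - self.pages_used, 0)

    def try_print(self, pages, now):
        """Accept the job only if it fits within the remaining allowance
        (assumption: an overrunning job is refused whole)."""
        self._roll_period(now)
        if self.pages_used + pages > self.page_limit:
            return False
        self.pages_used += pages
        return True

    def restart(self, now):
        """Restart Print Quota: zero the count and begin a new period now."""
        self.period_start = now
        self.pages_used = 0

    def set_page_limit(self, new_limit):
        """Change the 'Limit to ___ pages' value without touching the period;
        the new allowance applies to this period and the following ones."""
        self.page_limit = new_limit


if __name__ == "__main__":
    # Constructed scenario: 150 pages per 7 days, period starting 1 Jan 2004.
    q = PrintQuota(150, 7, datetime(2004, 1, 1))
    day2 = datetime(2004, 1, 2)
    print(q.try_print(120, day2))        # True, 30 pages left
    print(q.try_print(40, day2))         # False, would overrun
    q.set_page_limit(200)                # extend without resetting the period
    print(q.try_print(40, day2), q.period_start)
```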
Choosing Settings for Windows Users
Computers that use the Windows operating system can be integrated into your
Mac OS X Server network. You can set up user accounts and select settings in the
Windows pane of Workgroup Manager for individuals who need access to the Windows
computers.
For detailed instructions about how to use settings for users accessing Windows
computers, see the Windows Services guide.
Chapter 5 Setting Up Group Accounts
A group account offers a simple way to manage a
collection of users with similar needs. This chapter tells
you how to set up and manage group accounts.
About Group Accounts
Group accounts store the identities of users who belong to the group as well as
information that lets you customize the working environment for members of a group.
When you define preferences for a group, the group is known as a workgroup.
A primary group is the user’s default group. Primary groups can expedite the checking
done by the Mac OS X file system when a user accesses a file.
Administering Group Accounts
This section describes how to administer group accounts stored in various kinds of
directory domains.
Where Group Accounts Are Stored
Group accounts, as well as user accounts and computer lists, can be stored in any Open
Directory domain accessible from the Mac OS X computer that needs to access the
account. A directory domain can reside on a Mac OS X computer (for example, the
LDAP directory of an Open Directory master or a NetInfo domain) or it can reside on a
non-Apple server (for example, an LDAP or Active Directory server).
You can use Workgroup Manager to work with accounts in all kinds of directory
domains. See the Open Directory administration guide for complete information about
the different kinds of Open Directory domains.
Predefined Group Accounts
The following table characterizes the group accounts that are created automatically
when you install Mac OS X Server.
Predefined group name   Group ID   Use
admin                   80         The group to which users with administrator privileges belong.
bin                     7          A group that owns all binary files.
daemon                  1          A group used by system services.
dialer                  68         A group for controlling access to modems on a server.
guest                   31
kmem                    2          A legacy group used to control access to reading kernel memory.
mail                    6          The group historically used for access to local UNIX mail.
mysql                   74         The group that the MySQL database server uses for its processes that handle requests.
network                 69         This group has no specific meaning.
nobody                  -2         A group used by system services.
nogroup                 -1         A group used by system services.
operator                5          This group has no specific meaning.
smmsp                   25         The group used by sendmail.
sshd                    75         The group for the sshd child processes that process network data.
staff                   20         The default group into which UNIX users are traditionally placed.
sys                     3          This group has no specific meaning.
tty                     4          A group that owns special files, such as the device file associated with an SSH or telnet user.
unknown                 99         The group used when the system doesn’t know about the hard disk.
utmp                    45         The group that controls what can update the system’s list of logged-in users.
uucp                    66         The group used to control access to UUCP spool files.
wheel                   0          Another group (in addition to the admin group) to which users with administrator privileges belong.
www                     70         The nonprivileged group that Apache uses for its processes that handle requests.
Creating Mac OS X Server Group Accounts
You need administrator privileges for a directory domain to create a new group
account in it.
To create a group account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using have been
configured to access the domain of interest.
See the Open Directory administration guide for instructions.
3 Click the small globe above the accounts list and open the domain in which you want
the group account to reside.
4 Click the lock to be authenticated as a directory domain administrator.
5 Click the Groups button.
6 Click New Group, then specify settings for the group in the tabs provided.
You can also use a preset or an import file to create a new group. For details, see
“Creating a Preset for Group Accounts” and the appendix.
Creating Read-Write LDAPv3 Group Accounts
You can create a group account on a non-Apple LDAPv3 server if it has been
configured for write access.
To create an LDAPv3 group account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using have been
configured to use the LDAP server for group accounts.
See the Open Directory administration guide for information about using Directory
Access to configure an LDAP connection and the appendix for information about the
group account elements that may need to be mapped.
3 Click the small globe above the accounts list and open the LDAPv3 domain in which
you want the group account to reside.
4 To be authenticated, click the lock.
5 Choose Server > New Group.
6 Specify settings for the group in the tabs provided.
See “Working With Member Settings for Groups” on page 83 and “Working With Group
Folder Settings” on page 86 for details.
You can also use a preset or an import file to create a new group. For details, see
“Creating a Preset for Group Accounts” and the appendix.
Creating a Preset for Group Accounts
Group account presets can be used to apply predetermined settings to a new group
account.
To create a preset for group accounts:
1 Open Workgroup Manager on the server from which you will be creating group
accounts.
2 Click Accounts.
3 Ensure that the server has been configured to access the Mac OS X directory domain or
non-Apple LDAPv3 domain in which the preset will be used to create new accounts.
4 To create a preset using data in an existing group account, open the account. To create
a preset using an empty group account, create a new group account.
5 Fill in the fields with values you want new user groups to inherit. Delete any values you
don’t want to prespecify if you’re basing the preset on an existing account.
6 Click Preferences, configure settings that you want the preset to define, and then click
Accounts.
After configuring preference settings for a preset, you must return to the Accounts
settings to save the preset.
7 Choose Save Preset from the Presets pop-up menu, enter a name for the preset, and
click OK.
Editing Group Account Information
You can use Workgroup Manager to change a group account that resides in the LDAP
directory of an Open Directory master, a NetInfo domain, or other read/write directory
domain.
To make changes to a group account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using have been
configured to access the directory domain of interest.
See the Open Directory administration guide for instructions.
3 Click the small globe above the accounts list and open the domain in which the group
account resides.
4 To be authenticated, click the lock.
5 Click the Groups button and select the group you want to work with.
6 Edit settings for the group in the tabs provided.
See “Working With Member Settings for Groups” on page 83 and “Working With Group
Folder Settings” on page 86 for details.
Working With Read-Only Group Accounts
You can use Workgroup Manager to review information for group accounts stored in
read-only directory domains. Read-only directory domains include LDAPv2 domains,
LDAPv3 domains not configured for write access, and BSD configuration files.
To work with a read-only group account:
1 In Workgroup Manager, click Accounts.
2 Ensure that the directory services of the Mac OS X Server you’re using have been
configured to access the directory domain in which the account resides.
See the Open Directory administration guide for information about using Directory
Access to configure server connections and the appendix for information about the
group account elements that need to be mapped.
3 Click the small globe above the accounts list and open the directory domain in which
the group account resides.
4 Use the tabs provided to review the group account settings.
See “Working With Member Settings for Groups” and “Working With Group Folder
Settings” on page 86 for details.
Working With Member Settings for Groups
Member settings include a group’s names, its ID, and a list of the users who are
members of the group.
In Workgroup Manager, you use the Members pane in the group account window to
work with member settings.
When the name of a user in the Members list appears in italics, the group is the user’s
primary group.
Adding Users to a Group
Add users to a group when you want multiple users to have the same file access
privileges or when you want to make them managed users.
When you create a user account and assign the new user a primary group, the user is
automatically added to the group you specify; you don’t need to explicitly do so.
Otherwise, you explicitly add users to a group.
You can use Workgroup Manager to add users to a group if the user and group
accounts are in the LDAP directory of an Open Directory master or a NetInfo domain.
To add users to a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select an account, click the small globe above the accounts list and open the
directory domain where the account resides, click the Groups button, and select the
group.
3 To be authenticated, click the lock.
4 Click Members.
5 Click the Add (+) button to open a drawer listing the users defined in the directory
domain you’re working with.
6 To include system users in the list, choose Workgroup Manager > Preferences, then
select “Show system users and groups.”
Make sure that the group account resides in a directory domain specified in the search
policy (search path) of computers the user will log in to.
7 Select the user, then drag it into the Members list on the Members pane.
Removing Users From a Group
You can use Workgroup Manager to remove a user from a group that is not the user’s
primary group if the user and group accounts reside in the LDAP directory of an Open
Directory master or a NetInfo domain.
To remove a user from a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select an account, click the small globe above the accounts list and open the
directory domain where the account resides, click the Groups button, and select the
group.
3 To be authenticated, click the lock.
4 Click Members.
5 Select the user or users you want to remove from the group, then click the Remove (–)
button.
Naming a Group
A group has two names: a long name and a short name.
• The long group name (for example, English Department Students) is used for display
purposes only and can contain no more than 255 bytes. Since full group names
support various character sets, the maximum number of characters for full group
names can range from 255 Roman characters to as few as 85 characters (for character
sets in which characters occupy up to 3 bytes).
• A short group name can contain as many as 255 Roman characters. However, for
clients using Mac OS X version 10.1.5 and earlier, the short group name must be eight
characters or fewer. Use only these characters in a short group name:
• a through z
• A through Z
• 0 through 9
• _ (underscore)
The short name, typically eight or fewer characters, is used by Mac OS X to find
user IDs of group members when determining whether a user can access a file as a
result of his or her group membership.
You can use Workgroup Manager to edit the names of a group account stored in the
LDAP directory of an Open Directory master, a NetInfo domain, or other read/write
directory domain. You can also use Workgroup Manager to review the names in any
directory domain accessible from the server you’re using.
To work with group names using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select an account, click the small globe above the accounts list and open the
directory domain where the account resides, click the Groups button, and select the
group.
3 To be authenticated, click the lock.
4 In the Name or “Short name” field (on the Members pane), review or edit the names.
Before saving a new name, Workgroup Manager checks to ensure that the name is
unique.
Defining a Group ID
A group ID is a string of ASCII digits that uniquely identifies a group. The maximum
value is 2,147,483,648.
You can use Workgroup Manager to edit the ID for a group account stored in the LDAP
directory of an Open Directory master or a NetInfo domain, or to review the group ID
in any directory domain accessible from the server you’re using.
To work with a group ID using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select an account, click the small globe above the accounts list and open the
directory domain where the account resides, click the Groups button, and select the
group.
3 To be authenticated, click the lock.
4 In the Group ID field (on the Members pane), review or edit the ID.
Before saving a new group ID, Workgroup Manager checks to ensure that it is unique in
the directory domain you’re using.
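As an added example (not part of the Apple guide), the following Python checks a group record against the naming and group ID rules above before it is entered in Workgroup Manager; the list of existing groups is constructed sample data, and UTF-8 is assumed for the byte count of the long name.

```python
# Added example (not from the Apple guide): checks a group record against the
# long name, short name and group ID rules before it is saved in Workgroup Manager.
import re
from typing import Dict, List

MAX_LONG_NAME_BYTES = 255       # long name limit is stated in bytes, not characters
MAX_SHORT_NAME_CHARS = 255      # short name limit for current clients
LEGACY_SHORT_NAME_CHARS = 8     # limit for Mac OS X 10.1.5 and earlier clients
MAX_GROUP_ID = 2_147_483_648    # maximum group ID value given in the guide

# Only a-z, A-Z, 0-9 and underscore are allowed in a short group name.
SHORT_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed sample of groups already in the directory domain (not real data).
EXISTING_GROUPS: List[Dict[str, str]] = [
    {"short_name": "students", "group_id": "1025"},
    {"short_name": "teachers", "group_id": "1026"},
]


def check_group(long_name: str, short_name: str, group_id: str,
                legacy_clients: bool = False) -> List[str]:
    """Return the rule violations found (an empty list means the record is acceptable).

    group_id is the string typed into the Group ID field, so non-digit input is
    reported instead of being silently converted.
    """
    problems: List[str] = []

    # Long name: display only; the byte count (UTF-8 assumed) is what is limited.
    long_bytes = len(long_name.encode("utf-8"))
    if not long_name:
        problems.append("long name is empty")
    elif long_bytes > MAX_LONG_NAME_BYTES:
        problems.append(f"long name is {long_bytes} bytes; limit is {MAX_LONG_NAME_BYTES}")

    # Short name: used to look up group members for file access, restricted charset.
    if not short_name:
        problems.append("short name is empty")
    elif not SHORT_NAME_RE.match(short_name):
        bad = sorted({c for c in short_name if not SHORT_NAME_RE.match(c)})
        problems.append(f"short name contains disallowed characters: {bad}")
    limit = LEGACY_SHORT_NAME_CHARS if legacy_clients else MAX_SHORT_NAME_CHARS
    if len(short_name) > limit:
        problems.append(f"short name is {len(short_name)} characters; limit is {limit}")

    # Group ID: ASCII digits only (str.isdigit alone also accepts non-ASCII digits).
    if not group_id.isascii() or not group_id.isdigit():
        problems.append("group ID must consist of ASCII digits only")
    elif int(group_id) > MAX_GROUP_ID:
        problems.append(f"group ID {group_id} exceeds maximum {MAX_GROUP_ID}")

    return problems


def check_unique(short_name: str, group_id: str,
                 existing: List[Dict[str, str]] = EXISTING_GROUPS) -> List[str]:
    """Mirror the uniqueness check Workgroup Manager performs before saving."""
    problems: List[str] = []
    for group in existing:
        if group["short_name"] == short_name:
            problems.append(f"short name {short_name!r} already exists in the directory domain")
        if group["group_id"] == group_id:
            problems.append(f"group ID {group_id} already exists in the directory domain")
    return problems


if __name__ == "__main__":
    record = ("English Department Students", "engstudents", "1027")
    print(check_group(*record) + check_unique(record[1], record[2]) or "record is acceptable")
```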
Working With Group Folder Settings
You can set up a folder for use by members of a particular group. A group folder offers
a way to organize documents and applications of special interest to group members
and gives group members a way to pass information back and forth among
themselves.
To set up a group folder:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select an account, click the small globe above the accounts list and open the
directory domain where the account resides, click the Groups button, and select the
group.
3 To be authenticated, click the lock.
4 Click the Groups button and select a group.
5 Click Group Folder.
6 To set up a group folder in a subfolder of a share point, click the Add (+) button or the
Duplicate button (copy icon).
See “Creating a Group Folder in a Subfolder of an Existing Share Point” on page 90 for
instructions.
Specifying No Group Folder
You can use Workgroup Manager to change a group account that has a group folder to
have none. By default, a new group has no group directory.
To define no group folder:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select an account, click the small globe above the accounts list and open the
directory domain where the account resides, click the Groups button, and select the
group.
3 To be authenticated, click the lock.
4 Click the Groups button and select a group.
5 Click Group Folder.
6 Select (None) in the list.
Creating a Group Folder in an Existing Share Point
You can create a group folder for a group in any existing share point, or you can create
the group folder in the /Groups folder—a predefined share point.
To set up a group folder in the /Groups folder or in another existing share point:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select a group account, connect to the server where the account resides. Click the
small globe above the accounts list and open the directory domain where the group
account is stored, click the Groups button, and select the group.
3 To be authenticated, click the lock.
4 Click Group Folder.
5 To add an existing share point to the list, click the Add (+) button and enter the
requested information.
In the URL field, enter the full URL to the share point where you want the group folder
to reside. For example, enter “AFP://myserver.example.com/SchoolGroups” to identify
an AFP share point named “SchoolGroups” on a server whose DNS name is
“myserver.example.com”. If you are not using DNS, replace the DNS name of the server
hosting the group folder with the server’s IP address: “AFP://192.168.2.1/SchoolGroups”.
In the Path field, enter the path from the share point to the group folder, including the
group folder but excluding the share point. Do not put a slash at the beginning or the
end of the path. For example, if the share point is SchoolGroups and the full path to the
group folder is SchoolGroups/StudentGroups/SecondGrade, enter “StudentGroups/
SecondGrade” in the Path field.
Note: Configuring a group folder share point to have a network mount record does not
make the group folder mount automatically when a group member logs in. You can
provide easy access to a group folder by managing Dock preferences or Login
preferences for the group.
6 In the Owner Name field, enter the name of the user you want to own the group folder
so the user can act as group folder administrator.
Click the Browse (...) button to choose an owner from a list of users in the current
directory domain.
The group folder owner will be given read/write access to the group folder.
7 Click Save.
8 To create the folder, use the CreateGroupFolder command in Terminal.
You must be the root user to use the command. For more information, type “man
CreateGroupFolder” in Terminal to see the man page. The group folder is named using
the short name of the group with which it is associated.
You can automate a group member’s access to the group folder when the user logs in:
• You can set up Dock Preferences to make the group folder visible in the Dock. See
“Providing Easy Access to Group Folders” on page 141 for instructions.
• You can set up login preferences so that users can click Computer in the Finder to
see the group folder share point and the group folders within it. See “Providing Easy
Access to the Group Share Point” on page 158 for instructions.
When using these preferences, make sure the group is defined in a shared domain in
the search policy of the group member’s computer. See the Open Directory
administration guide for instructions on setting a computer’s search policy.
If you don’t automate group folder access, group members can use the “Connect to
Server” command in the Finder’s Go menu to navigate to the server where the group
folder resides to access the group folder.
Creating a Group Folder in a New Share Point
You can use Workgroup Manager to create a group folder in a new share point.
To create a group folder in a new share point:
1 On the server where you want the group folder to reside, create a folder that will serve
as the share point for the group folder.
2 In Workgroup Manager, connect with the server in step 1 and click Sharing.
3 Click All (above the list on the left) and select the folder you created for the share point.
4 In the General pane, select “Share this item and its contents.”
5 Set Group privileges to Read & Write, set Everyone privileges to Read Only, and change
the name in the Group field to “admin.”
Ignore the Owner privileges for now.
6 Click Save.
7 Click Accounts and select the group account you want to work with.
To select a group account, connect to the server where the account resides. Click
Accounts. Click the small globe above the accounts list and open the directory domain
where the group account is stored. Click the Groups button and select the group.
8 To be authenticated, click the lock.
9 In the Owner Name field, enter the name of the user you want to own the group folder
so the user can act as group folder administrator.
Click the Browse (...) button to choose an owner from a list of users in the current
directory domain.
The group folder owner will be given read/write access to the group folder.
10 To create the folder, use the CreateGroupFolder command in Terminal.
You must be the root user to use the command. For more information, type “man
CreateGroupFolder” in Terminal to see the man page. The group folder is named using
the short name of the group with which it is associated.
You can automate a group member’s access to the group folder when the user logs in:
• You can set up Dock Preferences to make the group folder visible in the Dock. See
“Providing Easy Access to Group Folders” on page 141 for instructions.
• You can set up login preferences so that users can click Computer in the Finder to
see the group folder share point and the group folders within it. See “Providing Easy
Access to the Group Share Point” on page 158 for instructions.
When using these preferences, make sure the group is defined in a shared domain in
the search policy of the group member’s computer. See the Open Directory
administration guide for instructions on setting a computer’s search policy.
If you don’t automate group folder access, group members can use the “Connect to
Server” command in the Finder’s Go menu to navigate to the server where the group
folder resides to access the group folder.
Creating a Group Folder in a Subfolder of an Existing Share Point
In Workgroup Manager, you can create group folders that don’t reside immediately
below a share point. For example, you may want to organize group folders into several
subfolders under a share point that you define. If Groups is the share point, you may
want to place student groups’ folders in /Groups/StudentGroups and teacher groups’
folders in /Groups/TeacherGroups. The full path to a group folder for second-grade
students could be /Groups/StudentGroups/SecondGrade.
The procedure detailed here assumes the share point exists. If the share point does not
yet exist, follow the instructions in “Creating a Group Folder in a New Share Point” on
page 88 but don’t create the folder in the last step. Then follow the procedure here.
To set up a group folder in a subfolder of an existing share point:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with.
To select a group account, connect to the server where the account resides. Click the
small globe above the accounts list and open the directory domain where the group
account is stored, click the Groups button, and select the group.
3 To be authenticated, click the lock.
4 Click Group Folder.
5 Click the Add (+) button to add a custom group folder location or click Duplicate (copy
icon) to copy an existing location.
To remove a group folder location, select it and click the Delete (–) button. You can
delete only locations that were added with the Add or Duplicate buttons.
6 In the URL field, enter the full URL to the share point where you want the group folder
to reside.
For example, enter “AFP://myserver.example.com/SchoolGroups” to identify an AFP
share point named “SchoolGroups” on a server whose DNS name is
“myserver.example.com.” If you are not using DNS, replace the DNS name of the server
hosting the group folder with the server’s IP address: “AFP://192.168.2.1/SchoolGroups.”
7 In the Path field, enter the path from the share point to the group folder, including the
group folder but excluding the share point.
For example, if the share point is SchoolGroups and the full path to the group folder is
SchoolGroups/StudentGroups/SecondGrade, enter “StudentGroups/SecondGrade” in
the Path field.
Do not put a slash at the beginning or the end of the path.
8 Click OK.
9 In the Owner Name field, enter the name of the user you want to own the group folder
so the user can act as group folder administrator.
Click the Browse (...) button to choose an owner from a list of users in the current
directory domain.
The group folder owner will be given read/write access to the group folder.
10 To create the folder, use the CreateGroupFolder command in Terminal.
You must be the root user to use the command. For more information, type “man
CreateGroupFolder” in Terminal to see the man page. The group folder is named using
the short name of the group with which it is associated.
11 Set up access to the group folder for users who log in as group members.
You can automate a group member’s access to the group folder when the user logs in:
• You can set up Dock Preferences to make the group folder visible in the Dock.
See “Providing Easy Access to Group Folders” on page 141 for instructions.
• You can set up login preferences so users can click Computer in the Finder to see the
group folder share point and the group folders within it. See “Providing Easy Access
to the Group Share Point” on page 158 for instructions.
When using these preferences, make sure the group is defined in a shared domain in
the search policy of the group member’s computer. See the Open Directory
administration guide for instructions on setting a computer’s search policy.
If you don’t automate group folder access, group members can use the “Connect to
Server” command on the Finder’s Go menu to navigate to the server where the group
folder resides to access the group folder.
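An added example, not from the Apple guide, that derives the URL and Path field values for a group folder (steps 6 and 7 of the procedures above) from a server name, share point and full folder path, and flags the common entry mistakes; the server names and paths used are the guide’s own examples.

```python
# Added example (not from the Apple guide): builds and checks the URL and Path
# fields of the Group Folder pane from the share point and the group folder path.
from typing import Dict, List
from urllib.parse import urlsplit


def group_folder_fields(server: str, share_point: str, full_path: str,
                        scheme: str = "AFP") -> Dict[str, str]:
    """Return the values to type into the URL and Path fields.

    server:      DNS name or IP address of the server hosting the share point
    share_point: name of the share point (for example "SchoolGroups")
    full_path:   path to the group folder, beginning with the share point name
    """
    parts = [p for p in full_path.strip("/").split("/") if p]
    if not parts or parts[0] != share_point:
        raise ValueError(f"{full_path!r} does not start with share point {share_point!r}")
    relative = parts[1:]
    if not relative:
        raise ValueError("full path names only the share point; no group folder given")
    return {
        "url": f"{scheme}://{server}/{share_point}",
        # Share point excluded; no leading or trailing slash.
        "path": "/".join(relative),
    }


def check_group_folder_fields(url: str, path: str, share_point: str) -> List[str]:
    """Return the mistakes found in what was typed into the two fields."""
    problems: List[str] = []
    parsed = urlsplit(url)
    if not parsed.scheme or not parsed.netloc:
        problems.append("URL field must be a full URL such as AFP://server/sharepoint")
    elif parsed.path.strip("/") != share_point:
        problems.append(f"URL field must end with the share point name {share_point!r}")
    if not path:
        problems.append("Path field is empty")
    else:
        if path.startswith("/"):
            problems.append("Path field must not begin with a slash")
        if path.endswith("/"):
            problems.append("Path field must not end with a slash")
        if path.strip("/").split("/")[0] == share_point:
            problems.append(f"Path field must not include the share point name {share_point!r}")
    return problems


if __name__ == "__main__":
    fields = group_folder_fields("myserver.example.com", "SchoolGroups",
                                 "SchoolGroups/StudentGroups/SecondGrade")
    print(fields)
    print(check_group_folder_fields(fields["url"], fields["path"], "SchoolGroups"))
```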
Designating a Group Folder for Use by Multiple Groups
To permit a group folder to be accessed by multiple groups, you identify the folder for
each group separately.
To configure more than one group to use the same group folder:
1 In Workgroup Manager, click Accounts.
2 Select the first group account you want to use the folder.
To select a group account, connect to the server where the account resides. Click the
small globe above the accounts list and open the directory domain where the group
account is stored, click the Groups button, and select the group.
3 Click Group Folder, select the folder you want the group to use, and click Save.
4 Repeat for each group you want to use the same group folder.
Deleting a Group Account
You can use Workgroup Manager to delete a group account stored in the LDAP
directory of an Open Directory master, a NetInfo domain, or other read/write directory
domain.
Warning: You cannot undo this action.
To delete a group account using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to delete.
To select the account, click the small globe above the accounts list and open the
directory domain where the account resides, click the Groups button, and select the
group.
3 To be authenticated, click the lock.
4 Choose Server > Delete Selected Group or click the Delete icon in the toolbar.
6 Setting Up Computer Lists
This chapter tells you how to set up and manage groups
of computers.
About Computer Lists
A computer list comprises one or more computers that have the same preference
settings and that are available to particular users and groups. You create and modify
computer lists in Workgroup Manager.
There are two preset computer lists, Guest Computers and Windows Computers. These
two lists, along with the computer lists that you set up, appear on the left side of the
Workgroup Manager window. Settings appear on the List, Access, and Cache panes on
the right side of the window.
Before you set up a computer list, determine the names and addresses of the
computers that will be included. In this context, you customarily use the computer
name specified in a computer’s Sharing preferences. If you prefer, you can use a
descriptive name that you find more suitable.
A computer’s address must be the “on board,” or built-in, Ethernet address, which is
unique to each computer. (A computer’s Ethernet address is also known as its MAC
address.) You can browse for a computer and Workgroup Manager will enter the
computer’s name and Ethernet address for you. A client computer uses this data to find
preference information when a user logs in.
Note: For Windows Computers lists, you need to know the NetBIOS name of each
Windows client computer. You don’t need to know the Ethernet address of Windows
client computers.
When a client computer starts up, directory services check for a computer list that
contains the computer’s Ethernet address, and uses preference information for that
computer list. If no record is found, the client computer uses preference information for
the Guest Computers computer list.
To edit computer lists or computer list preferences, you must be an administrator
with privileges to edit computer lists. You can have administration privileges for all
computer lists or for a set of specific computer lists. For more information about
assigning administrative privileges, see Chapter 4, “Setting Up User Accounts.”
Creating a Computer List
A computer list is a group of computers that have the same preference settings and are
available to the same users and groups. You can use a computer list to assign the same
privileges and preferences to multiple computers. You can add up to 2000 computers
to a computer list.
A computer cannot belong to more than one list, and you cannot add computers to
the Guest Computers list.
To set up a computer list:
1 In Workgroup Manager, click Accounts.
2 Click the small globe above the accounts list and choose the directory domain where
you want to store the new computer list.
3 To authenticate, click the lock.
4 Click the Computer Lists button (on the left), then click List (on the right).
5 Choose Server > New Computer List (or click New Computer List in the toolbar), then
type a name for the computer list.
6 To use a preset, choose one from the Presets pop-up menu.
7 To add a computer to the list, click the Add (+) button and enter the computer’s
Ethernet address and name. Or click the Browse (...) button and choose a computer,
and Workgroup Manager will enter the computer’s Ethernet address and name for you.
A computer’s address must be the unique built-in Ethernet address, even if the client is
connected to the network using AirPort. (A computer’s Ethernet address is also known
as its MAC address.) If you manually add a computer, be sure to use the built-in Ethernet
address for each client.
8 Add a comment (optional).
Comments are useful for providing information about a computer’s location,
configuration (for example, a computer set up for individuals with special needs), or
attached peripherals. You could also use the comment for identification information
such as the computer’s model or serial number.
9 Continue adding computers until your computer list is complete.
10 Fill in the information requested on the Access and Cache panes.
11 Save the computer list.
94Chapter 6 Setting Up Computer Lists
After you set up a computer list, you can manage preferences for it if you wish.
For more information about using managed preferences, see “Defining Preferences” on
page 117 and Chapter 9, “Managing Preferences.”
Creating a Preset for Computer Lists
You can select settings for a computer list and save them as a “preset.” Presets work like
templates, allowing you to apply preselected settings and information to new
computer lists. Using presets, you can easily set up multiple computers to use similar
settings. You can use presets only when creating a new computer list; you can’t use a
preset to modify an existing computer list.
Settings in the List pane are specific to individual computers and don’t apply to presets.
To set up a preset for computer lists:
1 In Workgroup Manager, click Accounts.
2 Click the small globe above the accounts list and choose the directory domain where
you want to create a computer list using presets.
3 To authenticate, click the lock.
4 Click the Computer Lists button (on the left), then click List (on the right).
5 To create a completely new preset, first create a computer list by clicking New
Computer List. To create a preset using data in an existing computer list, select it (on
the left).
6 Fill in the information requested on the Access and Cache panes.
7 Choose Save Preset from the Presets pop-up menu.
After you create a preset, you can no longer change its settings, but you can delete it or
change its name.
To change a preset’s name, choose the preset from the Presets pop-up menu, then
choose Rename Preset.
To delete a preset, choose a preset from the Presets pop-up menu, then choose Delete
Preset.
Using a Computer List Preset
When you create a new computer list, you can choose any preset from the Presets
pop-up menu to apply initial settings; you can further modify the computer list settings
before you save the list. When you save the computer list, you can’t use the Preset
menu again for that list (for example, you can’t switch the list to a different preset).
To use a preset for computer lists:
1 In Workgroup Manager, click Accounts.
2 Click the small globe above the accounts list and choose the directory domain where
you want to store the new list.
3 To authenticate, click the lock.
4 Click the Computer Lists button (on the left), then click List (on the right).
5 Choose a preset from the Presets pop-up menu.
6 Create a new list (click New Computer List).
7 Add or update settings as needed, then save the list.
Adding Computers to an Existing Computer List
You can easily add more computers to an existing list. You can’t add computers to the
Guest Computers list, however, because it is predefined to include any computer that’s
not part of another computer list.
To add computers to a list:
1 In Workgroup Manager, click Accounts.
2 Select the computer list.
To select the list, click the small globe above the accounts list and choose the directory
domain that contains the list, click the Computer Lists button, and select the list.
3 To authenticate, click the lock.
4 Click List.
5 To use a preset, choose one from the Presets pop-up menu.
6 Click the Add (+) button and enter the requested information.
Or click the Browse (...) button, select the computer you want, and Workgroup Manager
will enter the computer’s Ethernet address and name for you.
A computer’s address must be the “on board,” or built-in, Ethernet address, which is
unique to each computer. (A computer’s Ethernet address is also known as its MAC
address.)
7 Add a comment (optional).
Comments are useful for providing additional information about a computer’s location,
configuration (for example, a computer set up for individuals with special needs), or
attached peripherals. You could also use the comment for identification information
such as the computer’s model or serial number.
8 Click Save.
9 Continue adding computers and information until your list is complete.
Changing Information About a Computer
After you add a computer to a computer list, you can edit information when necessary.
To change computer information:
1 In Workgroup Manager, click Accounts.
2 Select the list to which the computer belongs.
To select the list, click the small globe above the accounts list and choose the directory
domain that contains the computer you want to modify, click the Computer Lists
button, and select the list.
3 To authenticate, click the lock.
4 On the List pane, select the computer whose information you want to edit and click the
Edit (pencil) button.
Or double-click the Address, Description, or Comment of a computer in the list to edit
the information directly in the list.
5 Change information as needed, then click Save.
Moving a Computer to a Different Computer List
Occasionally, you may want to group computers differently. You can easily move
computers from one list to another.
Note: A computer can belong to only one list. You can’t add computers to the Guest
Computers list.
To move a computer from one list to another:
1 In Workgroup Manager, click Accounts.
2 Select the list to which the computer belongs.
To select the list, click the small globe above the accounts list and choose the directory
domain that contains the computer list you want to modify, click the Computer Lists
button, and select the list.
3 To authenticate, click the lock.
4 On the List pane, select the computer you want to move and click the Edit (pencil)
button.
5 Choose a list from the “Move to list” pop-up menu and click OK.
6 Click Save.
Deleting Computers From a Computer List
After you delete a computer from a computer list, that computer is managed by using
the Guest Computers list.
To delete a computer from a list:
1 In Workgroup Manager, click Accounts.
2 Select the list to which the computer belongs.
To select the list, click the small globe above the accounts list and choose the directory
domain that contains the computer list you want to modify, click the Computer Lists
button, and select the list.
3 To authenticate, click the lock.
4 On the List pane, select one or more computers.
5 Click the Remove (–) button, then click Save.
Deleting a Computer List
If you no longer need any computers in a computer list, you can delete the entire list.
You can’t delete the Guest Computers list or the Windows Computers list.
Warning: You can’t undo this action.
To delete a computer list:
1 In Workgroup Manager, click Accounts.
2 Select the list.
To select the list, click the small globe above the accounts list and choose the directory
domain that contains the computer list you want to delete, click the Computer Lists
button, and select the list.
3 To authenticate, click the lock.
4 Choose Server > Delete Selected Computer List or click Delete in the toolbar.
Searching for Computer Lists
Workgroup Manager has a search feature that allows you to find specific computer lists
quickly. You can search within a selected domain and filter search results.
To search for a computer list:
1 In Workgroup Manager, click Accounts, click the Computer Lists button (on the left),
then click List (on the right).
2 To limit your search, click the small globe above the accounts list and choose a
directory domain:
Local: Search for computer lists in the local directory domain.
Search Path: Search for computer lists in all directories of the server’s search path (for
example, myserver.mydomain.com).
Other: Browse and select an available directory domain to search for computer lists.
3 To authenticate, click the lock.
4 Select an additional filter from the filter pop-up menu next to the search field, if you
wish.
5 Type search terms in the search field.
Managing Guest Computers
If an unknown computer (one that isn’t already in a computer list) connects to your
network and attempts to access services, that computer is treated as a “guest.” Settings
for the Guest Computers list apply to these unknown, or “guest,” computers.
A Guest Computers list is automatically created for a server’s local directory domain.
If the server is an Open Directory master or replica, a Guest Computers list is also
created for its LDAP directory domain.
The Guest Computers list is not recommended for large numbers of computers; most
computers should belong to regular computer lists.
Note: You cannot add or move computers to the Guest Computers list, and you cannot
change the list name.
To set up a Guest Computers list:
1 In Workgroup Manager, click Accounts.
2 Click the small globe above the accounts list and choose the directory domain that
contains the Guest Computers list you want to modify.
3 To authenticate, click the lock.
4 Click the Computer Lists button (on the left) and select Guest Computers in the list.
5 Click List (on the right), then select a setting for preferences.
To set up managed preferences, select “Define Guest Computer preferences here.”
If you select this option, click Save and continue with the next step.
To make guest computers have the same managed preference settings as the parent
server (a server whose LDAP directory or shared NetInfo directory is listed in the search
policy of the server you’re configuring), select “Inherit preferences for Guest
Computers.” If you select this option, click Save; the next step is not necessary.
6 If you selected Define, click Access and select the settings you want to use. Click Cache,
set an interval for clearing the preferences, then click Save.
After you set up the Guest Computers list, you can manage preferences for it if you
wish. For more information about using managed preferences, see “Defining
Preferences” on page 117 and Chapter 9, “Managing Preferences.”
If you don’t select settings or preferences for the Guest Computers list, guest
computers are not managed. However, if the person using the guest computer has a
Mac OS X Server user account with managed user or group preferences, those settings
still apply when the person logs in with that user account.
If the user has an administrator account in a client computer’s local directory, the user
can choose not to be managed at login. Unmanaged users can still use the “Go to
Folder” command to access a home directory on the network.
Working With Access Settings
Settings in the Access pane let you make computers in a list available to users in
groups. You can allow only certain groups to access computers in a list, or you can
allow all groups (and therefore, all users) to access the computers in a list. You can also
control certain aspects of local user access.
Restricting Access to Computers
You can reserve computers so that only certain users have access to them. For example,
if you have two computers with video-editing hardware and software, you can reserve
them for users doing video production. First, create a computer list of those computers,
make sure the users have user accounts, add the users to a “video production” group,
and then give only that group access to the video-production computer list.
Note: A user with an administrator account in a client computer’s local directory can
always log in.
To reserve a set of computers for specific groups:
1 In Workgroup Manager, click Accounts.
2 Select the computer list.
To select the list, click the small globe above the accounts list and choose the directory
domain that contains the computer list, click the Computer Lists button, and select the
list.
3 To authenticate, click the lock.
4 Click Access.
5 Select “Restrict to groups below.”
6 Click the Add (+) button, then select one or more groups in the drawer and drag them
to the list in the Access pane.
To remove an allowed group, select it and click the Remove (–) button.
7 Click Save.
Making Computers Available to All Users
You can make computers in a list available to any user in any group account you set up.
To make computers available to all users:
1 In Workgroup Manager, click Accounts.
2 Select the computer list.
To select the list, click the small globe above the accounts list and choose the directory
domain that contains the computer list, click the Computer Lists button, and select the
list.
3 To authenticate, click the lock.
4 Click the Computer Lists button and select one or more computer lists.