Apple MAC OS X SERVER 10.5 User Management

Mac OS X Server
User Management
For Version 10.5 Leopard
Apple Inc.
© 2007 Apple Inc. All rights reserved.
The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.
Every effort has been made to ensure that the information in this manual is accurate. Apple Inc. is not responsible for printing or clerical errors.
Apple 1 Infinite Loop Cupertino, CA 95014-2084 408-996-1010 www.apple.com
Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.
Apple, the Apple logo, AirPort, AppleShare, Bonjour, FireWire, iCal, iTunes, Mac, Mac OS, MacBook, Macintosh, QuickTime, SuperDrive, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop, Extensions Manager, Finder, iWork, and Safari are trademarks of Apple Inc. Mac is a service mark of Apple Inc.
Adobe and PostScript are trademarks of Adobe Systems Incorporated.
The Bluetooth® word mark and logos are registered trademarks owned by the Bluetooth SIG, Inc. and any use of such marks by Apple is under license.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
UNIX is a registered trademark of The Open Group.
Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance of these products.
019-0938/2007-09-01

Contents

Preface 13 About This Guide
13 What’s New in Workgroup Manager
14 What’s in This Guide
15 Using Onscreen Help
16 Mac OS X Server Administration Guides
17 Viewing PDF Guides Onscreen
17 Printing PDF Guides
18 Getting Documentation Updates
18 Getting Additional Information

Chapter 1 19 User Management Overview
19 Tools for User Management
19 Workgroup Manager
20 Server Admin
21 Server Preferences
21 NetBoot
21 NetInstall
22 Command-Line Tools
22 Accounts
23 Administrator Accounts
24 User Accounts
25 Group Accounts
25 Computer Accounts
26 Computer Groups
26 The User Experience
26 Authentication and Identity Validation
27 Information Access Control

Chapter 2 31 Getting Started with User Management
31 Setup Overview
34 Planning Strategies for User Management
34 Analyzing Your Environment
35 Identifying Directory Services Requirements
35 Determining Server and Storage Requirements
36 Choosing a Home Folder Structure
37 Devising a Home Folder Distribution Strategy
38 Identifying Groups
38 Determining Administrator Requirements

Chapter 3 41 Getting Started with Workgroup Manager
41 Configuring the Administrator’s Computer and Account
41 Setting Up an Administrator Computer
42 Creating a Domain Administrator Account
42 Using Workgroup Manager
42 Using Mac OS X Server v10.5 to Administer Earlier Versions of Mac OS X
43 Connecting and Authenticating to Directory Domains in Workgroup Manager
44 Major Workgroup Manager Tasks
45 Modifying Workgroup Manager Preferences
46 Finding and Listing Accounts
46 Working with Account Lists in Workgroup Manager
46 Listing Accounts in the Local Directory Domain
47 Listing Accounts in Search Policy Directory Domains
48 Listing Accounts in Available Directory Domains
48 Refreshing Account Lists
48 Finding Specific Accounts in a List
49 Using Advanced Search
50 Sorting Users and Groups
50 Shortcuts for Working with Accounts
50 Using Presets
51 Editing Multiple Accounts Simultaneously
53 Importing and Exporting Account Information

Chapter 4 55 Setting Up User Accounts
55 About User Accounts
55 Where User Accounts Are Stored
56 Predefined User Accounts
57 Administering User Accounts
57 Creating User Accounts
58 Editing User Account Information
59 Working with Read-Only User Accounts
59 Working with Guest Users
60 Working with Windows User Accounts
60 Deleting a User Account
60 Disabling a User Account
61 Working with Presets
61 Creating a Preset for User Accounts
62 Using Presets to Create Accounts
62 Renaming Presets
62 Editing Presets
63 Deleting a Preset
63 Working with Basic Settings
63 Modifying User Names
64 Modifying Short Names
65 Choosing Stable Short Names
66 Avoiding Duplicate Names
67 Modifying User IDs
68 Assigning a Password to a User
68 Assigning Administrator Privileges for a Server
69 Choosing a User’s Login Picture
70 Working with Privileges
70 Removing Administrative Privileges from a User
70 Giving a User Limited Administrative Capabilities
72 Giving a User Full Administrative Capabilities
72 Working with Advanced Settings
72 Enabling a User’s Calendar
73 Allowing a User to Log In to More Than One Computer At a Time
73 Choosing a Default Shell
74 Choosing a Password Type and Setting Password Options
75 Creating a Master List of Keywords
75 Applying Keywords to User Accounts
76 Editing Comments
77 Working with Group Settings
77 Choosing a User’s Primary Group
78 Reviewing a User’s Group Memberships
78 Adding a User to a Group
79 Removing a User from a Group
79 Working with Home Settings
80 Working with Mail Settings
80 Enabling Mail Service Account Options
81 Disabling a User’s Mail Service
81 Forwarding a User’s Mail
81 Working with Print Quota Settings
82 Enabling a User’s Access to All Available Print Queues
82 Enabling a User’s Access to Specific Print Queues
83 Removing a Print Quota For a Queue
83 Resetting a User’s Print Quota
84 Disabling a User’s Access to Print Queues That Enforce Quotas
84 Working with Info Settings
85 Working with Windows Settings
85 Changing a Windows User’s Profile Location
86 Changing a Windows User’s Login Script Location
87 Changing a Windows User’s Home Folder Drive Letter
87 Changing a Windows User’s Home Folder Location
87 Working with GUIDs
87 Viewing GUIDs

Chapter 5 89 Setting Up Group Accounts
89 About Group Accounts
89 How Group Accounts Track Membership
90 Where Group Accounts Are Stored
90 Predefined Group Accounts
91 Administering Group Accounts
91 Creating Group Accounts
92 Creating a Preset for Group Accounts
92 Editing Group Account Information
93 Creating Hierarchical Groups
94 Upgrading Legacy Groups
94 Working with Read-Only Groups
95 Deleting a Group
95 Working with Basic Settings for Groups
95 Naming a Group
96 Defining a Group ID
97 Choosing a Group’s Login Picture
98 Enabling a Group’s Web Services
99 Working with Member Settings for Groups
99 Adding Users or Groups to a Group
100 Removing Group Members
100 Working with Group Folder Settings
101 Specifying No Group Folder
101 Creating a Group Folder
103 Designating a Group Folder for Use by Multiple Groups

Chapter 6 105 Setting Up Computers and Computer Groups
105 About Computer Accounts
106 Creating Computer Accounts
107 Working with Guest Computers
107 Working with Windows Computers
108 About Computer Groups
108 Differences Between Computer Groups and Computer Lists
108 Administering Computer Groups
108 Creating a Computer Group
109 Creating a Preset for Computer Groups
110 Using a Computer Group Preset
111 Adding Computers or Computer Groups to a Computer Group
111 Removing Computers and Computer Groups from a Computer Group
112 Deleting a Computer Group
112 Upgrading Computer Lists to Computer Groups

Chapter 7 113 Setting Up Home Folders
113 About Home Folders
114 Hosting Home Folders for Mac OS X Clients
114 Hosting Home Folders for Other Clients
115 Distributing Home Folders Across Multiple Servers
116 Administering Share Points
116 Setting Up a Share Point
117 Setting Up an Automountable AFP Share Point for Home Folders
118 Setting Up an Automountable NFS Share Point for Home Folders
119 Setting Up an SMB Share Point
121 Administering Home Folders
121 Specifying No Home Folder
122 Creating a Home Folder for a Local User
123 Creating a Network Home Folder
124 Creating a Custom Location for Home Folders
127 Setting Up a Home Folder for a Windows User
129 Setting Disk Quotas
130 Setting Disk Quotas for Windows Users to Avoid Data Loss
130 Using Presets to Choose Default Home Folders
130 Moving Home Folders
130 Deleting Home Folders

Chapter 8 131 Managing Portable Computers
131 About Mobile Accounts
132 About Portable Home Directories
133 Logging In to Mobile Accounts
134 Resolving Sync Conflicts
134 About External Accounts
135 Logging In to External Accounts
136 Considerations and Strategies for Deploying Mobile Accounts
136 Advantages of Using Mobile Accounts
137 Considerations for Using Mobile Accounts
139 Strategies for Syncing Content
140 Setting Up Mobile Accounts for Use on Portable Computers
140 Configuring Portable Computers
141 Managing Mobile Clients Without Using Mobile Accounts
141 Unknown Mac OS X Portable Computers
142 Using Mac OS X Portable Computers with One Primary Local User
142 Using Mac OS X Portable Computers with Multiple Users
144 Securing Mobile Clients
144 Optimizing the File Server for Mobile Accounts

Chapter 9 147 Client Management Overview
148 Using Network-Visible Resources
149 Customizing the User Experience
149 The Power of Preferences
150 Designing the Login Experience
151 Choosing a Workgroup
152 Working with Synced Homes
152 Improving Workflow

Chapter 10 155 Managing Preferences
155 Using Workgroup Manager to Manage Preferences
156 Understanding Managed Preference Interactions
159 Understanding Hierarchical Preference Management
159 Setting the Permanence of Management
160 Caching Preferences
160 Preference Management Basics
161 Managing User Preferences
162 Managing Group Preferences
162 Managing Computer Preferences
163 Managing Computer Group Preferences
163 Disabling Management for Specific Preferences
164 Managing Access to Applications
165 Controlling User Access to Specific Applications and Folders
167 Allowing Specific Dashboard Widgets
168 Disabling Front Row
168 Allowing Legacy Users to Open Specific Applications and Folders
169 Managing Classic Preferences
170 Selecting Classic Startup Options
171 Choosing a Classic System Folder
171 Allowing Special Actions During Restart
172 Controlling Access to Classic Apple Menu Items
173 Adjusting Classic Sleep Settings
174 Maintaining Consistent User Preferences for Classic
174 Managing Dock Preferences
174 Controlling the User’s Dock
175 Providing Easy Access to Group Folders
176 Adding Items to a User’s Dock
177 Preventing Users from Adding or Deleting Dock Items
177 Managing Energy Saver Preferences
178 Using Sleep and Wake Settings for Desktop Computers
179 Setting Energy Saver Settings for Portable Computers
180 Displaying Battery Status to Users
181 Scheduling Automatic Startup, Shutdown, or Sleep
182 Managing Finder Preferences
182 Setting Up Simple Finder
183 Keeping Disks and Servers from Appearing on the User’s Desktop
183 Controlling the Behavior of Finder Windows
184 Hiding the Alert Message When a User Empties the Trash
184 Making Filename Extensions Visible
185 Controlling User Access to Remote Servers
185 Controlling User Access to an iDisk
185 Preventing Users from Ejecting Discs
186 Hiding the Burn Disc Command in the Finder
186 Controlling User Access to Folders
187 Removing Restart and Shut Down from the Apple Menu
187 Adjusting the Appearance and Arrangement of Desktop Items
188 Adjusting the Appearance of Finder Window Contents
189 Managing Login Preferences
189 Changing the Appearance of the Login Window
191 Configuring Miscellaneous Login Options
192 Choosing Who Can Log In
193 Customizing the Workgroups Displayed at Login
194 Enabling the Use of Login and Logout Scripts
196 Choosing a Login or Logout Script
197 Automatically Opening Items After a User Logs In
198 Providing Access to a User’s Network Home Folder
199 Providing Easy Access to the Group Share Point
200 Managing Media Access Preferences
200 Controlling Access to CDs, DVDs, and Recordable Discs
201 Controlling Access to Hard Drives, Disks, and Disk Images
201 Ejecting Removable Media Automatically When a User Logs Out
202 Managing Mobility Preferences
202 Creating a Mobile Account
203 Preventing the Creation of a Mobile Account
204 Manually Removing Mobile Accounts from Computers
205 Enabling FileVault for Mobile Accounts
207 Selecting the Location of a Mobile Account
208 Creating External Accounts
209 Setting Expiration Periods for Mobile Accounts
210 Choosing Folders to Sync at Login and Logout, or in the Background
211 Stopping Files from Syncing for a Mobile Account
212 Setting the Background Sync Frequency
212 Showing Mobile Account Status in the User’s Menu Bar
213 Managing Network Preferences
213 Configuring Proxy Servers by Port
214 Allowing Users to Bypass Proxy Servers for Specific Domains
215 Enabling Passive FTP Mode
215 Disabling Internet Sharing
216 Disabling AirPort
216 Disabling Bluetooth
217 Managing Parental Controls Preferences
217 Hiding Profanity in Dictionary
217 Preventing Access to Adult Websites
218 Allowing Access Only to Specific Websites
219 Setting Time Limits and Curfews on Computer Usage
220 Managing Printing Preferences
221 Making Printers Available to Users
221 Preventing Users from Modifying the Printer List
222 Restricting Access to Printers Connected to a Computer
222 Setting a Default Printer
223 Restricting Access to Printers
223 Adding a Page Footer to All Printouts
224 Managing Software Update Preferences
224 Managing Access to System Preferences
225 Managing Time Machine Preferences
227 Managing Universal Access Preferences
227 Adjusting the User’s Display Settings
228 Setting a Visual Alert
228 Adjusting Keyboard Accessibility Options
230 Adjusting Mouse and Pointer Responsiveness
230 Enabling Universal Access Shortcuts
231 Allowing Devices for Users with Special Needs
231 Using the Preference Editor with Preference Manifests
232 Adding to the Preference Editor’s List
234 Editing Application Preferences with the Preference Editor
235 Removing an Application’s Managed Preferences in the Preference Editor
236 Using the Preference Editor to Manage Core Services
237 Using the Preference Editor to Manage Safari

Chapter 11 239 Solving Problems
239 Diagnosing Common Network Issues
239 Testing Your Network’s Time and Time Zones
240 Testing Your DNS Service
241 Testing Your DHCP Service
242 Solving Account Problems
242 If You Want to Use Earlier Versions of Workgroup Manager
242 If You Can’t Edit an Account Using Workgroup Manager
242 If Users Can’t See Their Names in the Login Window
242 If You Can’t Unlock an LDAP Directory
243 If You Can’t Modify a User’s Open Directory Password
243 If You Can’t Change a User’s Password Type to Open Directory
243 If You Can’t Assign Server Administrator Privileges
243 If Users Can’t Log In or Authenticate
244 If Users Relying on a Password Server Can’t Log In
245 If Users Can’t Log In with Accounts in a Shared Directory Domain
245 If Users Can’t Access Their Home Folders
245 If Users Can’t Change Their Passwords
245 If Users Can’t Authenticate Using Single Sign-On or Kerberos
245 Problems with a Primary or Backup Domain Controller
245 If a Windows User Can’t Log in to the Windows Domain
246 If a Windows User Has No Home Folder
246 If a Windows User’s Profile Settings Revert to Defaults
246 If a Windows User Loses the Contents of the My Documents Folder
247 Solving Preference Management Problems
247 Testing Your Managed Client Settings
247 If Users Don’t See a List of Workgroups at Login
247 If Users Can’t Open Files
248 If Users Can’t Add Printers to a Printer List
248 If Login Items Added by a User Don’t Open
249 If Items Placed in the Dock by a User Are Missing
249 If a User’s Dock Has Duplicate Items
249 If Users See a Question Mark in the Dock
250 If Users See a Message About an Unexpected Error
250 If You Can’t Manage Network Views

Appendix 251 Importing and Exporting Account Information
251 Understanding What You Can Import and Export
252 Limitations for Importing and Exporting Passwords
252 Maintaining GUIDs When Importing from Earlier Versions of Mac OS X Server
253 Archiving the Open Directory Master
253 Using Workgroup Manager to Import Accounts
254 Using Workgroup Manager to Export Accounts
255 Using XML Files Created with Mac OS X Server v10.1 or Earlier
256 Using XML Files Created with AppleShare IP 6.3

Glossary 257
Index 267

Preface

About This Guide

This guide explains how to use Workgroup Manager to set up and manage accounts and preferences for clients.
Mac OS X Server includes Workgroup Manager, a user management tool you can use to create and manage accounts.
When managing accounts, you can define core account settings like name, password, home folder location, and group membership. You can also manage preferences, allowing you to customize the user’s experience, granting or restricting access to his or her own computer’s settings and to network resources.
Workgroup Manager works closely with a directory domain. Directory domains are like databases but are specifically designed for storing account information and handling authentication.
What’s New in Workgroup Manager

• Computer accounts and computer groups. You can create computer accounts for individual computers. By managing computer accounts individually, you can fully customize preference management settings for those computers.
You can create computer groups composed of these individual computer accounts or of other computer groups (hierarchical groups). Managed preferences set for a parent computer group in a hierarchy also apply to its child computer groups.
The addition of computer accounts and computer groups eases administration and increases flexibility. For more information, see Chapter 6, “Setting Up Computers and Computer Groups.”
• Improved mobile accounts. Mobile accounts are now more secure, efficient, and portable.
You can protect mobile accounts with FileVault. You can set account expiry options so that local home folders are deleted after a period of inactivity. You can also create mobile accounts on an external drive (external accounts), so users can still access a synced home folder with cached managed preferences even when they don’t have their own computers.
You can enable these features by managing Mobility preferences. For more information, see Chapter 8, “Managing Portable Computers.”
• New managed preferences. Preferences now let you manage Parental Controls, Dashboard, Front Row, and Time Machine. Existing preferences have been enhanced: application access restrictions can now identify approved applications by code signature (a signature embedded in the application or a detached signature stored with the managed preference) rather than by name or location alone, so an unapproved application cannot be launched merely by renaming or moving it; you have more control over the login window; and you can add page footers to printed documents. For more information, see Chapter 10, “Managing Preferences.”

What’s in This Guide

This guide includes the following chapters:
• Chapter 1, “User Management Overview,” highlights important concepts, introduces user management tools, and tells you where to find additional information about user management and related topics.
• Chapter 2, “Getting Started with User Management,” provides planning and setup information to create a user management environment.
• Chapter 3, “Getting Started with Workgroup Manager,” describes how to set up Workgroup Manager and use its core features.
• Chapters 4, 5, and 6 explain how to use Workgroup Manager to set up users, groups, computers, and computer groups.
• Chapter 7, “Setting Up Home Folders,” covers creating home folders.
• Chapter 8, “Managing Portable Computers,” details considerations for managing portable computers.
• Chapter 9, “Client Management Overview,” introduces client management tools and concepts, such as how to customize a user’s work environment and provide user access to network resources.
• Chapter 10, “Managing Preferences,” describes how to use Workgroup Manager to control preference settings for users, groups, computers, and computer groups that use Mac OS X.
• Chapter 11, “Solving Problems,” helps you address issues involving account creation, home folder maintenance, preference management, and client setup, and also helps you solve problems encountered by managed clients.
In addition, the appendix, “Importing and Exporting Account Information,” provides information you’ll need when you want to transfer account information to or from an external file.
Finally, the glossary defines terms you’ll encounter as you read this guide.
Note: Because Apple periodically releases new versions and updates to its software, images shown in this book may be different from what you see on your screen.

Using Onscreen Help

You can get task instructions onscreen in the Help Viewer application while you’re managing Leopard Server. You can view help on a server or an administrator computer. (An administrator computer is a Mac OS X computer with Leopard Server administration software installed on it.)
To get help for an advanced configuration of Leopard Server:
Open Server Admin or Workgroup Manager and then:
• Use the Help menu to search for a task you want to perform.
• Choose Help > Server Admin Help or Help > Workgroup Manager Help to browse and search the help topics.
The onscreen help contains instructions taken from Server Administration and other advanced administration guides described in “Mac OS X Server Administration Guides,” next.
To see the most recent server help topics:
Make sure the server or administrator computer is connected to the Internet while you’re getting help.
Help Viewer automatically retrieves and caches the most recent server help topics from the Internet. When not connected to the Internet, Help Viewer displays cached help topics.
Mac OS X Server Administration Guides
Getting Started covers installation and setup for standard and workgroup configurations of Mac OS X Server. For advanced configurations, Server Administration covers planning, installation, setup, and general server administration. A suite of additional guides, listed below, covers advanced planning, setup, and management of individual services. You can get these guides in PDF format from the Mac OS X Server documentation website:
www.apple.com/server/documentation
This guide ... tells you how to:
Getting Started and Installation & Setup Worksheet: Install Mac OS X Server and set it up for the first time.
Command-Line Administration: Install, set up, and manage Mac OS X Server using UNIX command-line tools and configuration files.
File Services Administration: Share selected server volumes or folders among server clients using the AFP, NFS, FTP, and SMB protocols.
iCal Service Administration: Set up and manage iCal shared calendar service.
iChat Service Administration: Set up and manage iChat instant messaging service.
Mac OS X Security Configuration: Make Mac OS X computers (clients) more secure, as required by enterprise and government customers.
Mac OS X Server Security Configuration: Make Mac OS X Server and the computer it’s installed on more secure, as required by enterprise and government customers.
Mail Service Administration: Set up and manage IMAP, POP, and SMTP mail services on the server.
Network Services Administration: Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall, NAT, and RADIUS services on the server.
Open Directory Administration: Set up and manage directory and authentication services, and configure clients to access directory services.
Podcast Producer Administration: Set up and manage Podcast Producer service to record, process, and distribute podcasts.
Print Service Administration: Host shared printers and manage their associated queues and print jobs.
QuickTime Streaming and Broadcasting Administration: Capture and encode QuickTime content. Set up and manage QuickTime streaming service to deliver media streams live or on demand.
Server Administration: Perform advanced installation and setup of server software, and manage options that apply to multiple services or to the server as a whole.
System Imaging and Software Update Administration: Use NetBoot, NetInstall, and Software Update to automate the management of operating system and other software used by client computers.
Upgrading and Migrating: Use data and service settings from an earlier version of Mac OS X Server or Windows NT.
User Management: Create and manage user accounts, groups, and computers. Set up managed preferences for Mac OS X clients.
Web Technologies Administration: Set up and manage web technologies, including web, blog, webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV.
Xgrid Administration and High Performance Computing: Set up and manage computational clusters of Xserve systems and Mac computers.
Mac OS X Server Glossary: Learn about terms used for server and storage products.

Viewing PDF Guides Onscreen

While reading the PDF version of a guide onscreen:
• Show bookmarks to see the guide’s outline, and click a bookmark to jump to the corresponding section.
• Search for a word or phrase to see a list of places where it appears in the document. Click a listed place to see the page where it occurs.
• Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.

Printing PDF Guides

If you want to print a guide, you can take these steps to save paper and ink:
• Save ink or toner by not printing the cover page.
• Save color ink on a color printer by looking in the panes of the Print dialog for an option to print in grays or black and white.
• Reduce the bulk of the printed document and save paper by printing more than one page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting Started). Then choose Layout from the untitled pop-up menu. If your printer supports two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from the Border menu. (If you’re using Mac OS X version 10.4 or earlier, the Scale setting is in the Page Setup dialog and the Layout settings are in the Print dialog.)
You may want to enlarge the printed pages even if you don’t print double sided, because the PDF page size is smaller than standard printer paper. In the Print dialog or Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has CD-size pages).

Getting Documentation Updates

Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.
• To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click “Latest help topics” or “Staying current” in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server documentation website:
www.apple.com/server/documentation

Getting Additional Information

For more information, consult these resources:
• Read Me documents: important updates and special information. Look for them on the server discs.
• Mac OS X Server website (www.apple.com/server/macosx): gateway to extensive product and technology information.
• Mac OS X Server Support website (www.apple.com/support/macosxserver): access to hundreds of articles from Apple’s support organization.
• Apple Discussions website (discussions.apple.com): a way to share questions, knowledge, and advice with other administrators.
• Apple Mailing Lists website (www.lists.apple.com): subscribe to mailing lists so you can communicate with other administrators using email.

1 User Management Overview

This chapter introduces user management concepts and describes the applications used to manage accounts and privileges.
User management encompasses everything from setting up accounts for network access and creating home folders, to fine-tuning the user experience by managing preferences and settings for users, groups, computers and computer groups. Mac OS X Server provides tools for accomplishing these tasks and more.

Tools for User Management

User management tools and technologies in Mac OS X Server include Workgroup Manager, Server Admin, Server Preferences, NetBoot, NetInstall, and command-line tools.

Workgroup Manager

Workgroup Manager is a powerful tool that delivers features for comprehensive management of Macintosh clients.
You can use Workgroup Manager on a computer with Mac OS X or Mac OS X Server installed.
Workgroup Manager provides a centralized method of managing Mac OS X computers, controlling access to software and removable media, and providing a consistent, personalized experience for users at different levels, whether they’re beginners in a classroom or advanced users in an office.
You use Workgroup Manager to create user accounts and set up groups to provide convenient access to resources. You can:
• Use account settings and managed preferences to achieve the level of administrative control you need, while making the user experience more efficient
• Manage Finder, login, media access, and print settings
• Control access to computers and restrict the applications allowed to run on them
Using Workgroup Manager with Mac OS X Server services, you can:
• Customize the work environments of network users by organizing their desktop resources and personal files
• Enable services that require user accounts, such as mail, file sharing, iChat service, and web service
• Share system resources, such as printers and computers, maximizing their availability and ensuring that disk space and printer usage remain equitably shared
To get started with Workgroup Manager, see Chapter 3, “Getting Started with Workgroup Manager.”

Server Admin

The Server Admin application provides access to various tools and services that play a role in server management.
After installing the Mac OS X Server software, use Server Admin to set up directory services and establish your network. Then use Workgroup Manager to create and manage accounts. After that, use Server Admin to set up additional services to provide mail service, host websites, share printers, and create share points (which allow users to share folders and files).
For information about how to use the many services managed through Server Admin, see the service administration guides. The following table lists common server administration tasks and includes the location of related documentation.
To ... see this document:
Assign permissions to folders and files in a share point: File Services Administration
Share printers among users: Print Service Administration
Set up websites or WebDAV support on the server: Web Technologies Administration
Provide email service for users: Mail Service Administration
Broadcast multimedia from the server in real time: QuickTime Streaming Server Administration
Provide identical operating system and applications folders for client computers: System Imaging and Software Update Administration
Install applications across a network: System Imaging and Software Update Administration
Share information among multiple Mac OS X Server systems or Mac OS X computers: Open Directory Administration
For a complete list of Mac OS X Server documentation, see “Mac OS X Server Administration Guides” on page 16.

Server Preferences

If you use the standard or workgroup configuration of Mac OS X Server, you can use Server Preferences to configure key features of collaboration and file services. Its streamlined approach allows novice system administrators to quickly configure a server without requiring much technical knowledge.
You can also use Server Preferences to configure user and group accounts (such as setting passwords, enabling services, and assigning group membership). However, you can’t use Server Preferences to manage preferences.
For more information, see Getting Started and Server Preferences Help.

NetBoot

Mac OS X computers can start up from a network-based NetBoot image, providing quick and easy configuration of department, classroom, and individual systems, as well as web and application servers, throughout a network.
When you update a NetBoot image, all computers using NetBoot have instant access to the new configuration. To customize the computer setup for different groups of clients, you can set up multiple NetBoot images. These features provide quick setup and a customized user experience.
NetBoot simplifies administration and reduces the support normally associated with large-scale deployments of network-based Macintosh computers. It’s ideal for an organization with client computers that are identically configured. For example, NetBoot can be a powerful solution for a data center that needs multiple, identically configured web and application servers.
With NetBoot, you can quickly configure and update client computers by updating a NetBoot image stored on the server. NetBoot images contain the operating system and application folders for all clients on the server, so that changes made on the server are reflected on the clients when they restart. Systems that are compromised or otherwise altered can be instantly restored by restarting them.
You use System Image Utility to create and modify NetBoot images, and then use NetBoot to deploy NetBoot images.
For more information about these tools, or about installing an operating system over a network, see System Imaging and Software Update Administration.

NetInstall

NetInstall is a centralized software installation service that lets you use installation images to selectively and automatically install, restore, or upgrade network-based Macintosh systems. Those images can contain the latest version of Mac OS X, a software update, site-licensed or custom applications, or configuration scripts.
You can use NetInstall to upgrade operating systems, install software updates and custom software packages, or re-image desktop and portable computers. You can create custom installation packages for various departments in an organization, such as marketing, engineering, and sales.
Using NetInstall, it’s not necessary to use CDs or DVDs to configure a computer. All installation files and packages reside on the server.
Use NetInstall to run pre- and post-installation scripts to perform system commands before or after the installation of a software package or system image.
To create NetInstall packages, use System Image Utility or PackageMaker. Then use NetBoot to deploy NetInstall packages. For more information about using these tools with NetInstall, see System Imaging and Software Update Administration.

Command-Line Tools

Mac OS X Server v10.5 includes several client-management command-line tools. For example, the dscl tool allows you to view and edit account settings and manage preferences, while the mcxquery tool reports the managed preferences that are effective for a particular user.
Use the mcxquery tool to review how combined and overridden managed preferences interact at the user, group, computer, or computer group level. The tool also determines which directory domain stores those managed preference settings.
For more information about client-management command-line tools, see Command-Line Administration.

Accounts

To manage accounts, you use an administrator account. With an administrator account, you can set up and manage the following account types:
• User accounts
• Group accounts
• Computer accounts
• Computer groups
When creating a user account, you must specify a user name and password, which is needed to prove the user’s identity. You can also specify a user identification number (user ID), which is useful for folder and file permissions. Other user account information is used by various services to determine what the user is authorized to do and to personalize the user’s environment.
In addition to the accounts you create, Mac OS X Server also has predefined user and group accounts, some of which are reserved for use by Mac OS X.

Administrator Accounts

Users with server administration or directory domain administration privileges are known as administrators. An administrator can be a server administrator, domain administrator, or both.
Server administrator privileges determine whether a user can change the settings of a particular server.
Domain administrator privileges determine the extent to which an administrator can change account settings for users, groups, computers, and computer groups in the directory domain.
Server Administration
Server administration privileges determine the functions available to a user when logged in to a particular Mac OS X Server. For example, a server administrator can use Directory Utility to make changes to a server’s search policy.
When you assign server administration privileges to a user, the user is added to the “admin” group in the server’s local directory domain. Many Mac OS X applications—such as Server Admin, Directory Utility, and System Preferences—use the admin group to determine whether a particular user can perform certain administrative activities with the application.
Local Mac OS X Computer Administration
Any user who belongs to the admin group in the local directory domain of any Mac OS X computer has administrator privileges on that computer.
Limited Administration
You can control the extent to which a limited administrator can use Workgroup Manager to change account data stored in a domain. For example, you can set up directory domain privileges so your network administrator can add and remove user accounts, but allow limited administrators to change the information for particular users. Or, you can designate multiple limited administrators to manage different groups.
For more information, see “Giving a User Limited Administrative Capabilities” on page 70.
Directory Domain Administration
When you create a directory domain in Mac OS X Server, a domain administrator account is created and added to the admin group in the domain. If you plan to connect your directory domain to other directory domains, make sure you choose a unique name and user ID for each domain.
When you assign full directory domain administration privileges to a user, the user is added to the “admin” group in the directory domain. This does not grant the user local admin privileges on the servers hosting this directory domain or on any other servers or clients bound to this directory domain.
Each directory domain has a domain administrator account, and a domain administrator can create additional domain administrators in the same domain. Any user with a user account in a directory domain can be made a directory domain administrator (an administrator of that domain).
For more information, see “Giving a User Full Administrative Capabilities” on page 72.

User Accounts

Depending on how you set up server and user accounts, you can use Mac OS X Server to support users who log in using Mac OS X computers, Windows computers, or UNIX computers.
Most users have an individual account used to authenticate them and control their access to services. When you want to personalize a user’s environment, you define user, group, computer, or computer group preferences for that user.
The term managed client or managed user refers to a user who has administrator-controlled preferences associated with his or her account. Managed client is also used to refer to computers or computer groups that have preferences defined for them.
To learn more about how to set up user accounts, see Chapter 4, “Setting Up User Accounts.” To specify the preferences for user accounts, see Chapter 10, “Managing Preferences.”
Guest Account
You can provide services for users who can’t be authenticated because they don’t have a valid user name or password. These users are known as guest users. If your computers run Mac OS X v10.5 or later, you can enable a guest account, which is specifically designed for guest users.
The guest account allows anonymous access to a computer. The guest account has a local home folder that has its contents erased when the user logs in or out of the guest account.
The guest account is best used for common-access computers, such as those in a library or open lab where you may not need to log user access and where the user maintains his or her files separate from the local computer.
For some services, like Apple Filing Protocol (AFP), you can let guest users access files. Instead of authenticating with a name and a password, a guest user connects as a guest, not as a registered user. Guests are restricted to files and folders with permissions set to Everyone.

Group Accounts

To ease user administration, you can create group accounts. A group is a collection of users who have similar needs. For example, you can add all English teachers to one group and allow that group to access certain files or folders on a volume.
Groups simplify the administration of shared resources. Instead of granting access to various resources for each user who needs access, you can add users to a group and then grant access to everyone in the group.
Use group account settings to control user access to folders and files. For more information, see “Folder and File Access by Other Users” on page 28.
A group can be a member of another group. A group that contains another group is called a parent group. The group contained in the parent group is called a hierarchical group. Hierarchical groups are useful for inheriting access permissions and managed preferences.
To learn more about how to set up group accounts, see Chapter 5, “Setting Up Group Accounts.” To specify preferences for group accounts, see Chapter 10, “Managing Preferences.”
Workgroups
When you define preferences for a group, it becomes a workgroup. A workgroup lets you manage the work environment of group members.
Workgroup preferences are stored in the group account. For a description of workgroup preferences, see Chapter 10, “Managing Preferences.”
Group Folders
When you define a group, you can also specify a folder for storing files that you want group members to share. The location of the folder is stored in the group account.
You can give users permission to write to a group folder, or to change group folder attributes in the Finder.

Computer Accounts

Computer accounts allow you to identify and manage individual computers.
To create a computer account, you need the computer’s Ethernet ID. When creating the account, you can also associate it with an IP address. After creating the account, you can manage its preferences or add it to a computer group.
For more information about setting up computer accounts, see Chapter 6, “Setting Up Computers and Computer Groups.” To specify preferences for Mac OS X computer accounts, see Chapter 10, “Managing Preferences.”
Guest Computers
Most computers on your network should have a computer account. If an unknown computer (one that doesn’t have a computer account) connects to your network and attempts to access services, that computer is treated as a guest. Settings chosen for the Guest Computer account apply to unknown guest computers.

Computer Groups

A computer group is composed of one or more computer accounts or computer groups. By combining these into a single computer group, you can apply the same managed preferences to all its members.
To learn more about how to set up computer groups for Mac OS X client computers, see Chapter 6, “Setting Up Computers and Computer Groups.” To specify preferences for Mac OS X computer groups, see Chapter 10, “Managing Preferences.”

The User Experience

After you create an account for a user, the user can access server resources according to the permissions you set.
The user experience depends on the type of user, permissions set, type of client computer in use (such as Windows or UNIX), whether the user is a member of a group, and whether preference management is implemented at the user, group, or computer level.
For more information about the Mac OS X user experience, see Chapter 9, “Client Management Overview.” Basic information about authentication, identity validation, and information-access control is given in the following sections.

Authentication and Identity Validation

Before a user can log in or connect to a Mac OS X computer, he or she must enter a name and password associated with a user account accessible by the computer.
A Mac OS X computer can access user accounts that are stored in a directory domain of the computer’s search policy:
• A directory domain stores information about users and resources. It is like a database that a computer accesses to retrieve configuration information.
• A search policy is a list of directory domains that the computer searches when it needs configuration information, starting with the local directory domain on the user’s computer.
The following illustration shows a user logging in to an account in a directory domain in the computer’s search policy.
[Illustration: Log in to Mac OS X; directory domains in search policy]
After login, the user can connect to a remote server to access its services (if the user’s account is located in the server’s search policy).
[Illustration: Connect to Mac OS X Server; directory domains in search policy]
If Mac OS X finds a user account containing the name entered by the user, it attempts to validate the password associated with the account. If the password is validated, the user is authenticated and the login or connection process is completed.
Mac OS X Server validates passwords using Kerberos, Open Directory Password Server, shadow passwords, and crypt passwords.
For more information about types of directory domains and instructions for configuring search policies, see Open Directory Administration. This guide also discusses authentication methods and provides instructions for setting up user authentication options.
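The lookup order the two illustrations and the preceding paragraphs describe, as an added example in Python (not Apple's code and not how Mac OS X implements it internally): the computer consults each directory domain in search-policy order, starting with the local domain, and the first domain holding a record with the entered name answers; the password is then validated against that record only. The domain names, accounts, salts and hashes are constructed sample values, and the salted SHA-256 check is a stand-in for whichever password method (Kerberos, Password Server, shadow or crypt) the real domain would use.

```python
# Added example, not Apple's code: a model of search-policy account lookup.
# The search policy is an ordered list of directory domains; the first domain
# that holds a record with the entered short name answers, and the password is
# checked against that record only. All domain names, accounts, salts and
# hashes below are constructed; the salted SHA-256 verifier is a stand-in for
# the real domain's password method.
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

Record = Dict[str, str]
Domain = Tuple[str, Dict[str, Record]]   # (domain name, {short name: record})


def _verifier(password: str, salt: str) -> str:
    """Constructed stand-in for a stored password verifier."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_record(uid: int, password: str, salt: str) -> Record:
    return {"uid": str(uid), "salt": salt, "hash": _verifier(password, salt)}


def find_account(name: str, search_policy: List[Domain]) -> Optional[Tuple[str, Record]]:
    """Walk the search policy in order; return the first domain/record match."""
    for domain_name, records in search_policy:
        if name in records:
            return domain_name, records[name]
    return None


def authenticate(name: str, password: str, search_policy: List[Domain]) -> Tuple[bool, str]:
    """Return (authenticated, name of the domain that answered, or 'none')."""
    hit = find_account(name, search_policy)
    if hit is None:
        return False, "none"
    domain_name, record = hit
    # Only the record found first is consulted; later domains are never asked.
    ok = hmac.compare_digest(_verifier(password, record["salt"]), record["hash"])
    return ok, domain_name


# Constructed search policy: local domain first, then a network domain.
# "jsmith" exists in both, so the local copy shadows the network account.
SEARCH_POLICY: List[Domain] = [
    ("/Local/Default", {
        "admin": make_record(501, "local-admin-pw", "s1"),
        "jsmith": make_record(502, "local-jsmith-pw", "s2"),
    }),
    ("/LDAPv3/od.example.com", {
        "jsmith": make_record(1002, "network-jsmith-pw", "s3"),
        "mlee": make_record(1003, "network-mlee-pw", "s4"),
    }),
]

if __name__ == "__main__":
    attempts = (("mlee", "network-mlee-pw"), ("jsmith", "network-jsmith-pw"),
                ("jsmith", "local-jsmith-pw"), ("nobody", "x"))
    for user_name, pw in attempts:
        print(user_name, authenticate(user_name, pw, SEARCH_POLICY))
```

Because the search stops at the first domain containing the name, the network password for jsmith is never checked once a local jsmith exists; when auditing a client, local accounts that duplicate network short names are therefore worth reviewing.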

Information Access Control

To control access to information, a universal ID called a globally unique identifier (GUID) provides user and group identity for access control list (ACL) permissions.
An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user, and how these permissions are propagated throughout a folder hierarchy. The GUID also associates a user with group and hierarchical group memberships.
Prior to Mac OS X v10.4, Mac OS X used user ID and POSIX permissions to track folder and file permissions. In Mac OS X, folders or files include POSIX permissions for entities such as:
• Owner
• Group
• Everyone else
Because GUIDs are 128-bit values, duplicate GUIDs are extremely unlikely. Unlike ACL permissions, POSIX permissions can cause file-ownership and group-membership issues when multiple users have identical short names or user IDs. When using GUIDs, users with the same short name or user ID can have different ACL permissions.
The introduction of GUIDs does not change or remove POSIX permissions, so it does not affect the interoperability of Mac OS X with legacy UNIX systems or other operating systems.
Folder and File Owner Access
When a folder or file is created, the file system stores the user ID of the user who created the file or folder as its owner. By default, when a user with that user ID accesses the folder or file, he or she can read and write to it. Also, any process started by the user who creates the file or folder can read and write to any files associated with that same user ID.
If you change a user ID, the user may not be able to modify or access files and folders he or she created. Likewise, if the user logs in as a user whose user ID is different from the user ID he or she used to create the files and folders, the user no longer has owner permissions for those files and folders.
Folder and File Access by Other Users
The use of GUIDs in conjunction with ACLs determines the files that users and groups can access. Also, the user ID, in conjunction with a group ID, is used to control access.
Every user belongs to a primary group. The primary group ID for a user is stored in the user’s account. When a user accesses a folder or file and the user isn’t the owner, the file system checks the file’s group permissions, and the following occurs:
• If the user’s primary group ID matches the ID of the group associated with the file, the user inherits group permissions.
• If the user’s primary group ID doesn’t match the file’s group ID, Mac OS X searches for the group account that has permission to access the file. When the group is found, all members of that group and subsequent hierarchical groups are given permission to that file.
• If neither of these cases applies, the user’s access permissions default to the generic “everyone.”
ACLs and POSIX Permissions
Every file and folder has POSIX permissions. Unless an administrator assigns ACL permissions, POSIX permissions continue to define user access. If you assign ACL permissions, they take precedence over standard POSIX permissions.
If a file has ACL permissions, but none apply to the user, the POSIX permissions determine user access. If a file has multiple ACEs that apply to a user, the first applicable ACE takes precedence, and subsequent ACEs are ignored.
For more information about ACL and POSIX permissions, see File Services Administration.
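The decision sequence from “Folder and File Access by Other Users” and “ACLs and POSIX Permissions” above, as an added example in Python (not Apple's code, and a model of the stated rules rather than the kernel's implementation): the first ACE whose principal covers the user, directly or through hierarchical group membership, decides the requested right and later ACEs are ignored; if no ACE applies, the POSIX owner, group and everyone bits decide. The sample also shows the point made under “Information Access Control”: two accounts that share a user ID are indistinguishable to POSIX permissions but receive different ACL results because their GUIDs differ. All users, groups, GUIDs, IDs and the file are constructed sample values.

```python
# Added example, not Apple's code: a model of the access decision this
# chapter describes.
#   1. If the file has an ACL, the first ACE that applies to the user (by the
#      user's GUID, or the GUID of any group the user is in, including parent
#      groups of those groups) decides the requested right; later ACEs are
#      ignored.
#   2. If no ACE applies, POSIX bits decide: owner, then group (primary group
#      or membership in the file's group), then everyone.
# Every user, group, GUID, ID and file below is a constructed sample value.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    primary_gid: int
    guid: str


@dataclass
class Group:
    gid: int
    guid: str
    member_guids: Set[str] = field(default_factory=set)        # user members
    nested_group_guids: Set[str] = field(default_factory=set)  # hierarchical groups


@dataclass(frozen=True)
class ACE:
    principal_guid: str      # user or group GUID
    kind: str                # "allow" or "deny"
    rights: FrozenSet[str]   # subset of {"read", "write"}


@dataclass
class FileNode:
    owner_uid: int
    group_gid: int
    mode: int                # POSIX mode bits, e.g. 0o640
    acl: List[ACE] = field(default_factory=list)


def effective_group_guids(user: User, groups: Dict[str, Group]) -> Set[str]:
    """GUIDs of every group the user belongs to, directly or via parent groups."""
    found = {guid for guid, g in groups.items() if user.guid in g.member_guids}
    frontier = list(found)
    while frontier:
        child = frontier.pop()
        for guid, g in groups.items():
            if child in g.nested_group_guids and guid not in found:
                found.add(guid)          # membership propagates to the parent group
                frontier.append(guid)
    return found


def posix_rights(user: User, node: FileNode, groups: Dict[str, Group]) -> Set[str]:
    """Owner, group, or everyone bits, in the order the chapter describes."""
    file_group = next((g for g in groups.values() if g.gid == node.group_gid), None)
    in_file_group = (file_group is not None
                     and file_group.guid in effective_group_guids(user, groups))
    if user.uid == node.owner_uid:
        bits = (node.mode >> 6) & 0o7
    elif user.primary_gid == node.group_gid or in_file_group:
        bits = (node.mode >> 3) & 0o7
    else:
        bits = node.mode & 0o7
    return {r for r, bit in (("read", 0o4), ("write", 0o2)) if bits & bit}


def check_access(user: User, node: FileNode, groups: Dict[str, Group],
                 right: str) -> Tuple[bool, str]:
    """Return (granted, which rule decided)."""
    principals = {user.guid} | effective_group_guids(user, groups)
    for ace in node.acl:                     # first applicable ACE wins
        if ace.principal_guid in principals and right in ace.rights:
            return ace.kind == "allow", "acl:" + ace.kind
    return right in posix_rights(user, node, groups), "posix"


# Constructed sample directory. Two "alice" accounts share uid 501 (the
# duplicate-ID situation the chapter warns about) but have distinct GUIDs.
ALICE_LOCAL = User("alice", 501, 20, "GUID-ALICE-LOCAL")
ALICE_NET = User("alice", 501, 20, "GUID-ALICE-NET")
BOB = User("bob", 502, 20, "GUID-BOB")
CAROL = User("carol", 503, 20, "GUID-CAROL")
GROUPS = {
    "GUID-ENGLISH": Group(1001, "GUID-ENGLISH", member_guids={"GUID-BOB"}),
    "GUID-FACULTY": Group(1000, "GUID-FACULTY", nested_group_guids={"GUID-ENGLISH"}),
}
REPORT = FileNode(owner_uid=501, group_gid=1000, mode=0o640, acl=[
    ACE("GUID-ALICE-NET", "deny", frozenset({"read", "write"})),
    ACE("GUID-FACULTY", "allow", frozenset({"write"})),
])

if __name__ == "__main__":
    for who, right in ((ALICE_LOCAL, "read"), (ALICE_NET, "read"),
                       (BOB, "write"), (BOB, "read"), (CAROL, "read")):
        print(who.name, who.guid, right, check_access(who, REPORT, GROUPS, right))
```

With these values, alice with GUID-ALICE-LOCAL reads the file as its POSIX owner while alice with GUID-ALICE-NET, the same uid, is denied by the first ACE; bob gains write through the faculty group, which he belongs to only because english is nested in it, but his read comes from the POSIX group bits because the faculty ACE does not mention read.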
SIDs and Windows Interoperability
Mac OS X computers work seamlessly with Windows computers because Mac OS X assigns a security identifier (SID) to a process or file when it assigns a GUID to the process or file. A SID is a Windows identifier that has similar functionality to a GUID on a Mac OS X computer.
When Windows users access share points using Server Message Block (SMB), they transfer SIDs, not GUIDs. When Mac OS X Server receives SIDs, it retrieves the user accounts with the corresponding GUIDs.
Windows servers use Active Directory as their directory domain. If a user account is moved to a different Active Directory domain, it receives a new SID but not a new GUID. The user still has access permissions assigned to old SIDs because Active Directory keeps track of SID history in user accounts.