The owner or authorized user of a valid copy of
Mac OS X Server software may reproduce this
publication for the purpose of learning to use such
software. No part of this publication may be reproduced
or transmitted for commercial purposes, such as selling
copies of this publication or for providing paid-for
support services.
Every effort has been made to ensure that the
information in this manual is accurate. Apple Inc. is not
responsible for printing or clerical errors.
Apple
1 Infinite Loop
Cupertino, CA 95014-2084
408-996-1010
www.apple.com
Use of the “keyboard” Apple logo (Option-Shift-K) for
commercial purposes without the prior written consent
of Apple may constitute trademark infringement and
unfair competition in violation of federal and state laws.
Apple, the Apple logo, AirPort, AppleShare, Bonjour,
FireWire, iCal, iTunes, Mac, Mac OS, MacBook, Macintosh,
QuickTime, SuperDrive, Xgrid, Xsan, and Xserve are
trademarks of Apple Inc., registered in the U.S. and other
countries. Apple Remote Desktop, Extensions Manager,
Finder, iWork, and Safari are trademarks of Apple Inc.
Mac is a service mark of Apple Inc.
Adobe and PostScript are trademarks of Adobe Systems
Incorporated.
The Bluetooth® word mark and logos are registered
trademarks owned by the Bluetooth SIG, Inc. and any
use of such marks by Apple is under license.
Java and all Java-based trademarks and logos are
trademarks or registered trademarks of Sun
Microsystems, Inc. in the U.S. and other countries.
UNIX is a registered trademark of The Open Group.
Other company and product names mentioned herein
are trademarks of their respective companies. Mention
of third-party products is for informational purposes
only and constitutes neither an endorsement nor a
recommendation. Apple assumes no responsibility with
regard to the performance of these products.
019-0938/2007-09-01
Contents

Preface  About This Guide
  What’s New in Workgroup Manager
  What’s in This Guide
  Using Onscreen Help
  Mac OS X Server Administration Guides
  Viewing PDF Guides Onscreen
  Printing PDF Guides
  Getting Documentation Updates
  Getting Additional Information

Chapter 1  User Management Overview
  Tools for User Management
  Workgroup Manager
  Server Admin
  Server Preferences
  NetBoot
  NetInstall
  Command-Line Tools
  Accounts
  Administrator Accounts
  User Accounts
  Group Accounts
  Computer Accounts
  Computer Groups
  The User Experience
  Authentication and Identity Validation
  Information Access Control
Chapter 2  Getting Started with User Management
  Setup Overview
  Planning Strategies for User Management
  Analyzing Your Environment
  Identifying Directory Services Requirements
  Determining Server and Storage Requirements
  Choosing a Home Folder Structure
  Devising a Home Folder Distribution Strategy
  Identifying Groups
  Determining Administrator Requirements

Chapter 3  Getting Started with Workgroup Manager
  Configuring the Administrator’s Computer and Account
  Setting Up an Administrator Computer
  Creating a Domain Administrator Account
  Using Workgroup Manager
  Using Mac OS X Server v10.5 to Administer Earlier Versions of Mac OS X
  Connecting and Authenticating to Directory Domains in Workgroup Manager
  Major Workgroup Manager Tasks
  Modifying Workgroup Manager Preferences
  Finding and Listing Accounts
  Working with Account Lists in Workgroup Manager
  Listing Accounts in the Local Directory Domain
  Listing Accounts in Search Policy Directory Domains
  Listing Accounts in Available Directory Domains
  Refreshing Account Lists
  Finding Specific Accounts in a List
  Using Advanced Search
  Sorting Users and Groups
  Shortcuts for Working with Accounts
  Using Presets
  Editing Multiple Accounts Simultaneously
  Importing and Exporting Account Information
Chapter 4  Setting Up User Accounts
  About User Accounts
  Where User Accounts Are Stored
  Predefined User Accounts
  Administering User Accounts
  Creating User Accounts
  Editing User Account Information
  Working with Read-Only User Accounts
  Working with Guest Users
  Working with Windows User Accounts
  Deleting a User Account
  Disabling a User Account
  Creating a Preset for User Accounts
  Using Presets to Create Accounts
  Renaming Presets
  Editing Presets
  Deleting a Preset
  Working with Basic Settings
  Modifying User Names
  Modifying Short Names
  Choosing Stable Short Names
  Avoiding Duplicate Names
  Modifying User IDs
  Assigning a Password to a User
  Assigning Administrator Privileges for a Server
  Choosing a User’s Login Picture
  Working with Privileges
  Removing Administrative Privileges from a User
  Giving a User Limited Administrative Capabilities
  Giving a User Full Administrative Capabilities
  Working with Advanced Settings
  Enabling a User’s Calendar
  Allowing a User to Log In to More Than One Computer At a Time
  Choosing a Default Shell
  Choosing a Password Type and Setting Password Options
  Creating a Master List of Keywords
  Applying Keywords to User Accounts
  Editing Comments
  Working with Group Settings
  Choosing a User’s Primary Group
  Reviewing a User’s Group Memberships
  Adding a User to a Group
  Removing a User from a Group
  Working with Home Settings
  Working with Mail Settings
  Enabling Mail Service Account Options
  Disabling a User’s Mail Service
  Forwarding a User’s Mail
  Working with Print Quota Settings
  Enabling a User’s Access to All Available Print Queues
  Enabling a User’s Access to Specific Print Queues
  Removing a Print Quota For a Queue
  Resetting a User’s Print Quota
  Disabling a User’s Access to Print Queues That Enforce Quotas
  Working with Info Settings
  Working with Windows Settings
  Changing a Windows User’s Profile Location
  Changing a Windows User’s Login Script Location
  Changing a Windows User’s Home Folder Drive Letter
  Changing a Windows User’s Home Folder Location
  Working with GUIDs
  Viewing GUIDs
Chapter 5  Setting Up Group Accounts
  About Group Accounts
  How Group Accounts Track Membership
  Where Group Accounts Are Stored
  Predefined Group Accounts
  Administering Group Accounts
  Creating Group Accounts
  Creating a Preset for Group Accounts
  Editing Group Account Information
  Creating Hierarchical Groups
  Upgrading Legacy Groups
  Working with Read-Only Groups
  Deleting a Group
  Working with Basic Settings for Groups
  Naming a Group
  Defining a Group ID
  Choosing a Group’s Login Picture
  Enabling a Group’s Web Services
  Working with Member Settings for Groups
  Adding Users or Groups to a Group
  Removing Group Members
  Working with Group Folder Settings
  Specifying No Group Folder
  Creating a Group Folder
  Designating a Group Folder for Use by Multiple Groups

Chapter 6  Setting Up Computers and Computer Groups
  About Computer Accounts
  Creating Computer Accounts
  Working with Guest Computers
  Working with Windows Computers
  About Computer Groups
  Differences Between Computer Groups and Computer Lists
  Administering Computer Groups
  Creating a Computer Group
  Creating a Preset for Computer Groups
  Using a Computer Group Preset
  Adding Computers or Computer Groups to a Computer Group
  Removing Computers and Computer Groups from a Computer Group
  Deleting a Computer Group
  Upgrading Computer Lists to Computer Groups
Chapter 7  Setting Up Home Folders
  About Home Folders
  Hosting Home Folders for Mac OS X Clients
  Hosting Home Folders for Other Clients
  Distributing Home Folders Across Multiple Servers
  Administering Share Points
  Setting Up a Share Point
  Setting Up an Automountable AFP Share Point for Home Folders
  Setting Up an Automountable NFS Share Point for Home Folders
  Setting Up an SMB Share Point
  Administering Home Folders
  Specifying No Home Folder
  Creating a Home Folder for a Local User
  Creating a Network Home Folder
  Creating a Custom Location for Home Folders
  Setting Up a Home Folder for a Windows User
  Setting Disk Quotas
  Setting Disk Quotas for Windows Users to Avoid Data Loss
  Using Presets to Choose Default Home Folders
  Moving Home Folders
  Deleting Home Folders

Chapter 8  Managing Portable Computers
  About Mobile Accounts
  About Portable Home Directories
  Logging In to Mobile Accounts
  Resolving Sync Conflicts
  About External Accounts
  Logging In to External Accounts
  Considerations and Strategies for Deploying Mobile Accounts
  Advantages of Using Mobile Accounts
  Considerations for Using Mobile Accounts
  Strategies for Syncing Content
  Setting Up Mobile Accounts for Use on Portable Computers
  Configuring Portable Computers
  Managing Mobile Clients Without Using Mobile Accounts
  Unknown Mac OS X Portable Computers
  Using Mac OS X Portable Computers with One Primary Local User
  Using Mac OS X Portable Computers with Multiple Users
  Securing Mobile Clients
  Optimizing the File Server for Mobile Accounts

Chapter 9  Client Management Overview
  Using Network-Visible Resources
  Customizing the User Experience
  The Power of Preferences
  Designing the Login Experience
  Choosing a Workgroup
  Working with Synced Homes
  Improving Workflow
Chapter 10  Managing Preferences
  Using Workgroup Manager to Manage Preferences
  Understanding Managed Preference Interactions
  Understanding Hierarchical Preference Management
  Setting the Permanence of Management
  Caching Preferences
  Preference Management Basics
  Managing User Preferences
  Managing Group Preferences
  Managing Computer Preferences
  Managing Computer Group Preferences
  Disabling Management for Specific Preferences
  Managing Access to Applications
  Controlling User Access to Specific Applications and Folders
  Allowing Specific Dashboard Widgets
  Disabling Front Row
  Allowing Legacy Users to Open Specific Applications and Folders
  Managing Classic Preferences
  Selecting Classic Startup Options
  Choosing a Classic System Folder
  Allowing Special Actions During Restart
  Controlling Access to Classic Apple Menu Items
  Adjusting Classic Sleep Settings
  Maintaining Consistent User Preferences for Classic
  Managing Dock Preferences
  Controlling the User’s Dock
  Providing Easy Access to Group Folders
  Adding Items to a User’s Dock
  Preventing Users from Adding or Deleting Dock Items
  Managing Energy Saver Preferences
  Using Sleep and Wake Settings for Desktop Computers
  Setting Energy Saver Settings for Portable Computers
  Displaying Battery Status to Users
  Scheduling Automatic Startup, Shutdown, or Sleep
  Managing Finder Preferences
  Setting Up Simple Finder
  Keeping Disks and Servers from Appearing on the User’s Desktop
  Controlling the Behavior of Finder Windows
  Hiding the Alert Message When a User Empties the Trash
  Making Filename Extensions Visible
  Controlling User Access to Remote Servers
  Controlling User Access to an iDisk
  Preventing Users from Ejecting Discs
  Hiding the Burn Disc Command in the Finder
  Controlling User Access to Folders
  Removing Restart and Shut Down from the Apple Menu
  Adjusting the Appearance and Arrangement of Desktop Items
  Adjusting the Appearance of Finder Window Contents
  Managing Login Preferences
  Changing the Appearance of the Login Window
  Configuring Miscellaneous Login Options
  Choosing Who Can Log In
  Customizing the Workgroups Displayed at Login
  Enabling the Use of Login and Logout Scripts
  Choosing a Login or Logout Script
  Automatically Opening Items After a User Logs In
  Providing Access to a User’s Network Home Folder
  Providing Easy Access to the Group Share Point
  Managing Media Access Preferences
  Controlling Access to CDs, DVDs, and Recordable Discs
  Controlling Access to Hard Drives, Disks, and Disk Images
  Ejecting Removable Media Automatically When a User Logs Out
  Managing Mobility Preferences
  Creating a Mobile Account
  Preventing the Creation of a Mobile Account
  Manually Removing Mobile Accounts from Computers
  Enabling FileVault for Mobile Accounts
  Selecting the Location of a Mobile Account
  Creating External Accounts
  Setting Expiration Periods for Mobile Accounts
  Choosing Folders to Sync at Login and Logout, or in the Background
  Stopping Files from Syncing for a Mobile Account
  Setting the Background Sync Frequency
  Showing Mobile Account Status in the User’s Menu Bar
  Managing Network Preferences
  Configuring Proxy Servers by Port
  Allowing Users to Bypass Proxy Servers for Specific Domains
  Enabling Passive FTP Mode
  Disabling Internet Sharing
  Disabling AirPort
  Disabling Bluetooth
  Managing Parental Controls Preferences
  Hiding Profanity in Dictionary
  Preventing Access to Adult Websites
  Allowing Access Only to Specific Websites
  Setting Time Limits and Curfews on Computer Usage
  Managing Printing Preferences
  Making Printers Available to Users
  Preventing Users from Modifying the Printer List
  Restricting Access to Printers Connected to a Computer
  Setting a Default Printer
  Restricting Access to Printers
  Adding a Page Footer to All Printouts
  Managing Software Update Preferences
  Managing Access to System Preferences
  Managing Time Machine Preferences
  Managing Universal Access Preferences
  Adjusting the User’s Display Settings
  Setting a Visual Alert
  Adjusting Keyboard Accessibility Options
  Adjusting Mouse and Pointer Responsiveness
  Enabling Universal Access Shortcuts
  Allowing Devices for Users with Special Needs
  Using the Preference Editor with Preference Manifests
  Adding to the Preference Editor’s List
  Editing Application Preferences with the Preference Editor
  Removing an Application’s Managed Preferences in the Preference Editor
  Using the Preference Editor to Manage Core Services
  Using the Preference Editor to Manage Safari
Chapter 11  Solving Problems
  Diagnosing Common Network Issues
  Testing Your Network’s Time and Time Zones
  Testing Your DNS Service
  Testing Your DHCP Service
  Solving Account Problems
  If You Want to Use Earlier Versions of Workgroup Manager
  If You Can’t Edit an Account Using Workgroup Manager
  If Users Can’t See Their Names in the Login Window
  If You Can’t Unlock an LDAP Directory
  If You Can’t Modify a User’s Open Directory Password
  If You Can’t Change a User’s Password Type to Open Directory
  If You Can’t Assign Server Administrator Privileges
  If Users Can’t Log In or Authenticate
  If Users Relying on a Password Server Can’t Log In
  If Users Can’t Log In with Accounts in a Shared Directory Domain
  If Users Can’t Access Their Home Folders
  If Users Can’t Change Their Passwords
  If Users Can’t Authenticate Using Single Sign-On or Kerberos
  Problems with a Primary or Backup Domain Controller
  If a Windows User Can’t Log in to the Windows Domain
  If a Windows User Has No Home Folder
  If a Windows User’s Profile Settings Revert to Defaults
  If a Windows User Loses the Contents of the My Documents Folder
  Solving Preference Management Problems
  Testing Your Managed Client Settings
  If Users Don’t See a List of Workgroups at Login
  If Users Can’t Open Files
  If Users Can’t Add Printers to a Printer List
  If Login Items Added by a User Don’t Open
  If Items Placed in the Dock by a User Are Missing
  If a User’s Dock Has Duplicate Items
  If Users See a Question Mark in the Dock
  If Users See a Message About an Unexpected Error
  If You Can’t Manage Network Views

Appendix  Importing and Exporting Account Information
  Understanding What You Can Import and Export
  Limitations for Importing and Exporting Passwords
  Maintaining GUIDs When Importing from Earlier Versions of Mac OS X Server
  Archiving the Open Directory Master
  Using Workgroup Manager to Import Accounts
  Using Workgroup Manager to Export Accounts
  Using XML Files Created with Mac OS X Server v10.1 or Earlier
  Using XML Files Created with AppleShare IP 6.3

Glossary

Index
Preface
About This Guide
This guide explains how to use Workgroup Manager to set up
and manage accounts and preferences for clients.
Mac OS X Server includes Workgroup Manager, a user management tool you can use to
create and manage accounts.
When managing accounts, you can define core account settings like name, password,
home folder location, and group membership. You can also manage preferences,
allowing you to customize the user’s experience, granting or restricting access to his or
her own computer’s settings and to network resources.
Workgroup Manager works closely with a directory domain. Directory domains are like
databases but are specifically designed for storing account information and handling
authentication.
What’s New in Workgroup Manager
• Computer accounts and computer groups. You can create computer accounts for
individual computers. By managing computer accounts individually, you can fully
customize preference management settings for those computers.
You can create computer groups composed of these individual computer accounts,
or of hierarchical groups. Managed preferences for a parent computer group in a
hierarchical group also apply to child computer groups.
The addition of computer accounts and computer groups eases administration and
increases flexibility. For more information, see Chapter 6, “Setting Up Computers and
Computer Groups.”
• Improved mobile accounts. Mobile accounts are now more secure, efficient, and
portable.
You can protect mobile accounts with FileVault. You can set account expiry options
so that local home folders are deleted after a period of inactivity. You can also create
mobile accounts on an external drive, so users can still access a synced home folder
with cached managed preferences even when they don’t have their computers.
You can enable these features by managing Mobility preferences. For more
information, see Chapter 8, “Managing Portable Computers.”
• New managed preferences. Preferences now let you manage Parental Controls,
Dashboard, Front Row, and Time Machine. Existing preferences have been enhanced,
using embedded and detached signatures to prevent the launching of unapproved
applications, giving you more control over the login window, and letting you create
page footers on printed documents. For more information, see Chapter 10,
“Managing Preferences.”
What’s in This Guide
This guide includes the following chapters:
• Chapter 1, “User Management Overview,” highlights important concepts, introduces
user management tools, and tells you where to find additional information about
user management and related topics.
• Chapter 2, “Getting Started with User Management,” provides planning and setup
information to create a user management environment.
• Chapter 3, “Getting Started with Workgroup Manager,” describes how to set up
Workgroup Manager and use its core features.
• Chapters 4, 5, and 6 explain how to use Workgroup Manager to set up users, groups,
computers, and computer groups.
• Chapter 7, “Setting Up Home Folders,” covers creating home folders.
• Chapter 8, “Managing Portable Computers,” details considerations for managing
portable computers.
• Chapter 9, “Client Management Overview,” introduces client management tools and
concepts, such as how to customize a user’s work environment and provide user
access to network resources.
• Chapter 10, “Managing Preferences,” describes how to use Workgroup Manager to
control preference settings for users, groups, computers, and computer groups that
use Mac OS X.
• Chapter 11, “Solving Problems,” helps you address issues involving account creation,
home folder maintenance, preference management, and client setup, and also helps
you solve problems encountered by managed clients.
In addition, the appendix, “Importing and Exporting Account Information,” provides
information you’ll need when you want to transfer account information to or from an
external file.
Finally, the glossary defines terms you’ll encounter as you read this guide.
Note: Because Apple periodically releases new versions and updates to its software,
images shown in this book may be different from what you see on your screen.
Using Onscreen Help
You can get task instructions onscreen in the Help Viewer application while you’re
managing Leopard Server. You can view help on a server or an administrator computer.
(An administrator computer is a Mac OS X computer with Leopard Server
administration software installed on it.)
To get help for an advanced configuration of Leopard Server:
Open Server Admin or Workgroup Manager and then:
• Use the Help menu to search for a task you want to perform.
• Choose Help > Server Admin Help or Help > Workgroup Manager Help to browse
and search the help topics.
The onscreen help contains instructions taken from Server Administration and other
advanced administration guides described in “Mac OS X Server Administration Guides,”
next.
To see the most recent server help topics:
Make sure the server or administrator computer is connected to the Internet while
you’re getting help.
Help Viewer automatically retrieves and caches the most recent server help topics from
the Internet. When not connected to the Internet, Help Viewer displays cached help
topics.
Mac OS X Server Administration Guides
Getting Started covers installation and setup for standard and workgroup configurations
of Mac OS X Server. For advanced configurations, Server Administration covers planning,
installation, setup, and general server administration. A suite of additional guides, listed
below, covers advanced planning, setup, and management of individual services. You
can get these guides in PDF format from the Mac OS X Server documentation website:
www.apple.com/server/documentation
This guide ... tells you how to:
  Getting Started and Installation & Setup Worksheet: Install Mac OS X Server and set it up for the first time.
  Command-Line Administration: Install, set up, and manage Mac OS X Server using UNIX command-line tools and configuration files.
  File Services Administration: Share selected server volumes or folders among server clients using the AFP, NFS, FTP, and SMB protocols.
  iCal Service Administration: Set up and manage iCal shared calendar service.
  iChat Service Administration: Set up and manage iChat instant messaging service.
  Mac OS X Security Configuration: Make Mac OS X computers (clients) more secure, as required by enterprise and government customers.
  Mac OS X Server Security Configuration: Make Mac OS X Server and the computer it’s installed on more secure, as required by enterprise and government customers.
  Mail Service Administration: Set up and manage IMAP, POP, and SMTP mail services on the server.
  Network Services Administration: Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall, NAT, and RADIUS services on the server.
  Open Directory Administration: Set up and manage directory and authentication services, and configure clients to access directory services.
  Podcast Producer Administration: Set up and manage Podcast Producer service to record, process, and distribute podcasts.
  Print Service Administration: Host shared printers and manage their associated queues and print jobs.
  QuickTime Streaming and Broadcasting Administration: Capture and encode QuickTime content. Set up and manage QuickTime streaming service to deliver media streams live or on demand.
  Server Administration: Perform advanced installation and setup of server software, and manage options that apply to multiple services or to the server as a whole.
  System Imaging and Software Update Administration: Use NetBoot, NetInstall, and Software Update to automate the management of operating system and other software used by client computers.
  Upgrading and Migrating: Use data and service settings from an earlier version of Mac OS X Server or Windows NT.
  User Management: Create and manage user accounts, groups, and computers. Set up managed preferences for Mac OS X clients.
  Web Technologies Administration: Set up and manage web technologies, including web, blog, webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV.
  Xgrid Administration and High Performance Computing: Set up and manage computational clusters of Xserve systems and Mac computers.
  Mac OS X Server Glossary: Learn about terms used for server and storage products.
Viewing PDF Guides Onscreen
While reading the PDF version of a guide onscreen:
• Show bookmarks to see the guide’s outline, and click a bookmark to jump to the
corresponding section.
• Search for a word or phrase to see a list of places where it appears in the document.
Click a listed place to see the page where it occurs.
• Click a cross-reference to jump to the referenced section. Click a web link to visit the
website in your browser.
Printing PDF Guides
If you want to print a guide, you can take these steps to save paper and ink:
• Save ink or toner by not printing the cover page.
• Save color ink on a color printer by looking in the panes of the Print dialog for an
option to print in grays or black and white.
• Reduce the bulk of the printed document and save paper by printing more than one
page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting
Started). Then choose Layout from the untitled pop-up menu. If your printer supports
two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose
2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from
the Border menu. (If you’re using Mac OS X version 10.4 or earlier, the Scale setting is
in the Page Setup dialog and the Layout settings are in the Print dialog.)
You may want to enlarge the printed pages even if you don’t print double sided,
because the PDF page size is smaller than standard printer paper. In the Print dialog or
Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has
CD-size pages).
Getting Documentation Updates
Periodically, Apple posts revised help pages and new editions of guides. Some revised
help pages update the latest editions of the guides.
• To view new onscreen help topics for a server application, make sure your server or
administrator computer is connected to the Internet and click “Latest help topics” or
“Staying current” in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server
documentation website:
www.apple.com/server/documentation
Getting Additional Information
For more information, consult these resources:
• Read Me documents—important updates and special information. Look for them on
the server discs.
• Mac OS X Server website (www.apple.com/server/macosx)—gateway to extensive
product and technology information.
• Mac OS X Server Support website (www.apple.com/support/macosxserver)—access to
hundreds of articles from Apple’s support organization.
• Apple Discussions website (discussions.apple.com)—a way to share questions,
knowledge, and advice with other administrators.
• Apple Mailing Lists website (www.lists.apple.com)—subscribe to mailing lists so you
can communicate with other administrators using email.

Chapter 1  User Management Overview
This chapter introduces user management concepts and
describes the applications used to manage accounts and
privileges.
User management encompasses everything from setting up accounts for network
access and creating home folders, to fine-tuning the user experience by managing
preferences and settings for users, groups, computers and computer groups. Mac OS X
Server provides tools for accomplishing these tasks and more.
Tools for User Management
User management tools and technologies in Mac OS X Server include Workgroup
Manager, Server Admin, NetBoot, and NetInstall.
Workgroup Manager
Workgroup Manager is a powerful tool that delivers features for comprehensive
management of Macintosh clients.
You can use Workgroup Manager on a computer with Mac OS X or Mac OS X Server
installed.
Workgroup Manager provides a centralized method of managing Mac OS X computers,
controlling access to software and removable media, and providing a consistent,
personalized experience for users at different levels, whether they’re beginners in a
classroom or advanced users in an office.
You use Workgroup Manager to create user accounts and set up groups to provide
convenient access to resources. You can:
• Use account settings and managed preferences to achieve the level of administrative
control you need, while making the user experience more efficient
• Manage Finder, login, media access, and print settings
• Control access to computers and restrict the applications allowed to run on them
Using Workgroup Manager with Mac OS X Server services, you can:
• Customize the work environments of network users by organizing their desktop
resources and personal files
• Enable services that require user accounts, such as mail, file sharing, iChat service,
and web service
• Share system resources, such as printers and computers, maximizing their availability
and ensuring that disk space and printer usage remains equitably shared
To get started with Workgroup Manager, see Chapter 3, “Getting Started with
Workgroup Manager.”
Server Admin
The Server Admin application provides access to various tools and services that play a
role in server management.
After installing the Mac OS X Server software, use Server Admin to set up directory
services and establish your network. Then use Workgroup Manager to create and
manage accounts. After that, use Server Admin to set up additional services to provide
mail service, host websites, share printers, and create share points (which allow users to
share folders and files).
For information about how to use the many services managed through Server Admin,
see the service administration guides. The following table lists common server
administration tasks and includes the location of related documentation.
To do this ... see this document:
  Assign permissions to folders and files in a share point: File Services Administration
  Share printers among users: Print Service Administration
  Set up websites or WebDAV support on the server: Web Technologies Administration
  Provide email service for users: Mail Service Administration
  Broadcast multimedia from the server in real time: QuickTime Streaming Server Administration
  Provide identical operating system and applications folders for client computers: System Imaging and Software Update Administration
  Install applications across a network: System Imaging and Software Update Administration
  Share information among multiple Mac OS X Server systems or Mac OS X computers: Open Directory Administration
For a complete list of Mac OS X Server documentation, see “Mac OS X Server
Administration Guides” on page 16.
Server Preferences
If you use the standard or workgroup configuration of Mac OS X Server, you can use
Server Preferences to configure key features of collaboration and file services. Its
streamlined approach allows novice system administrators to quickly configure a server
without requiring much technical knowledge.
You can also use Server Preferences to configure user and group accounts (such as
setting passwords, enabling services, and assigning group membership). However, you
can’t use Server Preferences to manage preferences.
For more information, see Getting Started and Server Preferences Help.
NetBoot
Mac OS X computers can start up from a network-based NetBoot image, providing
quick and easy configuration of department, classroom, and individual systems, as well
as web and application servers, throughout a network.
When you update a NetBoot image, all computers using NetBoot have instant access to
the new configuration. To customize the computer setup for different groups of clients,
you can set up multiple NetBoot images. These features provide quick setup and a
customized user experience.
NetBoot simplifies administration and reduces the support normally associated with
large-scale deployments of network-based Macintosh computers. It’s ideal for an
organization with client computers that are identically configured. For example,
NetBoot can be a powerful solution for a data center that needs multiple, identically
configured web and application servers.
With NetBoot, you can quickly configure and update client computers by updating a
NetBoot image stored on the server. NetBoot images contain the operating system and
application folders for all clients on the server, so that changes made on the server are
reflected on the clients when they restart. Systems that are compromised or otherwise
altered can be instantly restored by restarting them.
You use System Image Utility to create and modify NetBoot images, and then use
NetBoot to deploy NetBoot images.
For more information about these tools, or about installing an operating system over a
network, see System Imaging and Software Update Administration.
NetInstall
NetInstall is a centralized software installation service that lets you use installation
images to selectively and automatically install, restore, or upgrade network-based
Macintosh systems. Those images can contain the latest version of Mac OS X, a
software update, site-licensed or custom applications, or configuration scripts.
You can use NetInstall to upgrade operating systems, install software updates and
custom software packages, or re-image desktop and portable computers. You can
create custom installation packages for various departments in an organization, such as
marketing, engineering, and sales.
Using NetInstall, it’s not necessary to use CDs or DVDs to configure a computer. All
installation files and packages reside on the server.
Use NetInstall to run pre- and post-installation scripts to perform system commands
before or after the installation of a software package or system image.
To create NetInstall packages, use System Image Utility or PackageMaker. Then use
NetBoot to deploy NetInstall packages. For more information about using these tools
with NetInstall, see System Imaging and Software Update Administration.
Command-Line Tools
Mac OS X Server v10.5 includes several client-management command-line tools. For
example, the dscl tool allows you to view and edit account settings and manage
preferences, while the mcxquery tool reports the managed preferences that are
effective for a particular user.
Use the mcxquery tool to review how combined and overridden managed preferences
interact at the user, group, computer, or computer group level. The tool also
determines which directory domain stores those managed preference settings.
For more information about client-management command-line tools, see Command-Line Administration.
Accounts
To manage accounts, you use an administrator account. With an administrator account,
you can set up and manage the following account types:
 User accounts
 Group accounts
 Computer accounts
 Computer groups
When creating a user account, you must specify a user name and password, which is
needed to prove the user’s identity. You can also specify a user identification number
(user ID), which is useful for folder and file permissions. Other user account information
is used by various services to determine what the user is authorized to do and to
personalize the user’s environment.
In addition to the accounts you create, Mac OS X Server also has predefined user and
group accounts, some of which are reserved for use by Mac OS X.
Administrator Accounts
Users with server administration or directory domain administration privileges are
known as administrators. An administrator can be a server administrator, domain
administrator, or both.
Server administrator privileges determine whether a user can change the settings of a
particular server.
Domain administrator privileges determine the extent to which an administrator can
change account settings for users, groups, computers, and computer groups in the
directory domain.
Server Administration
Server administration privileges determine the functions available to a user when
logged in to a particular Mac OS X Server. For example, a server administrator can use
Directory Utility to make changes to a server’s search policy.
When you assign server administration privileges to a user, the user is added to the
“admin” group in the server’s local directory domain. Many Mac OS X applications—
such as Server Admin, Directory Utility, and System Preferences—use the admin group
to determine whether a particular user can perform certain administrative activities
with the application.
Local Mac OS X Computer Administration
Any user who belongs to the admin group in the local directory domain of any
Mac OS X computer has administrator privileges on that computer.
Limited Administration
You can control the extent to which a limited administrator can use Workgroup
Manager to change account data stored in a domain. For example, you can set up
directory domain privileges so your network administrator can add and remove user
accounts, but allow limited administrators to change the information for particular
users. Or, you can designate multiple limited administrators to manage different
groups.
For more information, see “Giving a User Limited Administrative Capabilities” on
page 70.
Directory Domain Administration
When you create a directory domain in Mac OS X Server, a domain administrator
account is created and added to the admin group in the domain. If you plan to connect
your directory domain to other directory domains, make sure you choose a unique
name and user ID for each domain.
When you assign full directory domain administration privileges to a user, the user is
added to the “admin” group in the directory domain. This does not grant the user local
admin privileges on the servers hosting this directory domain or on any other servers
or clients bound to this directory domain.
Each directory domain has a domain administrator account, and a domain
administrator can create additional domain administrators in the same domain. Any
user with a user account in a directory domain can be made a directory domain
administrator (an administrator of that domain).
For more information, see “Giving a User Full Administrative Capabilities” on page 72.
User Accounts
Depending on how you set up server and user accounts, you can use Mac OS X Server
to support users who log in using Mac OS X computers, Windows computers, or UNIX
computers.
Most users have an individual account used to authenticate them and control their
access to services. When you want to personalize a user’s environment, you define user,
group, computer, or computer group preferences for that user.
The term managed client or managed user refers to a user who has administrator-
controlled preferences associated with his or her account. Managed client is also used
to refer to computers or computer groups that have preferences defined for them.
To learn more about how to set up user accounts, see Chapter 4, “Setting Up User
Accounts.” To specify the preferences for user accounts, see Chapter 10, “Managing
Preferences.”
Guest Account
You can provide services for users who can’t be authenticated because they don’t have
a valid user name or password. These users are known as guest users. If your computers
run Mac OS X v10.5 or later, you can enable a guest account, which is specifically
designed for guest users.
The guest account allows anonymous access to a computer. The guest account has a
local home folder that has its contents erased when the user logs in or out of the guest
account.
The guest account is best used for common-access computers, such as those in a
library or open lab where you may not need to log user access and where the user
maintains his or her files separate from the local computer.
For some services, like Apple Filing Protocol (AFP), you can let guest users access files.
Instead of authenticating with a name and a password, a guest user connects as a
guest, not as a registered user. Guests are restricted to files and folders with
permissions set to Everyone.
Group Accounts
To ease user administration, you can create group accounts. A group is a collection of
users who have similar needs. For example, you can add all English teachers to one
group and allow that group to access certain files or folders on a volume.
Groups simplify the administration of shared resources. Instead of granting access to
various resources for each user who needs access, you can add users to a group and
then grant access to everyone in the group.
Use group account settings to control user access to folders and files. For more
information, see “Folder and File Access by Other Users” on page 28.
A group can be a member of another group. A group that contains another group is
called a parent group. The group contained in the parent group is called a hierarchical
group. Hierarchical groups are useful for inheriting access permissions and managed
preferences.
To learn more about how to set up group accounts, see Chapter 5, “Setting Up Group
Accounts.” To specify preferences for group accounts, see Chapter 10, “Managing
Preferences.”
Workgroups
When you define preferences for a group, it becomes a workgroup. A workgroup lets
you manage the work environment of group members.
Workgroup preferences are stored in the group account. For a description of
workgroup preferences, see Chapter 10, “Managing Preferences.”
Group Folders
When you define a group, you can also specify a folder for storing files that you want
group members to share. The location of the folder is stored in the group account.
You can give users permission to write to a group folder, or to change group folder
attributes in the Finder.
Computer Accounts
Computer accounts allow you to identify and manage individual computers.
To create a computer account, you need the computer’s Ethernet ID. When creating the
account, you can also associate it with an IP address. After creating the account, you
can manage its preferences or add it to a computer group.
For more information about setting up computer accounts, see Chapter 6, “Setting Up
Computers and Computer Groups.” To specify preferences for Mac OS X computer
accounts, see Chapter 10, “Managing Preferences.”
Guest Computers
Most computers on your network should have a computer account. If an unknown
computer (one that doesn’t have a computer account) connects to your network and
attempts to access services, that computer is treated as a guest. Settings chosen for the
Guest Computer account apply to unknown guest computers.
Computer Groups
A computer group is composed of one or more computer accounts or computer
groups. By combining these into a single computer group, you can apply the same
managed preferences to all its members.
To learn more about how to set up computer groups for Mac OS X client computers,
see Chapter 6, “Setting Up Computers and Computer Groups.” To specify preferences
for Mac OS X computer groups, see Chapter 10, “Managing Preferences.”
The User Experience
After you create an account for a user, the user can access server resources according
to the permissions you set.
The user experience depends on the type of user, permissions set, type of client
computer in use (such as Windows or UNIX), whether the user is a member of a group,
and whether preference management is implemented at the user, group, or computer
level.
For more information about the Mac OS X user experience, see Chapter 9, “Client
Management Overview.” Basic information about authentication, identity validation,
and information-access control is given in the following sections.
Authentication and Identity Validation
Before a user can log in or connect to a Mac OS X computer, he or she must enter a
name and password associated with a user account accessible by the computer.
A Mac OS X computer can access user accounts that are stored in a directory domain of
the computer’s search policy:
 A directory domain stores information about users and resources. It is like a database
that a computer accesses to retrieve configuration information.
 A search policy is a list of directory domains that the computer searches when it
needs configuration information, starting with the local directory domain on the
user’s computer.
The following illustration shows a user logging in to an account in a directory domain
in the computer’s search policy.
[Illustration: “Log in to Mac OS X” using the “Directory domains in search policy”]
After login, the user can connect to a remote server to access its services (if the user’s
account is located in the server’s search policy).
[Illustration: “Connect to Mac OS X Server” using the “Directory domains in search policy”]
If Mac OS X finds a user account containing the name entered by the user, it attempts
to validate the password associated with the account. If the password is validated, the
user is authenticated and the login or connection process is completed.
Mac OS X Server validates passwords using Kerberos, Open Directory Password Server,
shadow passwords, and crypt passwords.
For more information about types of directory domains and instructions for
configuring search policies, see Open Directory Administration. This guide also discusses
authentication methods and provides instructions for setting up user authentication
options.
Information Access Control
To control access to information, a universal ID called a globally unique identifier (GUID)
provides user and group identity for access control list (ACL) permissions.
An ACL is a list of access control entries (ACEs), each specifying the permissions to be
granted or denied to a group or user, and how these permissions are propagated
throughout a folder hierarchy. The GUID also associates a user with group and
hierarchical group memberships.
Prior to Mac OS X v10.4, Mac OS X used user ID and POSIX permissions to track folder
and file permissions. In Mac OS X, folders or files include POSIX permissions for entities
such as:
 Owner
 Group
 Everyone else
Because GUIDs are 128-bit values, duplicate GUIDs are extremely unlikely. Unlike ACL
permissions, POSIX permissions can cause file-ownership and group-membership
issues when multiple users have identical short names or user IDs. When using GUIDs,
users with the same short name or user ID can have different ACL permissions.
The introduction of GUIDs does not change or remove POSIX permissions, so it does
not affect the interoperability of Mac OS X with legacy UNIX systems or other operating
systems.
Folder and File Owner Access
When a folder or file is created, the file system stores the user ID of the user who
created the file or folder as its owner. By default, when a user with that user ID accesses
the folder or file, he or she can read and write to it. Also, any process started by the
user who creates the file or folder can read and write to any files associated with that
same user ID.
If you change a user ID, the user may not be able to modify or access files and folders
he or she created. Likewise, if the user logs in as a user whose user ID is different from
the user ID he or she used to create the files and folders, the user no longer has owner
permissions for those files and folders.
Folder and File Access by Other Users
The use of GUIDs in conjunction with ACLs determines the files that users and groups
can access. Also, the user ID, in conjunction with a group ID, is used to control access.
Every user belongs to a primary group. The primary group ID for a user is stored in the
user’s account. When a user accesses a folder or file and the user isn’t the owner, the file
system checks the file’s group permissions, and the following occurs:
 If the user’s primary group ID matches the ID of the group associated with the file,
the user inherits group permissions.
 If the user’s primary group ID doesn’t match the file’s group ID, Mac OS X searches for
the group account that has permission to access the file. When the group is found, all
members of that group and subsequent hierarchical groups are given permission to
that file.
 If neither of these cases apply, the user’s access permissions default to the generic
“everyone.”
ACLs and POSIX Permissions
Every file and folder has POSIX permissions. Unless an administrator assigns ACL
permissions, POSIX permissions continue to define user access. If you assign ACL
permissions, they take precedence over standard POSIX permissions.
If a file has ACL permissions, but none apply to the user, the POSIX permissions
determine user access. If a file has multiple ACEs that apply to a user, the first
applicable ACE takes precedence, and subsequent ACEs are ignored.
For more information about ACL and POSIX permissions, see File Services Administration.
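The access decision described in “Folder and File Access by Other Users” and “ACLs and POSIX Permissions” above, modelled as an added example (not code from Apple or this guide): ACEs are checked first and the first applicable one wins; if none applies, the POSIX owner, group and everyone bits decide, with group membership resolved by GUID through hierarchical groups. All users, groups, GUIDs and the file entry are constructed sample data, and the real ACE semantics are richer than this simplified model.

```python
from dataclasses import dataclass
@dataclass
class User:
    guid: str          # constructed sample GUID (real GUIDs are 128-bit values)
    uid: int           # POSIX user ID
    primary_gid: int   # primary group ID stored in the user account

@dataclass
class Group:
    gid: int
    members: frozenset                   # GUIDs of member users
    subgroups: frozenset = frozenset()   # GUIDs of nested (hierarchical) groups

@dataclass
class ACE:
    principal: str     # user or group GUID this entry applies to
    allow: bool        # True grants, False denies the listed permissions
    perms: frozenset   # e.g. frozenset({"read", "write"})

@dataclass
class Entry:
    owner_uid: int
    gid: int
    posix: dict        # {"owner": {...}, "group": {...}, "everyone": {...}}
    acl: list          # ordered ACEs; the first applicable one wins

def effective_groups(user, groups):
    """GUIDs of every group the user is in, directly or through a parent group
    that contains one of the user's groups (hierarchical membership)."""
    found = {g for g, grp in groups.items() if user.guid in grp.members}
    while True:
        parents = {g for g, grp in groups.items() if g not in found and grp.subgroups & found}
        if not parents:
            return found
        found |= parents

def can_access(user, groups, entry, perm):
    """Decide one permission as the guide describes: ACL first (first applicable
    ACE takes precedence), then POSIX owner, group, everyone."""
    principals = {user.guid} | effective_groups(user, groups)
    for ace in entry.acl:
        if ace.principal in principals and perm in ace.perms:
            return ace.allow
    if user.uid == entry.owner_uid:        # ownership is tracked by user ID
        return perm in entry.posix["owner"]
    gids = {user.primary_gid} | {groups[g].gid for g in principals if g in groups}
    return perm in entry.posix["group" if entry.gid in gids else "everyone"]

# Constructed sample data: Teachers is nested in Staff, so Staff is its parent group.
GROUPS = {
    "G-TEACHERS": Group(gid=1001, members=frozenset({"U-ALICE"})),
    "G-STAFF": Group(gid=1002, members=frozenset(), subgroups=frozenset({"G-TEACHERS"})),
}
ALICE = User(guid="U-ALICE", uid=501, primary_gid=20)
BOB = User(guid="U-BOB", uid=502, primary_gid=20)
REPORT = Entry(owner_uid=503, gid=1002,
               posix={"owner": {"read", "write"}, "group": {"read"}, "everyone": set()},
               acl=[ACE("U-BOB", True, frozenset({"read"})),       # explicit grant to Bob
                    ACE("G-STAFF", False, frozenset({"write"}))])  # deny write to all Staff
```

Alice reads REPORT through the Staff group's POSIX bits (no ACE mentions read for her) but is denied write by the Staff ACE; Bob reads it only because of his explicit ACE, since the POSIX everyone bits grant nothing.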
SIDs and Windows Interoperability
Mac OS X computers work seamlessly with Windows computers because Mac OS X
assigns a security identifier (SID) to a process or file when it assigns a GUID to the
process or file. A SID is a Windows identifier that has similar functionality to a GUID on
a Mac OS X computer.
When Windows users access share points using Server Message Block (SMB), they
transfer SIDs, not GUIDs. When Mac OS X Server receives SIDs, it retrieves the user
accounts with the corresponding GUIDs.
Windows servers use Active Directory as their directory domain. If a user account is
moved to a different Active Directory domain, it receives a new SID but not a new
GUID. The user still has access permissions assigned to old SIDs because Active
Directory keeps track of SID history in user accounts.