Apple Mac OS X Server 10.5 Leopard User Manual
Contents
1. When you finish adding or removing keywords for the selected user account, click Save.

Editing Comments

You can save a comment in a user's account to provide information you might need to help administer a user. A comment can contain no more than 32,767 bytes.

Note: Some character sets use characters that occupy up to 4 bytes. This reduces the total number of characters you can use.

You can use Workgroup Manager to add a comment to an account stored in an Open Directory domain, the local directory domain, or other read/write directory domain. You can also use Workgroup Manager to review the comment in any directory domain accessible from the server you're using.

To work with a comment using Workgroup Manager:
In Workgroup Manager, click Accounts.
Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
To authenticate, click the lock and enter the name and password of a directory domain administrator.
Click Advanced and edit or review the contents of the Comment field.

Working with Group Settings

Group settings identify the groups a user belongs to. In Workgroup Manager, use the Group Settings pane in the user's account to work with group settings. For information about how to administer group accounts, see Chapter 5, "Setting Up Group Accounts."
2. Choosing a User's Primary Group

A primary group is the fastest way to determine whether a user has group permissions for a file. The primary group ID is used by the file system when the user accesses a file that he or she doesn't own. The file system checks the file's group permissions, and if the primary group ID of the user matches the ID of the group associated with the file, the user inherits group access permissions.

Important: Don't rely on primary group membership when assigning file permissions. Although you can make a primary group a hierarchical group or a parent of hierarchical groups, the file permissions for the primary group do not propagate. If a user's primary group is a hierarchical group or the parent of a hierarchical group, the user is granted file permissions only for the primary group.

If the user does not belong to other groups, the user belongs to the primary group. If a user selects a different workgroup at login, the user still retains access permissions from the primary group.

The primary group ID should be a unique string of digits. By default, the primary group ID is 20, which identifies the group as "staff," but you can change it. The maximum value for a group ID is 2,147,483,647.

Use Workgroup Manager to define the primary group ID of an account stored in an Open Directory domain, the local directory domain, or other read/write directory domain. You can also use Workgroup Manager to review the primar
3. Click Groups. Except for the primary group, all other groups the user belongs to are listed in the Other Groups list. To view parent groups, click Show Inherited Groups. Parent groups are shown in italics.

Adding a User to a Group

Add a user to a group when you want multiple users to have the same file permissions or when you want to manage their Mac OS X preferences using workgroups or computer groups. For example, you can have groups for students in a classroom who are not permitted to use a particular printer, or for the quality control team in a factory that requires access to the internal reports of different groups.

Groups can include users and groups that are in an Open Directory domain or the local directory domain. If you use an NFS directory, there is a 16-group limitation.

You can also add users to a group using the Members pane in the group account.

If a user is a direct member of multiple groups, he or she can choose which group to acquire managed preferences from when logging in. You can manage Login preferences so that preferences are combined from all workgroups accessible by the user.

Note: There is no limit to the number of groups a user can belong to.

To add a user to a group using Workgroup Manager:
In Workgroup Manager, click Accounts.
Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the
4. Click Options and then set the management setting to Always.
Click Every and drag the slider to set the frequency for background folder sync. If you want background folders to sync only when users choose to sync, click Manually. The default frequency is 20 minutes. The frequency you set also affects folders that users configure to sync automatically.
Click Apply Now.

Showing Mobile Account Status in the User's Menu Bar

If your mobile account users run Mac OS X v10.5 or later, you can add a mobile account status menu to their menu bar. This status menu allows the user to do the following:
• View when he or she last synced
• Initiate a sync
• Change their home sync preferences

Home sync preferences correspond to Mobility preferences in Workgroup Manager. If you manage particular Mobility preferences, users can't change those preferences. Home sync preferences include the following settings:
• Setting the home folder location
• Enabling FileVault
• Enabling background login and logout sync
• Selecting what is synced
• Setting the sync frequency
• Enabling the mobile account status menu

If you disable the mobile account status menu, the user can still configure his or her mobile account in the Accounts pane of System Preferences.

To show mobile account status in the user's menu bar:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and yo
5. If you add an item that is on both the server and the user's computer, clicking the icon opens the item on the user's computer or mounted volume.

If Users See a Message About an Unexpected Error

When you manage Classic preferences and try to use the Extensions Manager, File Sharing, or Software Update control panels, you might see a message that says "The operation could not be completed. An unexpected error occurred (error code -1016)." This message indicates that an administrator has restricted access to the item the user attempted to use, such as an application the user is not allowed to open. Users can't access the control panels mentioned above when Classic preferences are managed.

Users may also see this message if you select "Hide Chooser and Network Browser" and they attempt to use the Chooser. The message also appears when a user tries to open an unapproved application (one not listed in the Items pane of the Applications preference in Workgroup Manager) in the Classic environment or in Mac OS X.

If You Can't Manage Network Views

Mac OS X Server v10.5 doesn't support managed network views. To manage network views hosted on servers running Mac OS X Server v10.4, use the Workgroup Manager included with Mac OS X Server v10.4.

Appendix: Importing and Exporting Account Information

Use Workgroup Manager to import and export accounts, or use
6. "Modifying User IDs" on page 67.

You can customize the login window to suit your needs. For example, to test a computer's ability to access the directory domain, you could change the heading to "Directory status" and display a list of network users. Or, to prevent unauthorized access, you could create a warning message, display the name and password fields (forcing intruders to know a user's name and password), and disable showing the Restart and Shut Down buttons to help prevent intruders from bypassing the login window.

To change the appearance of the Login Window:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more computers or computer groups.
Click Login and then click Window.
Set the management setting to Always.
To change the default heading, choose a heading from the Heading pop-up menu. Users can view other headings by clicking the heading in the login window.
To display a message below the login window's heading, enter a message in Message.
To require the user to enter his or her user name and password, select "Name and password text fields."
To allow a user to select his or her name from a list, select "List of users able to use these computers." Select categories of users yo
7. Some applications use ByHost preferences. These preferences apply to a specific user for a specific computer. For example, if a network user sets screen saver preferences, they are saved as ByHost preferences. The user's screen saver preferences are saved for the current computer but are not applied when the user uses other computers.

If your users typically run Mac OS X v10.5 or later, it's usually a good idea to import preferences as ByHost preferences. If your users typically run earlier versions of Mac OS X, don't import preferences as ByHost preferences.

Some applications use but don't properly respect ByHost preferences. Test your settings with "Import as ByHost preferences" selected and deselected to see if the application you're managing respects ByHost preferences.

To add to the preference editor's list:
In Workgroup Manager, click Preferences and then click Details.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click the Add button.
Select an application in Applications or a plist file located in Library/Preferences. Applications without preference manifests appear in italics.
If you've selected an application and set preferences for it, you can select "Import my
8. To restrict access to a printer connected to a specific computer:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click Printing and then click Printers.
Set the management setting to Always.
Click Printer List. If it's a network printer you want the client computer to have access to, select the printer and then click Add to List.
If you don't want users to access local printers, deselect "Allow printers that connect directly to the user's computer."
To require an administrator password to use the printer, select "Require an administrator password."
Click Apply Now.

Setting a Default Printer

After you set up a printer list, you can specify a printer as the default printer. When a user tries to print a document, this printer is the preferred selection in an application's print dialog.

To set the default printer:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, o
9. You can join Windows workstations to the Mac OS X Server primary domain controller (PDC), which is similar to the way you configure Windows workstations to join a Windows NT server domain.

If you have more than a few Macintosh client computers to set up, consider using NetInstall to create a system image that automates client computer setup. For instructions, see System Imaging and Software Update Administration.

To prevent unauthorized access to client computers, secure them from local and network threats. For information, see Mac OS X Security Configuration.

Step 7: Define user account preferences

You manage the work environment of Macintosh users whose accounts reside in a shared domain by defining user account preferences. For information about Mac OS X user preferences, see Chapter 9, "Client Management Overview," and Chapter 10, "Managing Preferences."

Step 8: Create group accounts and group folders

Use Workgroup Manager to create group accounts in directories that reside on Mac OS X Server and in other read/write directory domains. You can create group folders to distribute documents and organize group member applications. You can also set up ACLs and other access privileges to restrict a group's access to folders or files.
• For information about how to work with Mac OS X group accounts and group folders, see Chapter 5, "Setting Up Group Accounts." For in
10. • Login window settings
• The version of Mac OS X installed on your computers
• Whether the mobile account has a local home folder on the computer

For more information, see "Changing the Appearance of the Login Window" on page 189.

An external account is a special type of mobile account that is different from typical mobile accounts in the way users log in. For more information, see the next section.

Resolving Sync Conflicts

When a user's files and folders sync, a sync conflict can occur if the user's local home folder and the network home folder have two versions of a file and it is not clear which one should be saved. Sync conflicts usually occur when a mobile account user changes files on one or more computers.

When sync conflicts occur, a dialog appears that allows the user to choose which version of a file to sync. The user can keep the files in the local or network home folder, or keep both files.

The user can reset the sync history by pressing and holding the Shift and Option keys while logging in. When the sync information is reset and a sync conflict occurs, the sync conflict dialog reappears, asking which version of a file should be synced.

About External Accounts

An external account is a mobile account that has its local home folder stored on a volume in an external drive. The portable home directory is created from the local home folder stored on that externa
11. Mac OS X Server, Version 10.5 Leopard

Apple Inc. © 2007 Apple Inc. All rights reserved.

The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.

Every effort has been made to ensure that the information in this manual is accurate. Apple Inc. is not responsible for printing or clerical errors.

Apple, 1 Infinite Loop, Cupertino, CA 95014-2084, 408-996-1010, www.apple.com

Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

Apple, the Apple logo, AirPort, AppleShare, Bonjour, FireWire, iCal, iTunes, Mac, Mac OS, MacBook, Macintosh, QuickTime, SuperDrive, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop, Extensions Manager, Finder, iWork, and Safari are trademarks of Apple Inc. .Mac is a service mark of Apple Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. The Bluetooth word mark and logos are registered trademarks owned by the Bluetooth SIG, Inc., and any use of such marks by Apple is under license. Java a
12. Step 4: Set up a home folder share point

Home folders for accounts stored in shared directories can reside in a network share point accessible by the user's computer. You can set up network home folders so they can be accessed using either AFP or NFS, or you can set up home folders for exclusive use by Windows users using SMB. For information about setting up home folders using AFP, NFS, or SMB, see Chapter 7, "Setting Up Home Folders."

Step 5: Create user accounts and home folders

You can use Workgroup Manager to create user accounts in directories that reside on Mac OS X Server or in other read/write directory domains. The following sections contain instructions for creating accounts and folders:
• To create user accounts, see Chapter 4, "Setting Up User Accounts." To create mobile user accounts, see Chapter 8, "Managing Portable Computers."
• To set up home folders, see Chapter 7, "Setting Up Home Folders."

Step 6: Set up client computers

Mac OS X Server supports users of Mac OS X, Windows, and UNIX client computers. For Mac OS X computers, configure the search policy of the computers so it locates shared directory domains. For instructions, see Open Directory Administration. For setup instructions for mobile Mac OS X computers that use AirPort to communicate with Mac OS X Server, see Designing AirPort Extreme Networks at http://www.apple.com/support/manuals/airport
13. You can provide services for users who can't be authenticated because they don't have a valid user name or password. These users are known as guest users.

If your computers run Mac OS X v10.5 or later, you can enable a guest account, which is specifically designed for guest users. The guest account allows anonymous access to a computer. The guest account has a local home folder that has its contents erased when the user logs in or out of the guest account. The guest account is best used for common-access computers, such as those in a library or open lab, where you may not need to log user access and where the user maintains his or her files separate from the local computer.

For some services, like Apple Filing Protocol (AFP), you can let guest users access files. Instead of authenticating with a name and a password, a guest user connects as a guest, not as a registered user. Guests are restricted to files and folders with permissions set to Everyone.

Group Accounts

To ease user administration, you can create group accounts. A group is a collection of users who have similar needs. For example, you can add all English teachers to one group and allow that group to access certain files or folders on a volume.

Groups simplify the administration of shared resources. Instead of granting access to various resources for each user who needs access, you can add users to a group and then grant access to everyone in th
15. pop-up menu. This option applies to viewing the wiki, blog, calendar, and mailing list archive.
7. Choose who can edit the group website by using the "can write to these services" pop-up menu. This option applies to editing the wiki, blog, and calendar.
8. Click Save.

Working with Member Settings for Groups

In Workgroup Manager, use the Members pane for a group to view, add, or remove group members. When a user name in the Members list appears in italics, the group is the user's primary group.

Adding Users or Groups to a Group

When you want multiple users or groups to have the same file permissions, or when you want to apply the same management settings to all users or groups, add the users or groups to a group.

After assigning a user to a primary group, you don't need to add the user to that group. However, you must specifically add users to other groups.

You can use Workgroup Manager to add a user to a group if the user and group accounts are in an Open Directory domain or the local directory domain. Although some group information doesn't apply to Windows users, you can also add Windows users to groups you create.

Mac OS X Server v10.5 and later supports hierarchical groups (groups composed of nested groups). By managing preferences for a parent group, child groups also receive these managed preferences. For more information, see "Understanding Hierarchical Preference Management" on page 159.

To add a user to a grou
16. Apple Remote Desktop Administrator's Guide.

If you do not have Apple Remote Desktop installed, you can perform the following task to test a single computer's ability to receive DNS service.

To test your network's DNS service on a single computer:
On a network computer that is not the server providing DNS service, open Network Utility.
In the Lookup pane of Network Utility, enter the domain name of your Open Directory master server and click Lookup. The resulting log should have an answer section which displays the IP address of your Open Directory master server. If there is no answer section, or if the IP address is incorrect, perform further analysis on your DNS service.
In the Lookup pane of Network Utility, enter the IP address of your Open Directory master server and click Lookup. The resulting log should display the domain name of your Open Directory master server. If the domain name is incorrect, perform further analysis on your DNS service.

Note: Instead of using Network Utility, you can use the dig tool in Terminal. Enter the following command in Terminal:

    dig name_or_address

Replace name_or_address with the domain name or the IP address of your Open Directory master server. The resulting log should have an answer section with the correct IP address or domain name.

Testing Your DHCP Service

Your DHCP service should be configured to supply enough IP addresses to serve your network. If a co
17. [Figure: annotated screenshot of the Workgroup Manager window. Callouts: click the globe icon to select a directory domain; the server's search policy; the Users, Groups, Computers, and Computer Groups buttons; the currently selected domain (LDAPv3/127.0.0.1); click the lock to authenticate; the search field that filters the accounts list; the accounts list; the Basic, Privileges, Advanced, Groups, Home, Mail, Print Quota, Info, and Windows panes for the selected user; and the Account Summary with Location, Home, Primary Group, Mail, Print Quota, Password, and Presets fields.]

Here is how to get started with the primary Workgroup Manager tasks:
To specify the directory that stores accounts you want to work with, click the globe icon. To work with accounts in different d
19. accounts, or give specific users (for example, teachers or technical staff) administrator privileges in certain directory domains. Limited administrators can perform common administrative tasks for specified users and groups. They can manage user preferences, edit managed preferences, edit user information, and edit group membership. Giving users limited administrative privileges helps them to be more self-sufficient without putting your organization at risk.

For example, you might want to give student lab assistants the ability to manage user passwords for a small group of students, while giving teachers the ability to manage user passwords, edit user information, and edit group information for all of their classes.

Because users can be given limited administrator privileges, consider which users require domain administrator privileges. A well-planned hierarchy of administrators and users with special administrator privileges helps you distribute system administration tasks and makes workflow and network management more efficient.

When you use Server Assistant to configure your server, specify a password for the owner administrator. This password also becomes the root password for your server. Only a few server administrators need to know the root password, but sometimes it's necessary when using command-line tools such as createGroupFolder. Administrators who don't need root access can us
20. applications for their use only.

Computer group-level preferences are useful when you want to manage preferences for users regardless of group associations. At the computer group level, you might want to limit access to System Preferences, manage Energy Saver and Time Machine preferences, list particular users in the login window, and prevent the saving of files and applications to recordable discs.

Computer group preferences also offer a way to manage the preferences of users who don't have a network account but who can log in to a Mac OS X computer using a local account. The local account, defined using the Accounts pane of System Preferences, resides on the user's computer. To manage local accounts, set up a computer group that supports local-only accounts. Preferences associated with the computer group, and with any workgroup a user selects during login, take effect.

Understanding Hierarchical Preference Management

Mac OS X Server v10.5 or later includes managed hierarchical groups (groups composed of nested groups) and computer groups composed of nested computer groups. By managing preferences for a parent group or computer group, child groups or computer groups also receive these managed preferences.

Child preferences take precedence and can override parent preferences. For example, Dock settings set for a child override Dock settings set for a parent. Combined preferences come from the child and parent. F
21. are on the same volume. A user's profile directory is not subject to a disk quota if it's on a different volume from the user's home directory, or the home directory is not subject to a disk quota.

Because a quota that covers the roaming profile directory also covers the home directory, make sure the quota is adequate for an entire work session and the user's home folder. A user's profile folder includes the My Documents folder and the Internet Explorer cache, which often uses a considerable amount of disk space. The recommended minimum quotas are:
• 10 MB for a user who logs in only from Windows workstations
• 20 MB for a user who logs in from Windows and Mac OS X computers

Using Presets to Choose Default Home Folders

You can define default home folder settings to use for new users by using a preset to predefine them. For information about defining and using presets, see "Using Presets to Create Accounts" on page 62.

Moving Home Folders

To move a home folder, create a new home folder, copy the contents of the old home folder into the new home folder, and then delete the old home folder.

Deleting Home Folders

When you delete a user account, the associated home folder is not deleted. The administrator must delete the home folder manually by moving it to Trash.

Managing Portable Computers

This chapter provides information about tools available to manage portable computers. Mac OS X Server a
22. not locally.

You can enable Time Machine to perform automatic hourly backups. If you don't use automatic backup, the user can manually back up using Time Machine.

Time Machine is most appropriate for backing up computers with primarily local accounts. It is also useful if users have administrative control over the computer and can install their own applications.

You can limit the total backup storage per computer. When you limit total backup storage for a computer group, the limit applies to each computer in it. If you limit a computer group to 2 GB and the computer group has five members, the computer group can use up to 10 GB of backup storage.

Backup storage is not preallocated, so the server can run out of space before the computers reach their backup storage limit. If a user runs out of backup storage, Time Machine stops backing up data. To make sure Time Machine doesn't run out of space, make the limit larger than the expected size of the data being backed up, and don't back up system files.

You can save space on the file server by not backing up system files. System files include files that are created when Mac OS X is installed. If you don't back up system files and system files are corrupted, you must use the Mac OS X Server installation discs to reinstall Mac OS X Server. By not backing up system files, you speed up the initial backup, but you don't speed up s
23. or computer level. For more information about the Mac OS X user experience, see Chapter 9, "Client Management Overview."

Basic information about authentication, identity validation, and information access control is given in the following sections.

Authentication and Identity Validation

Before a user can log in or connect to a Mac OS X computer, he or she must enter a name and password associated with a user account accessible by the computer. A Mac OS X computer can access user accounts that are stored in a directory domain of the computer's search policy.
• A directory domain stores information about users and resources. It is like a database that a computer accesses to retrieve configuration information.
• A search policy is a list of directory domains that the computer searches when it needs configuration information, starting with the local directory domain on the user's computer.

The following illustration shows a user logging in to an account in a directory domain in the computer's search policy.

[Illustration: a user logs in to Mac OS X, which consults the directory domains in its search policy.]

After login, the user can connect to a remote server to access its services if the user's account is located in the server's search policy.

[Illustration: the user connects to Mac OS X Server, which consults the directory domains in its search policy.]

If Mac OS X finds a user account containing the name entered by the user, it attempts to v
24. sleep mode. Never. The default setting for adapter power supplies is 10 minutes. The default setting for battery power supplies is five minutes.
To do this: Use a different time interval for the computer's display
Do this: Select "Put the display to sleep when the computer is inactive for" and move the slider. The interval can't be longer than the computer's sleep setting. The default setting for battery and adapter power supplies is five minutes.
To do this: Put the hard disks to sleep
Do this: Select "Put the hard disk(s) to sleep when possible" during periods of inactivity.
To set wake and restart settings, choose Options from the Settings pop-up menu and do the following:
To do this: Wake the computer when the modem is activated
Do this: Select "Wake when the modem detects a ring."
To do this: Wake the computer when an administrator attempts remote access
Do this: Select "Wake for Ethernet network administrator access."
To do this: Make sure the computer restarts if the power fails
Do this: Select "Restart automatically after a power failure." Deselect this option to disable automatic restart.
To do this: Choose the level of processor performance
Do this: In the Processor Performance pop-up menu, select Highest, Automatic, or Reduced. For computers using an adapter, the recommended setting is Highest. For computers using a battery, the recommended setting is Automatic.
Click Apply Now.
To manually wake up a sleeping computer or display, users can click the mouse or press a key on the
25. using Workgroup Manager. Hierarchical computer groups are supported in Mac OS X Server v10.5 or later. If you add computer groups containing client computers running Mac OS X v10.4 or earlier, those clients don't receive managed preferences from parent computer groups.
To add computers or computer groups to a computer group:
1. In Workgroup Manager, click Accounts.
2. Select the computer group. To select the computer group, click the globe icon, choose the directory domain that contains the computer group, click the Computer Groups button, and then select the computer group.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click Members, click the Add button, and then drag computers or computer groups from the drawer to the list. You can also click the Browse button, select a computer, and then click Add.
5. Continue adding computers and computer groups until the list is complete.
6. Click Save.
Removing Computers and Computer Groups from a Computer Group
If you remove a computer from a computer group, you can still manage it by managing its computer account or by adding it to another computer group.
To remove a computer or computer groups from a computer group:
1. In Workgroup Manager, click Accounts.
2. Select the computer group the computer belongs to. To select the computer group, click the globe icon, choose the directory domain that contains the computer group you want to modify, clic
26. you are managing all individual computers within them. There are two major differences between computer groups and computer lists:
• Computer groups allow you to include other computer groups. You can then manage hierarchical groups by managing the parent computer group.
• A computer can be a member of multiple computer groups. However, a computer can only be a member of a single computer list.
Ideally, all members of a computer group are either computers running Mac OS X v10.5 or later or other computer groups. Computer groups that include computers running Mac OS X v10.4 or earlier act like any other computer group of computers running Mac OS X v10.5 or later; that is, computers can belong to multiple computer groups and you can form hierarchical groups. The computer group acts like a computer list for computers running earlier versions of Mac OS X. Computers can only belong to one list, and nesting the computer group has no effect on the computer.
Administering Computer Groups
You can use Workgroup Manager to administer computer groups stored in various directory domains.
Creating a Computer Group
When you create a computer group, keep in mind the following:
Chapter 6 Setting Up Computers and Computer Groups
• A computer group is a group of computers that have the same preference settings and are available to the same users and groups.
• You can add up to 2000 computers to a computer group. You can create hierarchical
27. Accounts. There are several situations in which you should not use mobile accounts for portable computer users. This section describes those situations and provides alternatives to using mobile accounts that allow you to manage portable computers.
Unknown Mac OS X Portable Computers
If a computer is connected to your network but is not in a computer group, it is considered to be an unknown or guest computer. If you can identify the unknown computer by its Ethernet ID, you can create a computer account for it so that it's no longer a guest computer.
You can use the guest computer account to manage guest computers on your network. This allows you to manage Mac OS X portable computers joining your directory domain. If guest computer users log in using network or mobile accounts, their user and group managed preferences and account settings apply. For more information about how managed preferences interact when applied to users, groups, computers, and computer groups, see "Understanding Managed Preference Interactions" on page 156.
Chapter 8 Managing Portable Computers 141
For more information about setting up a guest computer account for Mac OS X users, see "Working with Guest Computers" on page 107.
Using Mac OS X Portable Computers with One Primary Local User
You can also distribute portable computers with only local accounts and not assign mobile or network accounts to users. This may reduce or eliminate the burden of mainta
28. Advanced pane to change their accounts' User Password Type setting to Open Directory. When you make this change, you must also enter a new password. Then you should instruct users to log in using this new password and change it in the Accounts pane of System Preferences.
If Users Can't Authenticate Using Single Sign-On or Kerberos
There are several ways to remedy Kerberos authentication failures. You can find these solutions, as well as a full description of how to reconfigure a server's computer record for single sign-on and Kerberos authentication, in Open Directory Administration.
Problems with a Primary or Backup Domain Controller
Problems with a primary domain controller (PDC) or backup domain controller (BDC) can have several causes.
If a Windows User Can't Log in to the Windows Domain
Verify the following:
• Make sure the user account has a password type of Open Directory.
• Make sure the workstation has joined the Windows domain of Mac OS X Server.
Chapter 11 Solving Problems 245
If a Windows User Has No Home Folder
If a user's home folder isn't mounted in Windows, verify the following:
• Make sure the correct home folder location is selected in the Home pane of Workgroup Manager.
• Make sure the home folder path is correct in the Windows pane of Workgroup Manager. It should be blank to use the home folder specified in the Home pane.
• Using Server Admin, connect to the server where the user's home folder resides. In the
29. Configuration Protocol (DHCP) services. For more information about NTP, DNS, or DHCP, see Network Services Administration.
Testing Your Network's Time and Time Zones
The many technologies and services in Mac OS X Server rely on having accurate time settings on all networked computers. Typically, computers are connected to an NTP server that provides accurate time settings. You should still check your networked computers' time settings using Apple Remote Desktop (not included with Mac OS X Server). For more information about Apple Remote Desktop, see www.apple.com/remotedesktop.
You can send the commands in the following procedure using the ssh command. You can also test and correct a computer's time settings in System Preferences. Both methods allow you to test and correct one computer at a time, but with Apple Remote Desktop you can test and correct many computers simultaneously.
To test your network computer time and time zones using Apple Remote Desktop:
1. In Apple Remote Desktop, send the following UNIX command to all computers:
   sudo systemsetup -gettimezone
   Your computers should be on the same time zone. If they are not on the same time zone, send the following UNIX command:
   sudo systemsetup -settimezone US/Pacific
   For other time zones, see the man page for systemsetup. For instructions on sending UNIX commands through Apple Remote Desktop, see the Apple Remote Desktop Administrator's Guide.
2. In Apple Remote D
30. Connect, enter the server address in the Address field, and authenticate as a server administrator. If you're already connected, you'll see Disconnect instead of Connect in the Server menu.
To view a list of available services, use the disclosure triangle next to your server.
If Server Admin doesn't list the AFP service, click the Add button, choose Add Service, select AFP, and then click Save.
Select the AFP service and click Settings.
In Access, select Enable Guest access and click Save; then, if AFP is not running, click Start AFP. For more information about administering AFP service, see File Services Administration.
Select the server and click File Sharing.
Click Share Points and then select the share point.
In Share Point, select Enable Automount. When you select Enable Automount, a configuration dialog appears. If it doesn't, click Edit.
Choose your directory domain from the Directory pop-up menu, choose AFP from the Protocol pop-up menu, select Use for User home folders, and click OK.
In the dialog that appears, authenticate as the directory administrator and then click OK.
Chapter 7 Setting Up Home Folders 117
Click Protocol Options.
In AFP, select Share this item using AFP and Allow AFP guest access. When you enable guest access, it is enabled for all home folders in the share point. By default, in home folders guests can only access Public and Sites fo
31. Directory server. Before creating users, pick a distribution strategy. If your distribution strategy fails while using it, you can move home folders, but doing so can require changing a large number of user records.
When determining the access protocol to use for home folders, AFP offers the greatest level of security. If you are hosting home folders on UNIX servers that do not support AFP, you may want to use NFS. If you are hosting home folders on Windows servers, you may want to use SMB. For more information about how to use these protocols for home folders, see "About Home Folders" on page 113.
Identifying Groups
Identify users with similar requirements and consider assigning them to groups. See Chapter 5, "Setting Up Group Accounts."
Determining Administrator Requirements
With Mac OS X v10.5, you don't need to give full domain administrator privileges to all users who need only some administrative control. Instead, you can give them limited administrative privileges. Decide which users will have full administrative control over accounts and which users will perform only a few administrative duties.
The domain administrator has the greatest amount of control over other user accounts and privileges. The domain administrator can create user accounts, group accounts, computer accounts, and computer groups, and can assign settings, privileges, and managed preferences for them. He or she can also create other server administrator
32. Folder, enter the name of the folder, and click Create.
In Permissions, select entries in the list, click the Edit (pencil) button to change their name or permissions, and change the settings as follows:
UNIX Class: Owner (single silhouette); Name: admin; Permission: Read and Write
UNIX Class: Group (several silhouettes); Name: admin; Permission: Read
UNIX Class: Others (globe); Name: Others; Permission: Read
Click Share and then click Save.
Setting Up an Automountable AFP Share Point for Home Folders
You can use Server Admin to set up an AFP share point for home folders. Home folders for user accounts stored in shared directory domains, such as an Open Directory domain, can reside in any AFP share point that the user's computer can access. This share point must be automountable; that is, it must have a network mount record in the directory domain where the user account resides.
Using an automountable share point ensures that the home folder appears in Network > Servers when the user logs in to a Mac OS X computer configured to access the shared domain. Users can access home folders on any automountable share point with guest access enabled.
To set up an automountable AFP share point for home folders:
If you do not have a share point to host home folders, create one. For instructions, see "Setting Up a Share Point" on page 116.
Open Server Admin and connect to the server that hosts the share point. To connect to the server, choose Server >
33. Folders
Moving Home Folders
Deleting Home Folders
Managing Portable Computers
About Mobile Accounts
About Portable Home Directories
Logging In to Mobile Accounts
Resolving Sync Conflicts
About External Accounts
Logging In to External Accounts
Considerations and Strategies for Deploying Mobile Accounts
Advantages of Using Mobile Accounts
Contents
Chapter 9
Chapter 10
Considerations for Using Mobile Accounts
Strategies for Syncing Content
Setting Up Mobile Accounts for Use on Portable Computers
Configuring Portable Computers
Managing Mobile Clients Without Using Mobile Accounts
Unknown Mac OS X Portable Computers
Using Mac OS X Portable Computers with One Primary Local User
Using Mac OS X Portable Computers with Multiple Users
Securing Mobile Clients
Optimizing the File Server for Mobile Accounts
Client Management Overview
Using Network Visible Resources
Customizing the User Experience
The Power of Preferences
Designing the Login Experience
Choosing a Workgroup
Working with Synced Homes
Improving Workflow
Managing Preferences
Using Workgroup Manager to Manage Preferences
Understanding Managed Preference Interactions
Understanding Hierarchical Preference Management
Setting the Permanence of Management
Caching Preferences
34. For example, you can set up Media Access preferences to prevent users from burning CDs and DVDs or making changes to a computer's internal disk.
The following table summarizes how preferences affect the appearance of the desktop and the activities a user can perform. A check mark (✓) indicates that the preference tailors the work environment or limits access and control; two check marks indicate it does both.
This preference: Applications | ✓ | By letting you manage: Applications a user can open
This preference: Classic | ✓ | By letting you manage: Classic environment startup
This preference: Dock | ✓ | By letting you manage: Appearance and contents of the Dock
This preference: Energy Saver | ✓ | By letting you manage: Startup, shutdown, wake, sleep, and performance settings
This preference: Finder | ✓ ✓ | By letting you manage: Appearance of desktop icons and Finder elements
This preference: Login | ✓ | By letting you manage: Login experience
This preference: Media Access | ✓ | By letting you manage: Ability to use recordable media
This preference: Mobility | ✓ | By letting you manage: Creation of mobile accounts
Chapter 9 Client Management Overview 149
This preference: Network | ✓ ✓ | By letting you manage: Proxy settings for accessing servers through a firewall
This preference: Parental Controls | ✓ | By letting you manage: Web access and time limits on computer use
This preference: Printing | ✓ | By letting you manage: Printers a user can use and page footer settings
This preference: Software Update | | By letting you manage: Server to use for updates
This preference: System Preferences | ✓ | By letting you manage: System preferences that are enabled on the user's computer
This preference: Time Machine | ✓ | By letting you manage: Which volumes are backed up and how long the backup files are retained
This preference: Universal Access | | By letting you manage: Hardware settings for users with special visual, auditory, or other needs
35. If several dozen users create local home folders on a computer, you could run out of hard disk space for their files. You might have to set strict account expiry settings, depending on the amount of hard disk space on the computers and how many users use them.
Another consideration when using a wireless mobile lab is that the total network throughput is much more limited than a wired lab. If users have network accounts, any time they open or save files it requires using the network, possibly slowing the network connections of other users. Although mobile accounts help alleviate these issues, frequent syncing can also slow the network. Creating mobile accounts without synced folders efficiently utilizes the network. However, users must still copy and store files in their network home folders if they want to access their files from other computers.
To manage your cart's MacBooks, you might create generic local user accounts on each computer. For example, you could create identical generic local user accounts on each computer (such as all accounts could have "Math" as the user name and "student" as the password) and then create different generic local accounts for each class, such as an account for a history class, one for a biology class, and so on. Each account has a local home folder but does not have administrator privileges.
To perform maintenance tasks and upgrades, install software, and administer local user accounts, you would u
36. Interfaces. Set the management setting to Always. Select Disable Bluetooth. Click Apply Now.
Managing Parental Controls Preferences
Parental Controls preferences allow you to hide profanity in Dictionary, limit access to websites, or set time limits or other constraints on computer usage. To manage Parental Controls preferences, computers must have Mac OS X v10.5 or later.
The table below describes what settings in each Parental Controls pane can do.
Parental Controls preference pane: Content Filtering
What you can control: Whether profanity is allowed in Dictionary, and limitations on which websites users can view
Parental Controls preference pane: Time Limits
What you can control: How long and when users can log in to their accounts
Hiding Profanity in Dictionary
You can hide profane terms from the Dictionary application included with Mac OS X v10.5 or later. When you hide profane terms entirely, profane terms are removed from search results. If you search for a profane term that has an alternate nonprofane definition, Dictionary only displays the nonprofane definition.
To hide profanity in Dictionary:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups. C
37. Log in to Workgroup Manager by specifying the name or IP address of the server you want to grant administrator privileges for.
Click Accounts.
Chapter 4 Setting Up User Accounts
Click the globe icon and choose Local.
Click the lock and enter the name and password of a local administrator.
Click the globe icon and choose the directory domain where the user's account resides.
Click the lock and enter the name and password of a directory domain administrator.
To grant server administrator privileges, in the Basic pane select "User can administer this server."
From the Command Line
You can also set server administrator privileges using the dscl command in Terminal. For more information, see the users and groups chapter of Command Line Administration.
Choosing a User's Login Picture
You can change a user's login picture using Workgroup Manager. This picture represents the user in the login window, in the Directory application, and in group web services, and is the default buddy icon for the user in iChat.
Although you can use an image file of any size, you should use an image that is 64 x 64 pixels in size. If you use a larger image, resize and crop it in Workgroup Manager.
To change a user's login picture:
In Workgroup Manager, click Accounts.
Select the user account you want to work with. To select an account, click the globe icon above the accounts list, choose the directory domain where the user's account r
38. Mac OS X client management. Client management is the centralized administration of your users' computer experience, as shown in the following illustration. It's usually implemented by:
• Managing access to network printers and to server-resident home folders, group folders, and other folders
• Customizing the computer work environment of users, groups, and computers by defining preferences for user accounts, group accounts, computers, and computer groups
[Illustration: Client management, linking computers and desktops, printers and volumes, users and groups, and applications, folders, and files]
This chapter introduces each of these client management topics as they apply to users of Mac OS X computers.
Using Network Visible Resources
Mac OS X Server lets you make various resources visible throughout your network so users can access them from different computers and various locations. There are several key network visible resources:
• Network home folders. A home folder, often referred to as a home directory or simply home, is a place for each Mac OS X user to keep personal files. A user with a record in a shared Open Directory domain may have a home folder that resides on the network, often on the same server where the user account resides. A home folder contains several folders, such as Desktop, Documents, and Public, to help organize information. After logging in, users access the
39. Manager > Preferences. Select the preferences you want to change. To reset the warning messages you've marked as "Don't show again," click "Reset 'Don't show again' messages." Click OK.
Chapter 3 Getting Started with Workgroup Manager 45
Finding and Listing Accounts
Workgroup Manager provides several methods for finding and listing user accounts, group accounts, computer accounts, and computer groups.
Working with Account Lists in Workgroup Manager
In Workgroup Manager, user accounts, group accounts, computer accounts, and computer groups are listed on the left side of the Workgroup Manager window. The following settings influence the contents and appearance of the list:
• Workgroup Manager preferences control the maximum number of records shown and whether you want to enable the Inspector, which allows you to view or edit raw directory data. To set up Workgroup Manager preferences, choose Workgroup Manager > Preferences.
• The list reflects the directory you've chosen from the globe icon. If you connect to the directory server, the accounts in the parent directory domain are listed. If you do not connect to the directory server, local accounts are listed. The listed domains are the local directory domain, all directory domains in the server's search policy, and all available directory domains (domains the server is configured to access even if not in the search policy). For instructions on configuring a ser
40. Manager or change the mappings of other drive letters on the workstation.
If a Windows User Loses the Contents of the My Documents Folder
Verify the following:
• Make sure the correct home folder location is selected in the Home pane of Workgroup Manager.
• Make sure the user profile path is correct in the Windows pane of Workgroup Manager. If the user profile path is blank, the default profile folder is used. The contents of My Documents are stored in the user profile.
• If the drive letter chosen for the user might be conflicting with a drive letter in use on the Windows workstation, change the drive letter setting in the Windows pane of Workgroup Manager or change the mappings of other drive letters on the workstation.
Solving Preference Management Problems
This section describes problems you might encounter while using Workgroup Manager to set up accounts or manage Mac OS X clients. It also provides troubleshooting tips and possible solutions. If your problem is not addressed here, check Workgroup Manager Help or consult the Apple Service & Support website, www.apple.com/support.
Testing Your Managed Client Settings
If your managed computers use Mac OS X v10.5 or later, you can view managed settings in System Profiler on the computers. Settings are organized by preference. For example, all managed Finder settings are listed in com.apple.finder.
To view managed client settings in System P
41. "Managing Dock Preferences" on page 174.
If you plan to manage dedicated computers, you may be able to use local Display System Preferences to change the resolution and number of colors computers use. After setting the resolution and number of colors, you can prevent changes to the Display System Preferences by removing Display from the list of available System Preferences. For more information, see "Managing Access to System Preferences" on page 224.
For more information about enabling assistive devices like screen readers, see "Allowing Devices for Users with Special Needs" on page 231.
To adjust screen appearance:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Universal Access.
5. Click Seeing and then select a management setting.
6. To enable zooming, select Turn on Zoom; to fine-tune zoom settings, click Zoom Options. Use the sliders to set a maximum and minimum zoom. To show a preview area, select "Show preview rectangle when zoomed out." To improve the appearance of zoomed graphics, deselect Smooth images.
7. To change the color scheme to white on blac
42. Printing PDF Guides
If you want to print a guide, you can take these steps to save paper and ink:
• Save ink or toner by not printing the cover page.
• Save color ink on a color printer by looking in the panes of the Print dialog for an option to print in grays or black and white.
• Reduce the bulk of the printed document and save paper by printing more than one page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting Started). Then choose Layout from the untitled pop-up menu. If your printer supports two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from the Border menu. (If you're using Mac OS X version 10.4 or earlier, the Scale setting is in the Page Setup dialog and the Layout settings are in the Print dialog.)
You may want to enlarge the printed pages even if you don't print double-sided, because the PDF page size is smaller than standard printer paper. In the Print dialog or Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has CD-size pages).
Preface About This Guide 17
Getting Documentation Updates
Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.
To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet
43. Restart automatically after a power failure." Deselect this option to disable automatic restart.
Do this: Make sure the computer restarts if the power fails.
8. Click Apply Now.
To manually wake up a sleeping computer or display, the user can click the mouse or press a key on the keyboard.
Setting Energy Saver Settings for Portable Computers
You can use Energy Saver Portable settings to vary sleep and wake responses, in addition to processor performance settings, depending upon what power source a portable computer is using, either an adapter or a battery. You can also set the computer to restart if power suddenly fails.
To manage portable computer settings:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more computers or computer groups.
4. Click Energy Saver and then click Portable.
5. From the Power Source pop-up menu, choose Adapter or Battery, and set the management setting to Always.
6. To adjust sleep settings, choose Sleep from the Settings pop-up menu and do the following:
To do this: Set the length of time the desktop computer waits to enter sleep mode
Do this: Move the "Put the computer to sleep when it is inactive for" slider. The computer does not enter sleep mode if the slider is set to
44. Servers list, select SMB, click Advanced, and then make sure Enable virtual share points is selected.
If the drive letter chosen for the user might be conflicting with a drive letter that's in use on the Windows workstation, change the drive letter setting in the Windows pane of Workgroup Manager or the mappings of other drive letters on the workstation.
If a Windows User's Profile Settings Revert to Defaults
There are several reasons why a user's profile settings may revert to default.
If the user profile location is not blank in the Windows pane of Workgroup Manager, the default share point for user profiles is not used. In this case, the user profile location must specify a valid SMB share point. Make sure the user profile location specifies an existing share point. For more information, see "Setting Up an SMB Share Point" on page 119.
Make sure the home folder is specified correctly in the Windows and Home panes of Workgroup Manager. These panes should be configured in one of the following ways:
• If the home folder path in the Windows pane is blank, make sure the correct home folder location is selected in the Home pane.
• If the home folder path is not blank in the Windows pane, make sure the home folder path specifies a valid SMB share point.
If the drive letter chosen for the user might be conflicting with a drive letter in use on the Windows workstation, change the drive letter setting in the Windows pane of Workgroup
45. User's Password Type to Open Directory
To change a user's password type to Open Directory authentication, you must be an administrator of the directory domain where the user's record resides. In addition, your user account must be configured for Open Directory authentication.
When the Open Directory master was set up using the Open Directory service settings in Server Admin, the initial user account is a domain administrator account with an Open Directory password. This account can be used to set up other user accounts as domain administrators with Open Directory passwords.
If You Can't Assign Server Administrator Privileges
To assign server administrator privileges to a user on a particular server, connect to the server in Workgroup Manager and authenticate in the directory domain. Select the user's account (or create an account for the user) and then select "User can administer this server" in the Basic pane.
If Users Can't Log In or Authenticate
If a user can't log in or authenticate to his or her account, a number of approaches might be required to determine whether the source of the authentication problem is configuration related or due to the password. Try these techniques:
• Reset the password to a known value and then determine whether there is still a problem. Try using a 7-bit ASCII password, which is supported by most clients.
• Make sure the password contains characters supported by the authentication protocol. Leading em
46. You can use presets when creating accounts manually or when importing them from a file. If you change a preset after it has been used to create an account, accounts already created using the preset are not updated to reflect those changes.
For more information about how to create presets, see "Creating a Preset for User Accounts" on page 61.
Editing Multiple Accounts Simultaneously
You can edit settings, if they don't need to be unique, for multiple user accounts, group accounts, or computer groups at the same time. Simultaneously editing multiple accounts is referred to as batch editing.
There are two ways to simultaneously edit accounts: select several accounts in the accounts list, or use the batch edit feature in the Advanced Search dialog. Unlike when you select several accounts, the batch edit feature allows you to preview and edit search results before applying changes, and you can view changes and errors after applying more changes.
There are several ways to select multiple accounts:
• To select a range of accounts, hold down the Shift key while clicking.
• To select accounts individually, hold down the Command key while clicking.
• To deselect accounts, choose Edit > Select All and then Command-click individual accounts.
Although you can simultaneously edit most account settings for multiple users, some settings must be made for individual users. For example, you can
47. a computer account, which identifies the Windows computer by its NetBIOS name. The computer account for a Windows computer also contains information for authenticating the computer as a trusted workstation in the Windows domain. Mac OS X Server creates this information in the form of a UID and a GID. You can add Windows computer accounts to computer groups, but Windows computers don't receive managed preferences.
(Chapter 6, Setting Up Computers and Computer Groups)
Important: Don't create computer accounts for Windows 2000 or Windows XP computers. If you do so, they may not be usable for domain login. Instead, use the Windows software on these computers to join them to the Windows domain. For information, see Open Directory Administration.
About Computer Groups
A computer group comprises computers with the same preference settings. You can use Workgroup Manager to create and modify computer groups. To edit computer groups or computer group preferences, you must have domain administrator privileges. For instructions on assigning administrator privileges for a directory domain, see "Giving a User Full Administrative Capabilities" on page 72.
Differences Between Computer Groups and Computer Lists
Computer groups are a new concept in Mac OS X Server v10.5. Before Mac OS X Server v10.5, computer lists were used to manage computers. Computer lists and computer groups function similarly. By managing a computer list or a computer group
48. accounts
(Chapter 10, Managing Preferences)
To set an expiration period:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Mobility and then click Account Expiry.
5. Set the management setting to Always.
6. Select "Delete mobile accounts" and enter a number of hours, days, or weeks. To wait until after the user's mobile account syncs to delete the local home folder, select "Delete only after successful sync".
7. Click Apply Now.
Choosing Folders to Sync at Login and Logout or in the Background
You can use Workgroup Manager to choose which folders to sync at login and logout, or in the background, for users with mobile accounts. You can also choose not to sync specific folders. You should carefully manage login and logout syncing because a user's login and logout is delayed while files are syncing. Using background syncing can also cause users to load outdated files from the network, especially when syncing is set to occur at long intervals. Also, you can't sync Library in the background. For considerations when choosing folders to sync and how to sync them, see "Strategies for Syncing Content" on p
49. an application or its folder doesn't appear in these lists, the user can't open the application.
Note: Some applications don't fully support signatures. To make sure a signed application is properly restricted, make a copy of the application, sign it, and move it to a location in the "Disallow applications within these folders" list. When you try to open the application on a managed computer, it should open because the signature is valid. Next, void the signed application's signature by copying a file into its application package. Now when you try to open the application on a managed computer, it should not open, because the signature is void and the application is in a disallowed folder.
To allow users to open specific applications and folders:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Applications and then click the Applications tab.
5. Set the management setting to Always.
6. Select "Restrict which applications are allowed to launch".
7. Click the Applications tab within the Applications pane, click the Add button, choose an application you want to always allow, and then click Ad
50. and "Designing the Login Experience" on page 150.
Using Workgroup Manager to Manage Preferences
Workgroup Manager allows you to set and lock certain system settings for users on the network. You can set initial preferences and allow users to change them later, or you can keep preferences under administrative control at all times; you can also leave preference settings unmanaged. Workgroup Manager provides control over most major system and application preferences, as well as various settings for users, groups, computers, and computer groups. The preference editor controls the remainder of the applications that may require management.
These preference panes allow you to manage the following settings:
Preference pane: What you can manage
Applications: Applications and Dashboard widgets available to users, and if Front Row is enabled. For more information, see "Managing Access to Applications" on page 164.
Classic: Classic startup settings, sleep settings, and the availability of Classic items such as Control Panels. For more information, see "Managing Classic Preferences" on page 169.
Dock: Dock location, behavior, and items. For more information, see "Managing Dock Preferences" on page 174.
Energy Saver: Performance options for Mac OS X client and server computers, battery usage for portable computers, and sleep or wake options. For more information, see "Managin
51. and click "Latest help topics" or "Staying current" in the main help page for the application. To download the latest guides in PDF format, go to the Mac OS X Server documentation website: www.apple.com/server/documentation.
Getting Additional Information
For more information, consult these resources:
• Read Me documents: important updates and special information. Look for them on the server discs.
• Mac OS X Server website (www.apple.com/server/macosx): gateway to extensive product and technology information.
• Mac OS X Server Support website (www.apple.com/support/macosxserver): access to hundreds of articles from Apple's support organization.
• Apple Discussions website (discussions.apple.com): a way to share questions, knowledge, and advice with other administrators.
• Apple Mailing Lists website (www.lists.apple.com): subscribe to mailing lists so you can communicate with other administrators using email.
(Preface, About This Guide)
User Management Overview
This chapter introduces user management concepts and describes the applications used to manage accounts and privileges. User management encompasses everything from setting up accounts for network access and creating home folders to fine-tuning the user experience by managing preferences and settings for users, groups, computers, and computer groups. Mac OS X Server provides tools for accomplishing these tasks and more.
Tools for User Management
User manageme
52. are created when you install Mac OS X Server unless otherwise indicated. For a complete list, open Workgroup Manager and choose View > Show System Users and Groups.
Predefined user name (short name, user ID): Use
MySQL Server (mysql, 74): The user that the MySQL database server uses for its processes that handle requests.
sshd Privilege separation (sshd, 75): The user for the sshd child processes that process network data.
System Administrator (root, 0): A user with no protections or restrictions.
System Services (daemon, 1): A legacy UNIX user.
Unknown User (unknown, 99): A user with no login or password. When files or volumes have no real owner, they are assigned unknown as their owner.
Unprivileged User (nobody, -2): This user was originally created so system services didn't need to run as System Administrator. Now service-specific users, such as World Wide Web Server, are often used for this purpose.
World Wide Web Server (www, 70): The nonprivileged user that Apache uses for its processes that handle requests.
(Chapter 4, Setting Up User Accounts)
Administering User Accounts
You can view, create, edit, and delete user accounts stored in various kinds of directory domains.
Creating User Accounts
To create a user account in a directory domain, you must have administrator privileges for the domain. To create user accounts in an LDAPv3 directory on a non-Apple server, use Directory Utility to map the LDAPv3 directory attributes to Open Director
53. are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Select an entry with managed preferences. Entries with managed preferences are noted by a cursor icon in the left column. This can only be done one entry at a time.
Click the Remove button and then click Remove in the confirmation dialog.
Using the Preference Editor to Manage Core Services
You can add several important manifests by adding a single core services bundle. These manifests allow management of many features that are unavailable through the main preference editing interface. For example, you can disable Bluetooth, lock iTunes parental controls, and set the license number and registration key for all iWork '08 installations.
Core service manifests include:
Manifest: Examples of things you can change
Bluetooth: Enable or disable Bluetooth.
Dashboard: Enable or disable Dashboard.
Desktop Picture: Set the Desktop background image.
Dock: Customize how the Dock looks.
Home Sync: Fine-tune mobility settings, such as how to resolve conflicts.
iCal: Change iCal settings such as Kerberos usage, SSL usage, and refresh intervals.
iChat: Change iChat settings such as account name and info, and SSL and Kerberos usage.
Internet Configuration: Change Internet settings such as the mail server, mail
54. automate a group member's access to the group folder when the user logs in by:
• Setting up Dock preferences to make the group folder visible in the Dock. For instructions, see "Providing Easy Access to Group Folders" on page 175.
• Setting up login preferences so that users can click Computer in the Finder to see the group folder share point and the group folders in it. For instructions, see "Providing Easy Access to the Group Share Point" on page 199.
(Chapter 5, Setting Up Group Accounts)
When setting up these preferences, make sure the group is defined in a shared domain in the search policy of the group member's computer. For instructions on setting a computer's search policy, see Open Directory Administration.
If you don't automate group folder access, group members can access the group folder by using the Connect to Server command in the Go menu in the Finder to navigate to the server where the group folder resides.
To set up a group folder in the Groups folder or in another existing share point:
In Workgroup Manager, click Accounts.
Select the group account you want to work with. To select an account, connect to the server where the account resides, click the globe icon, choose the directory domain where the group account is stored, click the Groups button, and then select the group.
To authenticate, click the lock and enter the name and password of a directory domain administrator.
Click Group Folder
55. choosing Other. In the dialog that appears, select the domain and then click OK.
Choose from the following:
• To view user accounts, click the Users button.
• To view group accounts, click the Groups button.
• To view computer accounts, click the Computers button.
• To view computer groups, click the Computer Groups button.
To work with a particular account, select it. Changing the account requires domain administrator privileges, so you might need to click the lock to authenticate.
Refreshing Account Lists
If more than one administrator makes changes to directory domains, make sure you're viewing the current list of user accounts, group accounts, computer accounts, and computer groups by refreshing the lists. To refresh account lists, click Refresh in the toolbar. Alternatively, click the globe icon and then choose the directory domain you're working in from the pop-up menu.
Finding Specific Accounts in a List
After you've displayed a list of accounts in Workgroup Manager, you can filter the list to find particular users or groups. You can choose from several filters:
• Name Contains
• Name Starts With
• Name Ends With
• Name Is
• ID Is
• ID Is Greater Than
• ID Is Less Than
• Comment Contains
• Keyword Contains
To filter items in the list of accounts:
After listing accounts, click the Users, Groups, Computers, or Computer Groups button.
Click the Search (magnif
56. click the Add button and then drag user or group accounts from the drawer to the list. To switch the drawer's display of user accounts to group accounts, or vice versa, click the Users or Groups button at the top of the drawer.
To allow or deny access to a user or group in the Access Control List, choose Allow or Deny from the Access pop-up menu for that user or group.
To allow local users to access the computer, select "Local-only users may login".
Click Apply Now.
Customizing the Workgroups Displayed at Login
You can change settings that affect how workgroup preferences and other settings impact a user's experience. For example, you can require local users to choose a workgroup. This makes the user's environment the same as if he or she was a member of the workgroup. Or you can configure how to handle situations where multiple workgroups are available for a user.
The following access options control workgroup settings at login:
Option: What this does when enabled
"Local-only users use available workgroup settings": For computers with Mac OS X v10.4 or later. Local users must choose a workgroup when logging in. The user can choose from all workgroups that can access the computer. The user's environment is the same as if he or she was a member of the workgroup.
"Ignore workgroup nesting": For computers with Mac OS X v10.5 or later. The user can choose whether to use managed preferences
57. click the lock and enter the name and password of a directory domain administrator.
In the Members pane, select the members you want to remove from the group, click the Remove button, and then click Save.
From the Command Line
You can also remove users from a group using the dseditgroup command in Terminal. For more information, see the users and groups chapter of Command Line Administration.
Working with Group Folder Settings
A group folder offers a way to organize and distribute documents and applications to group members, and gives group members a way to share files with each other. Group folders are not directly linked to workgroup management, but access and workflow management can be improved by combining the use of group folders with managed preferences for workgroups.
For example, to set up a multimedia lab computer specifically for a movie editing class, you could set Dock preferences for the movie editing workgroup to display only iMovie and the group folder. Because the group folder is in the Dock, it provides an easily accessible location for students to store and retrieve files.
Group folders aren't automatically mounted on Windows workstations when group members log in to the Windows domain. If the group folder's share point is shared using SMB, a Windows user can go to My Network Places or Network Neighborhood and access the contents of the group folder.
Specifying No Group Folde
58. directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click Dock and then click Dock Items.
Set the management setting to Once or Always. If you select Once, the user can add and remove Dock items. If you select Always, the user can't remove items from the Dock.
To add individual applications, folders, and documents to the Dock, click the Add button to browse and select the item you want. To remove a Dock item, select it and then click the Remove button. You can rearrange Dock items in the list by dragging them into the order in which you want them to appear. Applications are always grouped at one end, while folders and files are grouped at the other. User-added items are located after your listed applications.
To add the My Applications folder, select My Applications. The My Applications folder contains aliases for approved applications listed in the Applications preference pane. If you do not manage the Applications preference, available applications are shown. If you enable Simple Finder, you should display the My Applications folder.
To add the Documents folder, select Documents. The Documents folder is located in the user's home folder.
To add the Network Home folder, select Network Home. The Network Home folder is the network home folder for users with network accounts. For users of mobile accounts, selecting Network Hom
59. directory domain where the account resides, click the Groups button, and select the group.
To authenticate, click the lock and enter the name and password of a directory domain administrator.
In the Basic pane, drag a picture to the picture area in the top right. When you drag a picture to the picture area, the Picture Path field is updated with the new location of the picture. You can also change the picture by editing this path.
Click Save.
Enabling a Group's Web Services
Mac OS X Server v10.5 includes Groups, a feature that allows groups to easily create a collaborative website. This website uses calendar, wiki, and blog technology to streamline group communication. You can also set up a mailing list so that mail sent to the list is sent to all group members and is archived on the group website. You can only enable the web calendar and mailing list archive if you first enable the wiki and blog service.
You can choose who views or edits the website:
• Group members only: includes all members of the group.
• Some group members only (available for editing): includes group members who are given editing privileges.
• Authenticated users: includes anyone who can authenticate with your organization's directory.
• Anyone: allows everyone, without requiring authentication.
You can provide different levels of website access to different subsets of users. For example, you can
60. do the following:
To do this: Do this
Set the length of time the desktop computer waits to enter sleep mode: Move the "Put the computer to sleep when it is inactive for" slider. The computer does not enter sleep mode if the slider is set to Never. The default setting for Mac OS X is 10 minutes. The default setting for Mac OS X Server is Never.
Use a different time interval for the computer's display: Select "Put the display to sleep when the computer is inactive for" and move the slider. The interval can't be longer than the computer's sleep setting. The default setting for Mac OS X is five minutes. The default setting for Mac OS X Server is 30 minutes.
Put the hard disks to sleep during periods of inactivity: Select "Put the hard disk(s) to sleep when possible".
7. To set wake and restart settings, choose Options from the Settings pop-up menu and do the following:
To do this: Do this
Wake the computer when the modem is activated: Select "Wake when the modem detects a ring".
Wake the computer when an administrator attempts remote access: Select "Wake for Ethernet network administrator access".
Allow users to press the power button, without holding it down for a prolonged period, to put the computer in sleep mode: For client computers with Mac OS X v10.3 or later. Select "Allow power button to sleep the computer".
Make sure the computer restarts: Select
61. doesn't let you manage individual local accounts. To manage specific local accounts, you must log in to the local computers individually or use Apple Remote Desktop.
Users can access their accounts and files when disconnected from the network.
Mobile accounts have two key features that allow users to access their accounts and files when disconnected from the network: cached authentication and portable home directories. When mobile account users disconnect from the network, cached authentication lets them log in to the mobile account using the local home folder stored on the portable computer or on an external drive, with the same login name and password they used when the computer or external drive was last connected. By contrast, network account users can't access their accounts when they disconnect from the network. If you change the password for a user remotely, the next time the user connects to the network he or she must use the new password to authenticate. For information about portable home directories, see "About Portable Home Directories" on page 132.
Users can recover data if their computers or external drives are lost or damaged.
If a user with a mobile account loses or damages his or her portable computer or external drive and logs in using a new computer, the server restores all previously synced files during the next sync.
Considerations for Using Mobile Accounts
Although mobile accounts provide many advantages over
62. field in the Basic pane, review or edit the user name. Initially the value of the user name is "Untitled" followed by a number, which is the sequential number generated after the last generated number for an existing untitled user. Avoid assigning the same name to more than one user. Workgroup Manager doesn't let you assign the same name to different users in any domain or in a domain in the search policy. However, it can't detect whether duplicates exist in other domains.
Modifying Short Names
A short name is an abbreviated name for a user, such as mchen or annejohnson. Users can log in using a short name or the user name associated with his or her account. The short name is used by Mac OS X for home folders. When Mac OS X creates a user's local or network AFP home folder, it names the directory after the user's short name. For more information about home folders, see Chapter 7, "Setting Up Home Folders".
You can have as many as 16 short names associated with a user account. For example, you might want to use multiple short names as aliases for mail accounts. The first short name is the name used for home folders and legacy group membership lists. Don't reassign that name after you save the user account.
A short user name can contain as many as 255 Roman characters. However, for clients using Mac OS X v10.1.5 and earlier, the first short user name must be eight characters or fewer.
For the firs
63. from a parent group or its child group. Only the preferences of the chosen group apply. When disabled, the preferences of parent and child groups apply.
"Combine available workgroup settings": For computers with Mac OS X v10.5 or later. The user's preferences are based on the combination of preferences from all of the user's workgroups. For local users, all workgroups that can access the computer are combined. When enabled, the user can't select the workgroup to use. When disabled, the user can select which workgroup to use. If the user selects a parent or child group, the preferences of both apply.
"Always show workgroup dialog during login": For computers with Mac OS X v10.5 or later. The dialog displaying all available workgroups appears even when there are no workgroups available.
To customize the workgroups displayed at login:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more computers or computer groups.
4. Click Login, click Access, and then set the management setting to Always.
5. Select the workgroup settings to enable them.
6. When you finish enabling workgroup settings, click Apply Now.
Enabling the Use of Login and Logout Scripts
You can use login scripts to perform a set of
64. groups to manage computers with Mac OS X v10.5 or later. Hierarchical groups inherit managed preferences. Computers in a hierarchical group have combined preferences managed by their computer group and by parent computer groups. They can also inherit preferences from parent computer groups.
To set up a computer group:
In Workgroup Manager, click Accounts.
Click the globe icon and choose the directory domain where you want to store the computer group.
To authenticate, click the lock and enter the name and password of a directory domain administrator.
Click the Computer Groups button on the left.
To use a preset, choose one from the Presets pop-up menu.
Choose Server > New Computer Group, or click New Computer Group in the toolbar, and then enter a name for the computer group.
Click Basic. Optionally, add a comment. Comments are useful for providing information about a computer's location, configuration (for example, a computer set up for individuals with special needs), or attached peripherals. You could also use the comment for identification information, such as the computer's model or serial number.
Click Members, click the Add button, and then drag computers or computer groups listed in the drawer to add them to the computer group. You can also click the Browse button, select a computer, and click Add.
Click Save.
After setting up a computer group, you can manage preferences for it. For more information about us
65. have identical short names or user IDs. When using GUIDs, users with the same short name or user ID can have different ACL permissions. The introduction of GUIDs does not change or remove POSIX permissions, so it does not affect the interoperability of Mac OS X with legacy UNIX systems or other operating systems.
Folder and File Owner Access
When a folder or file is created, the file system stores the user ID of the user who created the file or folder as its owner. By default, when a user with that user ID accesses the folder or file, he or she can read and write to it. Also, any process started by the user who creates the file or folder can read and write to any files associated with that same user ID.
If you change a user ID, the user may not be able to modify or access files and folders he or she created. Likewise, if the user logs in as a user whose user ID is different from the user ID he or she used to create the files and folders, the user no longer has owner permissions for those files and folders.
Folder and File Access by Other Users
The use of GUIDs in conjunction with ACLs determines the files that users and groups can access. Also, the user ID in conjunction with a group ID is used to control access. Every user belongs to a primary group. The primary group ID for a user is stored in the user's account. When a user accesses a folder or file and the user isn't the owner, the file system checks the file's group permissions, and t
66. including Mac OS 9 control panels, the Chooser and Network Browser, and other Apple menu items. You can show or hide all, some, or none of these items in the Apple menu. If an item is hidden, users can't access that item from the Apple menu. However, there may be alternative methods of access, such as starting the Chooser by navigating to it in the Mac OS 9 System Folder. If you want to further limit user access to these items, you can use the Applications preferences in Workgroup Manager to specify which applications a user can or can't open. For more information, see "Managing Access to Applications" on page 164.
Note: Disallowing access to the Chooser can affect what happens when a user attempts to print from Classic if printer management is also enforced. If users can't access the Chooser, they can't set up new printers or switch between types of printers, such as PostScript and non-PostScript printers.
To hide or show items in the Apple menu:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Classic.
5. Click Advanced and then set the management setting to Always.
6. To remove th
67. information, default web browser, and default mail application.
iTunes 7: Set iTunes 7 parental controls, and enable or disable podcasts and music sharing.
iWork Registration: Set iWork '08 registration information.
Kerberos Login: Set Kerberos name and realm.
Managed Menu Extras: Add nonstandard menus to the menu bar.
Mobile Account & Other Options: Change mobile account settings, such as FileVault use, enable sync encryption, set mobile account lifetime, and customize the mobile account creation dialog.
QuickTime Pro Key: Set QuickTime registration information.
Screen Saver: Enable or disable screen saver passwords.
VPN Settings: Change VPN settings such as VPN server information, login name, and authentication type.
By default, these manifests don't show keys. You must click the disclosure triangle next to the frequency, select the frequency, and then click New Key. When you click the name of the new key, you'll see all available keys for that frequency. Some keys will only work with certain management frequencies. For example, you can only enable Disable Bluetooth by adding a new key with the frequency Always.
To add the core services bundle to the preference editor list:
In Workgroup Manager, click Preferences and then click Details.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lo
68. is added to the admin group in the directory domain. This does not grant the user local admin privileges on the servers hosting this directory domain, or on any other servers or clients bound to this directory domain. Each directory domain has a domain administrator account, and a domain administrator can create additional domain administrators in the same domain. Any user with a user account in a directory domain can be made a directory domain administrator (an administrator of that domain). For more information, see "Giving a User Full Administrative Capabilities" on page 72.
User Accounts
Depending on how you set up server and user accounts, you can use Mac OS X Server to support users who log in using Mac OS X computers, Windows computers, or UNIX computers. Most users have an individual account used to authenticate them and control their access to services. When you want to personalize a user's environment, you define user, group, computer, or computer group preferences for that user. The term managed client or managed user refers to a user who has administrator-controlled preferences associated with his or her account. Managed client is also used to refer to computers or computer groups that have preferences defined for them.
To learn more about how to set up user accounts, see Chapter 4, "Setting Up User Accounts". To specify the preferences for user accounts, see Chapter 10, "Managing Preferences".
Guest Account
69. keyboard.
Displaying Battery Status to Users
Portable computers use a battery as a direct power source while disconnected from external power, or as a backup power source while connected to external power. When battery power is too low for the computer to function, the computer puts itself to sleep to conserve energy. When a user reconnects the computer to a functional power source, for example by inserting a fresh battery or connecting a power adapter, the user can wake the computer and begin working again.
Users should be encouraged to monitor battery status when not connected to external power, and to use a power adapter when possible to maintain a fully charged battery.
To show battery status in the menu bar:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more computers or computer groups.
4. Click Energy Saver and then click Battery Menu.
5. Set the management setting to Always.
6. To display the battery status, select "Show battery status in the menu bar"; to disable the battery status, deselect this option.
7. Click Apply Now.
Scheduling Automatic Startup, Shutdown, or Sleep
You can schedule when computers start up, shut down, or sleep at specific times on
...local and network accounts, they also have a few specific configuration needs that, if ignored, can create problems for network administrators. Consider the following:
• Improperly set sync settings can cause long delays during login and logout and can create inconsistent home folders.
• If multiple users create a mobile account on the same computer, it could cause excessive proliferation of home folders.
• Mobile accounts can't restore deleted files through syncing.
• You can't create mobile accounts when connected to a network through a virtual private network (VPN) connection.

Improperly set sync settings can cause long delays during login and logout and can create inconsistent home folders. If you only sync large files at login and logout, this could significantly increase the amount of time it takes for users to log in and out. If users make changes to large files, they must wait for the files to sync before they can finish logging in or logging out. If a number of users are making changes to large files and are simultaneously logging in to a wireless network with limited bandwidth, they can overload the network, further delaying their login.

If you do not sync key folders, this can create inconsistent home folders and confuse your users. For example, as a school administrator, let's say you decide to only sync a student's Documents folder. This means that if students don't
...only the managed bookmarks. You can also use Workgroup Manager to block specific websites instead of blocking all websites. For more information, see "Preventing Access to Adult Websites" on page 217.

To allow access only to specific websites:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Parental Controls, and then click Content Filtering.
5. Set the management setting to Always.
6. Select "Limit access to websites by" and choose "allowing access to the following websites only."
7. Use one of the following methods to add websites that you want to allow access to:
• In Safari, open the site and then drag the icon from the address bar of Safari to the list.
• In Safari, choose Bookmarks > Show All Bookmarks, then drag icons from the bookmark list to the list in Workgroup Manager.
• If you have a webloc file of the website you want to allow access to, drag the file into the list.
• If you don't have a webloc file of the website you want to allow access to, click the Add button and enter the URL of the website you want to allow.
8. In the "Web site title" field, name the
...preference panes by changing the management setting to Never. You can use the Once setting to create default settings. These are settings that, when saved, take effect the next time users log in. Users can then modify their settings and save their modified settings for future use.

To selectively disable preference management:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click the icon for a preference that is being managed.
5. In the pane with the preferences you no longer want to manage, select Never. In Media Access, the management setting applies to all preferences rather than to individual panes.
6. Click Apply Now.

Setting the management setting to Never disables management for the current level in the users, computers, or groups hierarchy. Preferences can still be managed at a different level. When you change the preference management settings, the new settings apply to all items in the active preference pane. To disable all management for an individual preference (for example, Dock), make sure the management setting is set to Never in each pane of that preference.

Managing Access to Applications
Use App
...preferences for this application.
6. Choose a management setting from the "Manage imported preferences" pop-up menu.
7. If you've selected a preference file located in Library/Preferences/ByHost and you've chosen Once or Often from the "Manage imported preferences" pop-up menu, you can select "Import as ByHost preferences."
8. Click Add.
9. If you're asked to replace the manifest, click Replace to replace the manifest. Replacing the manifest changes the underlying manifest file for the application, but it doesn't change existing managed preferences.
10. If you're asked to replace the managed preferences, click Replace to remove existing managed preferences and replace them with preferences from the application you're adding.

Editing Application Preferences with the Preference Editor
You can use the Workgroup Manager preference editor to edit and manage application-specific preferences. An application that follows Apple standard conventions for handling preferences will respect the settings in a preference manifest. For applications without preference manifests, test your settings to make sure they produce the desired results.

Before using the preference editor to manage application preferences, add the application or its preference file to the preference editor's list. For instructions, see "Adding to the Preference Editor's List" on page 232. The preference editor divi
...previously pressed Shift twice, then you press Command and then O, it's the same as pressing Shift-Command-O. Using Caps Lock instead of pressing Shift twice is like pressing Command-O. Pressing Shift a third time removes the Shift key from the current key combination.

If you set up Sticky Keys, you can make them more useful by enabling these options:

Option: Beep when a modifier key is set
Effect: Setting and holding a modifier key makes distinct typewriter sounds. Removing a key from the current key combination doesn't create a sound.

Option: Display pressed keys onscreen
Effect: When a modifier key is pressed, a silhouette of the modifier key is shown onscreen. If the modifier key is only active for a single press, its silhouette is dim. If the modifier key is in held-down mode, its silhouette is bright.

Slow Keys help users who press keys for too long or accidentally press keys. If you enable Slow Keys, you can set a delay before a key is accepted. If the user presses a key for less time than the acceptance delay, the keystroke isn't accepted. To help users recognize when their keystrokes are accepted, enable the "Use click sounds" option to play a sound when the user initially presses a key and a different sound when the key is accepted.

Note: If you enable Universal Access Shortcuts, a user can press the Shift key five times to turn Sticky Keys on or off. For more information, see "Enabling Universal Access Shortcuts" on page 230.

To
...print queues, the user's account must be stored in an Open Directory domain or the local directory domain.

To set a user's print quota for all available print queues enforcing quotas:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. In Print Quota, select All Queues.
5. Enter values for the maximum number of pages the user can print in a specific number of days. For the settings to take effect, the print service queue must enforce quotas.
6. Click Save.

Enabling a User's Access to Specific Print Queues
You can use Workgroup Manager to allow a user to print to all or some of the accessible Mac OS X print queues that enforce quotas. To use Workgroup Manager to enable access to print queues, the user's account must be stored in an Open Directory domain or the local directory domain.

To set a user's print quota for specific print queues enforcing quotas:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3. To authenticate, click the lock and enter the name and pa
...set up an intranet site where everyone in your organization can view the site (allow "Entire directory" to view services) but only group members can edit it (allow "Group members" to edit services). When setting up levels of website access, the users who can edit the website are a subset of the users who can view it. For example, you can't let anyone edit the site and allow only group members to view it.

When you create a group, the URL of the group website and the mailing list email address are based on the short name of the group (shortname hostname com). If you change the group's name after creating it, the URL and mailing list email address do not change. The administrator computer's search policy must include the server that hosts web services.

To enable a group's web services:
1. In Workgroup Manager, click Accounts.
2. Select the group account you want to work with. To select an account, click the globe icon, choose the directory domain where the account resides, click the Groups button, and select the group.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Choose a server from the "Enable the following services for this group on" pop-up menu.
5. Select the services you want to enable. You can only select services that are not disabled by your web server.
6. Choose who can view the group website by using the "can view these services"
...settings. This also allows you to manage at the level of users, groups, computers, or computer groups. The biggest issue with using external accounts for a mobile lab cart scenario is sync over wireless. If you don't carefully set sync settings, the mobile accounts could sync very large files and overload the wireless network.

Securing Mobile Clients
There are several security considerations for mobile clients that do not exist for stationary clients. These considerations are relevant because of the mobility of the users' computers. When they are off your network, you can no longer monitor the actions of malicious users, nor can you control the network environment that your users join.

You can use FileVault to secure the local home folder of a mobile account. If an intruder accesses the computer storing the local home folder while the user isn't logged in, the intruder can't access the contents of the local home folder. For more information, see "Enabling FileVault for Mobile Accounts" on page 205.

Consider taking additional steps to improve your network security and client computer security. For information, see Mac OS X Security Configuration and Mac OS X Server Security Configuration.

Optimizing the File Server for Mobile Accounts
In Server Admin, you can enable an option called Server Side File Tracking for Mobile Home Sync, which reduces the strain on a file server that occurs when mobile accounts sync. When mobile accoun
...share point used for home folders must also be automountable. For instructions, see "Setting Up an Automountable AFP Share Point for Home Folders" on page 117 or "Setting Up an Automountable NFS Share Point for Home Folders" on page 118.

Important: The following procedure requires Mac OS X Server v10.4.3 or later.

To create a custom home folder using Workgroup Manager:
1. Make sure the share point exists and is configured correctly. To have the home folder reside beneath a folder under the share point, use Workgroup Manager or the Finder to create all folders in the path between the share point and where the home folder resides.
2. In Workgroup Manager, click Accounts, and then select the user account you want to work with. To select an account, connect to the server where the account resides, click the globe icon, choose the directory domain where the user account is stored, click the Users button, and then select the user account.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click Home.
5. Click the Add button to add a custom home folder location, or select a location and click the Duplicate (copy icon) button to copy an existing location.
6. In the Mac OS X Server Share Point URL field, enter the full URL to an existing automountable AFP share point where you want the home folder to reside, or leave this field blank for an NFS share point. For example, if the AFP share poi
...sites, click the Add button next to the "Never allow sites at these URLs" list and then enter the URL of the site you want to block. To allow or block a site including all content stored in its subfolders, enter the highest-level URL of the site. For example, allowing http://www.example.com lets the user view all pages in www.example.com. However, blocking http://www.example.com/banned prevents the user from viewing content stored in www.example.com/banned, including all subfolders in banned, but allows the user to view pages in www.example.com that are not in banned.
Click Apply Now.

Allowing Access Only to Specific Websites
You can use Workgroup Manager to allow access only to specific websites on computers with Mac OS X v10.5 or later. If the user tries to visit a website that he or she is not allowed to access, the web browser loads a webpage that lists all sites the user is allowed to access.

To help direct users to allowed sites, the user's bookmarks are replaced by the websites you allow access to. The bookmarks created by allowing access to websites are called managed bookmarks. If the user syncs bookmarks with .Mac, the first time the user syncs he or she is asked if .Mac should merge or replace its bookmarks with the managed bookmarks. If the user merges bookmarks, the .Mac bookmarks will include the original .Mac bookmarks and the managed bookmarks. If the user replaces bookmarks, the .Mac bookmarks will include
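The prefix rule described above (an allowed high-level URL covers every page beneath it; a blocked sub-path covers only that subtree) as an added Python example, not Apple's code and not part of the manual. It generalizes the rule to "the most specific matching entry wins" (blocks win ties) and returns None when no list entry covers a URL, so a caller can fall back to the pane's default behaviour; the sample lists are constructed.

```python
"""Prefix matching for Parental Controls website lists (added example, not Apple's code).

Models the documented rule: allowing a high-level URL covers every page beneath it,
and a "Never allow" entry for a sub-path blocks only that subtree. Generalized here
to "the most specific matching entry wins"; blocks win ties.
"""
from urllib.parse import urlsplit


def normalize(url):
    """Split a list entry or visited URL into (lowercased host, normalized path)."""
    if "://" not in url:
        url = "http://" + url          # list entries may be typed without a scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Drop trailing slashes so "/banned/" and "/banned" describe the same folder.
    path = parts.path.rstrip("/") or "/"
    return host, path


def covers(rule, target):
    """True when list entry `rule` applies to `target` (same host, same folder or a subfolder).

    Matching is per path segment, so an entry for /banned does not cover /banned-news.
    """
    rule_host, rule_path = rule
    target_host, target_path = target
    if rule_host != target_host:
        return False
    if rule_path == "/":
        return True                     # a site-level entry covers the whole host
    return target_path == rule_path or target_path.startswith(rule_path + "/")


def specificity(rule):
    """Number of path segments in a list entry; deeper entries override shallower ones."""
    _, path = rule
    return 0 if path == "/" else path.count("/")


def decide(url, always_allow, never_allow):
    """Return "allow", "block", or None when no list entry covers the URL.

    None lets the caller fall back to the pane's default behaviour (the automatic
    adult-content filter, or "block everything not listed" in allow-only mode).
    """
    target = normalize(url)
    best = None  # (specificity, verdict)
    # Blocks are evaluated first so that, on equal specificity, the block wins.
    for verdict, entries in (("block", never_allow), ("allow", always_allow)):
        for entry in entries:
            rule = normalize(entry)
            if covers(rule, target):
                spec = specificity(rule)
                if best is None or spec > best[0]:
                    best = (spec, verdict)
    return None if best is None else best[1]


# Constructed sample lists mirroring the manual's example site.
ALWAYS_ALLOW = ["http://www.example.com"]
NEVER_ALLOW = ["http://www.example.com/banned"]

if __name__ == "__main__":
    for visited in ("http://www.example.com/news/today.html",
                    "http://www.example.com/banned/page.html",
                    "http://www.example.com/banned-news",
                    "http://other.example.com/"):
        print(visited, "->", decide(visited, ALWAYS_ALLOW, NEVER_ALLOW))
```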
...the owner to root and give the owner Read & Write permission. Set the group to the user's primary group (which is normally staff) and give the group Read & Write permission. Set the permission for everyone else to None. For instructions, see "Setting Up an SMB Share Point" on page 119.

Instead of storing a roaming profile in a share point on a server, you can designate the location of a local profile stored on the Windows computer.

To change the Windows roaming profile location for a user account:
1. In Workgroup Manager, click Accounts.
2. Open the user account whose profile location you want to change. To open a user account in the PDC, click the globe icon and choose the PDC server's LDAP directory.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click Windows and enter the new profile location in the User Profile Path field.
• To use the default share point for user profiles, leave this field blank.
• For a roaming profile stored in a different share point, enter the location of the share point using the universal naming convention (UNC) format: \\servername\sharename\usershortname. For servername, substitute the NetBIOS name of the PDC server or a Windows domain member server where the share point is located. To view the server's NetBIOS name, open Server Admin, select SMB in the Servers list, click Settings, cl
...then click Creation. Set the management setting to Always. Select "Create mobile account when user logs in to network account." This option must be selected to enable a mobile account for the selected account.

To allow the user to choose not to create a local home folder, so that instead of a mobile account the user logs in with a network account, select "Require confirmation before creating mobile account." If you require a master password but the user logs in to computers without master passwords set, selecting this allows the user to log in with a network account.

Click Options. Select "Encrypt contents with FileVault," then select "Use master password if available" or "Require computer master password." If you select "Use master password if available," the mobile account uses FileVault regardless of whether there is a master password already set. If you select "Require computer master password" and there is no master password set, the user might be able to log in with a network account, depending on whether you selected "Require confirmation before creating mobile account" in the Creation pane.

To restrict the size of the local home folder, select "Restrict size" and select "to fixed size" or "to percentage of network home quota," then enter a value that is less than the size of your network home folder's disk quota. If you didn't set a disk quota, select "to fixed size." For
...to

To change the Windows home folder drive letter for a user account:
1. In Workgroup Manager, click Accounts.
2. Open the user account whose Windows home folder drive letter you want to change. To open a user account in the PDC, click the globe icon and choose the PDC server's LDAP directory.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click Windows and choose a drive letter from the Hard Drive pop-up menu. The default drive letter is H. Windows uses the drive letter to identify the mounted home folder.
5. Click Save.

Changing a Windows User's Home Folder Location
You can change where a Windows user's network home folder is stored. By default, the network home folder is the same for Windows as it is for Mac OS X, and its location is specified in the Home pane. For more information, see "Setting Up a Home Folder for a Windows User" on page 127.

Working with GUIDs
Although you can view and modify most user account attributes using the Accounts pane in Workgroup Manager, you must use the Inspector to view and modify GUIDs.

Viewing GUIDs
GUIDs are stored in the directory domain and are not immediately visible in Workgroup Manager. To view GUIDs, you must first enable the Inspector in Workgroup Manager. For instructions on using the Inspector, see Open Directory Administration.

WARNING: Although the Inspector allows you to edit GUIDs, it is not recommended. Doing so dest
...to edit the user ID of an account stored in an Open Directory domain or in the local directory domain. You can also use Workgroup Manager to review the user ID in any directory domain accessible from the server you're using.

To change a user ID in Workgroup Manager:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select an account, click the globe icon above the accounts list, choose the directory domain where the user's account resides, and then select the user.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. In the Basic pane, specify a value in the User ID field. Make sure the value is unique for all directory domains set in the search policy of computers that the user logs in to. Workgroup Manager warns you if you change the value to another user ID in the same directory domain. You can quickly find all existing user IDs by choosing View > Show System Users and Groups and then clicking the UID column header in the accounts list to sort the accounts by user ID.

Assigning a Password to a User
When you create a user account, you must assign a password to the user. You can reset the user's password by replacing the password field with a new password. For information about choosing secure passwords, see Mac OS X Security Configuration. When you export user accounts using Workgroup Manager
...to set privileges.

Removing Administrative Privileges from a User
Users with no administrative privileges can use Workgroup Manager to view, but not change, accounts in a directory domain. You can change a user's domain privileges for LDAPv3 directory domains. You can't change privileges for a local user account or an account stored in a non-LDAPv3 directory domain.

To remove a user's administrative privileges:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select an account, click the globe icon above the accounts list, choose the directory domain where the user's account resides, and then select the user.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. In Privileges, choose None from the "Administration capabilities" pop-up menu and click Save.

Giving a User Limited Administrative Capabilities
You can allow users who don't need full administrative control the ability to perform common administrative tasks by giving them limited administrative control. For example, you might want student lab assistants to reset other students' passwords but not to edit the groups they belong to. Similarly, you might want school staff to edit student user information but not their managed preferences. When a user has limited administrative control, after authenticating in Workgroup Manager the Workgroup Manager interface only allows users to perfor
...user login, to provide password hints, and to control the user's ability to restart and shut down the computer from the login window. You can also mount a group volume or set applications to open when a user logs in.

The table below summarizes what you can do with settings in each Login pane.

Login preference pane: Window (for computers and computer groups only)
What you can control: The appearance of the login window, such as the heading message, which users are listed if the List of users is specified, and the ability to restart or shut down.

Login preference pane: Options (for computers and computer groups only)
What you can control: Login window options like enabling password hints, automatic login, console, fast user switching, inactivity log out, disabling of management, setting the computer name to match the computer record, and external account login.

Login preference pane: Access (for computers and computer groups only)
What you can control: Who can log in, if local users can use workgroup settings, and the combination and selection of workgroups.

Login preference pane: Scripts (for computers and computer groups only)
What you can control: Specify a script to run during login or logout, and whether to execute or disable the client computer's own LoginHook or LogoutHook scripts.

Login preference pane: Items
What you can control: Access to the group volume, which applications open automatically for the user, and if users can add or remove login items.

Scripts, Login Window, and Options can be managed for computers only, not for users or groups.

Changing the Appearance of the Login Window
Yo
You must assign a single server for every type of proxy server; for example, you can't have multiple FTP proxy servers.

To configure proxy servers for a user or a group:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Network, and then click Proxies.
5. Set the management setting to Always.
6. Select the specific type of proxy you want to configure (FTP, Web, and so on).
7. Specify a URL and a port using the form proxyserver.apple.com:8080.
8. Click Apply Now.

Allowing Users to Bypass Proxy Servers for Specific Domains
When managing Network preferences for users, you can allow them to bypass proxy settings for specific hosts or domains. Bypassing the proxy server lets users connect directly to specified addresses. You must set up a proxy server before you can bypass it. For instructions, see "Configuring Proxy Servers by Port" on page 213.

To choose the domains that users can access directly:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock a
...11, "Solving Problems."

Planning Strategies for User Management
The following are planning activities to undertake before you implement user management.

Analyzing Your Environment
Your environment defines your user management settings, including:
• Size and distribution of your network
• Number of users who access your network
• Type of computers used (Mac OS X or Windows)
• How client computers are used
• Which computers are mobile
• Which users should have administrator privileges
• Which users should have access to particular computers
• What services and resources users need, such as mail or access to data storage
• How to divide users into groups, for example by class topic or job function
• How to group computers, such as all computers in a public lab

Identifying Directory Services Requirements
Identify the directories where you'll store user and group accounts, computers, and computer groups.
• Set up an Open Directory master and replicas to host a Lightweight Directory Access Protocol (LDAP) directory for storing other user accounts, group accounts, computers, and computer groups on your network. For information about password handling options, see Open Directory Administration.
• If you have an earlier version of an Apple server, you might be able to migrate existing records. For available options, see Updating and Migrating.
• If you have an LDAP or Active Direc
Identifying Directory Services Requirements
Determining Server and Storage Requirements
Choosing a Home Folder Structure
Devising a Home Folder Distribution Strategy
Identifying Groups
Determining Administrator Requirements
Getting Started with Workgroup Manager
Configuring the Administrator's Computer and Account
Setting Up an Administrator Computer
Creating a Domain Administrator Account
Using Workgroup Manager
Using Mac OS X Server v10.5 to Administer Earlier Versions of Mac OS X
Connecting and Authenticating to Directory Domains in Workgroup Manager
Major Workgroup Manager Tasks
Modifying Workgroup Manager Preferences
Finding and Listing Accounts
Working with Account Lists in Workgroup Manager
Listing Accounts in the Local Directory Domain
Listing Accounts in Search Policy Directory Domains
Listing Accounts in Available Directory Domains
Refreshing Account Lists
Finding Specific Accounts in a List
Using Advanced Search
Sorting Users and Groups
Shortcuts for Working with Accounts
Using Presets
Editing Multiple Accounts Simultaneously
Importing and Exporting Account Information
Setting Up User Accounts
About User Accounts
Where User Accounts Are Stored
Predefined User Accounts
Administering User Accounts
Creating User Accounts
Editing User Account Information
Working with Read-Only User Accounts
Working with Guest Users
Working with Windows User Ac
...8 hours. If you set a curfew, users can't log in during the days and times you specify. If a user is logged in when their curfew starts, the user is immediately logged out. You can set different times for weekdays (denying access Sunday nights through Thursday nights) and weekends (Friday and Saturday nights).

To set time limits and curfews:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Parental Controls, and then click Time Limits.
5. Set the management setting to Always, and then select "Enforce limits."
6. To set time limits, click Allowances, then under Weekdays or Weekends select "Limit computer use to" and drag the slider to the amount of time you want to limit use to.
7. To set curfews, click Curfews, select "Sunday through Thursday" or "Friday and Saturday," and then enter the range of time when you want to prevent computer access. You can highlight the time and replace it with a new time, or you can highlight the time and click the up or down buttons next to the time.
8. Click Apply Now.

Managing Printing Preferences
Use Printing preferences to create printer lists and manage access to printers. The table below des
Designing the Login Experience
An example of the power of preference management is the ability to shape and control the user's login experience. You can set up Login preferences for computers and computer groups to control the appearance of the login window. The following table provides example configurations of the login window and login options to suit your environment.

Environment: Kiosk
Desired effect: The computer should always be logged in as a local or guest account. Users can also log in with their personal accounts, either externally or by using network accounts.
Key login settings:
• Show Other
• Don't show Restart or Shut Down buttons
• Don't show password hint
• Enable automatic login
• Don't enable ">console" login
• Don't log out inactive users
• Enable external accounts
• Enable guest account

Environment: Educational lab
Desired effect: Users should be able to select their account from a list. People without accounts shouldn't be able to shut down or restart the computer. Inactive users should be automatically logged out.
Key login settings:
• Message: "Welcome to the Math Lab"
• Show mobile accounts and network users
• Don't show Restart or Shut Down buttons
• Don't show password hint
• Don't enable automatic login
• Log out inactive users
• Enable external accounts

Environment: Corporate workstation
Desired effect: Users must enter their
Key login settings:
• Message: "If y
...Folder that contains the Mac OS 9 operating system. When users run Classic applications, they are running Mac OS 9 from the Classic System Folder. Classic can be run on Mac OS X v10.4 or earlier.

The table below describes what settings in each Classic pane can do.

Classic preference pane: Startup
What you can control: Which folder is the Classic System Folder, and what occurs when Classic starts.

Classic preference pane: Advanced
What you can control: Items in the Apple menu, Classic sleep settings, and the user's ability to turn off extensions or rebuild the Classic desktop file during startup.

Selecting Classic Startup Options
Workgroup Manager provides a number of ways to control how and when the Classic environment starts. If users often work with applications that run in Classic, it is convenient to have Classic start up immediately when a user logs in. If users rarely need Classic, you can have Classic start only when a user opens a Classic application or a document that requires such an application. You can also choose to display an alert when Classic starts, giving users the option to cancel Classic startup.

To work with various startup options for Classic:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain a
94. To authenticate, click the lock and enter the name and password of a directory domain administrator. Click Home, then in the share points list select the share point you want to use. The list displays all automountable, network-visible share points in the search policy of the server you are connected to, as well as custom home folder locations in the directory domain. If the share point you want to select is not listed, try clicking Refresh. If the share point still does not appear, it might not be automountable. Set up the share point to have a network mount record configured for home folders, as described in step 1, or create a custom home folder location, as described in "Creating a Custom Location for Home Folders" on page 124. Optionally, enter a disk quota and specify megabytes (MB) or gigabytes (GB). Click Create Home Now, and then click Save. For AFP share points, if you do not click Create Home Now before clicking Save, the home folder is created the next time the user logs in remotely. For NFS share points, you are required to click Create Home Now before clicking Save. The home folder has the same name as the user's first short name. If the home folder is in a new NFS share point, make sure the user restarts his or her computer so the share point is visible. When the user logs in using SSH to obtain command-line access to the server, the user's home folder is mounted.

From the Command Line
You can al
95. In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more users, groups, computers, or computer groups. Click Applications, and then click Widgets. Set the management setting to Always. Select "Allow only the following Dashboard widgets to run." To allow specific widgets, click the Add button, select the widget's .wdgt file, and then click Add. The widgets included with Mac OS X are in /Library/Widgets/. To prevent users from opening specific widgets, select the widget and click the Remove button. Click Apply Now.

Disabling Front Row
With Workgroup Manager, you can disable Front Row.

To disable Front Row:
In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more users, groups, computers, or computer groups. Click Applications, and then click Front Row. Set the management setting to Always. Deselect Allow Front Row. Click Apply Now.

Allowing Legacy Users to Open Specific App
96. Management Overview introduces client management tools and concepts, such as how to customize a user's work environment and provide user access to network resources. Chapter 10, "Managing Preferences," describes how to use Workgroup Manager to control preference settings for users, groups, computers, and computer groups that use Mac OS X. Chapter 11, "Solving Problems," helps you address issues involving account creation, home folder maintenance, preference management, and client setup, and also helps you solve problems encountered by managed clients. In addition, the appendix, "Importing and Exporting Account Information," provides information you'll need when you want to transfer account information to or from an external file. Finally, the glossary defines terms you'll encounter as you read this guide.

Note: Because Apple periodically releases new versions and updates to its software, images shown in this book may be different from what you see on your screen.

Preface About This Guide

Using Onscreen Help
You can get task instructions onscreen in the Help Viewer application while you're managing Leopard Server. You can view help on a server or an administrator computer. (An administrator computer is a Mac OS X computer with Leopard Server administration software installed on it.)

To get help for an advanced configuration of Leopard Server:
Open Server Admin or Workgroup Manager, and then:
• Use the Help menu to search f
97. Manager includes the following preferences.

Preference: Resolve DNS names when possible
Description: Default on. Disabling this preference causes Workgroup Manager to stop resolving DNS names when writing data. If you're having DNS issues, disabling this can help mitigate the effect of those DNS issues, but you should fix those issues.

Preference: Show "All Records" tab and Inspector
Description: Default off. Enabling this preference enables the Inspector. The Inspector allows you to see and edit directory data not otherwise visible in Workgroup Manager. For more information, see Open Directory Administration.

Preference: Limit search results to requested records
Description: Default off. When you don't enter anything in the search field, by default Workgroup Manager lists all user records in the selected directory domain. Disabling this preference requires you to enter, without quotes, to list all records, which can expedite working with large directory domains in Workgroup Manager because Workgroup Manager doesn't automatically list all records.

Preference: List a maximum of records
Description: Default off. Enabling this preference limits the maximum number of search results to a number you specify. Enabling this preference and setting a reasonable maximum number can improve Workgroup Manager performance. However, setting the number too low can cause you to overlook the total number of matches.

To set Workgroup Manager preferences:
In Workgroup Manager, choose Workgroup
98. P: Apple Filing Protocol. A client/server protocol used by Apple file service to share files and network services. AFP uses TCP/IP and other protocols to support communication between computers on a network.
Apple Filing Protocol: See AFP.
automount: To make a share point appear automatically on a client computer. See also mount.
blog: A webpage that presents chronologically ordered entries. Often used as an electronic journal or newsletter.
BSD: Berkeley Software Distribution. A version of UNIX on which Mac OS X software is based.
child: A computer that gets configuration information from the shared directory domain of a parent.

Glossary

computer account: A computer account stores data that allows Mac OS X Server to identify and manage an individual computer. You create a computer account for each computer that you intend to add to a computer group. See also computer group.
computer group: A set of computers and computer groups which all receive the managed preference settings defined for the group. New in Mac OS X Server version 10.5. See also computer list.
computer list: A set of computers that all receive the managed preference settings defined for the list and that are all available to a particular set of users and groups. A computer can be a member of only one computer list. Computer lists are created in Mac OS X Server version 10.4 or earlier. See also computer group.
DHCP: Dynamic Host Configuration Protocol. A prot
99. POP mail, it's stored on the user's computer and is usually deleted automatically from the mail server.
portable home directory: A portable home directory provides a user with both a local and network home folder. The contents of these two home folders, as well as the user's directory and authentication information, can be automatically kept in sync.
POSIX: Portable Operating System Interface for UNIX. A family of open system standards based on UNIX, which allows applications to be written to a single target environment in which they can run unchanged on a variety of systems.
predefined accounts: User accounts that are created automatically when you install Mac OS X. Some group accounts are also predefined.
preference manifest: A file that describes the structure of and default values for an application's preferences (for example, what the various preference keys do). Workgroup Manager's preferences editor uses these files to make it easier for an administrator to edit an application's managed preferences.
preferences cache: A storage place for computer preferences and preferences for groups associated with that computer. Cached preferences help you manage local user accounts on portable computers.
presets: Default attributes you specify for accounts you create using Workgroup Manager. You can use presets only during account creation.
primary domain controller: See PDC.
primary group: A user's default group. The file system uses the ID of the p
100. Preference Management Basics
Managing User Preferences
Managing Group Preferences
Managing Computer Preferences
Managing Computer Group Preferences
Disabling Management for Specific Preferences
Managing Access to Applications
Controlling User Access to Specific Applications and Folders
Allowing Specific Dashboard Widgets
Disabling Front Row
Allowing Legacy Users to Open Specific Applications and Folders
Managing Classic Preferences
Selecting Classic Startup Options
Choosing a Classic System Folder
Allowing Special Actions During Restart
Controlling Access to Classic Apple Menu Items

Contents

Adjusting Classic Sleep Settings
Maintaining Consistent User Preferences for Classic
Managing Dock Preferences
Controlling the User's Dock
Providing Easy Access to Group Folders
Adding Items to a User's Dock
Preventing Users from Adding or Deleting Dock Items
Managing Energy Saver Preferences
Using Sleep and Wake Settings for Desktop Computers
Setting Energy Saver Settings for Portable Computers
Displaying Battery Status to Users
Scheduling Automatic Startup, Shutdown, or Sleep
Managing Finder Preferences
Setting Up Simple Finder
Keeping Disks and Servers from Appearing on the User's Desktop
Controlling the Behavior of Finder Windo
101. Sharing enabled. If users also have network accounts, you might prefer that they log in through their local accounts to reduce network traffic. They can connect to their network accounts through the Connect to Server command in the Finder Go menu.

Using Mac OS X Portable Computers with Multiple Users
Although mobile accounts are best suited for portable computers, there are a few situations in which using local accounts provides advantages over using mobile accounts. For example, a school's wireless mobile lab might consist of 20 to 30 MacBooks, an instructor's computer, an AirPort Extreme Base Station, and a printer, all located on a mobile cart. Because all of these computers are on a mobile cart, the school could use this lab for multiple classrooms throughout the campus.

Chapter 8 Managing Portable Computers

When using a wireless mobile lab, it is very difficult to control who uses specific computers. Unlike personal portable computers, where you know who uses which computer, or with stationary computers, where you can assign seating charts, it is hard to consistently use a distribution scheme for a wireless mobile lab. You could use stickers to label the computers and control distribution, but teachers would still need to monitor distribution to ensure students don't take the wrong computer. When users create a portable home directory, they create a local home folder on the computer, using some of the computer's hard disk space
102. To add a share point to the list, click the Add button and enter the requested information. In the URL field, enter the full URL to the share point where you want the group folder to reside. For example, to identify an AFP share point named SchoolGroups on a server whose DNS name is myserver.example.com, enter afp://myserver.example.com/SchoolGroups. If you are not using DNS, replace the DNS name of the server hosting the group folder with the server's IP address: afp://192.168.2.1/SchoolGroups. In the Path field, enter the path from the share point to the group folder, including the group folder but excluding the share point. Do not put a slash at the beginning or at the end of the path. For example, if the share point is SchoolGroups and the full path to the group folder is SchoolGroups/StudentGroups/SecondGrade, enter StudentGroups/SecondGrade in the Path field.

Note: Configuring a group folder share point with a network mount record does not cause the group folder to mount when a group member logs in. You can provide easy access to a group folder by managing Dock or login preferences for the group.

Chapter 5 Setting Up Group Accounts

6. In the Owner Name fields, enter the short name and long name of the user you want to assign as the owner of the group folder, so the user can act as group folder administrator. To choose an owner from a list of users in the current directory domain, click the Browse button. Click
103. User IDs
A user ID is a number that uniquely identifies a user. Mac OS X computers use the user ID to track a user's folder and file ownership. When a user creates a folder or file, the user ID is stored as the ID of the user who created the folder or file. This user ID has read and write permissions to the folder or file by default. The user ID should be a unique string of digits from 500 through 2,147,483,647. It is risky to assign the same user ID to different users, because two users with the same user ID have identical directory and file permissions. User IDs between 0 and 100 are reserved for system use and should not be deleted or modified, except to change the password of the root user. Accounts with user IDs below 100 aren't listed in the login window. In general, after user IDs are assigned and users start creating files and folders, you shouldn't change user IDs. However, one possible scenario where you might need to change a user ID is when merging users that were created on different servers onto a new server or cluster of servers. The same user ID might still be associated with a different user on the previous server. When you create a user account in a shared directory domain, Workgroup Manager assigns a user ID. The value assigned is an unused user ID 1025 or greater in the server's search policy. Users created using the Accounts pane of System Preferences are assigned user IDs starting at 501. You can use Workgroup Manager
104. account resides, and then select the user account in the accounts list. To authenticate, click the lock and enter the name and password of a directory domain administrator. Click Groups, and then click the Add button. This opens a drawer that lists the groups defined in the directory domain you're working with. Select the group, and then drag it to the Other Groups list in the Groups pane.

Removing a User from a Group
You can use Workgroup Manager to remove a user from a group if the user and group accounts reside in an Open Directory domain or the local directory domain.

To remove a user from a group using Workgroup Manager:
In Workgroup Manager, click Accounts. Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list. To authenticate, click the lock and enter the name and password of a directory domain administrator. Click Groups. Select the groups you want to remove the user from, and then click the Remove button. You can also remove users from a group by using the Members pane of group accounts. For more information, see "Removing Group Members" on page 100.

Working with Home Settings
Home settings describe a user's home folder attributes. If you don't have a share point set up to host home folders, you must set one up. To set up share points, use Server Admin. To set up hom
105. accounts using Workgroup Manager:
In Workgroup Manager, click Accounts. Make sure that the directory services of the Mac OS X Server you're using are configured to access the desired directory domain. For instructions, see Open Directory Administration. Click the globe icon, and then choose the domain where you want to import accounts. To authenticate, click the lock and enter the name and password of a directory domain administrator. Select the accounts to export. To choose multiple accounts to export, select the accounts while holding the Command or Shift key. Choose Server > Export. 7. Specify the name to assign to the export file and where you want to create it. To browse to a location for storing the export file, click the disclosure triangle. Click Export.

Using XML Files Created with Mac OS X Server v10.1 or Earlier
You can use Server Admin in Mac OS X Server v10.1 or earlier to create an export file and import that file into an Open Directory domain using Workgroup Manager or dsimport. The following user account attributes are exported into the XML files. An error occurs when you import a file with missing required attributes.
• Indication of whether user can log in
• Indication of whether user is a server administrator
• User ID (required)
• Primary group ID (required)
• Shell
• Comment
• Short name (required)
• Long name (required)
• Password format (required) and password text (required)
• Apple mail data
• ARA A
106. actions when a user logs in or logs out. Because login or logout scripts run as root, they are very powerful. Test your scripts to make sure they don't negatively impact system settings or damage user files. You can add a login script to a computer in two ways:
• Add a LoginHook script to a specific computer.
• Apply a login script to a computer or computer group using Workgroup Manager.

When enabling the use of login and logout scripts, you can set a trust value for the client. Trust values determine the required level of authentication before a client trusts a server enough to run its scripts. Most trust values directly correlate to LDAP security policy settings that are configured in Directory Utility. The trust value of DHCP doesn't correlate to a security policy. Instead, it correlates to whether Directory Utility is configured to use a DHCP-supplied LDAP server. The trust value of Authenticated requires that you set up trusted binding to an LDAP directory. For more information about how to use Directory Utility to enable LDAP security policies, using DHCP-supplied LDAP, or setting up trusted binding, see Open Directory Administration. The following table lists valid trust values and describes their requirements. The table is arranged in order of increasing trust, where the last entry requires the highest level of trust.

Trust value name: Anonymous
Requirements: The client trusts any directo
107. age 121.
Step 4: Set up the directory services of the client computers so their search policy includes the shared directory domain on the accounts server. For information about configuring search policies, see Open Directory Administration. When a user restarts his or her computer and logs in using the account in the shared domain, the home folder is created automatically (if it hasn't already been created) on the appropriate server and is visible on the user's computer.

Administering Share Points
A share point is a hard disk (or hard disk partition), disc media, or folder that contains files you want users to share. You can use share points to host home folders.

Setting Up a Share Point
You can use Server Admin to set up share points and then use the share points to host local home folders. Or you can mount the share point so it hosts network home folders.

To set up a share point:
Open Server Admin and connect to the server where you want to host the share point. To connect to the server, choose Server > Connect, enter the server address in the Address field, and then authenticate as a server administrator. If you're already connected, you'll see Disconnect instead of Connect in the Server menu. Select the server and click File Sharing. Click Volumes, then display folders within volumes by clicking Browse. Select the volume or folder that will become a share point. To create a folder, select a parent folder or volume and click New
108. age 139.
To choose folders to sync at login and logout or in the background:
In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more users, groups, computers, or computer groups. Click Mobility, click Rules, and then click Login & Logout Sync or Background Sync. Select a management setting. Select "Sync at login and logout" or "Sync in the background," depending on which pane you're in. To add folders, click the Add button for the "Sync at login and logout" and "Sync in the background" lists, and then enter the path to the folder that you want to sync. Precede the folder with to denote the location of the synced folder in the user's home folder. For example, to sync the user's Documents folder, enter Documents. Alternatively, click the Browse button for the "Sync at login and logout" and "Sync in the background" lists to browse to a folder. Because you are browsing the computer currently running Workgroup Manager, you might choose a folder that is not located in the user's account. If you choose a folder that doesn't exist in the user's account, no files are synced. To choose not to sync specific files o
109. age Universal Access settings for specific workgroups or computers dedicated to users with special needs. The table below describes what the settings in each Universal Access pane can do.

Universal Access preference pane: Seeing
What you can control: Visual display and desktop zooming.

Universal Access preference pane: Hearing
What you can control: Visual alert for users.

Universal Access preference pane: Keyboard
What you can control: How the keyboard responds to keystrokes and key combinations.

Universal Access preference pane: Mouse
What you can control: How the pointer responds and whether users can use the numeric keypad instead of a mouse.

Universal Access preference pane: Options
What you can control: Shortcut key combinations, the use of assistive devices, and whether the computer reads text in the Universal Access preference pane.

Adjusting the User's Display Settings
The Seeing settings in Universal Access preferences alter the appearance of the screen. The user can easily zoom in or out on the desktop using keyboard shortcuts (specific key combinations). Changing to grayscale or white-on-black display can sometimes make it easier to read text on the screen.

Note: If display settings are managed Once, users can switch between the zoom or color options using keyboard shortcuts. If the management setting is Always, users can't switch between options.

To further customize the user's display, you can use Finder Views preferences to control the size of icons in Finder windows, and use Dock Display preferences to enlarge or magnify icons in the user's Dock. For more information, see "Managing Finder Preferences" on page 182 and
110. alidate the password associated with the account. If the password is validated, the user is authenticated and the login or connection process is completed. Mac OS X Server validates passwords using Kerberos, Open Directory Password Server, shadow passwords, and crypt passwords. For more information about types of directory domains and instructions for configuring search policies, see Open Directory Administration. This guide also discusses authentication methods and provides instructions for setting up user authentication options.

Information Access Control
To control access to information, a universal ID called a globally unique identifier (GUID) provides user and group identity for access control list (ACL) permissions. An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user, and how these permissions are propagated throughout a folder hierarchy. The GUID also associates a user with group and hierarchical group memberships.

Chapter 1 User Management Overview

Prior to Mac OS X v10.4, Mac OS X used user ID and POSIX permissions to track folder and file permissions. In Mac OS X, folders or files include POSIX permissions for entities such as:
• Owner
• Group
• Everyone else

Because GUIDs are 128-bit values, duplicate GUIDs are extremely unlikely. Unlike ACL permissions, POSIX permissions can cause file ownership and group membership issues when multiple users
111. an handle PDF files, the user can open that application first and then open the file. To make sure commonly used applications are available to users, groups, or lists of computers, use Workgroup Manager to add the application to the list of permitted applications in the Applications pane of Preferences. For more information, see "Controlling User Access to Specific Applications and Folders" on page 165.

If Users Can't Add Printers to a Printer List
If you manage Printing preferences, you can allow users to add printers to the list of printers in Print & Fax System Preferences. In Printing preferences, select "Allow user to modify the printer list." If you don't select this, an administrator name and password is required to add or remove printers in Print & Fax System Preferences.

Note: When a user tries to print a document from an application, the printer the user added does not appear in the list of available printers. For more information, see "Preventing Users from Modifying the Printer List" on page 221.

You can also make printers available or unavailable to specific users, groups, or lists of computers by using the Printer List pane of Printing preferences. For more information, see "Making Printers Available to Users" on page 221.

If Login Items Added by a User Don't Open
In Workgroup Manager, you can use the Items pane of Login preferences to specify items that open when a user logs in. The items that ope
112. anagement

To upgrade computer lists to computer groups:
1. In Workgroup Manager, click Accounts, click the Computer Groups button, and then select a computer list.
2. In the Basic pane, click Upgrade Computer List to Group.

Chapter 6 Setting Up Computers and Computer Groups

Setting Up Home Folders
This chapter provides guidelines for setting up and managing home folders. Mac OS X uses the home folder (a folder for a user's personal use) to store the user's application preferences and personal files, like documents and music. To set up share points that host home folders, you can use Server Admin. After setting up share points, you can then use Workgroup Manager to set up home folders on the share points.

About Home Folders
You can set up Mac OS X home folders so they can be accessed by Apple Filing Protocol (AFP) or Network File System (NFS). To set up a home folder for a user in Workgroup Manager, use the Home pane when viewing a user's account. You can also import user home folder settings from a file. For an explanation of how to work with import files, see the appendix, "Importing and Exporting Account Information." A user's home folder doesn't need to be stored on the same server as the directory domain containing the user's account. In fact, distributing directory domains and home folders across various servers can help balance the workload. For more information, see "Distributing Home Folders Across Multipl
113. and Folders" on page 168. This list determines what users find in the My Applications folder located in the Dock. To prevent users from opening a Finder window to easily browse to other applications, use Simple Finder. For more information about using Simple Finder, see "Setting Up Simple Finder" on page 182. If you created a group folder, you can set up quick access to the folder when a user logs in to the workgroup associated with the folder. Users can use this group folder to facilitate file sharing between group members. For instructions on creating an alias for the group folder, see "Providing Easy Access to Group Folders" on page 175. To provide access to the group volume, which contains the Public folder and a drop box for the group, see "Providing Easy Access to the Group Share Point" on page 199.

Managing Preferences
This chapter provides information about managing preferences for users, workgroups, computers, and computer groups. By managing preferences for users, workgroups, computers, and computer groups, you can customize the user's experience and restrict user access to only the applications and network resources you choose. To manage preferences, use the Preferences pane in Workgroup Manager. For an overview of how to use managed preferences to customize the user experience, see "The Power of Preferences" on page 149.
114. are denoted by a disclosure triangle. When you click the disclosure triangle, you'll see a list of helper applications. By default, these helper applications are allowed to open. You can disable individual helper applications, but the application may behave erratically if it requires the helper applications. To allow or prevent users from launching an application, add the application or application path to one of three lists:
• Always allow these applications: Add applications that should always be allowed, regardless of their inclusion in other lists. You can sign applications added to this list. Don't add unsigned applications to this list, because they allow users to disguise unapproved applications as approved applications.
• Disallow applications within these folders: Add applications and folders containing applications you want to prevent users from opening. All applications in the subfolders of a disallowed folder are also disallowed. Disallowing a folder within an application package can cause the application to behave erratically or fail to load.
• Allow applications within these folders: Add applications and folders containing applications you want to allow. All applications in the subfolders of an allowed folder are also allowed. Unlike applications in the "Always allow these applications" list, applications listed here are not allowed if they or their paths are listed in the "Disallow applications within these folders" list. If
115. are point to use, and then do the following:
• In the share points list, select Users or the share point you want to use, and then click Create Home Now. If you want to select Users but it isn't listed, click the Add button, and then in the Full Path field enter /Users/usershortname. Replace usershortname with the first short name of the user account you're configuring.

Chapter 7 Setting Up Home Folders

• Optionally, enter a disk quota for the user's home folder and specify megabytes (MB) or gigabytes (GB).
Important: This quota also applies to the user's roaming profile if it's on the same volume as the home folder. Make sure the quota is adequate for both folders for an entire work session. A user's profile folder includes the My Documents folder and the Internet Explorer cache, which often use considerable disk space. For more information, see "Setting Disk Quotas for Windows Users to Avoid Data Loss" on page 130.

3. Click Windows and enter the home folder location in the Path field.
• To use the same home folder for Windows login and Mac OS X login, leave Path blank. You can also specify this home folder by entering a UNC path that doesn't include a share point: \\servername\usershortname. Replace servername with the NetBIOS name of the PDC server or a Windows domain member server where the share point is located. You can see the server's NetBIOS name by opening Server Admin and clicking SMB in the S
116. are stored in the directory domain you're viewing. If you change directory domains, the presets you created in the other directory domain are not available. When importing accounts, you can apply a preset to the imported account. For more information, see "Using Workgroup Manager to Import Accounts" on page 253.

To create an account using a preset:
In Workgroup Manager, click Accounts. Click the globe icon, and then choose the directory domain where you want the new account to reside. Make sure the directory domain you choose contains the preset you want to use. To authenticate, click the lock, and then enter the name and password of a directory domain administrator. Click the Users, Groups, or Computer Groups button. From the Presets pop-up menu, choose a preset. To create accounts, click New User, New Group, or New Computer Group. Add or update attribute values.

Renaming Presets
You can name presets to help remind you of template settings or to identify the type of user account, group account, or computer group that the preset is best suited for.

To rename a preset:
In Workgroup Manager, click Accounts. Click the globe icon, and then choose the directory domain that has the preset you want to rename. To authenticate, click the lock and enter the name and password of a directory domain administrator. From the Presets pop-up menu, choose Rename Preset. Choose a preset from the "Rename preset" pop-up menu, enter a name, a
117. ased on IP address, and also supports single sign-on (SSO) authentication through Kerberos.
NTP (Network Time Protocol): A network protocol used to synchronize the clocks of computers across a network to some time reference clock. NTP is used to ensure that all the computers on a network are reporting the same time.
Open Directory: The Apple directory services architecture, which can access authoritative information about users and network resources from directory domains that use LDAP, Active Directory protocols, or BSD configuration files and network services.
Open Directory master: A server that provides LDAP directory service, Kerberos authentication service, and Open Directory Password Server.
owner: The owner of an item can change access permissions to the item. The owner may also change the group entry to any group the owner is a member of. By default, the owner has Read & Write permissions.
parent: A computer whose shared directory domain provides configuration information to another computer.
password: An alphanumeric string used to authenticate the identity of a user or to authorize access to files or services.
PDC (Primary domain controller): In Windows networking, a domain controller that has been designated as the primary authentication server for its domain.
physical disk: An actual mechanical disk. Compare with logical disk.
POP (Post Office Protocol): A protocol for retrieving incoming mail. After a user retrieves
118. ate local accounts on Mac OS X computers. Create at least one local administrator account and create local user accounts as needed. Make sure the users' local account names are not easily confused with the users' network names. By creating an administrator account, you are preventing the user from having administrator access unless you specify it for that user. Administrator access allows the user to override many managed settings.
Set up computers and computer groups on your server. Use Workgroup Manager to create computer accounts for portable computers, and then add them to a computer group and enforce preference management for all users of those computers. Computer group management does not always affect external accounts, because external accounts can be used on computers that aren't connected to the network.
Allow the creation of mobile accounts for specific computers or computer groups rather than for specific users or groups. Doing so limits the creation of portable home directories only to specific computers. This way you can ensure that users who use several computers do not create portable home directories on each of those computers. For more information about creating computer groups, see Chapter 6, "Setting Up Computers and Computer Groups." For instructions about creating mobile accounts, see "Creating a Mobile Account" on page 202.
Managing Mobile Clients Without Using Mobile
119. authenticating at the login window, the user is prompted to choose a location. If you select "any volume," the user can choose either the local hard disk or the external hard disk. If the user chooses the external hard disk, the local home folder is stored in /Users/ShortName, where ShortName is the user's short name.
Click Apply Now.
Setting Expiration Periods for Mobile Accounts
When a user enables a mobile account, Mac OS X usually creates a local home folder on the computer he or she is using. If that user enables mobile accounts on several computers, each of those computers has a local home folder for the user. If the user doesn't use those computers, the local home folders are unused and waste disk space.
When you set an expiration period on a mobile account, the mobile account and its local home folder are deleted after a period of inactivity. You can also set an expiration period of 0 to delete the mobile account and its local home folder as soon as possible. Depending on the account type you're managing, "as soon as possible" refers to two different events:
• For users and groups, the mobile account and its local home folder are deleted after the user logs out.
• For computers and computer groups, the mobile account and its local home folder are deleted the next time the login window appears. This doesn't include when the login window appears while using fast user switching.
Expiry settings do not affect external
120. b assistants using Media Access settings at their user account level. You could also designate a specific computer for media recording by overriding the restrictions at the computer level.
Inherited preferences are preferences set at only one level. In some cases, you may find it easier and more useful to set certain preferences at only one level. For example, you could set printer preferences only for computer groups, set application preferences only for workgroups, and set Dock preferences only for users. In this example, no overriding or combining occurs, and the user inherits the preferences without competition.
The illustration below shows how managed preferences interact when the same preferences are set at multiple levels.
[Illustration: preferences set at the Computer Group, Group, and Computer levels, and the Resulting Relationship: Combined, Overridden, or Inherited.]
Most of the time you'll use workgroup-level and computer group-level preferences.
• Workgroup preferences are most useful if you want to customize the work environment, such as application visibility, for specific groups of users, or if you want to use group folders. For example, a student may belong to a group called Class of 2011 for administrative purposes and to a workgroup called Students to limit application choices and provide a group shared folder for turning in homework. Another workgroup may be Teacher Prep, used to provide faculty members with access to folders and
121. bedded and trailing spaces, as well as special characters such as pressing Option-8 to form a bullet, are not supported by some protocols. For example, leading spaces work with POP and AFP but not IMAP.
• Make sure the user's keyboard can generate all characters in the user's password.
• Crypt passwords don't support many authentication methods. To increase the probability that a user's client applications are supported, set the user's password type to Open Directory, or suggest that the user try a different application.
• If the user's account resides in a directory domain that is not available, create a user account in a directory domain that is available.
• Make sure the client software encodes the password so it is recognized correctly. For example, Open Directory recognizes UTF-8 encoded strings, which may not be sent by some clients.
• Make sure the user's current application and operating system support the user's password length. For example, Windows applications that use the LAN Manager authentication method support only 14-character passwords, so a password longer than 14 characters causes an authentication failure, even though Windows service supports longer passwords.
• If you disabled authentication methods for Open Directory or shadow passwords, such as APOP or LAN Manager, the user's applications can't authenticate using the disabled methods. After enabling or disabling Open Directo
122. bile accounts, you can create a work environment where users effortlessly access their latest files from several locations, keep their managed preferences while offline, and retrieve file backups if they lose or damage their computers, all while requiring less network traffic than network accounts. If improperly configured, mobile accounts can overload the server, force users to wait for long periods of time to log in or log out, and potentially cripple client computers by using all available hard disk space.
Advantages of Using Mobile Accounts
Mobile accounts have several advantages over using local or network accounts:
• Applications locally cache temporary files.
• Mobile accounts create less network traffic than network accounts.
• You can manage individual mobile accounts.
• Users can access their accounts and files when disconnected from the network.
• Users can recover data if their computers or external drives are lost or damaged.
Applications locally cache temporary files
When mobile account users run applications, those applications cache temporary files on the local computer. When external account users run applications, those applications cache temporary files on the external drive. When network account users run applications, instead of caching, the applications transfer temporary files over the network. Because mobile accounts are not repeatedly transferring temporary files, they tend to be faster than other account types and a
123. can later restore the directory with passwords intact. For more information and instructions on archiving the Open Directory master, see Open Directory Administration.
Using Workgroup Manager to Import Accounts
You can use Workgroup Manager to import user, group, computer, and computer group accounts into an Open Directory domain. When a file is imported, Workgroup Manager identifies the record format.
Before trying to import accounts using Workgroup Manager, create a character-delimited or XML file containing the accounts to import, and place it in a location accessible by the computer from which you use Workgroup Manager. An Open Directory domain supports files with up to 200,000 records.
Important: Workgroup Manager can only import files that use UNIX line breaks. When editing import files, use a text editor that supports UNIX line breaks.
You can also use the dsimport tool to import records from a text-delimited file. For more information, see Command Line Administration.
For information about how to create import files using previous versions of Mac OS X Server, see:
• "Using XML Files Created with Mac OS X Server v10.1 or Earlier" on page 255
• "Using XML Files Created with AppleShare IP 6.3" on page 256
For information about how to create a character-delimited file by hand or by using a database or spreadsheet application, see Command Line Administration.
To import accounts using Workgroup Manager:
In Workgroup Manage
124. can manage its preferences or add it to a computer group. For more information about setting up computer accounts, see Chapter 6, "Setting Up Computers and Computer Groups." To specify preferences for Mac OS X computer accounts, see Chapter 10, "Managing Preferences."
Guest Computers
Most computers on your network should have a computer account. If an unknown computer (one that doesn't have a computer account) connects to your network and attempts to access services, that computer is treated as a guest. Settings chosen for the Guest Computer account apply to unknown, guest computers.
Computer Groups
A computer group is composed of one or more computer accounts or computer groups. By combining these into a single computer group, you can apply the same managed preferences to all its members. To learn more about how to set up computer groups for Mac OS X client computers, see Chapter 6, "Setting Up Computers and Computer Groups." To specify preferences for Mac OS X computer groups, see Chapter 10, "Managing Preferences."
The User Experience
After you create an account for a user, the user can access server resources according to the permissions you set. The user experience depends on the type of user, the permissions set, the type of client computer in use (such as Windows or UNIX), whether the user is a member of a group, and whether preference management is implemented at the user, group
125. ccount, the user can log in with a network account. Network accounts don't have local home folders, preventing intruders from accessing home folder content.
If you enable FileVault, you can restrict the size of the local home folder. When you set a network home disk quota in the Home pane of a user account, it limits the amount of space available for the user's network home folder. By restricting the size of the local home folder, you prevent the user's local home folder from using more space than is available in the user's network home folder. This ensures that the home folders can sync without requiring more space than is available in the network home folder.
Additionally, if you make the maximum size of the local home folder smaller than the network home disk quota, you can provide more flexibility for handling files with sync conflicts.
If a mobile account is protected with FileVault, the user must be logged in to share files using File Sharing.
To enable FileVault for mobile accounts:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Mobility, click Account Creation, and
126. ccounts.
2 Select the user account you want to delete.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Choose Server > Delete Selected User, or click the Delete icon in the toolbar.
From the Command Line
You can also delete a user account using the dscl command in Terminal. For more information, see the users and groups chapter of Command Line Administration.
Disabling a User Account
To disable a user account, you can:
• Deselect the "User can access account" option in the Basic pane in Workgroup Manager.
• Delete the account.
• Change the user's password to an unknown value.
• Set password options to disable login. This applies to user accounts with the password type Open Directory or Shadow Password.
From the Command Line
You can also disable a user account using the dscl and pwpolicy commands in Terminal. For more information, see the users and groups chapter of Command Line Administration.
Working with Presets
Presets are templates used to define attributes that apply to new user, group, or computer group accounts.
Creating a Preset for User Accounts
You can create presets to use when creating user accounts in a directory domain. Presets are stored in the directory domain you're currently viewing. If you change directory domains, the presets you created in the other directory domain are not available.
To create a preset f
127. ck and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click the Add button.
5 Select /System/Library/CoreServices/ManagedClient.app and click Add.
Using the Preference Editor to Manage Safari
Safari is a good example of an application that can be managed by editing its preference manifest. The Safari version included with Mac OS X v10.5 or later is more configurable than previous versions of Safari. It includes more than 30 configurable preferences, including Home Page, Default Font, Command-Click Makes Tabs, AutoFill Passwords, AutoFill Credit Cards, Java Enabled, JavaScript Enabled, and Ask Before Submitting Insecure Forms.
When you add Safari to the preference editor list, two entries are added. The com.apple.Safari preference manifest includes most configurable preferences, while com.apple.WebFoundation includes a configurable preference for the cookie acceptance policy.
By default, these manifests don't show any keys. You must click the disclosure triangle next to the frequency, then select the frequency and click New Key. When you click the name of the new key, you'll see all available keys for that frequency.
To add Safari to the preference editor list:
1 In Workgroup Manager, click Preferences, and then click Details.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are no
128. closure triangle for the frequency, select the frequency, click New Key, click the New Item entry that is created, and choose a key from the pop-up menu, or choose Edit and enter a new key. If you don't click the disclosure triangle and select the frequency, the New Key button is deactivated.
7 To change the key's current settings, click the key's type or value. If you change the type to a setting that is not by default enabled by the preference manifest, the preference file editing screen indicates the mismatch with an arrow icon. This does not prevent you from changing the key type or value.
8 Click Apply Now, and then click Done.
Removing an Application's Managed Preferences in the Preference Editor
You can remove all managed preferences for any entry in the preference editor's list. If you added an application without a preference manifest, the application is also removed from the preference editor's list when you remove all of its managed preferences. This action does not delete an application's preference manifest or the application's preferences file.
To remove all preference manifests from Workgroup Manager, close Workgroup Manager and delete Library/Preferences/com.apple.mcx.manifests.
To disable management of an application's preferences:
1 In Workgroup Manager, click Preferences, and then click Details.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you
129. computer groups
Groups folder 101
guest accounts: AFP access 117; creating 59; definition 24; login options 192; mobile 141; permissions 59; share point access 117
guest computers 26, 107
GUID (globally unique identifier) 27, 28, 87, 252
H
helper applications 168
hierarchical groups: computers 109; preferences management 159; users 25, 93, 94, 99
home folders: creating 122; customizing 124; default 130; deleting 130; disk quotas for 129, 130; distributing across servers 115; Dock preferences 177; hosting for clients 114; local user 36, 122; login controls 198; management of 121; mobile accounts 37, 121, 132, 133, 134, 135, 138, 152, 202, 204, 205, 207; moving 130; naming 64, 114, 128; network 36, 114, 123, 148, 198; no home folder status 121; overview 113; portable home directories 37, 132; securing 38, 144, 205; server requirements 36; setup 36, 37, 79; share points 32, 79, 115, 116, 117, 118, 120, 123, 125; synchronization 152; troubleshooting 245, 246; users 36, 37, 87, 152; Windows users 87, 114, 120, 127, 130
hosts: See servers
hybrid computer group 108
iCal service 72
iDisk 185
images, disk: See disk images; NetBoot; NetInstall
importing accounts 53, 68: authentication 252, 253; command line tools 251; groups 253; GUID maintenance 252; overview 251; passwords 68, 252; users 253; XML files 255, 256; See also exporting
Info settings 84
inheritance, file permission 93
inherited preferences 158
install images: See NetInstall
Internet shari
130. counts
Deleting a User Account
Disabling a User Account
Contents (entries on pages 61 through 83):
Working with Presets
Creating a Preset for User Accounts
Using Presets to Create Accounts
Renaming Presets
Editing Presets
Deleting a Preset
Working with Basic Settings
Modifying User Names
Modifying Short Names
Choosing Stable Short Names
Avoiding Duplicate Names
Modifying User IDs
Assigning a Password to a User
Assigning Administrator Privileges for a Server
Choosing a User's Login Picture
Working with Privileges
Removing Administrative Privileges from a User
Giving a User Limited Administrative Capabilities
Giving a User Full Administrative Capabilities
Working with Advanced Settings
Enabling a User's Calendar
Allowing a User to Log In to More Than One Computer At a Time
Choosing a Default Shell
Choosing a Password Type and Setting Password Options
Creating a Master List of Keywords
Applying Keywords to User Accounts
Editing Comments
Working with Group Settings
Choosing a User's Primary Group
Reviewing a User's Group Memberships
Adding a User to a Group
Removing a User from a Group
Working with Home Settings
Working with Mail Settings
Enabling Mail Service Account Options
Disabling a User's Mail Service
Forwarding a User's Mail
Working with Print Quota Settings
Enabling a User's Access to All Availabl
131. creening method to control access to a server. A filter is made up of an IP address and a subnet mask, and sometimes a port number and access type. The IP address and the subnet mask determine the range of IP addresses that the filter applies to.
firewall: Software that protects the network applications running on your server. IP firewall service, which is part of Mac OS X Server software, scans incoming IP packets and rejects or accepts these packets based on a set of filters you create.
FTP (File Transfer Protocol): A protocol that allows computers to transfer files over a network. FTP clients using any operating system that supports FTP can connect to a file server and download files, depending on their access privileges. Most Internet browsers and a number of freeware applications can be used to access an FTP server.
full name: See long name.
globally unique identifier: See GUID.
group: A collection of users who have similar needs. Groups simplify the administration of shared resources.
group folder: A folder that organizes documents and applications of special interest to group members and allows group members to pass information among themselves.
guest computer: A computer that doesn't have a computer account.
guest user: A user who can log in to your server without a user name or password.
GUID (Globally unique identifier): A hexadecimal string that uniquely identifies a user account, group account, or computer list. Als
132. cribes what the printing settings do.
Printing preference pane and what you can control:
• Printers: Available printers, the user's ability to add printers or access a printer, and the default printer.
• Footer: Customization of the page footer.
Making Printers Available to Users
To give users access to printers, you must first set up a printer list. Then you can allow specific users or groups to use printers in that list. You can also make printers available to computers. A user's list of printers is a combination of printers available to the user, the group selected at login, and the computer used.
To create a printer list for users:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Printing and then click Printers.
5 Set the management setting to Always.
6 Click Printer List. The Available Printers list is created from the list of available network printers in Print & Fax System Preferences.
7 Select a printer in the Available Printers list and then click Add to List to make that printer available in the user's printer list. If the printer you want doesn't appear in the Available Prin
133. cts files that are new, modified, or deleted since the last sync. If users save files in locations that are not synced, the files remain local. If users delete files and then sync, those files are removed from local and network home folders. Unlike some formal backup solutions, users can't retrieve older versions of files, such as versions saved prior to the last sync.
You can't create mobile accounts when connected to a network through a virtual private network (VPN) connection. You must create mobile accounts while directly connected to the network. After enabling a mobile account, you can then use VPN to connect to the network and sync your mobile account.
Strategies for Syncing Content
Administrators can enable and configure syncing through Workgroup Manager, and users can configure syncing through Accounts preferences. Each method of creating mobile accounts has different sync capabilities:
• When you create mobile accounts through Workgroup Manager, you can sync any folder in the user's home folder.
• When a user creates a mobile account through the Accounts System Preferences, he or she can only sync top-level folders like Desktop or Documents.
A background sync occurs at a frequency set by you or when the user manually syncs. By default, when you enable background syncing, it occurs every 20 minutes. If a file in one home folder has been modified and the file in the other home folder has not, the newer file overwri
134. cture, user login 69, 97
pointer preferences 230
portable computers: directory synchronization 37; Energy Saver settings 177, 179, 180; FileVault 144, 205; guest 141; multiple local accounts 142; setup 140; See also mobile accounts
portable home directories 37, 132
ports, proxy server 213, 214
POSIX (Portable Operating System Interface) 28, 29
power settings: See Energy Saver
predefined accounts 56, 90, 251
preferences: account 139; appearance 227; assistive devices 227, 228, 229, 231; browser 237; CDs 200; computer accounts 157, 162; computer groups 157, 158, 163; directory services 160; DVDs 200; group 157, 159, 162, 175; inherited 158; keyboard 229; mail 80; manifests 232, 236; mixed state 51; mouse 230; overview 149, 152; server 21; streaming media 149; user 149, 157, 161, 174; web 237; Workgroup Manager 45, 155, 160; workgroups 151, 158, 194; See also managed preferences
presets: computer groups 50, 109, 110; group accounts 50, 92; user accounts 50, 61, 62
primary domain controller: See PDC
primary group, user's 28, 77, 89
print service: access control 81, 82, 83, 84, 220, 221, 222, 223; default printer setting 222, 223; footers on printouts 223; overview 150, 220; printer problems 248
privileges, administrator 23, 38, 68, 70, 243; See also permissions
problems: See troubleshooting
profanity, hiding 217
protocols: AFP 114, 117, 123; DHCP 195, 240, 241; FTP 215; SMB 29, 114, 119, 127; See also LDAP
proxy server sett
135. d. When you allow an application, you also allow all helper applications included with that application. You can deselect helper applications to disallow them.
If you're asked to sign the application, click Sign; if you're asked to authenticate, authenticate as a local administrator. To add the application to the list as an unsigned application, click Don't Sign. When you sign the application, Workgroup Manager tries to embed the signature. If you don't have write access to the application, Workgroup Manager creates a detached signature.
Click the Folders tab, click the Add button next to "Disallow applications within these folders," and then choose folders containing applications you want to prevent users from launching.
Click the Add button next to the "Allow applications within these folders" field and choose folders containing applications you want to allow. Disallowing folders takes precedence over allowing them. If you allow a folder that is a subfolder of a disallowed folder, the subfolder is still disallowed.
Click Apply Now.
Allowing Specific Dashboard Widgets
If your users have Mac OS X v10.5 or later installed, you can prevent them from opening unapproved Dashboard widgets by creating a list of approved widgets, which can include widgets included with Mac OS X and third-party widgets. To approve third-party widgets, you must be able to access them from your server.
To allow specific Dashboard widgets
136. d Computer Groups
About Computer Accounts
Creating Computer Accounts
Working with Guest Computers
Working with Windows Computers
Contents (entries on pages 108 through 136):
About Computer Groups
Differences Between Computer Groups and Computer Lists
Administering Computer Groups
Creating a Computer Group
Creating a Preset for Computer Groups
Using a Computer Group Preset
Adding Computers or Computer Groups to a Computer Group
Removing Computers and Computer Groups from a Computer Group
Deleting a Computer Group
Upgrading Computer Lists to Computer Groups
Chapter 7 Setting Up Home Folders
About Home Folders
Hosting Home Folders for Mac OS X Clients
Hosting Home Folders for Other Clients
Distributing Home Folders Across Multiple Servers
Administering Share Points
Setting Up a Share Point
Setting Up an Automountable AFP Share Point for Home Folders
Setting Up an Automountable NFS Share Point for Home Folders
Setting Up an SMB Share Point
Administering Home Folders
Specifying No Home Folder
Creating a Home Folder for a Local User
Creating a Network Home Folder
Creating a Custom Location for Home Folders
Setting Up a Home Folder for a Windows User
Setting Disk Quotas
Setting Disk Quotas for Windows Users to Avoid Data Loss
Using Presets to Choose Default Home
137. d and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Media Access.
5 Set the management setting to Always. This setting applies to all Media Access preference options.
6 Click Other Media and select the desired options. If you select Require Authentication, the user must authenticate as a local administrator to use the disc media. If you select Read-Only, users can view the contents of a disk but can't change it or save files on it. Before you can select Require Authentication or Read-Only, you must first select Allow.
7 Click Apply Now.
Ejecting Removable Media Automatically When a User Logs Out
If you allow users to access CDs, DVDs, or external disks such as Zip disks or FireWire drives on shared computers, you can automatically eject removable media when a user logs out.
To automatically eject removable media:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Media Access.
5 Set the management setting to Always. This setting applies to all Me
138. der "New Finder window shows," choose the default folder for the Finder window. Select Home to show items in the user's home folder. Select Computer to show the top-level folder, which includes local disks and mounted volumes.
To display folder contents in a separate window when a user opens a folder, select "Always open folders in a new window." Normally, Mac OS X users can browse through a series of folders using a single Finder window.
To maintain a consistent view across windows, select "Always open windows in column view."
Click Apply Now.
Hiding the Alert Message When a User Empties the Trash
Normally, a warning appears when a user empties the Trash. If you don't want users to see this message, you can turn it off.
To hide the Trash warning message:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Finder, click the Preferences tab, and then select a management setting.
5 Deselect "Show warning before emptying the Trash."
6 Click Apply Now.
Making Filename Extensions Visible
A filename extension usually appears at the end of a filename, for example .txt or .jpg. Applications use the filename extension to identify the file t
139. des keys by management frequency, as described below.
Frequency and description:
• Once: Similar to the Once setting in the main interface. Sets a preference but allows the user to change that preference and retain his or her changes.
• Often: Only available in the preference editor. Allows users to modify their preferences, but the preferences revert to your managed setting when a user begins a new session.
• Always: Similar to the Always setting in the main interface. Sets a preference and usually does not allow the user to modify the preference.
Note: Always might still allow users to modify preferences. For this reason, Often is usually a better choice for making persistent preference changes.
Important: When you add or modify keys, always test the additions or changes to make sure they work as expected.
To edit application preferences:
1 In Workgroup Manager, click Preferences, and then click Details.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Select an item in the list and click the Edit (pencil) button.
5 To locate the keys you want to change, click the disclosure triangles.
6 To add a key to the application's preferences file, click the dis
140. dia Access preference options.
6. In Disc Media or Other Media, select "Eject all removable media at logout."
7. Click Apply Now.

Managing Mobility Preferences
You can automatically create mobile accounts for users during their next login. If your computers have Mac OS X v10.5 or later, you can also encrypt the contents of the mobile account's portable home directory, restrict its size, choose its location, or set an expiration date on the account.
The table below describes what you can do with the settings in each Mobility pane.
Account Creation: Whether to create mobile accounts when users log in, and whether to encrypt contents of the portable home directory, restrict its size, or choose a different location for it.
Account Expiry: Whether to delete mobile accounts, and how soon to do so after the user's next login.
Rules: The folders you want to sync at login and logout or in the background, and how frequently to sync folders in the background.
For planning information and other considerations for mobile accounts, see Chapter 8, "Managing Portable Computers."

Creating a Mobile Account
You can use Workgroup Manager to create a mobile account when a user logs in. If you don't enable the creation of mobile accounts, the user logs in using a network account. When you enable mobile accounts, a local home folder is created for the
141. dministrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Classic and then click Startup.
5. Set the management setting to Always.
6. To start Classic immediately when a user logs in, select "Start up Classic at login." When Classic starts up at login, the startup window is hidden and the user can't cancel Classic startup. If users rarely use Classic, you can deselect this option, and Classic starts up when a user opens a document or an application that requires it. In this case, the Classic startup window is visible to users and they can cancel Classic startup.
7. To show an alert dialog only when Classic starts after a user attempts to open a Classic application or document, select "Warn at Classic startup." If users manually start Classic or Classic automatically starts up at login, the warning is not shown. Users can allow Classic startup to continue or they can cancel the process. If you don't want to allow users to interrupt Classic startup, deselect this option.
8. Click Apply Now.

Choosing a Classic System Folder
In most cases, there is only one Mac OS 9 System Folder on a computer, and it is on the Mac OS X startup disk. In this case, you don't need to specify a Classic System Folder. If a computer has multiple Mac OS 9 System Folders on the startup disk and you haven't set a specific path to one folder, users receive an error message and can't
142. e "Planning Strategies for User Management" on page 34.

Step 2: Set up the server infrastructure
Before deploying client computers, make sure one or more computers with Mac OS X Server installed are set up for hosting accounts and share points. New servers come with Mac OS X Server software preinstalled.
Set up the server so it hosts or provides access to shared directory domains. Shared directory domains, also called shared directories, contain user, group, and computer information you want multiple computers to access. Users whose accounts reside in a shared directory are referred to as network users.
There are different kinds of shared directories. You can use Workgroup Manager to add or modify accounts that reside in read/write directory domains, such as an Open Directory domain or the local directory domain.
Make sure that read-only directory domains, such as LDAPv2, read-only LDAPv3, or BSD flat files, are configured to support Mac OS X Server and that they provide necessary account data. To make the directory compatible, you must add, modify, and reorganize directory information.
Mac OS X offers various options for authenticating users, including Windows users whose accounts are stored in directory domains on Mac OS X Server. In addition, Mac OS X accesses accounts in existing directories on your network, such as an Active Directory hosted on a Windows server.
To make resources visible throughout the network so users ca
143. e, for example, all eighth-grade students. The use of subnets simplifies administration. See also IP subnet.
TCP (Transmission Control Protocol): A method used with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. IP handles the actual delivery of the data, and TCP keeps track of the units of data (called packets) into which a message is divided for efficient routing through the Internet.
UID (User ID): A number that uniquely identifies a user within a file system. Mac OS X computers use the UID to keep track of a user's folder and file ownership.
URL (Uniform Resource Locator): The address of a computer, file, or resource that can be accessed on a local network or the Internet. The URL is made up of the name of the protocol needed to access the resource, a domain name that identifies a specific computer on the Internet, and a hierarchical description of a file location on the computer.
user name: The long name for a user, sometimes referred to as the user's real name. See also short name.
user profile: The set of personal desktop and preference settings that Windows saves for a user and applies each time the user logs in.
virtual user: An alternate email address (short name) for a user. Similar to an alias, but it involves creating another user account.
VPN (Virtual Private Network): A network that uses encryption and other technologies to provide secure communications over a publ
144. e Chooser and Network Browser from the Apple menu, select "Hide Chooser and Network Browser." Deselect this option to show Chooser and Network Browser.
To remove Control Panels from the Apple menu, select "Hide Control Panels." Deselect this option to show Control Panels.
To hide remaining Apple menu items, select "Hide other Apple Menu Items." This group includes items such as Calculator, Key Caps, and Recent Applications. Deselect this option to show these Apple menu items.
Click Apply Now.

Adjusting Classic Sleep Settings
When no Classic applications are open, Classic enters sleep mode to reduce the use of system resources. You can adjust the amount of time Classic waits before going to sleep after a user quits the last Classic application. If Classic is in sleep mode, opening a Classic application might take a little longer.
In some circumstances, you might need to use applications that operate in the background without the user's interaction or knowledge. If a background application is in use when Classic enters sleep mode, that application suspends its activity. If you want to keep the application running, you can set the Classic sleep setting to Never.
To adjust Classic sleep settings:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a di
145. e Command Line
You can also create a hierarchical group account using the dseditgroup command in Terminal. For more information, see the users and groups chapter of Command Line Administration.

Upgrading Legacy Groups
When you upgrade from Mac OS X Server v10.3 or earlier, or when you import groups created using Workgroup Manager v10.3 or earlier, existing groups can't use hierarchical preference management unless you first convert them. Upgrading legacy groups does not negatively affect group members with client computers running previous versions of Mac OS X.
To convert a legacy group to an upgraded group account:
1. In Workgroup Manager, click Accounts.
2. Make sure that the directory services of the Mac OS X Server computer you're using are configured to access the directory domain. For instructions, see Open Directory Administration.
3. Click the globe icon and choose the domain where the group account resides.
4. To authenticate, click the lock and enter the name and password of a directory domain administrator.
5. Click the Groups button and select the legacy group you want to upgrade.
6. In the Members pane, click the Upgrade Legacy Group button and then click Save.

Working with Read-Only Groups
You can use Workgroup Manager to review information for group accounts stored in read-only directory domains. Read-only directory domains include LDAPv2 domains, LDAPv3 domains not configured for write access, NIS domains, and BSD configuration f
146. e Print Queues
Enabling a User's Access to Specific Print Queues
Removing a Print Quota for a Queue
Resetting a User's Print Quota
Disabling a User's Access to Print Queues That Enforce Quotas
Working with Info Settings
Working with Windows Settings
Changing a Windows User's Profile Location
Changing a Windows User's Login Script Location
Changing a Windows User's Home Folder Drive Letter
Changing a Windows User's Home Folder Location
Working with GUIDs
Viewing GUIDs
Chapter 5 Setting Up Group Accounts
About Group Accounts
How Group Accounts Track Membership
Where Group Accounts Are Stored
Predefined Group Accounts
Administering Group Accounts
Creating Group Accounts
Creating a Preset for Group Accounts
Editing Group Account Information
Creating Hierarchical Groups
Upgrading Legacy Groups
Working with Read-Only Groups
Deleting a Group
Working with Basic Settings for Groups
Naming a Group
Defining a Group ID
Choosing a Group's Login Picture
Enabling a Group's Web Services
Working with Member Settings for Groups
Adding Users or Groups to a Group
Removing Group Members
Working with Group Folder Settings
Specifying No Group Folder
Creating a Group Folder
Designating a Group Folder for Use by Multiple Groups
Chapter 6 Setting Up Computers an
147. e Servers" on page 115.
The home folder you designate in the Home pane can be used when logging in from a Windows workstation or a Mac OS X computer. This can be helpful for a user whose account resides on a server that is a Windows primary domain controller (PDC).
WARNING: If the absolute path from the client to the network home folder on the server contains spaces or more than 89 characters, some types of clients won't connect. For example, a client using automount with an LDAP-based AFP home folder might not be able to access its home folder. The "/" character is considered a character. There are additional limitations on the maximum path length depending on the version of Mac OS X used by clients. For more information, see the Apple Service & Support website article "Avoid spaces and long names in network home directory name/path" at docs.info.apple.com/article.html?artnum=107695.

Hosting Home Folders for Mac OS X Clients
To host home folders for Mac OS X clients, use AFP or NFS. If you are hosting only Mac OS X clients, use AFP. If you are hosting Mac OS X and UNIX clients, use NFS.
The preferred protocol is AFP because it provides authentication-level access security: a user must log in with a valid name and password to access files. NFS file access is based not on user authentication but on the user ID and the client IP address, so it is generally less secure than AFP. Use NFS only if you need to
148. e Workgroup Manager to create an administrator user with a password different from the root password. Use the root password with caution and store it in a secure location. The root user has full access to the system, including system files. If necessary, you can use Workgroup Manager to change the root password.

Getting Started with Workgroup Manager
This chapter provides instructions for setting up Workgroup Manager and using its core features.
Workgroup Manager is the primary application for managing client computers. You can use Workgroup Manager to create accounts and manage preferences.

Configuring the Administrator's Computer and Account
To use Workgroup Manager, you must first install the Mac OS X Server administration tools. Before you can manage client computers, you must configure a computer for use as an administrator computer and create a domain administrator account.

Setting Up an Administrator Computer
When you install Workgroup Manager and other administration tools on a remote administrator computer, you do not need to physically access the server. Instead, use this administrator computer to connect to the server and perform administrative tasks remotely.
The computer should have Mac OS X v10.5 or later, at least 512 MB of RAM, and 1 GB of unused disk space. For more about server and storage requirements,
149. e adds the user's network home folder, not the user's local home folder, to the Dock.
To replace the user's current Dock with your selected items, deselect "Merge with user's Dock."
After you finish adding Dock items, click Apply Now.

Preventing Users from Adding or Deleting Dock Items
Ordinarily, users can add items to their own Docks, but you can prevent this. Users can't remove items you add to the Dock when "Always Manage these settings" is selected.
To prevent users from adding items to their Docks:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Dock and then click Dock Items.
5. Set the management setting to Always.
6. Deselect "Merge with user's Dock."
7. Click Apply Now.

Managing Energy Saver Preferences
Energy Saver preference settings help you save energy and battery power by managing wake, sleep, and restart timing for servers and client computers. You can configure Energy Saver preferences for desktop and portable computers. Desktop and portable computers differ in that portable computers can run on battery power.
The table below summarizes what you can control with setting
150. e default preferences, which users can then modify and keep the modifications. These preferences are effectively unmanaged. For example, you could set up a group of computers to display the Dock in a certain way the first time users log in. A user can change these preferences you've set to Once, and the selected changes always apply to that user.
In the Overview Preference panes, you can set the following preferences to Once: Dock; Finder (Preferences and Views); Login (Login Items); Mobility (the Login & Logout Sync and Background Sync panes of Rules); and Universal Access. For all other preferences, you must choose Always or Never.
• Never lets a user control his or her preferences. However, some preference settings, such as Accounts and Date & Time, require a local administrator's name and password before changes can be made. Never also means that the preferences are not managed at this account level but may be managed at a different account level. For example, even if you set the Dock preference to Never for a user, the Dock preference could still be managed at the group or computer level.
Note: When using the preference editor (the Details view in the Preferences pane), you can set preferences to Often. Often settings are similar to Once settings but are reapplied at every login. This management setting is useful for training environments. Users can customize their preferences to suit their needs during a session without any risk of a
151. e folders, use Workgroup Manager. For information about setting up share points and home folders, see Chapter 7, "Setting Up Home Folders."

Working with Mail Settings
You can create a mail account by specifying mail settings in the user account. To use the mail service account, the user configures a mail client to identify the user name, password, mail service, and mail protocol you specify in the mail settings.
In Workgroup Manager, use the Mail pane in the user account to work with mail settings. For information about how to set up and manage Mac OS X Server mail service, see Mail Service Administration.

Enabling Mail Service Account Options
You can use Workgroup Manager to enable mail service and set mail options for a user account stored in an Open Directory domain or other read/write directory domain. You can also use Workgroup Manager to review the mail settings of accounts stored in a directory domain accessible from the server you're using.
To work with a user's mail account options using Workgroup Manager:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click Mail.
5. To allow the us
152. e group. Use group account settings to control user access to folders and files. For more information, see "Folder and File Access by Other Users" on page 28.
A group can be a member of another group. A group that contains another group is called a parent group. The group contained in the parent group is called a hierarchical group. Hierarchical groups are useful for inheriting access permissions and managed preferences.
To learn more about how to set up group accounts, see Chapter 5, "Setting Up Group Accounts." To specify preferences for group accounts, see Chapter 10, "Managing Preferences."

Workgroups
When you define preferences for a group, it becomes a workgroup. A workgroup lets you manage the work environment of group members. Workgroup preferences are stored in the group account. For a description of workgroup preferences, see Chapter 10, "Managing Preferences."

Group Folders
When you define a group, you can also specify a folder for storing files that you want group members to share. The location of the folder is stored in the group account. You can give users permission to write to a group folder or to change group folder attributes in the Finder.

Computer Accounts
Computer accounts allow you to identify and manage individual computers. To create a computer account, you need the computer's Ethernet ID. When creating the account, you can also associate it with an IP address. After creating the account, you
153. e information, see "Customizing the Workgroups Displayed at Login" on page 193.

Working with Synced Homes
After choosing a workgroup, users with local or network accounts are logged in. If the user has a mobile account, he or she might be prompted to create a synced home, depending on the user's mobility settings and whether he or she already has a mobile account. After the user creates a synced home, he or she might be prompted to choose where to store the home. The user can choose a volume on the local computer or an external volume, such as an external hard drive. If you choose the location for the user by setting it to the startup volume or a specific path, the user won't need to choose where to create the home.
Like the login preferences set in Workgroup Manager, mobility preferences also affect how users log in and what dialogs are shown, and they dictate the kinds of decisions the user must make when they log in. By managing preferences, you choose what features are available and whether they're automatically enabled or the user must enable them. Login and mobility preference management is an example of how preference management allows you to precisely sculpt the user experience.

Improving Workflow
You can use preference management to improve workflow by limiting the number of applications and folders that are displayed. You can also make applications and folders more accessible by putting them in the Dock and creating multiple w
154. e login window. The login window does not list system users, but they can still log in by entering their user names and passwords. The login window lists particular types of users depending on how Login preferences are managed. For more information, see "Changing the Appearance of the Login Window" on page 189.

If You Can't Unlock an LDAP Directory
To make changes in a directory domain, you must authenticate with the name and password of a directory administrator. Therefore, to edit an entry in a shared LDAPv3 directory domain, you must authenticate in Workgroup Manager with the name and password of an administrator account in that LDAPv3 directory domain. An administrator account in the computer's local directory domain can't be used to authenticate as an administrator of a shared LDAP directory.

If You Can't Modify a User's Open Directory Password
To modify the password of a user whose password type is Open Directory, you must be an administrator of the directory domain where the user's record resides. In addition, your user account must have a password type of Open Directory.
Setting up an Open Directory master using Server Assistant or the Open Directory service settings in Server Admin creates a directory administrator account with an Open Directory password. This account can be used to set up other user accounts as directory domain administrators with Open Directory passwords.

If You Can't Change a
155. e share point must be automountable; that is, it must have a network mount record in the directory domain. An automountable share point ensures that the client computer can locate the share point and the home folder. It also makes the share point's server visible in Network Servers when the user logs in to a Mac OS X computer configured to access the shared domain.
You can use Workgroup Manager to create a network home folder for a user whose account is stored in an Open Directory domain or another read/write directory domain accessible from the server you are using. You can also use Workgroup Manager to review home folder information in any accessible read-only directory domain.
To create a network home folder for AFP or NFS share points:
1. Make sure that the share point exists on the server where you want the home folder to reside, and that the share point has a network mount record configured for home folders. For instructions, see "Setting Up an Automountable AFP Share Point for Home Folders" on page 117 or "Setting Up an Automountable NFS Share Point for Home Folders" on page 118.
2. In Workgroup Manager, click Accounts and select the user account you want to work with. To select an account, connect to the server where the account resides, click the globe icon, choose the directory domain where the user account is stored, click the Users button, and then select the user account in the accounts list.
156. e the Go to iDisk command in the Finder Go menu. If you don't want users to access this menu item, you can hide the command.
To hide the Go to iDisk command:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Finder, click Commands, and then set the management setting to Always.
5. Deselect Go to iDisk.
6. Click Apply Now.

Preventing Users from Ejecting Discs
If you don't want users to be able to eject discs (for example, CDs, DVDs, floppy disks, or FireWire drives), you can hide the Eject command in the Finder File menu.
To hide the Eject command:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Finder, click Commands, and then set the management setting to Always.
5. Deselect Eject.
6. Click Apply Now.

Hiding the Burn Disc Command in the Finder
On computers with appropria
157. e user must enter a login name and password. If you enabled login and logout syncing, the user's folders sync and the user's desktop appears.
If the user does not have a mobile account with a portable home directory, there are a few different steps required after authentication. One of two things occurs, depending on mobile account creation settings:
• If you deselected "Require confirmation before creating mobile account," the computer creates the mobile account.
• If you selected "Require confirmation before creating mobile account," the user sees a confirmation dialog that allows him or her to create a portable home directory, delay it, or not create a portable home directory and disable the dialog until the user holds down the Option key during login.
You can allow the user to choose which volume stores the user's local home folder in Mobility options. Before the mobile account is created, the user must choose where to store the local home folder.
Mobile accounts remain on the computer even when the user logs out or disconnects from the network. Even when disconnected, the user can still log in to that account.
Note: The mobile account's local home folder is deleted if you set account expiry settings and the account goes unused, or if a local administrator deletes it. When the local home folder is deleted, the mobile account user can't log in away from the network.
The login window lists the mobile account based on the following
158. ed and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Click the Users button and select one or more user accounts from the list.
4. Click the icon for the preference you want to manage.
5. In each Preference pane, select a Manage option. In Media Access, the management setting applies to all preferences rather than to individual panes.
6. Select preference settings or fill in information you want to use. Some management settings are not available for some preferences, and some preferences are not available for some types of accounts.
7. When you finish, click Apply Now.

Managing Group Preferences
Group preferences are shared among all users in the group. Setting some preferences only for groups instead of for each user can save time, especially when you have large numbers of managed users. Because users can select a workgroup at login, they can choose a group with managed settings appropriate to the current task, location, or environment. It can be more efficient to set preferences once for a single group instead of setting preferences for each member of the group.
To manage group preferences:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are no
159. ed using AFP, SMB, NFS (an export), or FTP.
short name: An abbreviated name for a user. The short name is used by Mac OS X for home folders, authentication, and email addresses.
SID (Security identifier): A unique value that identifies a user, group, or computer account in a Windows NT-compatible domain.
Simple Finder: A user environment featuring panels and large icons that provide novice users with an easy-to-navigate interface. Mounted volumes or media to which users are allowed access appear in panels instead of on the standard desktop.
SLP DA (Service Location Protocol Directory Agent): A protocol that registers services available on a network and gives users easy access to them. When a service is added to the network, the service uses SLP to register itself on the network. SLP DA uses a centralized repository for registered network services.
SMB (Server Message Block): A protocol that allows client computers to access files and network services. It can be used over TCP/IP, the Internet, and other network protocols. SMB services use SMB to provide access to servers, printers, and other network resources.
SSL (Secure Sockets Layer): An Internet protocol that allows you to send encrypted, authenticated information across the Internet. More recent versions of SSL are known as TLS (Transport Layer Security).
subnet: A grouping on the same network of client computers that are organized by location (for example, different floors of a building) or by usag
160. er. Before setting up a computer, you need the computer's name and address. You usually use the computer name specified in a computer's Sharing preferences, or you can use a descriptive name that you find more suitable. A computer's address must be the Ethernet address, which is unique to each computer. A computer's Ethernet address, or Ethernet ID, is also known as its MAC address. When you browse for a computer, Workgroup Manager enters the computer's name and Ethernet address for you. A client computer uses this data to find preference information when a user logs in.
For Windows computers, you must know the NetBIOS name of each Windows client computer. This name is entered in the name field. You don't need to know the Ethernet address of Windows client computers.
When a computer starts up, Mac OS X tries to match the computer's Ethernet address with a computer account. If a matching computer account is found, the computer uses the managed preferences for that computer account and the computer groups it belongs to. If no matching computer account is found, the computer uses the managed preferences for the Guest Computer account.

Creating Computer Accounts
To create a computer account in a directory domain, you must have administrator privileges and the computer's Ethernet ID. When you enter the Ethernet ID, it must be entered correctly so the DHCP server can find the computer. It must follow these rules:
• It must be en
161. er.
Click Apply Now.

Allowing Special Actions During Restart
If managed users have access to the Classic pane of System Preferences, they can click the Start/Restart button in the Classic pane to start or restart Classic. You can allow users to perform special actions, such as turning off extensions, starting or restarting Classic, or rebuilding the Classic desktop file, from the Advanced pane of Classic system preferences. You might want to allow this for specific users, such as members of your technical staff.
To allow special actions during restart:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Classic and then click Advanced.
5. Set the management setting to Always.
6. Select "Allow special startup modes."
7. To allow users to rebuild the Classic desktop file, select "Allow user to rebuild Desktop." Deselecting this option disables the Rebuild Desktop button in the Advanced pane of Classic system preferences.
8. Click Apply Now.

Controlling Access to Classic Apple Menu Items
Classic managed preference options allow you to control access to certain items in the Classic Apple menu
162. er.
If the folder you want to use is a share point, select it. The list displays all share points on the server you are connected to.
If the folder isn't a share point, click the Add button; then, in the dialog, enter the path to the folder in the Full Path field, leave the other two fields blank, and click OK. For example, if you want to use the local Users folder, enter /Users/usershortname. Replace usershortname with the short name of the user. Don't use a terminating slash.
7. Optionally, enter a disk quota and specify megabytes (MB) or gigabytes (GB).
8. Click Create Home Now and then click Save. If you do not click Create Home Now before clicking Save, the home folder is created the next time the user logs in remotely.
However, only certain clients can connect to servers hosting share points in the local domain. For instructions on setting up a share point for Mac OS X clients, see "Creating a Network Home Folder" on page 123.

From the Command Line
You can also create a home folder for a local user using the createhomedir command in Terminal. For more information, see the users and groups chapter of Command Line Administration.

Creating a Network Home Folder
In Workgroup Manager, you can set up a network home folder for a user account stored in a shared directory domain. A user's network home folder can reside in any AFP or NFS share point that the user's computer can access. Th
…er, open Network Utility, click Info, and then select the network interface that connects to your network. If the displayed IP address is not in your range of supplied addresses, the computer is not receiving an IP address through your DHCP service. If the IP address is 169.254.x.x, it is a self-assigned (link-local) address; this means your computer is not receiving DHCP service. If the IP address is not one of your assigned addresses and is not 169.254.x.x, the computer is receiving DHCP service from a DHCP server other than yours.

Solving Account Problems

Follow the suggestions in this section when problems arise with user and group account administration.

If You Want to Use Earlier Versions of Workgroup Manager
If you have administrative applications and tools from Mac OS X Server v10.4 or earlier, do not use them with Mac OS X Server v10.5 or later. You can use Mac OS X Server v10.5 applications to administer Mac OS X Server v10.4.

If You Can't Edit an Account Using Workgroup Manager
Editable domains include the local directory domain, Open Directory domains, and other read/write directory domains. Before you can edit an account using Workgroup Manager, you must first authenticate as a domain administrator. To authenticate, click the lock near the top of the Workgroup Manager window.

If Users Can't See Their Names in the Login Window
When you upgrade Mac OS X and migrate users to a shared directory on the new server, some users might not appear in th…
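The DHCP troubleshooting above distinguishes three cases from the address a client reports: an address inside your pool, a 169.254.x.x self-assigned address, and an address handed out by some other DHCP server. The following shell script is an added example, not code from the Apple manual, that makes that decision mechanically so you can run it over a list of addresses collected from clients. The pool bounds (10.0.1.100 to 10.0.1.200) and the sample addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Apple manual: classify the IPv4 address a client
# reports into the three cases the troubleshooting text distinguishes.
# The pool bounds and sample addresses below are constructed assumptions.

# Print a dotted-quad IPv4 address as a 32-bit integer; return 1 on malformed input.
ip4_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-numeric, or leading zero
    esac
    [ "$octet" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# usage: classify_dhcp_address POOL_START POOL_END ADDRESS
# prints: in-pool | self-assigned | other-server | invalid
classify_dhcp_address() {
  lo=$(ip4_to_int "$1")   || { echo invalid; return 1; }
  hi=$(ip4_to_int "$2")   || { echo invalid; return 1; }
  addr=$(ip4_to_int "$3") || { echo invalid; return 1; }
  # 169.254.0.0/16 is the link-local range a Mac self-assigns when no DHCP answer arrives.
  if [ $(( addr >> 16 )) -eq $(( (169 << 8) | 254 )) ]; then
    echo self-assigned; return 0
  fi
  if [ "$addr" -ge "$lo" ] && [ "$addr" -le "$hi" ]; then
    echo in-pool          # lease came from your server's configured range
  else
    echo other-server     # a non-link-local address outside your pool: another DHCP server answered
  fi
}

# Demonstration on constructed data; the pool is assumed to be 10.0.1.100-10.0.1.200.
for a in 10.0.1.150 169.254.17.3 192.168.1.5 10.0.1.300; do
  printf '%-14s %s\n' "$a" "$(classify_dhcp_address 10.0.1.100 10.0.1.200 "$a")"
done
```

The link-local test runs before the pool comparison so that a pool mistakenly configured inside 169.254.0.0/16 cannot mask a client that never got a lease; an "other-server" result is the one worth investigating, since it means a DHCP server you do not control is answering on your segment.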
…er moves the pointer over them, select Magnification and then adjust the slider. Magnification is useful if you have many items in the Dock.
From the Position on screen radio buttons, select whether to place the Dock on the left, right, or bottom of the desktop.
From the Minimize using pop-up menu, choose a minimizing effect.
If you don't want to use animated icons in the Dock when an application opens, deselect Animate opening applications.
If you don't want the Dock to be visible all the time, select Automatically hide and show the Dock. When the user moves the pointer to the edge of the screen where the Dock is located, the Dock appears.
Click Apply Now.

Providing Easy Access to Group Folders

After you have set up a group volume, you can make it easy for users to locate the group folder by placing an alias in the user's Dock. The group folder contains the group's Library folder, Documents folder, and Public folder (including a drop box). If you need help setting up a group share point, see Creating a Group Folder on page 101.
If the group folder is not available when the user clicks the group folder icon, the user must enter a user name and password to connect to the server and open the directory.
Note: This preference setting applies only to groups. You can't manage this setting for users or computers.

To add a Dock item for a group folder:
If you haven't set up a group share point, do so bef…
…er to use mail service, select Enabled.
In the Mail Server field, enter the DNS name or the IP address of the server the user's mail should be routed to. Workgroup Manager doesn't verify this information, so a typo here is not caught until mail fails to arrive.
In the Mail Quota field, enter a value to specify the maximum number of megabytes for the user's mailbox. A 0 (zero) or empty value means no quota is used. When the user's message space approaches or surpasses the mail quota you specify, mail service displays a message prompting the user to delete unwanted messages to free up space. The message shows quota information in megabytes (MB).
To identify the protocol used for the user's mail account, select a Mail Access setting: Post Office Protocol (POP), Internet Message Access Protocol (IMAP), or both.
Click Save.

Chapter 4 Setting Up User Accounts

Disabling a User's Mail Service

You can use Workgroup Manager to disable mail service for users whose accounts are stored in an Open Directory domain, the local directory domain, or other read/write directory domain.

To disable a user's mail service using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3 To authenticate, click the lock and enter the name and password of a direc…
…ernal drive.
• If you set the location to "at path" and enter the path to the external drive, the user doesn't choose a location.
For more information about setting up mobile account creation options, see Creating External Accounts on page 208.
After a local home folder is created on the external drive, if the computer is connected to the directory server that holds the mobile account, the user is allowed to log in. If it's not connected to the directory server, Mac OS X checks to see if the external account is allowed or denied access to the computer.
If an external account isn't permanently allowed or denied access to a computer, a dialog appears asking if the external account should be allowed or denied access to the computer. To allow access, the user must authenticate as the local computer administrator. If the external account is allowed access, the user logs in. If the user is denied access, the user is returned to the login window.
The local administrator can permanently allow or deny access to the computer. If a user is permanently denied access, he or she can hold down the Option key while logging in to redisplay the dialog.

Chapter 8 Managing Portable Computers

Considerations and Strategies for Deploying Mobile Accounts

Before you deploy mobile accounts, carefully weigh the advantages and disadvantages of using mobile accounts and strategize how you will configure them. When you properly configure mo…
…ers or groups. This is helpful because it reduces external network traffic while also providing more control to server administrators. By configuring the Software Update server, server administrators can choose which updates to provide.

To manage access to Software Update servers:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Software Update.
5 Set the management setting to Always.
6 Specify a URL in the form http://someserver.apple.com:8088/index.sucatalog.
7 Click Apply Now.

Managing Access to System Preferences

You can specify which preferences to show in System Preferences. If a user can see a particular preference, it does not mean the user can modify that preference. Some preferences, such as Startup Disk preferences, require an administrator name and password before a user can modify their settings.
The preferences that appear in Workgroup Manager are those installed on the computer you're currently using. If your administrator computer is missing preferences that you want to disable on client computers, install the applications related to those preferences, or use Workgroup Manager on a computer tha…
…ers with a CD-RW drive, Combo Drive, or SuperDrive. Users can burn DVDs only on computers with a SuperDrive.

To control access to disc media:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Media Access, and then set the management setting to Always. This setting applies to all Media Access preference options.
5 Click Disc Media and select the desired options. If you select Require Authentication, the user must authenticate as a local administrator to use the disc media. Before you can select Require Authentication, you must first select Allow.
6 Click Apply Now.

Controlling Access to Hard Drives, Disks, and Disk Images

You can control access to internal or external disk drives, such as floppy disk drives, Zip drives, and FireWire drives. You can also control access to disk images (files with the .dmg extension). If you disallow external disks, external disks are not displayed in the Finder. If you disallow disk images, the images are visible in the Finder, but users can't open them.

To restrict access to internal and external disks:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selecte…
…ervers list. Then click Settings, click General, and look at the Computer Name field. Replace usershortname with the first short name of the user account you're configuring.
• To specify a different SMB share point, enter a UNC path that includes the share point: \\servername\sharename\usershortname. Replace sharename with the name of the share point.
From the Hard Drive pop-up menu, choose a drive letter. The default drive letter is H. Windows uses the drive letter to identify the mounted home directory.
Click Save.
If the Path field isn't blank, make sure the specified share point contains a folder for the user's home folder. The folder's name must match the user's first short name, and the user must have read and write permission for the folder. If the Path field is blank, the home directory share point doesn't need to contain a home folder for the user. In this case, Mac OS X Server creates a home folder in the share point specified in the Home pane.

Setting Disk Quotas

You can limit the disk space users have available to store files in the volume where their home folders reside. This quota applies to all files that the user stores in the volume where his or her home folder resides, including all files stored in the user's drop box. Therefore, when a user places files in another user's drop box, it can affect the other user's disk quota or have other effects such a…
…es the user's long name and the date and time when the user sent the print job. The date and time is based on the user's computer's date and time, not the server's, so the footer records whatever the client's clock says and is not an authoritative timestamp. The footer can also include the Ethernet ID (MAC address) of the computer that sent the print job. For example, here's a footer for a user named Anne Johnson:
Anne Johnson Saturday, March 3, 2007 5:59:01 PM PT 00:11:22:33:44:55

To add a footer to all printouts:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Printing, and then click Footer.
5 Set the management setting to Always.
6 Select Print page footer (user name and date).
7 To print the Ethernet ID, select Include MAC address.
8 Choose a font for the footer from the Font name pop-up menu. You can choose from Helvetica, Courier, Lucida Grande, and Times.
9 Enter a font size for the footer. There is no font size limit for the footer; however, 7 is the default and recommended size.
10 Click Apply Now.

Managing Software Update Preferences

With Mac OS X Server, you can create your own Software Update server to control updates that are applied to specific us…
…esides, and then select the user.
To authenticate, click the lock and enter the name and password of a directory domain administrator.
In the Basic pane, click the picture area in the top right, and then choose Edit Picture to open the User Picture window.
In the User Picture window, click Choose, select an image file, and then click Open. As an alternative, you can drag an image file from the Finder or Safari and drop it into the picture area in Workgroup Manager or in the main area of the User Picture window. If you have iSight, you can click the camera button to take a snapshot.
Use the slider to zoom in and out of your picture, drag your picture around so the focal point is in the center square, and then click Set. The user's picture is the image in the center square.
Click Save.

Chapter 4 Setting Up User Accounts

Working with Privileges

You can give a user account full or limited control over domain administration. When giving limited administrative control, you can choose which users and groups the user can administer and what kind of control the user has over those users and groups.
You can change a user's domain privileges for Open Directory domains. You can't change privileges for a local user account or an account stored in domains that are not Open Directory.
Full and limited administrators use Workgroup Manager to administer and manage users. In Workgroup Manager, use the user account's Privileges pane…
…esktop, send the following UNIX command to all computers:
sudo systemsetup -gettime
Your computers should have times within a few minutes of each other. If they have a wide range of times, send the following UNIX command:
sudo systemsetup -settime current_time
Replace current_time with the current time in 24-hour format, using HH:MM:SS (hour:minute:second) notation.

Testing Your DNS Service

Your DNS service should allow you to discover a server's domain name when given an IP address, or to retrieve an IP address when given a domain name. If your computers can't do these tasks, perform further analysis on your DNS service. For a detailed description of DNS and for instructions on configuring DNS, see Network Services Administration.
If you have Apple Remote Desktop installed, you can quickly test your entire network. In Apple Remote Desktop, create a scanner that displays computers with IP addresses in the range distributed by your DHCP server. If a computer is turned on, is not in sleep mode, and is connected to your network, the computer should be in the scanner. The scanner displays the IP address given to the computer and the computer's host name. Computers that are not assigned host names by the DNS service are listed without host names. If a computer is listed and has an appropriate IP address and host name, the computer is receiving DHCP and DNS service.
For more information about how to use scanners in Apple Remote Desktop, see the…
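The time check above says clocks should be "within a few minutes" of each other. The practical limit is the Kerberos clock-skew tolerance, 300 seconds by default, because Open Directory authenticates with Kerberos and a client whose clock is further off than that cannot obtain tickets. The following shell script is an added example, not code from the Apple manual: given one systemsetup -gettime reading per host and a reference time, it reports each host's signed skew and flags any beyond the limit. The host names and times are constructed, and how you gather the readings (Apple Remote Desktop, ssh, or otherwise) is left to you.

```shell
#!/bin/sh
# Added example, not from the Apple manual: report clock skew of client Macs
# against a reference time. The 300-second default is the Kerberos clock-skew
# tolerance. Host names and times below are constructed sample data, assumed to
# have been collected as "host HH:MM:SS" lines from "systemsetup -gettime".

# Convert HH:MM:SS to seconds since midnight; return 1 on malformed input.
hms_to_seconds() {
  old_ifs=$IFS; IFS=:
  set -- $1
  IFS=$old_ifs
  [ $# -eq 3 ] || return 1
  for f in "$@"; do
    case $f in [0-9][0-9]) ;; *) return 1 ;; esac
  done
  h=${1#0}; m=${2#0}; s=${3#0}
  [ "$h" -le 23 ] && [ "$m" -le 59 ] && [ "$s" -le 59 ] || return 1
  echo $(( h * 3600 + m * 60 + s ))
}

# Signed difference (host minus reference) in seconds, folded into -43200..43200
# so a reading just before midnight compared with a reference just after it is
# not reported as a day of skew.
skew_seconds() {
  d=$(( $1 - $2 ))
  [ "$d" -gt 43200 ] && d=$(( d - 86400 ))
  [ "$d" -lt -43200 ] && d=$(( d + 86400 ))
  echo "$d"
}

# usage: clock_skew_report REFERENCE_HH:MM:SS [LIMIT_SECONDS] < "host HH:MM:SS" lines
# prints "host skew status" per line; returns 0 only if every host is within the limit.
clock_skew_report() {
  ref=$(hms_to_seconds "$1") || { echo "bad reference time: $1" >&2; return 2; }
  limit=${2:-300}
  bad=0
  while read -r host t; do
    if ! hs=$(hms_to_seconds "$t"); then
      echo "$host ? UNPARSABLE"; bad=$(( bad + 1 )); continue
    fi
    d=$(skew_seconds "$hs" "$ref")
    a=$d; [ "$a" -lt 0 ] && a=$(( -a ))
    if [ "$a" -gt "$limit" ]; then
      echo "$host $d OVER"; bad=$(( bad + 1 ))
    else
      echo "$host $d ok"
    fi
  done
  [ "$bad" -eq 0 ]
}

# Demonstration on constructed readings against a reference of 14:00:00.
printf 'mac01 14:00:30\nmac02 13:52:10\nmac03 14:04:59\n' \
  | clock_skew_report 14:00:00 || echo "one or more hosts are outside the Kerberos tolerance"
```

Readings are compared to a reference you supply rather than to each other, because what matters for authentication is the offset from the KDC's clock, not agreement among clients; a host flagged OVER is the one to fix with systemsetup -settime (or, better, a network time server) before chasing login failures.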
…ess.

To create a group account:
1 In Workgroup Manager, click Accounts.
2 Make sure the directory services of the Mac OS X Server computer you're using are configured to access the directory domain. For information about using Directory Utility to configure an LDAP connection, see Open Directory Administration. For information about the group account elements that may need to be mapped, see the appendix, Importing and Exporting Account Information.
3 Click the globe icon and choose the domain where you want the group account to reside.
4 To authenticate, click the lock and enter the name and password of a directory domain administrator.
5 Click the Groups button.
6 Click New Group, and then specify settings for the group in the panes provided.

Chapter 5 Setting Up Group Accounts

You can also use a preset or an import file to create a group. For details, see Creating a Preset for Group Accounts and the appendix, Importing and Exporting Account Information.

From the Command Line
You can also create a group account using the dseditgroup command in Terminal. For more information, see the users and groups chapter of Command Line Administration.

Creating a Preset for Group Accounts

You can use presets to apply predetermined settings to a new group account. Presets are stored in the directory domain that you're viewing. If you change directory domains, the presets you created in the other directory domain are not availab…
…f Mac OS X v10.5.
Front Row: Whether Front Row is allowed.
Legacy: Access to specific applications and paths to applications, using bundle IDs (primarily for users of Mac OS X v10.4 or earlier).

Controlling User Access to Specific Applications and Folders

You can use Workgroup Manager to prevent users from launching unapproved applications or applications located in unapproved folders.
In Mac OS X v10.4 or earlier, applications were identified by their bundle IDs. If your users have Mac OS X v10.5 or later installed, you can use digital signatures to identify applications. Digital signatures are much more difficult to circumvent than a bundle ID: a bundle ID is only a string in the application's Info.plist, so anyone who can copy or edit a bundle can give an unapproved application an approved ID, whereas a signature covers the application's contents and fails verification when they change.
Workgroup Manager can sign applications that aren't already signed. When signing an application, you can embed a signature or you can store a detached signature separate from the application. Embedding a signature has several performance benefits over a detached signature, but with signature embedding you must make sure every computer has the same signed application. For applications that are run from a CD, DVD, or other read-only media, you must use detached signatures.
Workgroup Manager uses the following icons to denote the kind of signature associated with an application:
• No icon: the application has an embedded signature.
• Detached-signature icon: the application has a detached signature.
• No-signature icon: the application has no signature.

Chapter 10 Managing Preferences

Applications that include helper applications…
…ffecting a future user's work experience. Some applications only respond to preference management set to Often.

Caching Preferences

Preferences are cached on Mac OS X computers so they remain in effect even when the computer is off the network. With Mac OS X v10.5 and later, the preferences cache is automatically managed:
• Computer preferences and preferences for any workgroups that can use the computer are cached.
• User preferences are always cached for users who have mobile accounts.
When a computer is off the network, only users with local accounts or network users with mobile accounts on that computer can log in.

Preference Management Basics

In Workgroup Manager, information about users, groups, computers, and computer groups is integrated with directory services. After you set up the accounts, you can manage preferences for them.
Managing preferences means you can control settings for certain system preferences, in addition to controlling user access to system preferences, applications, printers, and removable media.
Information about settings and preferences in user, group, or computer records is stored in a directory domain accessible to Workgroup Manager, such as an Open Directory domain. Preferences are stored in a record, which is either a user, group, or computer record. During login, the managed client combines them into a management list that is applied to the user experience. After…
…fic criteria.
1 In Workgroup Manager, select Accounts or Preferences.
2 Click the globe icon below the toolbar and choose the directory domain that contains the accounts you want to edit.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 In the toolbar, click Search. You can also click the magnifier in the search field above the accounts list and then choose Advanced Search.
5 To enter search criteria, choose the field to search and the field option, enter the text you want to search for, and then click the Add button to add additional search criteria.
6 Select Perform a batch edit on the search results.
To create a list of accounts affected when you save batch edits, select Preview and edit search results before applying changes. To create a list of accounts and the changes made to each of those accounts after saving batch edits, select Display postview of changes or errors.
7 Click Continue.
8 Change account information or preference settings, and then click Apply Now. If a field is disabled, you can't edit the field while multiple user accounts are selected.
9 If you selected Preview and edit search results before applying changes, a dialog appears listing all accounts affected by the batch edit. To remove an account, select the account and then click Remove Item. When the dialog lists only the accounts you want to edit, click Apply.
If you perform more batch edits using…
Index

…fined 56, 90, 251; preferences 139; types 56. See also computer accounts; group accounts; importing; mobile accounts; user accounts
ACEs (access control entries) 27, 29
ACLs (access control lists) 27, 29
Active Directory 29, 35, 37, 57, 132
addresses. See IP addresses
admin group 23
administrator: accounts for 22, 23, 42, 56, 132, 142; directory services 23; domain 38, 72; groups for 90, 91; mobile accounts 132; passwords for 39; privileges of 23, 38, 68, 70, 243; server 68; setup 38, 41, 42; system 56
administrator computer 32, 41, 98
adult websites, access control 217
AFP (Apple Filing Protocol) service 114, 117, 123
AirPort 216
Always setting for preferences 159
anonymous users. See guest accounts
Apple Filing Protocol service. See AFP
Apple menu, Classic 172, 187
Apple Remote Desktop 239, 241
AppleShare IP migration utility 256
applications: access control 149, 153, 164, 165, 177; legacy access 168; preference editor 231, 232, 234, 235. See also specific applications
archiving, Open Directory master 253
ARD. See Apple Remote Desktop
assistive devices 227, 228, 229, 231
attributes, types of 251
authentication: directory domains 32, 43; imported accounts 252, 253; Kerberos 245; mobile accounts 131; overview 26, 55; troubleshooting 242, 243, 245. See also login; passwords
automountable share points 117, 118, 123, 125, 267

B
background synchronization 139, 212
backup: account 252; Time Machine 150, 157, 225
v…
…follows, and use the Owner, Group, and Everyone pop-up menus.
To prevent AFP access to the share point, in AFP deselect Share this item using AFP.
To prevent NFS access to the share point, in NFS deselect Export this item and its contents to.
To prevent FTP access to the share point, in FTP deselect Share this item using FTP.
Click OK to close the Protocol Options dialog, and then click Save.

From the Command Line
You can also set up a share point using the sharing command in Terminal. For more information, see the file services chapter of Command Line Administration.

Administering Home Folders

You can use Workgroup Manager to assign a home folder location to user accounts. To assign a home folder location, you must create a share point. For instructions on creating share points, see Setting Up a Share Point on page 116.

Specifying No Home Folder

You can use Workgroup Manager to change a user account that has a home folder to one that has none. By default, new users have no home folder. When users do not have home folders, they can't save files locally.
Important: Portable home directories require that you specify a network home folder.

To define no home folder:
1 In Workgroup Manager, click Accounts.
2 Open the directory domain where the user account resides and authenticate as an administrator of the domain. To open a directory domain, click the globe icon a…
…formation about enabling a group's mailing list, see Enabling a Group's Web Services on page 98.
You can use Workgroup Manager to edit the long or short names of a group account stored in an Open Directory domain, the local directory domain, or other read/write directory domain. You can also use Workgroup Manager to review the names in any directory domain accessible from the server you're using.

To work with group names using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to work with. To select an account, click the globe icon, choose the directory domain where the account resides, click the Groups button, and select the group.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Click Basic, then in the Name field or the Short name field review or edit the names, and then click Save. Before saving a new name, Workgroup Manager checks to ensure that the name is unique.

Defining a Group ID

A group ID is a string of ASCII digits that uniquely identifies the group. The maximum value is 2,147,483,647.

Chapter 5 Setting Up Group Accounts

You can use Workgroup Manager to edit the ID for a group account stored in an Open Directory domain or the local domain, or to review the group ID in any directory domain accessible from the server you're using. The group ID is associated with group privileges and permissions.

To work with a grou…
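Defining a Group ID above states the format (ASCII digits, maximum 2,147,483,647) and that the ID must uniquely identify the group, but Workgroup Manager's uniqueness check is described only for names. The following shell function is an added example, not code from the Apple manual, that applies both rules to a proposed group ID before you save it and also rejects a collision with an existing GID, since two groups sharing a GID share each other's file permissions. EXISTING_GROUPS is a constructed name:gid list standing in for whatever your directory reports.

```shell
#!/bin/sh
# Added example, not from the Apple manual: validate a proposed group ID against
# the two rules the text states (ASCII digits only, maximum 2147483647) plus a
# uniqueness check against the groups you already have.
# EXISTING_GROUPS is a constructed "name:gid" list, not real directory data.
EXISTING_GROUPS='wheel:0
staff:20
admin:80
engineering:1025'

# usage: validate_gid GID GROUP_LIST
# prints ok | not-digits | out-of-range | duplicate:<name>; returns 0 only for ok
validate_gid() {
  gid=$1
  case $gid in
    ''|*[!0-9]*) echo not-digits; return 1 ;;
  esac
  # Check the length first so an absurdly long digit string never reaches the integer test.
  if [ ${#gid} -gt 10 ] || [ "$gid" -gt 2147483647 ]; then
    echo out-of-range; return 1
  fi
  # A second group with the same GID silently inherits this group's file permissions,
  # so refuse the collision even though the directory would store it.
  owner=$(printf '%s\n' "$2" | awk -F: -v g="$gid" '$2 == g { print $1; exit }')
  if [ -n "$owner" ]; then
    echo "duplicate:$owner"; return 1
  fi
  echo ok
}

# Demonstration on constructed candidates.
for candidate in 1026 20 2147483647 2147483648 12a; do
  printf '%-12s %s\n' "$candidate" "$(validate_gid "$candidate" "$EXISTING_GROUPS")"
done
```

The duplicate check matters most for GID 0 and the other low IDs that map to built-in groups; an unprivileged-looking group assigned one of those IDs inherits the built-in group's access to every file it owns.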
…formation about how to add a group folder to the Dock to make it more accessible to users, see Chapter 10, Managing Preferences.
• For information about setting up ACLs, see File Services Administration.

Step 9: Define group account preferences
You can manage preferences for a group account. A group account with managed preferences is called a workgroup. For information about Mac OS X workgroups, see Chapter 9, Client Management Overview, and Chapter 10, Managing Preferences.

Step 10: Define computer accounts, computer groups, and preferences
Use computer accounts or computer groups to manage Macintosh client computers.
• For information about creating Mac OS X computer accounts or computer groups, see Chapter 6, Setting Up Computers and Computer Groups.
• For information about computer group preferences, see Chapter 9, Client Management Overview, and Chapter 10, Managing Preferences.

Step 11: Perform ongoing account maintenance
As users come and go and the requirements for your servers change, you must update account information.
• For information about how to use Workgroup Manager to display accounts, see Chapter 3, Getting Started with Workgroup Manager. For information about how to perform common tasks such as creating accounts, disabling accounts, adding and removing users from groups, and deleting accounts, see Chapter 4 through Chapter 6.
• For solutions to common problems, see Chapter…
…g Energy Saver Preferences on page 177.
Finder: Finder behavior, desktop appearance and items, and availability of Finder menu commands. For more information, see Managing Finder Preferences on page 182.
Login: Login window appearance, mounted volumes, access control, scripts, and items that automatically open. For more information, see Managing Login Preferences on page 189.
Media Access: Settings for optical discs, internal and external disks, and disk images. For more information, see Managing Media Access Preferences on page 200.
Mobility: Creation of mobile accounts at login and mobile account options. For more information, see Managing Mobility Preferences on page 202.
Network: Configuration of specific proxy servers and settings for hosts and domains to bypass, and disabling Internet Sharing, AirPort, and Bluetooth. For more information, see Managing Network Preferences on page 213.
Parental Controls: Filter content or limit client computer usage. For more information, see Managing Parental Controls Preferences on page 217.
Printing: Available printers, printer access, and page footers. For more information, see Managing Printing Preferences on page 220.
Software Update: Specific server to use for software update service. For more information, see Managing Software Update Preferences on page 224.
System Preferences: System preferences available to users. F…
…g items previously added through preference management. Merging only opens login items that appear on the user's list and on your list. If the user's login list does not include items, all managed login items appear. If you do not select Merge with user's items, all login items on either list open.
Click Apply Now.

Providing Access to a User's Network Home Folder

This setting is used primarily for mobile accounts on computers using Mac OS X v10.3 through Mac OS X v10.3.9. When a user logs in while connected to the network, the share point with the user's original home folder on the server is mounted on the desktop.
Don't provide access to a user's network home folder to users with mobile accounts on Mac OS X v10.4 or later. Mac OS X v10.4 and later include portable home directories, which provide a synced subset of the user's local and network home folders. If a user modifies files in both the local and network home folders, when the two home folders sync the newer modifications take precedence, which could surprise and confuse the user. Additionally, users could be confused by having multiple folders titled with their user names and similarly named folders like Documents, Music, and others.

To automatically mount the Network Home:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, c…
…g used and the group chosen at login.
If you deselect Merge with user's Dock, all Dock items you place will override users' Dock item settings. Users can't add items to their Docks if you select Always and deselect Merge with user's Dock. If you select Always, users can't remove items from their Docks. For more information about how to add Dock items, see Adding Items to a User's Dock on page 176.

If a User's Dock Has Duplicate Items
When you use Workgroup Manager to set up the same Dock item preferences for more than one account type (user, group, computer, or computer group), a managed user's Dock can contain duplicate items. For example, an application icon may appear more than once in the user's Dock. Duplicate applications or folders work as expected when you open them.
To correct duplicate Dock items, try removing Dock item preferences for all account types that affect the user, then carefully configure the Dock item preferences for the account types.

If Users See a Question Mark in the Dock
You can use Workgroup Manager to control what items a user sees in his or her Dock. Items in the Dock are aliases to original items stored elsewhere, such as on the computer's hard disk or on a remote server. If you add items to a user's Dock that are not on the user's hard disk or on another volume mounted on the user's computer, the items appear as question mark icons. Clicking these icons does not open the items.
…group Manager. You can set up alternate SMB share points for home folders and user profiles on the PDC server or on domain member servers.

Distributing Home Folders Across Multiple Servers

The following illustration shows one Mac OS X Server computer storing user accounts and two other Mac OS X Server computers storing AFP home folders.
[Illustration: an accounts server (Mac OS X Server) connected to two home folder servers, one holding home folders A through M and the other holding home folders N through Z]
When a user logs in, he or she is authenticated using an account stored in a shared directory domain on the accounts server. The location of the user's home folder, stored in the account, is used to mount the home folder, which resides on one of the two home folder servers.
Here are the steps you could use to set up this scenario for AFP home folders.

Step 1: Create a shared domain for user accounts on the accounts server
Create a shared LDAP directory domain by setting up an Open Directory master, as described in Open Directory Administration.

Step 2: Set up an automountable share point for home folders on each home folder server
For information about how to set up automountable share points, see Setting Up an Automountable AFP Share Point for Home Folders on page 117.

Step 3: Create the user accounts in the shared domain on the accounts server
For information about specifying which share point is used for a user's home folder, see Administering Home Folders on p…
…group Manager.
User accounts from the server's local directory domain can't be used to authenticate in the login window on client computers, because the login window is a process running on the client computer, not on the server.

To list accounts in a server's local directory domain:
In Workgroup Manager, connect to the server hosting the domain, then click the globe icon and choose Local. For servers running Mac OS X Server v10.5 or later, the local directory domain is listed as Local/Default.
Choose from the following:
• To view user accounts, click the Users button.
• To view group accounts, click the Groups button.
• To view computer accounts, click the Computers button.
• To view computer groups, click the Computer Groups button.
To work with a particular account, select it. Changing account settings or preferences requires server administrator privileges, so you may need to click the lock to authenticate.

Listing Accounts in Search Policy Directory Domains

A computer's search policy specifies which directory domains Open Directory can access. The search policy also specifies the order in which Open Directory accesses directory domains. By listing accounts in a search policy, you list the accounts on all directory domains in the search policy. You can't edit accounts when listing accounts in a search policy.
For more information about how to set up search policies, see Open Directory Administration.

To list accounts in search policy domains:
...h accounts stored in an Active Directory domain. To manage sync settings for these mobile accounts, extend the Active Directory schema to accept and map Open Directory attributes.

There are two ways to create mobile accounts:
• Use Workgroup Manager to enable syncing of user accounts.
• Allow network users to create mobile accounts themselves.

For instructions on using Workgroup Manager to enable syncing, see "Creating a Mobile Account" on page 202.

Users with network accounts who have administrative access to their computers can create mobile accounts, which also creates a portable home directory. You can manage their sync settings in the Rules panes of Mobility preferences.

To prevent users from creating mobile accounts, you can choose not to show Accounts in their System Preferences. For instructions on denying access to specific System Preferences, see "Managing Access to System Preferences" on page 224. You can also manage Mobility preferences so that they can't create mobile accounts. For instructions on managing Mobility preferences, see "Preventing the Creation of a Mobile Account" on page 203.

(Chapter 8, Managing Portable Computers)

Logging In to Mobile Accounts

If a user has created a portable home directory, logging in to a mobile account is similar to logging in to a local account. First the user selects his or her account and then enters the correct password to complete the login. If the account is not displayed, th...
...hared directory by clicking the globe icon and choosing the directory domain. If you're not authenticated, click the lock and enter the name and password of a directory domain administrator.
Click New User, click Basic, and then provide basic information for the administrator.
Click Privileges, and from the Administration capabilities pop-up menu, choose Full.
Click Save.

From the Command Line
You can also create a domain administrator account using the dscl and pwpolicy commands in Terminal. For more information, see the users and groups chapter of Command Line Administration.

Using Workgroup Manager

After installing the Mac OS X Server software and setting up a domain administrator account, you can access and use Workgroup Manager for user management. This section provides an introduction to Workgroup Manager.

Using Mac OS X Server v10.5 to Administer Earlier Versions of Mac OS X
Servers running Mac OS X Server v10.3 or v10.4 can be administered using v10.5 server administration tools. You can use Workgroup Manager on a computer running Mac OS X Server v10.5 to manage Mac OS X clients running Mac OS X v10.3.9 or later.

(Chapter 3, Getting Started with Workgroup Manager)

Connecting and Authenticating to Directory Domains in Workgroup Manager
When you install your server or set up an administrator computer, Workgroup Manager is installed in /Applications/Server. Use the Finder to open the application, or click its icon in the Dock o...
...hat they be changed at the next login. If you set the password type to Shadow Password, you can also set security options to control which authentication methods are used when validating the user's password.

You can only assign the Open Directory password type if the directory administrator account that you authenticate with also uses an Open Directory password. Windows users must have Open Directory passwords for Windows domain login.

For a detailed explanation of password types, password policy options, and security options, see Open Directory Administration.

To choose a user password type and set password options:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Click Advanced.
5 From the User Password Type pop-up menu, choose Shadow Password, Open Directory, or Crypt Password. When you choose a password type, a prompt might appear requiring you to enter a password, depending on whether you entered a password in the Basic pane.
6 If you choose Open Directory or Shadow Password, you can set a password policy for the selected users by clicking Options, selecting any of the options, and clicking OK.

(Chapter 4, Setting Up User Accounts)

If you cho...
...he following occurs:
• If the user's primary group ID matches the ID of the group associated with the file, the user inherits group permissions.
• If the user's primary group ID doesn't match the file's group ID, Mac OS X searches for the group account that has permission to access the file. When the group is found, all members of that group and subsequent hierarchical groups are given permission to that file.
• If neither of these cases apply, the user's access permissions default to the generic everyone permissions.

(Chapter 1, User Management Overview)

ACLs and POSIX Permissions

Every file and folder has POSIX permissions. Unless an administrator assigns ACL permissions, POSIX permissions continue to define user access. If you assign ACL permissions, they take precedence over standard POSIX permissions. If a file has ACL permissions but none apply to the user, the POSIX permissions determine user access. If a file has multiple ACEs that apply to a user, the first applicable ACE takes precedence and subsequent ACEs are ignored.

For more information about ACL and POSIX permissions, see File Services Administration.

SIDs and Windows Interoperability

Mac OS X computers work seamlessly with Windows computers because Mac OS X assigns a security identifier (SID) to a process or file when it assigns a GUID to the process or file. A SID is a Windows identifier that has similar functionality to a GUID on a Mac OS X computer. When Windows users acce...
...he keyword in the text field.
Remove a keyword from the master list and from all user and computer accounts where it appears: Select the keyword, select "Remove deleted keywords from users and computers," and then click the Remove button.
Remove a keyword only from the master list: Deselect "Remove deleted keywords from users and computers," select the keyword you want to remove, and then click the Remove button.
When you finish editing the master list, click OK.

Applying Keywords to User Accounts

You can remove a keyword from all user accounts that are tagged with that keyword. However, you can only add keywords to one user account at a time.

(Chapter 4, Setting Up User Accounts)

To work with keywords for a user account:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Click Advanced and choose from the following:
To do this: Do this
Add a keyword to the selected account: Click the Add button to view the list of available keywords, select one or more keywords in the list, and then click OK.
Remove a keyword from a specific user account: Select the keyword you want to remove and click the Remove button.
...hen you change a preset, existing accounts that were created with it are not updated to reflect the changes.
Change the name of a preset: Choose Rename Preset from the Presets pop-up menu, choose the preset, enter a new name, and then click OK.
Delete a preset: Choose Delete Preset from the Presets pop-up menu, select the preset, and then click Delete.

Using a Computer Group Preset

When you create a computer group, you can choose any preset from the Presets pop-up menu to apply initial settings. You can further modify computer group settings before you save the list. When you save the computer group, you can't use the Preset menu again for that list; for example, you can't apply a different preset to the group.

To use a preset for computer groups:
1 In Workgroup Manager, click Accounts.
2 Click the globe icon and choose the directory domain where you want to store the computer group.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
(Chapter 6, Setting Up Computers and Computer Groups)
4 Click the Computer Groups button on the left and then click Basic.
5 From the Presets pop-up menu, choose a preset.
6 Choose Server > New Computer Group, or click New Computer Group in the toolbar.
7 Add or update settings as needed, and then click Save.

Adding Computers or Computer Groups to a Computer Group

You can easily add computers and computer groups to an existing computer group...
...ic network, typically the Internet. VPNs are generally cheaper than real private networks using private lines, but they rely on having the same encryption system at both ends. The encryption may be performed by firewall software or by routers.
weblog  See blog.
wiki  A website that allows users to collaboratively edit pages and easily access previous pages using a web browser.
workgroup  A set of users for whom you define preferences and privileges as a group. Any preferences you define for a group are stored in the group account.
XML  An extensible markup language, similar to HTML but more formal and more flexible.

(Glossary)
...ication and account management. If you have 1800 computers and 2500 users, you need one Open Directory master and one Open Directory replica.

(Chapter 2, Getting Started with User Management)

If you use network home folders, they require one dedicated home folder server for every 150 concurrent connections. If you use mobile accounts with portable home directories, you need one dedicated home folder server for every 300 concurrent connections. For example, if you have 400 computers and 2000 users on network home folders, you need three dedicated home folder servers. If those users are deployed with portable home folders, you need two dedicated home folder servers. If you have 1800 computers and 2500 users, you should have 12 dedicated home folder servers for network home folders and 6 dedicated servers for portable home directories.

Group folders require one server for every 450 concurrent connections. For example, if you have 400 computers, you need one group folder server. For 1800 computers, you need four group folder servers.

Storage requirements vary because users have varying storage needs. Some users may store very few files in their home folders, while other users fill theirs. A simple guideline is to start with 1 gigabyte (GB) of storage per user account, but allow for expansion. Don't establish disk quotas or other space restrictions unless you have closely examined your users' storage needs. For example, 2000 user account...
...ick General and then look at the Computer Name field. For sharename, substitute the name of the share point. For usershortname, substitute the first short name of the user account you're configuring.
• For a local profile stored on the Windows computer, enter the drive letter and folder path in UNC format, as in the following example: C:\Documents and Settings\juan
Click Save.

Changing a Windows User's Login Script Location

You can use Workgroup Manager to change the folder location of a user's Windows login script in the /etc/netlogon folder on the PDC server.

To change the Windows login script location for a user account:
1 In Workgroup Manager, click Accounts.
2 Open the user account whose Windows login script location you want to change. To open a user account in the PDC, click the globe icon and choose the PDC server's LDAP directory.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Click Windows and enter the new login script location in the Login Script field.
(Chapter 4, Setting Up User Accounts)
Enter the relative path to a login script in /etc/netlogon on the PDC server. For example, if an administrator places a script named setup.bat in /etc/netlogon, the Login Script field should contain setup.bat.
5 Click Save.

Changing a Windows User's Home Folder Drive Letter

You can use Workgroup Manager to change the Windows drive letter that a user's home folder is mapped...
...iles.

(Chapter 5, Setting Up Group Accounts)

To work with read-only groups:
1 In Workgroup Manager, click Accounts.
2 Make sure that the directory services of the Mac OS X Server computer you're using are configured to access the directory domain where the account resides. For information about using Directory Utility to configure server connections, see Open Directory Administration. For information about the group account elements that need to be mapped, see the appendix, "Importing and Exporting Account Information."
3 Click the globe icon and then choose the directory domain where the group account resides.
4 Use the panes provided to review the group account settings.

Deleting a Group

You can use Workgroup Manager to delete a group account stored in an Open Directory domain, the local directory domain, or other read/write directory domain.

WARNING: You cannot undo this action.

To delete a group using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the group account you want to delete. To select the account, click the globe icon, choose the directory domain where the account resides, click the Groups button, and then select the group.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Choose Server > Delete Selected Group, or click the Delete icon in the toolbar.

From the Command Line
You can also delete a group account using the dseditgroup command...
...in Terminal. For more information, see the users and groups chapter of Command Line Administration.

Working with Basic Settings for Groups

Basic settings for groups include name, ID, picture path, comments, and whether the group uses web services.

Naming a Group
A group has two names: a long name and a short name.
• A long group name (for example, English Department Students) is used for display purposes and contains no more than 255 bytes.
(Chapter 5, Setting Up Group Accounts)
Because long group names support various character sets, the number of characters for long group names can range from 255 Roman characters to as few as 63 characters for character sets in which characters occupy up to 4 bytes.
• A short group name contains as many as 255 Roman characters. However, for clients using Mac OS X v10.1.5 or earlier, the short group name must be eight characters or less. Use only the following characters in a short group name:
  • a through z
  • A through Z
  • 0 through 9
  • _ (underscore)
The short name (typically eight or fewer characters) may be used by Mac OS X to find group members' user IDs when determining whether a user can access a file as a result of his or her group membership. For more information about group membership, see "How Group Accounts Track Membership" on page 89.
If a group has a mailing list enabled, the short name is also used in the group's mailing list address (shortname@hostname.com). For more in...
...ine core account settings like name, password, home folder location, and group membership. You can also manage preferences, allowing you to customize the user's experience, granting or restricting access to his or her own computer's settings and to network resources.

Workgroup Manager works closely with a directory domain. Directory domains are like databases, but are specifically designed for storing account information and handling authentication.

What's New in Workgroup Manager

Computer accounts and computer groups
You can create computer accounts for individual computers. By managing computer accounts individually, you can fully customize preference management settings for those computers. You can create computer groups composed of these individual computer accounts or of hierarchical groups. Managed preferences for a parent computer group in a hierarchical group also apply to child computer groups. The addition of computer accounts and computer groups eases administration and increases flexibility. For more information, see Chapter 6, "Setting Up Computers and Computer Groups."

Improved mobile accounts
Mobile accounts are now more secure, efficient, and portable. You can protect mobile accounts with FileVault. You can set account expiry options so that local home folders are deleted after a period of inactivity. You can also create mobile accounts on an external drive, so users can still access a synced home folder with cached...
...ing managed preferences, see "Customizing the User Experience" on page 149 and Chapter 10, "Managing Preferences."

Creating a Preset for Computer Groups

You can select settings for a computer group and save them as a preset. Presets work like templates, allowing you to apply preselected settings and information to new computer groups.
(Chapter 6, Setting Up Computers and Computer Groups)
Using presets, you can easily set up multiple computer groups that use similar settings. However, you can only use presets when creating a computer group. You can't use a preset to change a computer group.

To set up a preset for computer groups:
1 In Workgroup Manager, click Accounts.
2 Click the globe icon and choose the directory domain where you want to create a computer group using presets.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 Click the Computer Groups button on the left.
5 Create a computer group by clicking New Computer Group or by selecting an existing computer group on the left.
6 Fill in the information in the Basic and Members panes.
7 From the Presets pop-up menu, choose Save Preset.

After creating a preset, you can change its settings, change its name, or delete it.
To do this: Do this
Change the preset's settings: Create a computer group based on the preset and change the computer group settings. Save the preset using the same name as the old preset. W...
...ings are a collection of attributes that must be defined for all users. In Workgroup Manager, use the user account's Basic pane to work with basic settings.

Modifying User Names

The user name is the long name for a user, such as Mei Chen or Dr. Anne Johnson. In addition to the long name, sometimes the user name is referred to as the full name or the real name. Users can log in using the user name or a short name associated with their accounts.
(Chapter 4, Setting Up User Accounts)
A user name can contain no more than 255 bytes. Because long user names support various character sets, the maximum number of characters for long user names ranges from 255 Roman characters to as few as 63 characters in character sets where characters occupy up to 4 bytes.

Use Workgroup Manager to edit the user name of an account stored in an Open Directory domain, the local directory domain, or other read/write directory domain. You can also use Workgroup Manager to review the user name in any directory domain accessible from the server you're using.

To work with the user name using Workgroup Manager:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3 To authenticate, click the lock and enter the name and password of a directory domain administrator.
4 In the Name...
...ining dedicated directory domain servers and servers that store home folders.

Even with local accounts, you can still manage users' computers when they use your network by adding their computers to a computer group. When distributing portable computers, you can still retain control over the computer when the user logs in with a local account while off the network. To restrict a user from full use of the computer, do not assign him or her local administrator privileges. You can also set parental controls to further control the computer while off the network. For more information about how to set parental controls, see Mac Help.

To restrict users from full access to a computer, create a local administrator account and a local user account on the computer. Give the user the login information for the local user account but not the local administrator account. Only administrator accounts allow users to install software and save or delete files outside of the home folder.

If you make a user the local administrator of a computer, you can deny him or her the ability to turn off your computer management. However, in many cases the local administrator can still override management settings.

If local users want to share files with other users over the network, they can enable File Sharing in the Sharing pane of System Preferences and then use their Public folder to share. Similarly, local users can connect to the computers of other users who have File...
...ion at a specific path, make sure that the folder has the following permissions:
Type: Name, Privilege
Owner: system, Read & Write
Group: admin, Read only
Others: Others, Read only

If you choose a location that doesn't exist on the user's computer, it is created when the user logs in.

When a location is chosen on an external disk, you create an external account. For more information, see "Creating External Accounts" on page 208.

To select the location of a mobile account:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
(Chapter 10, Managing Preferences)
4 Click Mobility, click Account Creation, click Creation, and then set the management setting to Always.
5 Select "Create mobile account when user logs in to network account." This option must be selected to enable a mobile account for the selected account.
6 Click Options and then set the management setting to Always.
7 Select a Home folder location option. If you select "at path," enter the path to a folder on an external drive in the format /Volumes/DriveName/Folder, replacing DriveName with the name of the external drive and Folder with a folder on the external dri...
...ir network home folders by clicking the Home icon in the Finder.
• Group folders: When you set up a group account for network users, you can associate a group folder with the group. A group folder is a place for group members to exchange information electronically. By default, it contains three folders: Documents, Library, and Public. The Public folder contains a Drop Box folder, which allows users to easily share their files. By residing on the server for easy access throughout the network, a group folder can be shown in the Dock for access from wherever a user wants to work on group activities.
• Other shared folders: You can set up other folders on the server to provide users access to applications, handouts, announcements, schedules, and other files.
• NetBoot and NetInstall images: You can use NetBoot images and NetInstall images on the server to simplify the setup of network users' computers. A user's computer can start up from a NetBoot image stored on the server. You can use the same computer for a science lab, booting from one image, and for a French lab, booting from a different image. Each time a lab computer restarts, the system reflects the original condition of the selected boot image, regardless of what the previous student may have done on the computer. A NetInstall image installs preconfigured software on users' computers, making it easy to remotely deploy the operating system, additional applications, and even custom compu...
...irectories at the same time, or to work with different views of accounts in a particular directory, open multiple Workgroup Manager windows by clicking the New Window icon in the toolbar or by choosing Server > New Workgroup Manager Window.
• To administer accounts in the selected directory, click the Accounts icon in the toolbar, then click the Users, Groups, Computers, or Computer Groups button on the left side of the window to list the accounts that exist in the directories you are working with. To filter the displayed account list, use the pop-up search menu above the accounts list.
• To work with managed preferences, select an account or several accounts and then click the Preferences icon in the toolbar.
• To import or export user and group accounts, choose Server > Import or Server > Export.
(Chapter 3, Getting Started with Workgroup Manager)
• To view onscreen help, use the Help menu. The Help menu gives you access to help for administration tasks available through Workgroup Manager, as well as other Mac OS X Server topics.
• To open Server Admin so you can monitor and work with services on a server, click the Server Admin icon in the Workgroup Manager toolbar. For information about Server Admin, see Server Administration.

Modifying Workgroup Manager Preferences

You can change Workgroup Manager preferences to customize how records are displayed and to enable the Inspector, which is an advanced directory domain editor. Workgroup...
...istration: Perform advanced installation and setup of server software, and manage options that apply to multiple services or to the server as a whole.
System Imaging and Software Update Administration: Use NetBoot, NetInstall, and Software Update to automate the management of operating system and other software used by client computers.
Upgrading and Migrating: Use data and service settings from an earlier version of Mac OS X Server or Windows NT.

(Preface, About This Guide)

This guide: tells you how to
User Management: Create and manage user accounts, groups, and computers. Set up managed preferences for Mac OS X clients.
Web Technologies Administration: Set up and manage web technologies, including web, blog, webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV.
Xgrid Administration and High Performance Computing: Set up and manage computational clusters of Xserve systems and Mac computers.
Mac OS X Server Glossary: Learn about terms used for server and storage products.

Viewing PDF Guides Onscreen

While reading the PDF version of a guide onscreen:
• Show bookmarks to see the guide's outline, and click a bookmark to jump to the corresponding section.
• Search for a word or phrase to see a list of places where it appears in the document. Click a listed place to see the page where it occurs.
• Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.
...itably shared. To get started with Workgroup Manager, see Chapter 3, "Getting Started with Workgroup Manager."

Server Admin

The Server Admin application provides access to various tools and services that play a role in server management. After installing the Mac OS X Server software, use Server Admin to set up directory services and establish your network. Then use Workgroup Manager to create and manage accounts. After that, use Server Admin to set up additional services to provide mail service, host websites, share printers, and create share points, which allow users to share folders and files. For information about how to use the many services managed through Server Admin, see the service administration guides.

The following table lists common server administration tasks and includes the location of related documentation.
To: See this document
Assign permissions to folders and files in a share point: File Services Administration
Share printers among users: Print Service Administration
Set up websites or WebDAV support on the server: Web Technologies Administration
Provide email service for users: Mail Service Administration
Broadcast multimedia from the server in real time: QuickTime Streaming Server Administration
Provide identical operating system and applications folders for client computers: System Imaging and Software Update Administration
Install applications across a network: System Imaging and Software Update Ad...
...k or grayscale, select "Switch to" and then select White on Black or Grayscale.
Click Apply Now.

Setting a Visual Alert

If users can't hear computer alert sounds (for example, the sound played when new mail arrives or an error occurs), you can flash the screen as an alternative.

To set a flashing alert:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select one or more users, groups, computers, or computer groups.
4 Click Universal Access.
5 Click Hearing and then select a management setting.
6 Select "Flash the screen whenever an alert sound occurs."
7 Click Apply Now.

Adjusting Keyboard Accessibility Options

If some users have difficulty pressing keys, you can use Sticky Keys or Slow Keys to help them use the keyboard.
(Chapter 10, Managing Preferences)
Sticky Keys helps users who can't press multiple keys simultaneously. It treats a sequence of modifier keys (Shift, Command, Option, and Control) like a key combination. For example, to press Command-O, users can press Command and then O. To hold down a key with multiple keystrokes, users can press the key twice. For example, pressing Shift twice is like using Caps Lock, except that it also presses Shift when entering commands. So if you've...
209. k the Computer Groups button, and then select the list.
To authenticate, click the lock and enter the name and password of a directory domain administrator.
In the Members pane, select one or more computers or computer groups.
Chapter 6 Setting Up Computers and Computer Groups
5. Click the Remove button and then click Save.
Deleting a Computer Group
If you no longer need a computer group, you can use Workgroup Manager to delete it.
WARNING: You cannot undo this action.
To delete a computer group:
1. In Workgroup Manager, click Accounts.
2. Select the computer group. To select the computer group, click the globe icon, choose the directory domain that contains the computer group you want to delete, click the Computer Groups button, and then select the list.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Choose Server > Delete Selected Computer Group, or click Delete in the toolbar, and then click Delete.
Upgrading Computer Lists to Computer Groups
Computer lists are groups of computers created in Mac OS X Server v10.4 or earlier. Computer lists can only include computers, not other computer lists. Computer groups can include computers and hierarchical computer groups. You can hierarchically manage preferences for computer groups. Computer groups can include computers running earlier versions of Mac OS X. These computers don't receive hierarchical preference m
210. ktop icons and how they're arranged.
To set preferences for the desktop view:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click Finder, click Views, and then select a management setting. The management setting applies to options in all three views.
Click Desktop View and then drag the Icon Size slider to adjust the icon size.
To keep items aligned in rows and columns, select "Snap to grid."
To arrange items by criteria such as name or type (for example, all folders grouped together), select "Keep arranged by" and then choose a method from the pop-up menu.
Click Apply Now.
Adjusting the Appearance of Finder Window Contents
Items in Finder windows can be viewed in a list or as icons. You can control aspects of how these items look, as well as whether to show the toolbar in a Finder window.
Default View settings control the overall appearance of all Finder windows. Computer View settings control the view for the top-level computer folder, showing hard disks and disk partitions, external hard drives, mounted volumes, and removable media such as CDs or DVDs.
To set preferences for Defau
211. l drive and the user's network home folder. When the user connects an external drive containing his or her local home folder, the user can log in and use his or her account in the same way as if he or she had a mobile account with a local home folder on the computer. If the login window displays accounts in a list, the user can select his or her account; or, if it has a name and password field, the user can enter his or her name and password.
External accounts require Mac OS X v10.5 or later and an external or ejectable volume that is formatted as Mac OS X Extended format (HFS Plus). If the external account is stored on a portable computer, the user must start target disk mode on the portable computer before connecting it to the client computer. When the portable computer is in target disk mode, all mobile accounts stored on it become external accounts.
After the user logs in, Mac OS X only shows the external account that the user logged in with. When the user views the account list in Accounts (System Preferences), the user sees his or her external account but doesn't see other external accounts. Similarly, the fast user switching menu displays all accounts with local home folders on the client computer. If the user chooses Login Window from the fast user switching menu, all external accounts are shown in the fast user switching login window.
Because their home folder is stored on an external volume, external account users can use File Sharing o
212. lder without syncing, choose "Create home with syncing off."
Click Apply Now. Changes are applied to a mobile account the next time the computer connects to the network.
Preventing the Creation of a Mobile Account
To prevent the creation of mobile accounts, manage Mobility preferences.
After a user creates a mobile account, the local home folder for that account stays on the computer until it's deleted. You can delete the local home folders to save disk space, or you can set an expiration period on the mobile account so the local home folders are deleted when the account expires. For instructions, see "Manually Removing Mobile Accounts from Computers" on page 204 and "Setting Expiration Periods for Mobile Accounts" on page 209.
To prevent the creation of mobile accounts:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click Mobility, click Account Creation, and then click Creation.
Set the management setting to Always.
Deselect "Create mobile account when user logs in to network account."
Click Apply Now.
Manually Removing Mobile Accounts from Computers
If a user no longe
213. lders. When a guest browses the home folder server, they can see who has home folders on that server but are restricted to opening guest-access-enabled folders. Guests can also use user short name Public to access a user's Public folder.
To prevent SMB access to the share point, in SMB deselect "Share this item using SMB."
To prevent FTP access to the share point, in FTP deselect "Share this item using FTP."
To prevent NFS access to the share point, in NFS deselect "Export this item and its contents to."
Click OK to close the Protocol Options dialog, and then click Save.
From the Command Line
You can also set up a share point using the sharing command in Terminal. For more information, see the file services chapter of Command Line Administration.
Setting Up an Automountable NFS Share Point for Home Folders
Although AFP is the preferred protocol for accessing home folders because of the security it offers, you can use Server Admin to set up a network NFS share point for home folders. NFS share points can be used for home folders of users defined in shared directory domains, such as an Open Directory domain or an Active Directory domain.
The NFS share point must be automountable; that is, it must have a network mount record in the directory domain where the user account resides. An automountable share point ensures that the computer can locate the NFS share point and home folder. It also makes the share point's server vi
214. le. For instructions on renaming, editing, or deleting group presets, see "Renaming Presets" on page 62, "Editing Presets" on page 62, and "Deleting a Preset" on page 63.
To create a preset for group accounts:
In Workgroup Manager, click Accounts.
Make sure the server is configured to access the Mac OS X directory domain or non-Apple LDAPv3 domain where the preset is used to create accounts.
To create a preset using data in an existing group account, open the account; to create a preset from scratch, create a group account.
Fill in the fields with values you want new groups to inherit, and delete values you don't want to specify in advance.
Click Preferences, configure settings that you want the preset to define, and then click Accounts. After configuring preference settings for a preset, you must return to the Accounts settings to save the preset.
From the Presets pop-up menu, choose Save Preset, enter a name for the preset, and then click OK.
Editing Group Account Information
You can use Workgroup Manager to change a group account that resides in an Open Directory domain, the local directory domain, or other read/write directory domain.
To make changes to a group account:
In Workgroup Manager, click Accounts.
Make sure the directory services of the Mac OS X Server computer you're using are configured to access the directory domain. For instructions, see Open Directory Administration.
Click the globe icon and cho
215. lect the first group account that will use the folder. To select an account, connect to the server where the account resides, click the globe icon, choose the directory domain where the group account is stored, click the Groups button, and then select the group.
3. Click Group Folder, select the folder you want the group to use, and then click Save.
4. In Server Admin, add an ACE entry that gives the group read/write permissions for the group folder.
5. Repeat this process for each group that you want to use the same group folder.
Chapter 5 Setting Up Group Accounts
Setting Up Computers and Computer Groups
This chapter tells you how to set up and manage individual computers and groups of computers.
To manage an individual computer, you must create a computer account. To manage a group of computers, you must create a computer group composed of computer accounts or of other computer groups.
Use Workgroup Manager to view, create, edit, and delete computers and computer groups. To view computers in Workgroup Manager, click the Computers button above the accounts list. To view computer groups in Workgroup Manager, click the Computer Groups button above the accounts list.
About Computer Accounts
A computer account stores data that allows Mac OS X Server to identify and manage individual computers. To create computer groups, you must first create computer accounts for each individual comput
216. lications and Folders
To control user access to applications in Mac OS X v10.4 or earlier, you either:
• Provide access to a set of approved applications that users can open
• Prevent users from opening a set of unapproved applications
You can also set additional options to further control user access to applications.
When users have access to local volumes, they can access applications on the computer's local hard disk. If you don't want to allow this, you can disable local volume access.
Applications use helper applications for tasks they can't complete independently. For example, if a user tries to open a web link in a mail message, the mail application might need to open a web browser to display the webpage. Disallowing helper applications improves security, because an application can designate any other application as a helper application. However, you may want to include common helper applications in the approved applications list. This avoids problems such as users being unable to open and view mail content or attached files.
Occasionally, applications or the operating system might require the use of UNIX tools such as QuickTime Image Converter. These tools can't be accessed directly and generally operate in the background without the user's knowledge. If you disallow access to UNIX tools, some applications may not work.
Allowing UNIX tools enhances applica
217. lications preferences to allow or restrict user access to applications.
Computers identify applications using one of two methods: digital signatures (used in Mac OS X v10.5 or later) and bundle IDs (used in Mac OS X v10.4 or earlier, but can be used in Mac OS X v10.5 or later). Digital signatures are much more secure, because clever users can manipulate bundle IDs. Workgroup Manager supports the use of both methods. Use the Applications pane to work with digital signatures. Use the Legacy pane to work with bundle IDs.
Application restrictions depend on which pane you're managing and the version of Mac OS X run by client computers:
• If you manage the Applications pane and your users run Mac OS X v10.5 or later, Applications settings take effect and Legacy settings are ignored.
• If you don't manage the Applications pane, Legacy settings take effect for any version of Mac OS X.
• If your users run Mac OS X v10.4 or earlier, only Legacy settings take effect.
You can also use settings in Applications preferences to allow only specific widgets in Dashboard or to disable Front Row.
The table below describes what the settings in each Applications pane can do.
Applications preference pane | What you can control
Applications | Access to specific applications and paths to applications, using digital signatures, for users of Mac OS X v10.5 or later
Widgets | List of allowed Dashboard widgets for users o
218. lick Parental Controls and then click Content Filtering.
Set the management setting to Always.
Select "Hide profanity in Dictionary."
Click Apply Now.
Preventing Access to Adult Websites
You can use Workgroup Manager to help prevent users from visiting adult websites. You can also block access to specific websites while allowing users to access other websites. You can allow or deny access to specific subfolders in the same website.
Instead of preventing access to specific websites, you can allow access only to specific websites. For more information, see "Allowing Access Only to Specific Websites" on page 218.
To prevent access to specific websites:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click Parental Controls and then click Content Filtering.
Set the management setting to Always.
Select "Limit access to websites by" and choose "trying to limit access to adult websites."
To allow access to specific sites, click the Add button next to the "Always allow sites at these URLs" list and then enter the URL of the site you want to allow.
To block access to specific
219. lick the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select a mobile user account in the account list.
Click Login and then click Items.
Select a management setting.
Select "Add network home share point."
Click Apply Now.
Providing Easy Access to the Group Share Point
After you set up a group share point, you can make it easy for users to locate group folders by automatically connecting to the share point at login. The connection to the group share point uses the user name and password given at login.
When you manage Finder preferences, you can choose to not show connected servers, which removes the group volume icon from the desktop.
If you change the location of the group share point, update the login item for the group in Workgroup Manager. For information about setting up a group share point, see "Creating a Group Folder" on page 101.
Note: This preference setting applies only to groups. You can't manage this setting for users or computers.
To add a login item for the group share point:
If you haven't set up a group share point and group folder, do so.
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Click the G
220. ll in information you want to use. Some management settings are not available for some preferences, and some preferences are not available for some types of accounts.
Click Apply Now.
Managing Computer Group Preferences
Computer preferences are shared among all computers in a computer group. In some cases it is more useful to manage preferences for computers rather than users or groups. Energy Saver and Time Machine preferences can be managed for computers and computer groups, but not for users or groups.
To manage computer group preferences:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Click the Computer Groups button and select one or more computer groups.
Click the icon for the preference you want to manage.
In each preference pane, select a Manage option. In Media Access, the management setting applies to all preferences rather than to individual panes.
Select preference settings or fill in information you want to use. Some management settings are not available for some preferences, and some preferences are not available for some types of accounts.
Click Apply Now.
Disabling Management for Specific Preferences
After you set managed preferences for an account, you can turn off management for specific
221. llows you to create and manage mobile accounts for users of portable computers.
About Mobile Accounts
If your organization uses portable computers, assign mobile accounts to users. This allows you to manage their preferences and control their level of access to local and network resources. These mobile accounts, which are designed for portable computers, provide many advantages over local or network accounts.
A mobile account includes both a network home folder and a local home folder. Having these two types of home folders allows users to take advantage of features available for both local and network accounts. You can sync specific folders in these two home folders, creating a portable home directory. Syncing ensures that users access their most recently updated files when they connect to the network. If a user modifies files on different computers, when he or she connects to the network and syncs, his or her computer retrieves the most recently synced file.
Mobile accounts also cache authentication information and managed preferences. A user's authentication information is maintained on the directory server but is cached on the local computer. With cached authentication information, a user can log in using the same user name and password even if he or she is not connected to the network. For example, if a student has a mobile account, the student's login name, password, and preferences defined for the user account, workgroups, and computer a
222. lly associated with large-scale deployments of network-based Macintosh computers. It's ideal for an organization with client computers that are identically configured. For example, NetBoot can be a powerful solution for a data center that needs multiple identically configured web and application servers.
With NetBoot, you can quickly configure and update client computers by updating a NetBoot image stored on the server. NetBoot images contain the operating system and application folders for all clients on the server, so that changes made on the server are reflected on the clients when they restart. Systems that are compromised or otherwise altered can be instantly restored by restarting them.
You use System Image Utility to create and modify NetBoot images, and then use NetBoot to deploy NetBoot images. For more information about these tools or about installing an operating system over a network, see System Imaging and Software Update Administration.
NetInstall
NetInstall is a centralized software installation service that lets you use installation images to selectively and automatically install, restore, or upgrade network-based Macintosh systems. Those images can contain the latest version of Mac OS X, a software update, site-licensed or custom applications, or configuration scripts.
Chapter 1 User Management Overview
You can use NetInstall to upgrade operating systems, install software updates and custom software packages, or
223. lso offer improved application stability. Some applications don't work with network home folders and temporary files that are not cached locally. Using mobile accounts, these applications run as if the user had a local account.
Mobile accounts create less network traffic than network accounts. When network account users save files, they transfer the files over the network. When they open files, they also transfer files over the network. With a mobile account, files are stored locally on the client computer or in an external drive and are only transferred during syncing. Syncing only transfers files if the modification time of a local or network file is different than the last time the files synced.
Chapter 8 Managing Portable Computers
Mobile accounts cache temporary files locally, improving network and individual computer performance. Locally caching files like webpages helps reduce network traffic. You can also reduce network traffic by carefully planning user sync settings. For information about how to plan sync settings, see "Strategies for Syncing Content" on page 139.
You can manage individual mobile accounts. Like network accounts, you can use Workgroup Manager to manage preferences and set account attributes for individual mobile accounts. You can manage users with local accounts only if you add a computer to a computer group. This allows you to set management preferences affecting all local accounts for that computer, but it
224. lt and Computer Views:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click Finder, click Views, and then set the management setting to Once or Always. This setting applies to options in all three views.
Click Default View or Computer View. Available settings are similar for both views.
Drag the Icon Size slider to adjust the icon size.
To keep icons aligned in rows and columns, select "Snap to grid." Arranging icons in a grid prevents icons from overlapping.
To sort icons, select "Keep arranged by" and then choose a method from the pop-up menu. You can arrange items by name, creation or modification date, size, or kind (for example, all folders grouped together).
Adjust List View settings. If you select "Use relative dates," an item's creation or modification date is displayed as Today instead of 3/24/05. If you select "Calculate folder sizes," the computer calculates the total size of each folder shown in a Finder window. This can take some time if a folder is very large. Select a size for icons in a list.
Click Apply Now.
Managing Login Preferences
Use Login preferences to set options for
225. ltiple users with the same short name when you use command-line tools or the Inspector.
If multiple user accounts have the same long user name on a Mac OS X computer, the login window displays a list of users to choose from. If two users have the same first short user name, the login window only recognizes and authenticates the first matching user account it finds in the sequence of directory domains specified by the computer's search policy, as set in Directory Utility. If a local user and a network user have the same first short user name, the local user always takes precedence, preventing the network user from logging in to the computer.
In groups created using Mac OS X versions earlier than 10.4, group membership is determined by the user's first short name and group ID (GID). If multiple users have the same first short name, then they have the same group memberships. Groups created using Mac OS X Server v10.4 or later determine group membership using a GUID and a combination of the user's short name and GID. For information about GUIDs, see "Working with GUIDs" on page 87.
If you don't upgrade legacy groups, the groups still determine membership by only the user's first short name and GID. For instructions on upgrading legacy groups, see "Upgrading Legacy Groups" on page 94. To ensure that users have the correct legacy group membership, do not use duplicate user short names.
Chapter 4 Setting Up User Accounts
Modifying
226. ludes printers set up for both the user and the computer used.
• Other preferences defined at more than one level can be overridden at login.
The illustration below shows how managed preferences that override interact when the same preferences are set at multiple levels.
[Illustration: User Preferences, Computer Preferences, Computer Group Preferences, Group Preferences]
When preferences that override conflict, user preferences override computer, computer group, and group preferences. Computer preferences override computer group and group preferences. Computer group preferences override group preferences.
For example, let's say you have different managed Dock preferences for users, workgroups, computers, and computer groups. The Dock preferences for the user take precedence, overriding and nullifying Dock preferences set for computers, computer groups, or workgroups. If you do not manage Dock preferences for the user, the computer and computer group Dock preferences override and nullify group Dock preferences.
An example of when preferences that override might be useful is in a school environment where you want to prevent students from using recording devices attached to a school computer, except for students who serve as lab assistants.
You could set up Media Access preferences for workgroups or computer groups to limit all students' access but override these restrictions for la
227. m tasks assigned to the limited administrator.
The following tasks are available to limited administrators.
Task | Description
Manage user passwords | Change a user's password in the user account's Basic pane. A limited administrator can't change a full administrator's password.
Edit managed preferences | Change managed preference settings.
Edit user information | Edit the user account's Info pane.
Edit group membership | Edit the user account's Groups pane or the group account's Members pane.
If you give a user different administrative capabilities at several account levels, the capabilities are merged. For example, let's say a user named Anne Johnson is a member of the Algebra 101 group, and the Algebra 101 group is a member of the All Classes group. You give another user, Ravi Patel, the following administrative control:
• Manage user passwords rights for All Users and Groups
• Edit managed preferences rights for the All Classes group
• Edit user information rights for the Algebra 101 group
• Edit group membership rights for the Anne Johnson user account
Ravi Patel has all four abilities for Anne Johnson's user account.
You can change a user's domain privileges for LDAPv3 directory domains. You can't change privileges for a local user account or an account stored in a non-LDAPv3 directory domain.
To add limited administrative capabilities:
In Workgroup Manage
228. managed preferences even when they don't have their computers. You can enable these features by managing Mobility preferences. For more information, see Chapter 8, "Managing Portable Computers."
New managed preferences
Preferences now let you manage Parental Controls, Dashboard, Front Row, and Time Machine. Existing preferences have been enhanced, using embedded and detached signatures to prevent the launching of unapproved applications, giving you more control over the login window, and letting you create page footers on printed documents. For more information, see Chapter 10, "Managing Preferences."
What's in This Guide
This guide includes the following chapters:
Chapter 1, "User Management Overview," highlights important concepts, introduces user management tools, and tells you where to find additional information about user management and related topics.
Chapter 2, "Getting Started with User Management," provides planning and setup information to create a user management environment.
Chapter 3, "Getting Started with Workgroup Manager," describes how to set up Workgroup Manager and use its core features.
Chapters 4, 5, and 6 explain how to use Workgroup Manager to set up users, groups, computers, and computer groups.
Chapter 7, "Setting Up Home Folders," covers creating home folders.
Chapter 8, "Managing Portable Computers," details considerations for managing portable computers.
Chapter 9, "Client
229. me. You can allow a managed user to log in to more than one managed computer at a time, or you can prevent the user from doing so.
Note: Simultaneous login is not recommended for most users. You may want to reserve simultaneous login privileges for technical staff, teachers, or other users with administrator privileges. If a user has a network home folder, that's where the user's application preferences and documents are stored. Simultaneous login can change these items, and many applications don't support such changes while the applications are open.
You can only disable simultaneous login for users with AFP home folders.
To allow a user to log in to more than one computer at a time:
In Workgroup Manager, click Accounts.
Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account.
To authenticate, click the lock and enter the name and password of a directory domain administrator.
Click Advanced.
Select "Allow simultaneous login on managed computers."
Choosing a Default Shell
You can change the default shell that the user uses for command-line interactions with Mac OS X, such as /bin/tcsh or /bin/bash (the default). The default shell is used by the Terminal application on the computer that the user is logged in to, but Terminal has a preference that lets you override the default shell. The default shell is u
230. ministration
Share information among multiple Mac OS X Server systems or Mac OS X computers | Open Directory Administration
For a complete list of Mac OS X Server documentation, see "Mac OS X Server Administration Guides" on page 16.
Server Preferences
If you use the standard or workgroup configuration of Mac OS X Server, you can use Server Preferences to configure key features of collaboration and file services. Its streamlined approach allows novice system administrators to quickly configure a server without requiring much technical knowledge.
You can also use Server Preferences to configure user and group accounts, such as setting passwords, enabling services, and assigning group membership. However, you can't use Server Preferences to manage preferences. For more information, see Getting Started and Server Preferences Help.
NetBoot
Mac OS X computers can start up from a network-based NetBoot image, providing quick and easy configuration of department, classroom, and individual systems, as well as web and application servers throughout a network. When you update a NetBoot image, all computers using NetBoot have instant access to the new configuration. To customize the computer setup for different groups of clients, you can set up multiple NetBoot images. These features provide quick setup and a customized user experience.
NetBoot simplifies administration and reduces the support norma
231. more information about setting a disk quota, see "Creating a Network Home Folder" on page 123.
Click Apply Now.
Selecting the Location of a Mobile Account
You can select the location of a mobile account's local home folder, or you can let the user select the location. If you select the location, choose from one of the following:
Home folder location | Description
on startup volume | The local home folder is located on the startup volume in /Users. This is the default location, where the local home folders of mobile accounts on computers with Mac OS X v10.4 and earlier are stored.
at path | The local home folder is located at the path you specify. You can specify a different volume by entering /Volumes/DriveName/Folder, where DriveName is the name of the volume and Folder is the folder in the volume. If you don't specify a volume, the location is on the startup volume.
user chooses | When users with mobile accounts log in, a window appears that allows them to choose a location for the local home folder. After they choose a location, the window only appears when a mobile account is being created. You can choose which types of volumes the user is allowed to choose from:
• any volume: includes volumes on internal or external hard disks
• any internal volume: includes volumes on internal hard disks
• any external volume: includes volumes on external hard disks
If you choose a locat
232. …mputer does not have a valid IP address, it can't be contacted through your network. For a detailed description of DHCP and for instructions on configuring DHCP, see Network Services Administration.

If you have Apple Remote Desktop installed, you can quickly test your entire network. In Apple Remote Desktop, create a scanner that displays computers with IP addresses in the range distributed by your DHCP server. If a computer is turned on, is not in sleep mode, and is connected to your network, the computer should be in the scanner. The scanner displays the IP address given to the computer and the computer's host name. Computers that are not assigned host names by the DNS service are listed without host names. If a computer is listed and has an appropriate IP address and host name, the computer is receiving DHCP and DNS service. For more information about how to use scanners in Apple Remote Desktop, see the Apple Remote Desktop Administrator's Guide.

If you do not have Apple Remote Desktop installed, you can perform the following task to test a single computer's ability to receive DHCP service.

To test your network's DHCP service on a single computer:
1. In Server Admin, click the disclosure triangle to the left of the server providing DHCP service. This displays all of the server's services.
2. Select DHCP and click Subnets. The Subnets pane lists the addresses your DHCP server supplies.
3. On a client comput…
233. …mputer on a local subnet. It can be used without a global DNS system to resolve names to IP addresses. It consists of lowercase letters, numbers, or hyphens (except as the last characters), and ends with .local. For example: bills-computer.local. Although the default name is derived from the computer name, a user can specify this name in the Sharing pane of System Preferences. It can be changed easily and can be used anywhere a DNS name or fully qualified domain name is used. It can only resolve on the same subnet as the computer using it.

logical disk: A storage device that appears to a user as a single disk for storing files, even though it might actually consist of more than one physical disk drive. An Xsan volume, for example, is a logical disk that behaves like a single disk even though it consists of multiple storage pools that are in turn made up of multiple LUNs, each of which contains multiple disk drives. See also physical disk.

long name: The long form of a user or group name. See also user name.

managed client: A user, group, or computer whose access privileges and/or preferences are under administrative control.

managed preferences: System or application preferences that are under administrative control. Workgroup Manager allows administrators to control settings for certain system preferences for Mac OS X managed clients.

mobile account: An account with both a local and a network home folder. Mobile accounts cache authenticatio…
234. …n access them from different computers, use file services. Important network-visible resources include network home folders, group folders, and other shared folders. If some users use Windows computers, you can configure the server to provide them with file services, domain login, and home folders.

The following administration guides describe infrastructure setup in detail:
• For installation requirements and guidelines, see Getting Started. For information about advanced installation and setup of server software, see Server Administration.
• For information about directory services and authentication, see Open Directory Administration.
• For information about how to set up file services, see File Services Administration.

Step 3: Set up an administrator computer
Because servers are usually kept in a secure, locked location, administrators typically conduct user management tasks remotely from a Mac OS X computer. Such a computer is referred to as an administrator computer. Before you can use an administrator computer to create and manage accounts in a shared directory, you must have a user account in the shared directory and you must be a domain administrator. A domain administrator can use Workgroup Manager to add and change accounts in an Open Directory domain or another read/write directory domain. To set up an administrator computer and create domain administrator accounts, see Chapter 3, "Getting Started with Workgroup Manager."
235. …n at login are a combination of items specified for the user, the computer being used, and the group chosen at login.

If your management frequency setting is Always, when you select "User may add and remove additional items," a user can add additional login items. Selecting Always removes existing items from the user's login items list and replaces them with the items you list. It also prevents the user from disabling the items you list.

If your management frequency setting is Once, you can select "Merge with user's items," which causes one of two effects:
• If the user has items in their login list (either he or she added them, or they were added through preference management), merging only opens login items that appear on both the user's list and your list.
• If the user's login list does not include any items, all managed login items will open.
If you do not select "Merge with user's items," all login items on either list will open. If you select Once, a user can remove any items added to their login list.

For details about managing automatically opened items, see "Automatically Opening Items After a User Logs In" on page 197.

If Items Placed in the Dock by a User Are Missing
In Workgroup Manager, you can use the Dock Items pane of Dock preferences to specify items that appear in a user's Dock. The set of items in a user's Dock is a combination of items specified for the user, the computer bein…
236. …n information and managed preferences. In Mac OS X v10.4 and later, a mobile account includes a portable home directory, which is a synced subset of the local and network home folders.

mount (verb): To make a remote directory or volume available for access on a local system. In Xsan, to cause an Xsan volume to appear on a client's desktop just like a local disk.

multicast DNS: A protocol developed by Apple for automatic discovery of computers, devices, and services on IP networks. Called Bonjour (previously Rendezvous) by Apple, this proposed Internet standard protocol is sometimes referred to as ZeroConf or multicast DNS. For more information, visit www.apple.com or www.zeroconf.org. To see how this protocol is used in Mac OS X Server, see local hostname.

name server: A server on a network that keeps a list of names and the IP addresses associated with each name. See also DNS.

NetBIOS (Network Basic Input/Output System): A program that allows applications on different computers to communicate within a local area network.

NetBoot server: A Mac OS X server you've installed NetBoot software on and have configured to allow clients to start up from disk images on the server.

NetInfo: An older Apple protocol for accessing a directory domain.

NFS (Network File System): A client/server protocol that uses Internet Protocol (IP) to allow remote users to access files as though they were local. NFS can export shared volumes to computers b…
237. …nce files at login and logout while syncing larger files, such as movies, in the background. This reduces login and logout times because only preference files sync, and movies sync throughout a user's session instead of while the user is trying to log out. You can further reduce network traffic by choosing not to sync the movies folder, requiring users to access the movies folder locally. By balancing login and logout syncing with background syncing, you can reduce the time required for logging in and logging out while retaining consistent synced home folders.

Setting Up Mobile Accounts for Use on Portable Computers
When distributing portable computers, you face challenges that don't apply when deploying stationary computers. For example, to ensure your portable computers remain managed while off the network, you must give users mobile accounts and prevent them from creating their own local accounts or from changing settings to bypass management.

Configuring Portable Computers
When you distribute portable computers to users, you must configure those computers to prevent users from circumventing your management scheme.

To set up portable computers for use on your network:
Install the operating system, applications, and utilities. Most computers come with Mac OS X installed. However, to install a newer version, make sure the computer meets the minimum requirements for installing the operating system, applications, and utilities.
Cre…
238. …nd all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. UNIX is a registered trademark of The Open Group. Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance of these products.
019-0938 2007-09-01

Contents
Preface: About This Guide
What's New in Workgroup Manager
What's in This Guide
Using Onscreen Help
Mac OS X Server Administration Guides
Viewing PDF Guides Onscreen
Printing PDF Guides
Getting Documentation Updates
Getting Additional Information
Chapter 1: User Management Overview
Tools for User Management
Workgroup Manager
Server Admin
Server Preferences
NetBoot
NetInstall
Command-Line Tools
Accounts
Administrator Accounts
User Accounts
Group Accounts
Computer Accounts
Computer Groups
The User Experience
Authentication and Identity Validation
Information Access Control
Chapter 2: Getting Started with User Management
Setup Overview
Planning Strategies for User Management
Analyzing Your Environment
Chapter 3
Chapter 4
239. …nd choose from the pop-up menu.
To authenticate, click the lock.
Click the Users button and select one or more user accounts.
Click Home and select None from the list.
Click Save.

Creating a Home Folder for a Local User
You can use Workgroup Manager to define home folders for users whose accounts are stored in a server's local directory domain. You might want to use local user accounts on standalone servers (servers not accessible through a network) and for administrator accounts on a server. These accounts are meant to be used by those logging in to the server locally. They are not meant to be used by network users.

Home folders for local users should reside in share points on the server where the users' accounts reside. These share points do not need to be automountable; that is, they do not require a network mount record. A home folder has the same name as the user's first short name.

To create a home folder for a local user:
1. If you don't already have a share point, create one. For instructions, see "Setting Up a Share Point" on page 116.
2. In Workgroup Manager, click Accounts and select the user account you want to work with. To select a local user account, click the globe icon, choose the local directory domain, click the Users button, and then select the user account in the accounts list.
3. Click the lock and authenticate as an administrator of the local directory domain.
4. Click Home to set up the selected user's home fold…
240. …nd enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Network and then click Proxies.
5. Set the management setting to Always.
6. In the "Bypass proxy settings for these Hosts & Domains" field, enter the addresses of the hosts and domains that you want users to be able to connect to directly. To enter multiple addresses, separate the subnet masks with new lines, spaces, semicolons, or commas. There are several ways to enter addresses:
• A subdomain or fully qualified domain name (FQDN) of a target server, such as server1.apple.com or store.apple.com.
• The specific IP address of a server, such as 192.168.2.1.
• A domain name, such as apple.com. This bypasses apple.com but not subdomains such as store.apple.com.
• An entire website including all subdomains, such as apple.com.
• A subnet in Classless Inter-Domain Routing (CIDR) notation. For example, to add a subnet of 192.168.2.x, you would name that view 192.168.2.0/24. For a detailed description of subnet masks and CIDR notation, see Network Services Administration.
7. Click Apply Now.

Enabling Passive FTP Mode
When managing Network preferences, you can require passive FTP mode. Passive FTP mode causes the FTP server to open a connection to the computer on a dynamically determined port. This can be more convenient for computers, but it requires that…
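The bypass rules listed above, worked through as an added example (not code from Apple's guide or from Mac OS X Server): a Python matcher that splits the field on the separators the guide allows and applies each entry form, plus an audit helper that shows which entry exempts a given host from the proxy. The sample field and host list are constructed; the `*.domain` notation for the "entire website including all subdomains" form is an assumption, since the page's own notation for that form did not survive extraction.

```python
import ipaddress
import re

# Constructed sample contents of the "Bypass proxy settings for these Hosts & Domains"
# field, mixing the separators the guide allows (new lines, spaces, semicolons, commas).
SAMPLE_BYPASS_FIELD = (
    "server1.apple.com, store.apple.com; 192.168.2.1\n"
    "192.168.2.0/24 example.com *.internal.example"
)


def parse_bypass_field(text):
    """Split the field into individual entries using the separators the guide describes."""
    return [entry.lower().rstrip(".") for entry in re.split(r"[\s;,]+", text) if entry]


def entry_matches(entry, host):
    """Return True if a single bypass entry covers the given host name or IP address.

    Rules follow the guide: an FQDN or IP address matches exactly, a bare domain
    name matches only itself (not its subdomains), and a CIDR subnet matches any
    address inside it. The '*.domain' form for "an entire website including all
    subdomains" is an assumed notation (the page's own glyph was lost in extraction).
    """
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        apex = entry[2:]
        return host == apex or host.endswith("." + apex)
    if "/" in entry:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
        except ValueError:  # host is a name, or the entry is not a valid subnet
            return False
    return host == entry


def bypasses_proxy(field_text, host):
    """True if any entry in the field sends traffic for `host` directly, skipping the proxy."""
    return any(entry_matches(entry, host) for entry in parse_bypass_field(field_text))


def audit_bypass_field(field_text, hosts):
    """For each host of interest, report the first entry (if any) that bypasses the proxy.

    Useful when reviewing a managed Network preference: a subnet or wildcard entry
    can exempt far more hosts than the administrator intended.
    """
    entries = parse_bypass_field(field_text)
    report = {}
    for host in hosts:
        matched = [e for e in entries if entry_matches(e, host)]
        report[host] = matched[0] if matched else None
    return report


if __name__ == "__main__":
    hosts = ["store.apple.com", "www.apple.com", "example.com", "www.example.com",
             "192.168.2.77", "192.168.3.1", "dev.internal.example"]
    for host, via in audit_bypass_field(SAMPLE_BYPASS_FIELD, hosts).items():
        print(f"{host:>22}: {'direct via ' + via if via else 'through proxy'}")
```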
241. …nd then click OK.

Editing Presets
When you change a preset, existing accounts that were created with it are not updated to reflect the changes. You edit a preset by using it to create an account, changing fields defined by the preset, and then saving the preset.

To edit a preset:
1. In Workgroup Manager, click Accounts.
2. Click the globe icon and then choose the directory domain with the preset you want to edit.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click the Users, Groups, or Computer Groups button.
5. From the Presets pop-up menu, choose a preset.
6. Click New User, New Group, or New Computer Group to create accounts.
7. Change account settings that you want to save to the preset.
8. After completing your changes, choose Save Preset from the Presets pop-up menu, enter the name of the preset you want to change, click OK, and then click Replace.

Deleting a Preset
If you no longer need a particular preset, you can delete it.

To delete a preset:
1. In Workgroup Manager, click Accounts.
2. Click the globe icon and then choose the directory domain with the preset you want to delete.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. From the Presets pop-up menu, choose Delete Preset.
5. Select the preset you want to delete and click Delete.

Working with Basic Settings
Basic sett…
243. …ng account types:
• User accounts
• Group accounts
• Computer accounts
• Computer groups

When creating a user account, you must specify a user name and password, which is needed to prove the user's identity. You can also specify a user identification number (user ID), which is useful for folder and file permissions. Other user account information is used by various services to determine what the user is authorized to do and to personalize the user's environment. In addition to the accounts you create, Mac OS X Server also has predefined user and group accounts, some of which are reserved for use by Mac OS X.

Administrator Accounts
Users with server administration or directory domain administration privileges are known as administrators. An administrator can be a server administrator, domain administrator, or both. Server administrator privileges determine whether a user can change the settings of a particular server. Domain administrator privileges determine the extent to which an administrator can change account settings for users, groups, computers, and computer groups in the directory domain.

Server Administration
Server administration privileges determine the functions available to a user when logged in to a particular Mac OS X Server. For example, a server administrator can use Directory Utility to make changes to a server's search policy. When you assign server administration privileges t…
245. …nistration.

Working with Read-Only User Accounts
Use Workgroup Manager to review information about user accounts stored in read-only directory domains. Read-only directory domains include LDAPv2 domains, LDAPv3 domains not configured for write access, and BSD configuration files.

To work with a read-only user account:
1. In Workgroup Manager, click Accounts.
2. Make sure that the directory services of the Mac OS X Server computer you're using are configured to access the directory domain where the account resides. For information about using Directory Utility to configure server connections, see Open Directory Administration. For information about the user account elements that need to be mapped, see the appendix, "Importing and Exporting Account Information."
3. Click the globe icon and choose the directory domain where the user's account resides.
4. Review the user's account settings using the panes provided. For details, see "Working with Basic Settings" on page 63 through "Working with Windows Settings" on page 85.

Working with Guest Users
You can set up some services to support guest users, who are not authenticated because they don't have a valid user name or password. You don't need to create a user account to support guest users. The following services can be set up to support guest access:
• Apple file service. See File Services Administration.
• FTP service. See File Services Administration.
• Web service. See Web Technol…
246. …nly when the external volume is present.

All mobile accounts on Mac OS X v10.5 or later, including external accounts, can use FileVault to encrypt the contents of the local home folder. For more information, see "Enabling FileVault for Mobile Accounts" on page 205. For information about creating external accounts, see "Creating External Accounts" on page 208.

Logging In to External Accounts
If a user has a local home folder on an external drive and he or she connects it to a computer that allows the external account, logging in to an external account is like logging into a mobile account. If there isn't a local home folder on the external drive or the external account isn't allowed, the user must take a few additional steps before he or she can log in with the external account.

If the user has a local home folder on the computer, the user can't create a local home folder on an external drive. If the user doesn't have a local home folder on an external drive, the location setting in mobile account creation options might give the user the choice of where to store the local home folder:
• If you set the location to "user chooses," a window appears allowing the user to choose where to store the local home folder. You can limit the choices to store on the computer or on an external drive, or you can choose both. If the user chooses an external drive, a local home folder is created on the ext…
247. …nt is Homes and you are using DNS, you might enter afp://server.example.com/Homes. If you are not using DNS, replace the DNS name of the server hosting the home folder with the server's IP address: afp://192.168.2.1/Homes. Don't put a slash at the end of the URL.

In the Path to Home Folder field, enter the path from the AFP share point to the home folder, including the home folder but excluding the share point. For an NFS share point, leave this field blank. For example, to create a home folder for a user named Smith in a custom location of Homes/Teachers/SecondGrade, enter Teachers/SecondGrade/Smith. Make sure the custom location folder exists. Do not put a slash at the beginning or the end of the path.

In the Full Path field, enter the full path to the home folder, including the home folder itself, in this format:
[/Network/Servers/server's host name]/Volumes/[drive]/volume/share point/path
The entries in brackets are optional. Include them only if they apply to the share point location. If the share point is for local user accounts, do not include /Network/Servers/server's host name.

Replace the following elements:
Element: Do this
server's host name: Replace this with the AFP server's host name.
drive: If the share point is stored on a server with multiple storage devices, replace this with the name of the storage device.
volume: If the…
248. …nt tools and technologies in Mac OS X Server include Workgroup Manager, Server Admin, NetBoot, and NetInstall.

Workgroup Manager
Workgroup Manager is a powerful tool that delivers features for comprehensive management of Macintosh clients. You can use Workgroup Manager on a computer with Mac OS X or Mac OS X Server installed. Workgroup Manager provides a centralized method of managing Mac OS X computers, controlling access to software and removable media, and providing a consistent, personalized experience for users at different levels, whether they're beginners in a classroom or advanced users in an office.

You use Workgroup Manager to create user accounts and set up groups to provide convenient access to resources. You can:
• Use account settings and managed preferences to achieve the level of administrative control you need while making the user experience more efficient.
• Manage Finder, login, media access, and print settings.
• Control access to computers and restrict the applications allowed to run on them.

Using Workgroup Manager with Mac OS X Server services, you can:
• Customize the work environments of network users by organizing their desktop resources and personal files.
• Enable services that require user accounts, such as mail, file sharing, iChat service, and web service.
• Share system resources such as printers and computers, maximizing their availability and ensuring that disk space and printer usage remains equ…
249. …o Home Folder
If a Windows User's Profile Settings Revert to Defaults
If a Windows User Loses the Contents of the My Documents Folder
Solving Preference Management Problems
Testing Your Managed Client Settings
If Users Don't See a List of Workgroups at Login
If Users Can't Open Files
If Users Can't Add Printers to a Printer List
If Login Items Added by a User Don't Open
If Items Placed in the Dock by a User Are Missing
If a User's Dock Has Duplicate Items
If Users See a Question Mark in the Dock
If Users See a Message About an Unexpected Error
If You Can't Manage Network Views

Appendix: Importing and Exporting Account Information 251
Understanding What You Can Import and Export 251
Limitations for Importing and Exporting Passwords 252
Maintaining GUIDs When Importing from Earlier Versions of Mac OS X Server 252
Archiving the Open Directory Master 253
Using Workgroup Manager to Import Accounts 253
Using Workgroup Manager to Export Accounts 254
Using XML Files Created with Mac OS X Server v10.1 or Earlier 255
Using XML Files Created with AppleShare IP 6.3 256
Glossary 257
Index 267

Preface: About This Guide
This guide explains how to use Workgroup Manager to set up and manage accounts and preferences for clients. Mac OS X Server includes Workgroup Manager, a user management tool you can use to create and manage accounts. When managing accounts, you can def…
250. …o a user, the user is added to the admin group in the server's local directory domain. Many Mac OS X applications, such as Server Admin, Directory Utility, and System Preferences, use the admin group to determine whether a particular user can perform certain administrative activities with the application.

Local Mac OS X Computer Administration
Any user who belongs to the admin group in the local directory domain of any Mac OS X computer has administrator privileges on that computer.

Limited Administration
You can control the extent to which a limited administrator can use Workgroup Manager to change account data stored in a domain. For example, you can set up directory domain privileges so your network administrator can add and remove user accounts but allow limited administrators to change the information for particular users. Or you can designate multiple limited administrators to manage different groups. For more information, see "Giving a User Limited Administrative Capabilities" on page 70.

Directory Domain Administration
When you create a directory domain in Mac OS X Server, a domain administrator account is created and added to the admin group in the domain. If you plan to connect your directory domain to other directory domains, make sure you choose a unique name and user ID for each domain.

When you assign full directory domain administration privileges to a user, the user…
251. …o used to provide user and group identity for access control list (ACL) permissions and to associate particular users with group and nested group memberships. GUIDs are 128-bit values, which makes the generation of duplicate GUIDs extremely unlikely.

home directory: See home folder.

home folder: A folder for a user's personal use. Mac OS X also uses the home folder to store system preferences and managed user settings for Mac OS X users. Also known as a home directory.

HTML (Hypertext Markup Language): The set of symbols or codes inserted in a file to be displayed on a web browser page. The markup tells the web browser how to display a webpage's words and images for the user.

HTTP (Hypertext Transfer Protocol): The client/server protocol for the World Wide Web. HTTP provides a way for a web browser to access a web server and request hypermedia documents created using HTML.

idle user: A user who is connected to a server but hasn't used the server volume for a period of time.

IP (Internet Protocol): Also known as IPv4. A method used with Transmission Control Protocol (TCP) to send data between computers over a local network or the Internet. IP delivers data packets and TCP keeps track of data packets.

IP address: A unique numeric address that identifies a computer on the Internet.

IP subnet: A portion of an IP network, which may be a physically independent network segment, that shares a network address with other portions of the network and is iden…
252. …ocol used to dynamically distribute IP addresses to client computers. Each time a client computer starts up, the protocol looks for a DHCP server and then requests an IP address from the DHCP server it finds. The DHCP server checks for an available IP address and sends it to the client computer along with a lease period, the length of time the client computer may use the address.

directory domain: A specialized database that stores authoritative information about users and network resources; the information is needed by system software and applications. The database is optimized to handle many requests for information and to find and retrieve information quickly. Also called a directory node or simply a directory.

directory domain hierarchy: A way of organizing local and shared directory domains. A hierarchy has an inverted tree structure with a root domain at the top and local domains at the bottom.

directory node: See directory domain.

directory services: Services that provide system software and applications with uniform access to directory domains and other sources of information about users and resources.

disc: Optical storage media, such as a CD or DVD.

disk: A rewritable data storage device. See also disk drive, logical disk.

disk drive: A device that contains a disk and reads and writes data to the disk.

disk image: A file that, when opened, creates an icon on a Mac OS X desktop that looks and acts like an actual disk or volume. Using NetBoo…
253. …of the server you're working with.
1. In Workgroup Manager, connect to a server that has a search policy containing the directory domains of interest.
2. Click the globe icon and choose Search Policy.
3. Choose from the following:
• To view user accounts, click the Users button.
• To view group accounts, click the Groups button.
• To view computer accounts, click the Computers button.
• To view computer groups, click the Computer Groups button.

Listing Accounts in Available Directory Domains
Using Workgroup Manager, you can list user accounts, group accounts, computer accounts, and computer groups residing in any available directory domain accessible from the server you're connected to. Available directory domains are not the same as directory domains in a search policy. A search policy consists of the directory domains a server searches routinely when it needs to retrieve accounts. However, the same server might be configured to access directory domains that haven't been added to its search policy. To learn how to configure access to directory domains, see Open Directory Administration.

To list accounts in a directory domain accessible from a server:
1. In Workgroup Manager, connect to a server where you can access the directory domains.
2. Click the globe icon and then choose the domain where the user's account resides. If the directory domain is not listed, add it to the pop-up menu by…
254. …ogies Administration.
• Windows services. See Open Directory Administration.

Users who connect to a server anonymously are restricted to files, folders, and websites with permissions set to Everyone. Another kind of guest user account is a managed user account that you can configure for easy setup of public or kiosk computers. For more about these kinds of user accounts, see Chapter 10, "Managing Preferences."

Working with Windows User Accounts
Use Workgroup Manager to change passwords, password policies, and other settings in Windows user accounts. The user accounts can reside in a server's local directory domain, a Mac OS X Server PDC LDAP directory, or another directory system that allows read/write access (not read-only access), such as an Open Directory master LDAP directory or Active Directory on a Windows server. You can change the user account settings in the Mac OS X Server PDC LDAP directory but not in a BDC (read-only) LDAP directory. If you have a BDC, the PDC server replicates the changes to the BDC.

Deleting a User Account
You can use Workgroup Manager to delete a user account stored in an Open Directory domain, the local directory domain, or from any other read/write directory domain.

WARNING: You cannot undo this action. Deleting a user account also deletes all of the user's mail.

To delete a user account using Workgroup Manager:
1. In Workgroup Manager, click A…
255. ogs in.
   • If you set the location to "user chooses volume," a window appears when the user logs in, allowing the user to choose whether to store the local home folder on the computer or on an external drive. If the user chooses an external drive, a local home folder is created on that drive.

To create an external account:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Mobility, click Account Creation, click Creation, and then set the management setting to Always.
5. Select "Create mobile account when user logs in to network account." This option must be selected to enable a mobile account for the selected account.
6. Click Options and then set the management setting to Always.
7. For the home folder location, select either "at path" or "user selects volume." If you select "at path," enter the path to a folder on an external drive in the format /Volumes/DriveName/Folders, replacing DriveName with the name of the external drive and Folders with a folder on that drive. If you select "user selects volume," choose "any external volume" or "any volume" from the pop-up menu.
8. After
256. omain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Mobility and then click Rules.
5. Click Login & Logout Sync and then set the management setting to Always.
6. Deselect "Sync at login and logout."
7. Click Background Sync and then set the management setting to Always.
8. Deselect "Sync in the background."
9. Click Apply Now.

Setting the Background Sync Frequency

You can change how often background folders sync. By default, background folders sync every 20 minutes; you can set frequencies from 5 minutes to 8 hours. A long interval raises the risk of users loading older, outdated files: if a user saves files and logs out before the background folders sync, then loads the same file on another computer, the user might get an older synced copy or no file at all.

To set the frequency for syncing background folders:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Mobility, click Rules, and then click Background Sync.
5. Make sure Once or Always is selected and that there are items configured to sync in the background.
257. ome Folders
   • Set the default permissions for new files and folders in the share point.

SMB share points can't be used for Mac OS X home folders but can be used for Windows home folders.

Note: Don't use a slash in the name of a folder or volume you plan to share. Users trying to access the share point might have trouble seeing it.

To create an SMB share point and set permissions:
1. If you do not have a share point to host home folders, create one. For instructions, see Setting Up a Share Point on page 116.
2. Open Server Admin and connect to the server that hosts the share point. To connect to the server, choose Server > Connect, enter the server address in the Address field, and authenticate as a server administrator. If you're already connected, you'll see Disconnect instead of Connect in the Server menu.
3. To view a list of available services, use the disclosure triangle next to your server. If Server Admin doesn't list the SMB service, click the Add button, choose Add Service, select SMB, and then click Save.
4. Select the SMB service.
5. In General, select Standalone Server from the Role pop-up menu.
6. In Access, select "Allow Guest access." Guest access permits unauthenticated SMB connections; anonymous users reach only items whose permissions grant access to Everyone, so the share point permissions you set in the following steps are what keep home folders private.
7. Click Save and then click Start SMB. If SMB is already running, the Start SMB button is replaced by the Stop SMB button.
8. Select the server and click File Sharing.
9. Select the share point.
10. In Share Point, click Protocol Op
258. oose the directory domain where the account resides, and then select the user account in the accounts list.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click Info, enter or change values, and when you finish, click Save.

Working with Windows Settings

Windows users have settings for a Windows home folder, a roaming user profile, and a Windows login script. You can change these settings in the Windows pane of Workgroup Manager. You can change user account settings in the Mac OS X Server PDC LDAP directory but not in a BDC's read-only LDAP directory; if you have a BDC, the PDC server replicates changes to the BDC.

Changing a Windows User's Profile Location

You can change where a Windows user's profile settings are stored. The profile includes the user's My Documents folder, favorites, web browser bookmarks, preference settings such as backgrounds and event sounds, and more.

User profiles are stored in /Users/Profiles on the PDC server. This is an SMB share point, although it is not shown as a share point in Workgroup Manager. You can designate a different location for a user profile, which can be a share point on the PDC server or on a Windows domain member server; the share point must be configured to use SMB. User profiles can be located in a share point or in a folder within a share point, and the share point or folder used for user profiles must have the proper access privileges. Set
259. or a task you want to perform.
   • Choose Help > Server Admin Help or Help > Workgroup Manager Help to browse and search the help topics.

The onscreen help contains instructions taken from Server Administration and the other advanced administration guides described in Mac OS X Server Administration Guides, next.

To see the most recent server help topics, make sure the server or administrator computer is connected to the Internet while you're getting help. Help Viewer automatically retrieves and caches the most recent server help topics from the Internet; when not connected to the Internet, Help Viewer displays the cached help topics.

Mac OS X Server Administration Guides

Getting Started covers installation and setup for standard and workgroup configurations of Mac OS X Server. For advanced configurations, Server Administration covers planning, installation, setup, and general server administration. A suite of additional guides, listed below, covers advanced planning, setup, and management of individual services. You can get these guides in PDF format from the Mac OS X Server documentation website, www.apple.com/server/documentation.

This guide | tells you how to
Getting Started and Installation & Setup Worksheet | Install Mac OS X Server and set it up for the first time.
Command Line Administration | Install, set up, and manage Mac OS X Server using UNIX command-line tools and configura
260. or example, if you make a printer available to a parent group and a different printer available to a child group, a user who belongs to the child group can access both printers.

Be careful when creating situations where a child has several parents. If you don't manage an overriding preference for a child but you have conflicting overriding preferences for several of the child's parents, it is hard to predict which parent's preference takes precedence. Combined preferences work even when children have several parents: the preferences of all parents combine with the child's preferences.

Don't make a child a parent of one of its parents. When you create a loop where a child is its own grandparent, you introduce unpredictable behavior.

Setting the Permanence of Management

When you define preferences, you can manage them Always or Once; they are set to Never by default.
   • Always causes the preferences to remain in effect until you change them on the server. When properly designed, a Mac OS X application that conforms to the standard preference conventions does not allow a user to modify preferences set to Always. You can use Always to ensure users can't add or remove Dock items. Some applications might allow the user to change an Always-managed preference, but the next time the user logs in, the preference reverts to the managed setting.
   • Once is available for some preferences. You can creat
261. or more information, see Managing Access to System Preferences on page 224.
Time Machine: Time Machine settings, such as backup server location and coverage. For more information, see Managing Time Machine Preferences on page 225.
Universal Access: Settings to control mouse and keyboard behavior, enhance display settings, and adjust sound or speech for users with special needs. For more information, see Managing Universal Access Preferences on page 227.

Understanding Managed Preference Interactions

You can define preferences for user accounts, group accounts, computers, and computer groups that are set up in a shared directory domain. A user whose account has defined preferences is referred to as a managed user. An individual computer, or a computer that is a member of a computer group with defined preferences, is called a managed computer. A group with defined preferences is called a workgroup.

Energy Saver, Time Machine, and Login preferences can be defined only for computers and computer groups; other preferences can be defined for users, workgroups, computers, and computer groups.

There are three types of managed preference interactions:
   • Printing, Login, Applications, System Preferences, and some Dock preferences involving items that appear in the Dock are considered combined. For example, if you define Printing preferences for users and computers, a user's printer list inc
262. or user accounts:
1. In Workgroup Manager, click Accounts.
2. Click the globe icon and then choose the domain where the user's account resides.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. To create a preset using data in an existing user account, open that account; to create a preset from scratch, create a user account. If you're basing the preset on an existing account, fill in the fields with the values you want new user accounts to inherit, and then delete the values you don't want to specify in advance. The following attributes can be defined in a user account preset: simultaneous login, default shell, comment, primary group ID, group membership list, home folder settings, disk quota, mail settings, and print settings.
5. Click Preferences, configure the settings you want the preset to define, and then click Accounts. After configuring preference settings for a preset, you return to the Accounts settings to save the preset.
6. From the Presets pop-up menu, choose Save Preset, enter a name for the preset, and click OK. The preset is saved to the current directory domain.

Using Presets to Create Accounts

Presets provide a quick way to apply settings to a new account. After applying the preset, you can continue to modify settings for the new account if necessary. You can use presets with user, group, and computer group accounts. Presets
263. ord of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Universal Access.
5. Click Options and then set the management setting to Once or Always.
6. Select "Allow Universal Access Shortcuts."
7. Click Apply Now.

Allowing Devices for Users with Special Needs

You can allow managed users to turn on assistive devices, such as a text reader.

To allow assistive devices:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more computers or computer groups.
4. Click Universal Access.
5. Click Options and set the management setting to Always.
6. Select "Enable access for assistive devices."
7. Click Apply Now.

Using the Preference Editor with Preference Manifests

Workgroup Manager includes a preference editor, which you can use to control any Mac OS X application or utility developed using Apple's standard conventions for handling preferences. You can also use it to manage preferences that are not configurable in the Workgroup Manager main preferences interface. As with the main preferences interface, you can use the preference editor to manage preferences for users, groups, computers, and computer groups. For example, in Safa
264. ore proceeding.
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Click the Groups button and select one or more group accounts from the list.
4. Click Dock and then click Dock Items.
5. Set the management setting to Once or Always. If you select Once, the group folder icon appears in the user's Dock initially, but the user can remove it.
6. Select "Add group folder."
7. Click Apply Now.

If you change the location of the group share point, update the Dock item for the group in Workgroup Manager.

Adding Items to a User's Dock

You can add applications, folders, or documents to a user's Dock for easy access. Make sure you use consistent paths for the items you add to the Dock. This is especially important if you add items in nonstandard locations, for example an application in a folder other than Applications. If a Dock item can't be found, a question mark replaces the item in the user's Dock.

To add items to a user's Dock:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a
265. orkgroups (groups with managed preferences), each of which has a Dock customized to show only the applications used by the users in that group.

Applications can be stored locally on a computer's hard disk or on a server in a share point. If applications are stored locally, users can find them in the Applications folder. If applications are stored in a share point and you don't add the share point as a login item, the user must connect to the server by choosing Go > Connect to Server in the Finder to locate and use the applications. Applications can also be made available through an automounted share point, as the Network Applications mount record.

To make specific applications easy to find, you can use Dock Items preferences to place an alias for the My Applications folder in the user's Dock. The My Applications folder contains aliases for applications. However, adding the My Applications folder might extend the login time for managed users, because Mac OS X must search the available disks to build the applications list at every login. For instructions on creating aliases to My Applications and other folders in a user's Dock, see Adding Items to a User's Dock on page 176.

You can manage user access to local applications by creating lists of approved applications in the Applications preferences. To set up a list of approved applications, see Allowing Legacy Users to Open Specific Applications
266. ort.

To enable presets for a user or a group, select Preset for Users or Preset for Groups and choose presets from the two pop-up menus. If a setting is specified in both the preset and the import file, the value in the file is used. If a setting is specified in the preset but not in the import file, the value in the preset is used. For more information about creating presets, see Creating a Preset for User Accounts on page 61 and Creating a Preset for Group Accounts on page 92.

In the First User ID field, enter a user ID for new user accounts that have no user ID in the import file. New user IDs are then assigned sequentially to the other accounts without listed user IDs.

In the Primary Group ID field, enter the group ID to assign to new user accounts that have no primary group ID in the import file.

Choose the level of detail for the log from the Logging Detail pop-up menu. Every time you import, a new log is created in /Library/Logs/ImportExport.

Click Import.

Using Workgroup Manager to Export Accounts

You can use Workgroup Manager to export user, group, computer, and computer group accounts from an Open Directory domain into a character-delimited file that you can import into a different LDAP directory domain. You can also use the dsexport tool to export records to a text-delimited file; for more information, see Command Line Administration.

To export
267. ort Names field, review or edit the short names:

To do this | Do this
Change a short name | Double-click the short name and then replace it.
Add a short name | Double-click the blank entry at the bottom of the short name list and then enter a short name.

Choosing Stable Short Names

When you create a user account, assign it a short name that won't need to be changed. After creating the account, you can't use the Basic pane of Workgroup Manager to change a user's first short name.

To change a user's first short name, create a new account for the user in the same directory domain with the new first short name, retaining all other account information (user ID, primary group, home folder, and so on). Make sure you use the same GUID for the new account. Then disable login for the old user account. After you disable the old login, the user can log in using the changed name, has the same access to files and other network resources as before, and belongs to the same groups. For more information, see Working with GUIDs on page 87 and Disabling a User Account on page 60.

Avoiding Duplicate Names

A user's short name is used by the login window, so having multiple users with the same short name causes a conflict. Although you can't create multiple users with the same short name in the Basic pane of Workgroup Manager, it's still possible to create mu
268. ose Shadow Password, you can also select authentication methods by clicking Security.
Click Save.

Creating a Master List of Keywords

You can define keywords that enable quick searching and sorting of user accounts. Using keywords can simplify tasks such as creating groups or editing multiple user accounts. Before you begin adding keywords to user records, you must create a master keyword list. The list of keywords shown in the Advanced pane for a selected user applies only to that user. Each directory domain has its own master keyword list: for example, if you add a keyword to the local directory domain's master keyword list, it isn't available in another directory domain unless you add it to that domain's master keyword list.

To edit the master keyword list:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click Advanced and choose from the following:

To do this | Do this
View the master keyword list, which lists all terms available for use as keywords | Click the Edit (pencil) button. You can access and edit the master keyword list from any selected user account.
Add a keyword to the master list | Click the Add button and enter t
269. ose the domain where the group account resides.
4. To authenticate, click the lock and enter the name and password of a directory domain administrator.
5. Click the Groups button and select the group you want to work with.
6. Edit settings for the group in the panes provided. For details, see Working with Basic Settings for Groups on page 95, Working with Member Settings for Groups on page 99, and Working with Group Folder Settings on page 100.

From the Command Line
You can also edit a group account using the dseditgroup command in Terminal. For more information, see the users and groups chapter of Command Line Administration.

Creating Hierarchical Groups

A hierarchical group is a group that is a member of another group, known as a parent group. For computers with Mac OS X v10.5 or later, hierarchical groups inherit managed preferences: members of a hierarchical group have combined preferences managed by their chosen workgroup and by its parent groups, and they can also inherit preferences from parent groups. For computers with Mac OS X v10.4 or later, the access permissions of a parent group are inherited. For example, if you set a parent group's ACL permissions so the parent group can't write to a folder, the ACL permissions are propagated so that hierarchical groups also can't write to that folder. Groups created using Mac OS X Server v10.3 and v10.4 must be upgraded to become parent o
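The preference-inheritance rules for hierarchical groups described here, and in the earlier passage on combined versus overriding preferences, multiple parents and loops, are easy to get wrong in a large directory. The following is an added example, not Apple's code or part of Workgroup Manager: a small model in which combined preferences are the union over the workgroup and all of its parents, an overriding preference is taken from the nearest group that manages it, parents that disagree are reported rather than silently picked, and a group that is its own ancestor is rejected. Group, ancestors, effective_combined, effective_override and the sample hierarchy are names and data invented for this example.

```python
"""Hierarchical-group preference resolution, as described above.

Added example (not Apple's code). Group, ancestors, effective_combined and
effective_override are names invented here; the behaviour follows the text:
combined preferences are the union over the workgroup and all its parents,
an overriding preference comes from the nearest group that manages it,
conflicting parents are reported instead of guessed, and a loop is an error.
"""
from dataclasses import dataclass, field


class PreferenceLoop(Exception):
    """A group is, directly or through its parents, its own ancestor."""


class AmbiguousOverride(Exception):
    """Several parents manage the same overriding preference with different values."""


@dataclass
class Group:
    name: str
    parents: list = field(default_factory=list)     # names of parent groups
    combined: dict = field(default_factory=dict)    # domain -> set of items, e.g. printers
    overriding: dict = field(default_factory=dict)  # domain -> the one managed value


def ancestors(groups, start):
    """Return start and every ancestor once (depth-first); raise PreferenceLoop on a cycle."""
    order, finished, path = [], set(), []

    def visit(name):
        if name in path:
            raise PreferenceLoop(" -> ".join(path + [name]))
        if name in finished:          # reached again via a second parent: a diamond, not a loop
            return
        path.append(name)
        order.append(name)
        for parent in groups[name].parents:
            visit(parent)
        path.pop()
        finished.add(name)

    visit(start)
    return order


def effective_combined(groups, workgroup, domain):
    """Combined preference: items from the workgroup and all of its parents."""
    items = set()
    for name in ancestors(groups, workgroup):
        items |= set(groups[name].combined.get(domain, ()))
    return items


def effective_override(groups, workgroup, domain):
    """Overriding preference: the nearest managed value, or None if no group manages it."""
    ancestors(groups, workgroup)      # fail fast on a loop before recursing

    def resolve(name):
        group = groups[name]
        if domain in group.overriding:
            return group.overriding[domain]
        by_parent = {p: resolve(p) for p in group.parents}
        values = {v for v in by_parent.values() if v is not None}
        if len(values) > 1:
            raise AmbiguousOverride(f"{name}: parents disagree on {domain}: {by_parent}")
        return values.pop() if values else None

    return resolve(workgroup)


def sample_groups():
    """Constructed hierarchy: students -> school -> district, plus 'arts' with two parents."""
    return {
        "district": Group("district", overriding={"dock_tile_size": 64, "idle_logout_minutes": 15}),
        "school": Group("school", parents=["district"],
                        combined={"printers": {"office-printer"}},
                        overriding={"dock_tile_size": 48}),
        "students": Group("students", parents=["school"],
                          combined={"printers": {"lab-printer"}}),
        "arts": Group("arts", parents=["school", "district"]),
    }


if __name__ == "__main__":
    g = sample_groups()
    print("students printers:", sorted(effective_combined(g, "students", "printers")))
    print("students dock_tile_size:", effective_override(g, "students", "dock_tile_size"))
    try:
        effective_override(g, "arts", "dock_tile_size")
    except AmbiguousOverride as exc:
        print("arts:", exc)
```

Raising on a conflict is the point of the example: the text says the winner is hard to predict, so an audit script should flag such a group for an explicit child-level setting rather than pick one.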
270. ou don't want users to see these items on the desktop, you can hide them. Disks and servers still appear in the top-level folder when a user clicks the Computer icon in a Finder window's toolbar, so hiding the icons is a convenience setting, not an access control.

To hide disk and server icons on the desktop:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Finder, click the Preferences tab, and then select a management setting.
5. Under "Show these items on the Desktop," deselect the items you want to hide.
6. Click Apply Now.

Controlling the Behavior of Finder Windows

You can select which folder appears when a user opens a new Finder window. You can also define how contents are displayed when a user opens folders.

To set Finder window preferences:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Finder, click the Preferences tab, and then select a management setting.
5. Un
271. (login window scenario, continued)
   Message: "...ou have issues, contact the IT help desk at ..."
   Description: "...the name and password to log in. Users should be able to work without being logged out. Except for primary users, no one can log in unless they have a network or local account."
   Settings:
   • Show name and password text fields
   • Show Restart and Shut Down buttons
   • Don't show password hint
   • Don't enable automatic login
   • Don't log out inactive users
   • Don't enable external accounts
   • Don't enable guest account

High security
   Description: The computer should be as secure as possible, restricting who can use the computer and how they log in.
   Message: "Unauthorized use prohibited"
   Settings:
   • Show name and password text fields
   • Don't show Restart or Shut Down buttons
   • Don't show password hint
   • Don't enable automatic login
   • Don't enable >console login
   • Don't enable fast user switching
   • Log out inactive users
   • Don't enable external accounts
   • Don't enable guest account

Choosing a Workgroup

In addition to customizing the login window, you can manage login preferences that affect whether users choose workgroups. If you don't manage login access preferences, then after the user authenticates a list of available workgroups appears, depending on the computer settings and on whether the user belongs to more than one workgroup. Network account users choose from the workgroups in their directory domain, whereas local users access their workgroups from the local directory domain. It's possible for a user to belong to a group tha
272. oup members to share files with each other. You can use Workgroup Manager to view, create, edit, and delete group accounts. To view group accounts in Workgroup Manager, click the Groups button above the accounts list.

About Group Accounts

A group account stores the identities of the users who belong to the group, as well as information that lets you customize the working environment for members of the group. When you define preferences for a group, the group is known as a workgroup. A primary group is the user's default group; primary groups can expedite the validation the Mac OS X file system performs when a user accesses a file.

How Group Accounts Track Membership

Mac OS X Server uses GUIDs together with the combination of the user's short name and GID to determine group membership. Before Mac OS X v10.4, group membership was based only on the combination of the user's short name and GID. You can now have groups composed of users with all versions of Mac OS X. When you use Workgroup Manager on Mac OS X Server v10.5 to add a member to a group, you add both the user's short name and GUID, which ensures backward compatibility. Because name-based membership follows the short name rather than the account, a short name that is later reused for a different person would carry the earlier memberships with it; the GUID ties membership to the account itself.

Where Group Accounts Are Stored

Group accounts can be stored in any Open Directory domain. A directory domain can reside on a Mac OS X computer (for example, an Open Directory domain) or on a non-Apple server (for example, an LDAP or Active Directory server). Workgroup Manager can work with accounts sto
273. p ID using Workgroup Manager:
1. In Workgroup Manager, click Accounts.
2. Select the group account you want to work with. To select an account, click the globe icon, choose the directory domain where the account resides, click the Groups button, and then select the group.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click Basic, then in the Group ID field review or edit the ID, and click Save. Before saving a group ID, Workgroup Manager checks that it is unique in the directory domain you're using; the check covers only that domain, so a group in another domain of a computer's search policy can still carry the same ID.

Choosing a Group's Login Picture

You can quickly change a group's login picture in Workgroup Manager. This picture represents the group in the workgroup chooser of the login window. Although you can use an image file of any size, you should use an image that is 64 x 64 pixels; a larger image is centered and resized to 64 x 64.

Group pictures are stored as a path to an image file, not as the file itself. This path must be accessible from the computers used by the group. For example, if you enter a path to an image file on the desktop, the image file must be located on the desktop of every computer used by the group. To avoid copying image files to all computers, store the image files on a server.

To choose a group's login picture:
1. In Workgroup Manager, click Accounts.
2. Select the group account you want to work with. To select an account, click the globe icon, choose the
274. p using Workgroup Manager:
1. In Workgroup Manager, click Accounts.
2. Select the group account you want to work with. To select an account, click the globe icon, choose the directory domain where the account resides, click the Groups button, and then select the group.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. In the Members pane, click the Add button to open a drawer that lists the users and groups defined in the directory domain you're working with. Make sure the group account resides in a directory domain specified in the search policy of the computers that the user logs in to.
5. Select the user account, drag the user into the list, and then click Save.

From the Command Line
You can add a user to a group using the dseditgroup command in Terminal. For more information, see the users and groups chapter of Command Line Administration.

Removing Group Members

You can use Workgroup Manager to remove group members if the group account and its members reside in an Open Directory domain or the local directory domain. You can't remove a user from the user's primary group, because that membership comes from the primary group ID in the user account rather than from the group's member list.

To remove group members:
1. In Workgroup Manager, click Accounts.
2. Select the group account you want to work with. To select an account, click the globe icon, choose the directory domain where the account resides, click the Groups button, and then select the group.
3. To authenticate
275. password information isn't exported. If you want to set passwords, you can modify the export file before you import it, or you can set passwords after importing. You can also manually create a text-delimited import file and include passwords in it; such a file is then a credential store in its own right, so restrict who can read it and remove it once the import has succeeded. For more information about importing user accounts, see Understanding What You Can Import and Export on page 251.

To assign a password:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select an account, click the globe icon above the accounts list, choose the directory domain where the user's account resides, and then select the user.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. In the Basic pane, enter a password in the Password field, enter it again in the Verify field, and then click Save.

Assigning Administrator Privileges for a Server

A user who has server administrator privileges controls most of the server's configuration settings and can use applications such as Server Admin that require the user to be a member of the server's administrator group. You can use Workgroup Manager to assign server administrator privileges to a user with an account stored in an Open Directory domain. You can also use Workgroup Manager to review the server administrator privileges in any directory domain accessible from the server you're using.

To set server administrator privileges in Workgroup Manager:
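The import rules stated earlier (a value in the file beats the preset, the preset fills what the file omits, First User ID and Primary Group ID fill what is still missing), the warning about duplicate short names, and the note just above that an export carries no passwords all act on the same character-delimited file. The following is an added example, not Apple's code and not the real dsimport or dsexport: it parses such a file and applies those rules, flagging duplicate short names and accounts that still have no password. The header convention assumed here (four hexadecimal codes for the end-of-record, escape, field-separator and value-separator characters, then the record type, attribute count and attribute names), the sample file, the preset, and the names parse_export and apply_import are all constructed for this example; the rule that a preset's primary group ID is used before the dialog's Primary Group ID is also an assumption.

```python
"""Reading a character-delimited account export and applying the import rules above.

Added example (not Apple's code, not the real dsimport). The header convention
assumed here (four hex codes for end-of-record, escape, field and value separators,
then the record type, attribute count and attribute names) and the sample file are
constructed for the example; parse_export and apply_import are names invented here.
"""

NAME = "dsAttrTypeStandard:RecordName"
PASSWORD = "dsAttrTypeStandard:Password"
UID = "dsAttrTypeStandard:UniqueID"
GID = "dsAttrTypeStandard:PrimaryGroupID"
REALNAME = "dsAttrTypeStandard:RealName"
SHELL = "dsAttrTypeStandard:UserShell"

# Constructed sample export: no passwords (as Workgroup Manager exports them),
# "bob" without a user ID or primary group ID, a second "alice" (duplicate short
# name), and an escaped value separator inside a real name.
SAMPLE_EXPORT = (
    "0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 5 "
    f"{NAME} {PASSWORD} {UID} {GID} {REALNAME}\n"
    "alice,asmith::1001:20:Alice Smith\n"
    "bob::::Bob Jones\n"
    "alice::1003:20:Smith\\, Alice\n"
)

# Constructed preset, standing in for one saved from the Presets pop-up menu.
PRESET = {SHELL: ["/bin/bash"], GID: ["1000"]}


def _split(text, sep, esc, unescape):
    """Split on sep, honouring esc; drop the escape character only when unescape is True."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == esc and i + 1 < len(text):
            if not unescape:
                cur.append(ch)
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_export(text):
    """Return a list of {attribute: [values]} dicts, one per record."""
    header, body = text.split("\n", 1)           # the header is always the first line
    tokens = header.split()
    rec_end, esc, fsep, vsep = (chr(int(t, 16)) for t in tokens[:4])
    count = int(tokens[5])
    attrs = tokens[6:6 + count]
    if len(attrs) != count:
        raise ValueError("header lists fewer attributes than it declares")
    records = []
    for raw in _split(body, rec_end, esc, unescape=False):
        if not raw:
            continue
        fields = _split(raw, fsep, esc, unescape=False)
        if len(fields) != count:
            raise ValueError(f"record has {len(fields)} fields, expected {count}: {raw!r}")
        records.append({a: (_split(f, vsep, esc, unescape=True) if f else [])
                        for a, f in zip(attrs, fields)})
    return records


def apply_import(records, preset, first_user_id, primary_group_id):
    """Merge preset and file values, fill missing IDs, and collect warnings per record."""
    next_uid = first_user_id
    seen = set()
    results = []
    for rec in records:
        merged = {k: list(v) for k, v in preset.items()}
        merged.update({k: list(v) for k, v in rec.items() if v})  # file value wins over preset
        if not merged.get(UID):                                   # First User ID, then sequential
            merged[UID] = [str(next_uid)]
            next_uid += 1
        if not merged.get(GID):                                   # dialog's Primary Group ID last
            merged[GID] = [str(primary_group_id)]
        warnings = []
        short = merged[NAME][0]
        if short in seen:
            warnings.append(f"duplicate short name {short!r}")
        seen.add(short)
        if not merged.get(PASSWORD):
            warnings.append("no password in the import file; set one after importing")
        results.append((merged, warnings))
    return results


if __name__ == "__main__":
    for account, warnings in apply_import(parse_export(SAMPLE_EXPORT), PRESET, 5000, 20):
        print(account[NAME], account[UID], account[GID], account.get(SHELL), warnings)
```

Run against a real export only after checking that its header matches the convention assumed here; the parser rejects records whose field count disagrees with the header rather than guessing at the alignment.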
276. persedes allowing access. If you allow computer access to a group of network users, you can deny access to specific members of that group. However, if you deny computer access to a group, you can't allow computer access to specific members of that group.

If you don't list any users or groups to allow or deny, all network users can log in. If you add users or groups to the list, only the users and groups that are explicitly allowed access can log in.

Note: A user with an administrator account in a client computer's local directory domain can always log in.

To choose who can log in:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more computers or computer groups.
4. Click Login, click Access, and then set the management setting to Always.
5. To control access for all network users, click the Add Network Users (gear) button. If you allow access for the Network Users group, you can prevent access for specific users or groups, and all other network users and groups are allowed access. If you deny access for the Network Users group, all network users and groups are denied access, even if they are specifically allowed access in the list.
6. To control access for specific users or groups
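The allow/deny rules above decide who reaches the login window, so it is worth seeing them as one decision procedure. The following is an added example, not Apple's code or the login window's implementation: deny is evaluated before allow, an empty list means every network user may log in, a non-empty list admits only explicit allows, the Network Users pseudo-group stands for all network accounts, and a local administrator account is always admitted. User, LoginAccess, NETWORK_USERS and the sample accounts and policies are names and data invented for this example.

```python
"""Login-window access decision, modelled on the allow/deny rules above.

Added example (not Apple's code). User, LoginAccess and NETWORK_USERS are this
example's own names; the rules are the ones the text states.
"""
from dataclasses import dataclass

# Pseudo-group that the "Add Network Users" gear button puts in the list.
NETWORK_USERS = "Network Users"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()   # names of the groups the account belongs to
    local_admin: bool = False         # admin account in the client's local directory domain


@dataclass(frozen=True)
class LoginAccess:
    allow: frozenset = frozenset()    # users and groups marked Allow
    deny: frozenset = frozenset()     # users and groups marked Deny

    def _listed(self, entries, user):
        """True if the user, one of its groups, or the Network Users group is in entries."""
        return (user.name in entries
                or bool(entries & user.groups)
                or NETWORK_USERS in entries)

    def decide(self, user):
        """Return (allowed, reason) for one login attempt."""
        if user.local_admin:
            return True, "local administrator accounts can always log in"
        if not self.allow and not self.deny:
            return True, "no access list is managed, so every network user can log in"
        if self._listed(self.deny, user):
            # Deny is checked first: it supersedes any allow, including an allow for
            # the Network Users group or a user-level allow under a denied group.
            return False, "a deny entry supersedes any allow entry"
        if self._listed(self.allow, user):
            return True, "explicitly allowed"
        return False, "once a list exists, only explicitly allowed users and groups can log in"

    def can_login(self, user):
        return self.decide(user)[0]


def demo():
    """Constructed accounts and policies; returns each policy's decisions by user name."""
    staff = frozenset({"staff"})
    alice, bob, carol = User("alice", staff), User("bob", staff), User("carol")
    policies = {
        "unmanaged": LoginAccess(),
        "everyone but alice": LoginAccess(allow=frozenset({NETWORK_USERS}),
                                          deny=frozenset({"alice"})),
        "staff only, minus alice": LoginAccess(allow=frozenset({"staff"}),
                                               deny=frozenset({"alice"})),
        "deny staff, try to allow alice": LoginAccess(allow=frozenset({"alice"}),
                                                      deny=frozenset({"staff"})),
    }
    return {label: {u.name: p.can_login(u) for u in (alice, bob, carol)}
            for label, p in policies.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:32} {result}")
```

The last policy in demo() is the case the text warns about: denying a group and then allowing one of its members does nothing for that member, because the deny entry is matched first.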
277. port filters are properly configured on the FTP server.

To enable passive FTP mode:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Network and then click Proxies.
5. Set the management setting to Always.
6. Select "Use Passive FTP Mode (PASV)."
7. Click Apply Now.

Disabling Internet Sharing

Although Internet Sharing is a convenient way for computers to share Internet access, turning it on can disrupt your network because it can conflict with your DHCP and NAT services. To reenable Internet Sharing, you must log in to the computer locally and enable it in the Sharing pane of System Preferences.

To disable Internet Sharing:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more computers or computer groups.
4. Click Network and then click Sharing & Interfaces.
5. Set the management setting to Always.
6. Select "Disable Internet Sharing."
7. Click A
278. pple Remote Access; this data is ignored. The following group account attributes might be present in the XML files: Group name (required); Group ID (required); one member's short name (required); other members' short names. Using XML Files Created with AppleShare IP 6.3: You can use the Web & File Admin application on an AppleShare IP 6.3 server to create an export file and then use Workgroup Manager or dsimport to import that file into an Open Directory domain. The following user account attributes are exported into the XML files. An error occurs when you import a file with missing required attributes: Name (required), mapped to a long name; InetAlias, mapped to a short name; Comment; indication of whether the user can log in; password format (required) and password text (required); Apple mail data; indicator for whether the user is a server administrator, password change data, and indicator for forcing a password change (this data is ignored). The dsimport tool generates user IDs when you import this XML file, using the -s parameter to determine the user ID to start with and incrementing each subsequent imported account's user ID by one. It generates primary group IDs using the -r parameter. When you import using Workgroup Manager, user IDs and primary group IDs are generated as you indicate in the dialog provided. The following group account attribu
279. pply Now. Disabling AirPort: If you disable AirPort, it is disabled the next time a computer retrieves managed preferences. If the computer had active AirPort connections, they are immediately disconnected. To reenable AirPort, you must log in to the computer locally and enable it in the Network pane of System Preferences. To disable AirPort: In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more computers or computer groups. Click Network and then click Sharing & Interfaces. Set the management setting to Always. Select Disable AirPort. Click Apply Now. Disabling Bluetooth: Before disabling Bluetooth, make sure your computers don't rely on Bluetooth-enabled input devices like keyboards and mice. To reenable Bluetooth, you must log in to the computer locally and enable it in the Network pane of System Preferences. To disable Bluetooth: In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more computers or computer groups. Click Network and then click Sharing &
280. provide home folders for a large number of users who use UNIX workstations. Hosting Home Folders for Other Clients: To host home folders for Windows clients, use SMB. To optimally handle both Mac OS X and Windows clients, you could use both AFP for Mac OS X clients and SMB for Windows clients. SMB is a protocol used by Windows to access share points. You can set up a share point for SMB access only, so that Windows users have a network location for files that can't be used on other platforms. Like AFP, SMB also requires authentication with a valid name and password to access files. In addition to having home folders, Windows users also have roaming profiles. With roaming profiles, each user has the same profile when he or she logs in to the domain from any Windows workstation on the network. A roaming profile stores a Windows user's preference settings (screensaver, colors, backgrounds, event sounds, and so on), favorites, My Documents folder, and more in a share point on a Mac OS X Server. By default, a user's roaming profile is stored in a predetermined folder on the PDC, and backup domain controllers (BDCs) have an up-to-date copy of this folder. The default share point for Windows home folders is the same as the share point for Mac OS X home folders. The default share point for user profiles is the Users/Profiles folder on the PDC and BDC servers. This SMB share point is not shown in Work
281. r. You can use Workgroup Manager to change a group account with a group folder to one that has no group folder. By default, a new group has no group folder. To specify no group folder: In Workgroup Manager, click Accounts. Select the group account you want to work with. To select an account, click the globe icon, choose the directory domain where the account resides, click the Groups button, and then select the group. To authenticate, click the lock and enter the name and password of a directory domain administrator. Click the Groups button and select a group. Click Group Folder, then in the list select None and click Save. Creating a Group Folder: You can create a group folder for a group in any existing share point, or you can create the group folder in the Groups folder, a predefined share point. In Workgroup Manager, you can also create group folders that don't reside immediately below a share point. For example, you can organize group folders into several subfolders under a share point that you define. If Groups is the share point, you can place group folders for students in Groups/StudentGroups and group folders for teachers in Groups/TeacherGroups. The full path to a group folder for second-grade students might be Groups/StudentGroups/SecondGrade. Group folders are hosted on share points. For instructions about creating share points, see "Setting Up a Share Point" on page 116. After setting up a group folder, you can
282. r, click Accounts. Make sure that the directory services of the Mac OS X Server computer you're using are configured to access the directory domain. For instructions, see Open Directory Administration. Click the globe icon and choose the domain where you want to import accounts. To authenticate, click the lock and enter the name and password of a directory domain administrator. Choose Server > Import and select an import file. To indicate what to do when the short name of an account being imported matches that of an existing account, select one of the Duplicate Handling options: "Overwrite existing record" overwrites any existing record in the directory domain. "Ignore new record" ignores an account in the import file. "Add to empty fields" merges data from the import file into the existing account when the data is for an attribute that has no value. "Append to existing record" appends data to existing data for a particular multivalue attribute in the existing account; duplicates are not created. This option could be used when importing members into an existing group. "Don't check for duplicates" disables checking for duplicates, but it can cause misconfigured records and unexpected results. Make sure there are no duplicates before choosing this option. When you enable this option, it can decrease the time required to imp
283. r, click Accounts. Select the user account you want to work with. To select an account, click the globe icon above the accounts list, choose the directory domain where the user's account resides, and then select the user. To authenticate, click the lock and enter the name and password of a directory domain administrator. In Privileges, choose Limited from the Administration capabilities pop-up menu. To control the level of user or group administration, click the Add button and drag users and groups from the drawer to the "User can administer" list. Select a user or group from the "User can administer" list and then select the administration capabilities you want the limited administrator to have. To give administrative control to all users and groups, select All Users and Groups and then select administrative capabilities. Click Save. Giving a User Full Administrative Capabilities: A user with full administrative capabilities is also known as a directory domain administrator. Directory domain administrators can modify any records in the directory domain and are the only users who can change the passwords of other directory domain administrators. You can change a user's domain privileges for LDAPv3 directory domains. You can't change privileges for a local user account or an account stored in a non-LDAPv3 directory domain. To change a user's administrative privilege
284. r account from the local directory domain but preserves the local home folder in Users as "username (Deleted)", where username is the short name of the deleted user. "Delete the home folder" removes a user account from the local directory domain and permanently deletes the user's home folders. Enabling FileVault for Mobile Accounts: If your users have computers with Mac OS X v10.5 or later installed, you can use FileVault to encrypt the local home folders for their mobile accounts. FileVault encrypts the user's local home folder using the Advanced Encryption Standard with 128-bit keys (AES-128). The home folder content is safe even if the user's computer is stolen or if an intruder attempts to use the computer while the user is not logged in. The user's login password is used to decrypt and give the user access to his or her FileVault-protected account. If the user forgets the login password and a computer administrator has set a master password, the administrator can use the master password to unlock all local accounts. You can choose whether to require master passwords when enabling FileVault protection for mobile accounts: If you don't require a master password and there is no master password, local computer administrators can't unlock the account. If you require a master password and there is no master password, the user can't enable a mobile account. If you select "Require confirmation before creating mobile a
285. r child hierarchical groups and use hierarchical preference management. If you don't upgrade groups created using Mac OS X Server v10.3, you can't use hierarchical groups. If you don't upgrade groups created using Mac OS X Server v10.4, you can't use hierarchical preference management with those groups. For more information, see "Upgrading Legacy Groups" on page 94. To create a hierarchical group: 1. In Workgroup Manager, click Accounts. 2. Make sure that the directory services of the Mac OS X Server computer you're using are configured to access the desired directory domain. For instructions, see Open Directory Administration. 3. Click the globe icon and choose the domain where you want the hierarchical group to reside. 4. To authenticate, click the lock and enter the name and password of a directory domain administrator. To create a group, click the Groups button. In the Members pane, click the Add button to open a drawer that lists the users and groups defined in the directory domain you're working with. Make sure the group account resides in a directory domain specified in the search policy of computers the user logs in to. The drawer lists user and group accounts; click the Groups button in the drawer to list group accounts. Drag the group from the drawer to the Members list. All members of the hierarchical group also become members of the parent group. Click Save. From th
286. r computer groups. Click Printing and then click Printers. Set the management setting to Always. Click Access. Select a printer listed in User's Printer List and then click Make Default. Click Apply Now. Restricting Access to Printers: You can require an administrator user name and password to print to specific printers. To restrict access to a specific printer: In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more users, groups, computers, or computer groups. Click Printing and then click Printers. Set the management setting to Always. Click Access, select a printer listed in User's Printer List, and then select "Require an administrator password". Click Apply Now. Adding a Page Footer to All Printouts: Adding page footers to all printouts can help users identify their printouts from other users' printouts. This is especially useful in educational environments where students might print identical or nearly identical assignments. The footer appears at the bottom left of the page. It overlays existing printed content; if your printouts have footers or very small margins, the managed footer might become garbled. The footer includ
287. r folders, use the Add button or Browse button to add items to the "Skip items that match any of the following" list. To filter for specific items, click the Match field entry for any list item. This allows you to further specify your search. To add synced folders to the folders that the user selects for syncing, select "Merge with user's settings". If you sync the same folder in Workgroup Manager as the user chooses in the Accounts pane of System Preferences, merging will cause the Workgroup Manager sync settings to take precedence. If you do not select "Merge with user's settings", the folders that you sync will replace those chosen by the user. When used with the Once setting, merging with the user's settings is useful for adding folders without disrupting the folders the user has set to sync. Click Apply Now. Stopping Files from Syncing for a Mobile Account: To stop a mobile account from syncing files, you must manage its login and logout and background sync rules. If you leave them unmanaged, the user's current sync settings remain in effect and the user can choose his or her own sync settings in the Accounts pane of System Preferences. To stop files from syncing: In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory d
288. r in the "Limit to ___ pages" field. Click Save. Disabling a User's Access to Print Queues That Enforce Quotas: You can use Workgroup Manager to prevent a user from printing to any accessible Mac OS X print queues that enforce quotas. To use Workgroup Manager to disable access to print queues, the user's account must be stored in an Open Directory domain or the local directory domain. To disable a user's access to print queues enforcing quotas: In Workgroup Manager, click Accounts. Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list. To authenticate, click the lock and enter the name and password of a directory domain administrator. Click Print Quota and then select None. Working with Info Settings: If a user's account resides in an LDAPv3 directory domain, it can contain information imported from Address Book. Attributes that are tracked in the Info pane include: Name; Address; Phone number; Email address; Chat names; Homepage URL; Weblog URL. Other users can view the information in this pane when they view the user account in Workgroup Manager and Directory. To change a user's info: In Workgroup Manager, click Accounts. Select the user account you want to work with. To select the account, click the globe icon, ch
289. r in the toolbar of the Server Admin application. You can view a directory domain without authenticating by choosing Server > View Directories in Workgroup Manager. Initially you have read-only access to information displayed in Workgroup Manager. To make changes in a directory, you must authenticate using a domain administrator account. This approach is most useful when you're administering different servers and working with different directory domains. To connect and authenticate to directory domains: Open Workgroup Manager and, when the Workgroup Manager Connect window appears, click Browse or enter the IP address or DNS name for a server that connects to directory domains. Enter the user name and password for a domain administrator and click Connect. To change directory domains while connected to a server, click the globe icon (see below) to select a domain, then authenticate as a domain administrator by clicking the lock icon. (Figure: click the globe icon to select a directory domain; click the lock to authenticate; the status bar reads "Authenticated as diradmin to directory /LDAPv3/127.0.0.1".) To connect to a different server, choose Server > Connect. Major Workgroup Manager Tasks: After login, the Accounts pane appears (see below), showing a list of user accounts. Initially the user accounts listed are those stored in the last directory domain of the
290. r record name you specify, and uniquely identifies the computer if there are several computers with the same Bonjour name. Enable external accounts (for computers with Mac OS X v10.5 or later): Users can log in using external accounts. If the login window displays a list of user names, the external account is listed as a mobile account. If the login window displays a name and password field, the user must enter the external account name and password. Enable guest account (for computers with Mac OS X v10.5 or later): Users can log in using the guest account. The guest account allows anyone to access the computer without requiring a password. To manage guest users, manage the computers or computer groups with enabled guest accounts. To configure miscellaneous login options: In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more computers or computer groups. Click Login and then click Options. Set the management setting to Always. Select the options you want to enable and click Apply Now. Choosing Who Can Log In: Workgroup Manager gives you control over who is allowed to access computers. You can choose which network users are allowed to log in and whether local users can log in. Denying access su
291. r requires a mobile account, you can delete the account. When you delete the account, you can also delete or archive the user's local home folder. To delete a mobile account, you must log in to the computer using an account other than the mobile account. You must also know the name and password of an administrator account on the computer. If you want to use Workgroup Manager to remove the mobile account remotely, you can set a null expiration period for the account. By doing so, you remove the mobile account from all computers. For more information, see "Setting Expiration Periods for Mobile Accounts" on page 209. To remove a mobile account: On the client computer, log in using a different account from the one you're removing the mobile account of. Open System Preferences. Click Accounts, and then click the lock and authenticate as the local administrator. To list all accounts, click the Other Accounts disclosure triangle, and then select the mobile account you want to remove. The mobile account should have the word "Mobile" listed. Click the Delete button. Choose one of the following home folder options and then click OK: "Save the home folder in a disk image" removes a user account from the local directory domain but preserves the local home folder in Users as username.dmg, where username is the short name of the deleted user. "Do not change the home folder" removes a use
292. re enabled for the volume where the share point resides. In Server Admin, select the server hosting home folders and then click File Sharing. Click Volumes and then select the volume that stores home folders. Click Quotas, select "Enable quotas on this volume", and then click Save. Setting Disk Quotas for Windows Users to Avoid Data Loss: A disk quota that applies to a Windows user's roaming profile folder must be large enough to cover the user's expected data storage needs for a work session. A Mac OS X Server PDC enforces quotas on a roaming profile folder only at the end of a work session, when the user logs out and the Windows computer copies the local profile to the roaming profile on the server. If the copied local profile exceeds the quota, the roaming profile won't be updated with changes affecting the local profile since the user logged in. If enforcing a user's disk quota prevents an update of the user's roaming profile, and the user later logs in using a different Windows computer, Windows could load and apply the outdated roaming user profile from the server. The server can't enforce the quota incrementally on the roaming profile folder because the Windows computer updates only the local profile during a work session. The server enforces a quota incrementally on changes to the home folder. A roaming profile folder is subject to the same disk quota as the home directory if both
293. re image desktop and portable computers. You can create custom installation packages for various departments in an organization, such as marketing, engineering, and sales. Using NetInstall, it's not necessary to use CDs or DVDs to configure a computer; all installation files and packages reside on the server. Use NetInstall to run pre- and post-installation scripts to perform system commands before or after the installation of a software package or system image. To create NetInstall packages, use System Image Utility or PackageMaker. Then use NetBoot to deploy NetInstall packages. For more information about using these tools with NetInstall, see System Imaging and Software Update Administration. Command-Line Tools: Mac OS X Server v10.5 includes several client management command-line tools. For example, the dscl tool allows you to view and edit account settings and manage preferences, while the mcxquery tool reports the managed preferences that are effective for a particular user. Use the mcxquery tool to review how combined and overridden managed preferences interact at the user, group, computer, or computer group level. The tool also determines which directory domain stores those managed preference settings. For more information about client management command-line tools, see Command-Line Administration. Accounts: To manage accounts, you use an administrator account. With an administrator account you can set up and manage the followi
294. re the same at school and at home. If you change these items, the local versions are updated when the user logs in at school. About Portable Home Directories: A portable home directory is a synced subset of a user's local and network home folders. You can configure which folders to sync and how often to sync them. Users can also initiate syncing. By syncing key folders, a user can work on or off the network and experience the same work environment. Because the user has a local home folder that only syncs periodically or at login and logout, the mobile account reduces network traffic, expediting server connections for users who need to access the server. The computer locally caches temporary files. This improves network and individual computer performance because the user's computer locally caches files like webpages. In Mac OS X v10.3, mobile accounts did not sync local and network home folders. Before the introduction of syncing, portable home directories did not exist. When you manage computers with Mac OS X v10.3, you can still assign users mobile accounts, but they do not have synced home folders. Because GUIDs for the local user account on the user's computer and in the network user account on an Open Directory server are the same, file permissions are the same whether the user logs in using the local user account while disconnected from the network or the network user account. You can assign mobile accounts to users wit
295. rectory domain administrator. Select one or more users, groups, computers, or computer groups. Click Classic. Click Advanced and then set the management setting to Always. Drag the slider to set the length of time Classic waits before going to sleep. If you don't want Classic to go to sleep at all, drag the slider to Never. Click Apply Now. Maintaining Consistent User Preferences for Classic: Ordinarily, Classic looks for a user's Mac OS 9 preferences data in the Mac OS 9 System Folder. If a user has more than one computer, or if multiple users work on the same computer, make sure Classic uses preferences from the home folder (in Library/Classic) so that preferences remain consistent for each user. If you choose not to use preferences in the user's home folder, a user's Mac OS 9 data is stored in the Mac OS 9 System Folder and is not kept separate from other user data. In this case, users share preferences, and changes made by the last user are in effect when the next user logs in. To choose where Classic user preferences are stored: In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more users, groups, computers, or computer groups. Click Cla
296. red in any of these directory domains. Group accounts must be stored in a directory domain accessible from the server that needs them. For services provided by a Mac OS X Server PDC or Windows domain member server, group accounts can be stored in the PDC LDAP directory. For services provided by an Active Directory domain member, group accounts can be stored in the Active Directory domain. For services provided by a Windows standalone server, group accounts can be stored in the server's local directory domain. If a server is configured to access multiple directory domains, group accounts can be stored in any of them. For more information about the different kinds of Open Directory domains, see Open Directory Administration. Predefined Group Accounts: The following table describes most group accounts that are created when you install Mac OS X Server. For a complete list, open Workgroup Manager and choose View > Show System Users and Groups. Predefined group name, group ID, and use: admin (80), a group that users with administrator privileges belong to; bin (7), a group that owns all binary files; daemon (1), a group used by system services; dialer (68), a group for controlling access to modems on a server; kmem (2), a legacy group used to control access to reading kernel memory; mail (6), a group historically used for access to local UNIX mail; _mysql (74), a group that the MySQL database server uses for its proce
297. rences panes. In the Workgroup Manager toolbar, click Search. You can also click the Search magnifying glass button in the search field above the accounts list and then choose Advanced Search. Choose a field to search, a field option, and then enter the text you want to search. Click the Add button to add search criteria. Save, rename, or delete a preset by using the Search Presets pop-up menu. After you define your search, click Search Now. After receiving search results, you can clear the search to revert to your default display, or edit the search to refine it further. While editing the search, you can save the search as a preset for later use. Sorting Users and Groups: After displaying a list of accounts in Workgroup Manager, click a column heading to sort entries using the values in that column. Click the heading again to reverse the sort order. Shortcuts for Working with Accounts: Workgroup Manager provides shortcuts for applying the same settings to new or existing accounts. You can also import user and group account information from a file. Using Presets: You can select settings for a user account, group account, or computer group and save them as presets. Presets work like templates, allowing you to apply predefined settings to a new account. Using presets, you can easily set up multiple accounts with similar settings. You can only use presets during account creation; you can't use a preset to modify an existing account.
298. ri, you can disable JavaScript by setting the JavaScript Enabled key to false. If you save this key in the Often group, the user can enable JavaScript during their current login session, but JavaScript is disabled when the user logs out and logs in again. Some application developers provide preference manifests. A preference manifest simplifies modification of preferences by providing names and descriptions of keys that are honored by an application, and tells you how to set them. Preference manifests are similar to templates. They're not required, so you can edit the preference key value of an application even if it doesn't provide a preference manifest. For applications without preference manifests, you can import a preference file from Library/Preferences, or you can import the application (its preference file is found automatically). Preference manifests can be stored in an application package (a file ending with .manifest, such as com.apple.Safari.manifest, in the package's Contents/Resources folder), or they can be standalone files. If manifests exist for an application, the preference editor loads them when you add the application to the preference editor's list. When you import preferences for an application, keys and values are added based on the application's currently set preferences. This lets you apply your own configuration of applications to users' applications. You can add, remove, or edit keys, but some keys might no
299. ries, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more users, groups, computers, or computer groups. Click Finder, click Commands, and then set the management setting to Always. Deselect Go to Folder. Click Apply Now. Removing Restart and Shut Down from the Apple Menu: If you don't want to allow users to restart or shut down the computer they're using, you can remove the Restart and Shut Down commands from the Apple menu. To hide the Restart and Shut Down commands: In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more users, groups, computers, or computer groups. Click Finder, click Commands, and then set the management setting to Always. Deselect Restart and Shut Down. Click Apply Now. As an additional preventive measure, you can remove the Restart and Shut Down buttons from the login window by using settings in Login preferences. For instructions, see "Changing the Appearance of the Login Window" on page 189. Adjusting the Appearance and Arrangement of Desktop Items: Items on a user's desktop appear as icons. You can control the size of des
300. rimary group when a user accesses a file he or she doesn't own. primary group ID: A unique number that identifies a primary group. print queue: An orderly waiting area where print jobs wait until a printer is available. The print service in Mac OS X Server uses print queues on the server to facilitate management. privileges: The right to access restricted areas of a system or perform certain tasks (such as management tasks) in the system. proxy server: A server that sits between a client application, such as a web browser, and a real server. The proxy server intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server. scope: A group of services. A scope can be a logical grouping of computers, such as all computers used by the production department, or a physical grouping, such as all computers located on the first floor. You can define a scope as part or all of your network. search path: See search policy. search policy: A list of directory domains searched by a Mac OS X computer when it needs configuration information; also, the order in which domains are searched. Sometimes called a search path. security identifier: See SID. share point: A folder, hard disk (or hard disk partition), or optical disc that's accessible over the network. A share point is the point of access at the top level of a group of shared items. Share points can be shar
301. ...rlier than v10.4, GUIDs are automatically assigned. After upgrading or migrating your server to Mac OS X Server v10.5, back up your accounts by exporting user and group accounts to ensure that all your accounts have GUIDs. If you need to restore user or group accounts in the future, the generated export file enables you to import users and groups with their GUIDs, as well as file permissions and group memberships, intact.

If you lose user accounts and create new accounts with the same UID, GID, and short names as the lost accounts, the replacement accounts have new GUIDs assigned. A user's new GUID won't match the previous GUID, so the user won't retain prior ACL permissions or group memberships. Similarly, if you import users or groups from a file that doesn't include the GUID attribute, Mac OS X Server assigns new GUIDs to every imported user and group.

To make sure that GUIDs and their relationship to specific users and groups remain the same if you need to re-import users and groups, create a new export file on Mac OS X Server v10.5 and use this file instead of the export file created with an earlier server version.

Appendix: Importing and Exporting Account Information

Archiving the Open Directory Master
Instead of exporting and importing records as a backup of directory data, you can archive and restore the Open Directory master's directory and authentication data. By archiving a copy of the Open Directory master's directory, you...
302. ...rofiler. On a client computer, open System Profiler, open the Software disclosure triangle, and then choose Managed Client.

If Users Don't See a List of Workgroups at Login
If a user with a network account doesn't see a list of workgroups at login:
- The user may not be in a group, or may be in only one group. Hold down the Option key during login to show the list of workgroups.
- The user's computer may not have its login preferences managed. In the Access pane of Login preferences, select "Always show workgroup dialog during login." This preference is only available for clients with Mac OS X v10.5 or later. Your client computers must use Mac OS X v10.4 or later to select from workgroups. For more information about how to set login window access settings, see "Customizing the Workgroups Displayed at Login" on page 193.

If Users Can't Open Files
Ordinarily, when users double-click a file in the Finder or choose a file to open from the File menu in the Finder, an appropriate default application opens the file for them. If the user is in a managed environment, this method might not always work.

Chapter 11: Solving Problems

For example, suppose the default application for viewing PDF files is Preview. A user logs in and double-clicks a PDF file on his or her desktop. If the management settings that apply to the user don't provide access to Preview, the file does not open. If the user has access to a different application that c...
303. ...roups button and select one or more group accounts from the list. Click Login and then click Items. Set the management setting to Always. Select Add group share point. Select the newly added group share point item.
10. If you don't want the group share point to appear in the Dock, select the Hide checkbox.
11. Make sure "Mount share point with user's name and password" is selected.
12. Click Apply Now.

Managing Media Access Preferences
Media Access preferences let you control settings for, and access to, CDs, DVDs, the local hard disk, and external disks (for example, floppy disks and FireWire drives). The table below describes what you can do with the settings in each Media Access pane.

Media Access preference pane: What you can control
Disc Media: Settings for CDs, DVDs, and recordable discs (for example, CD-R, CD-RW, or DVD-R). Computers without appropriate hardware are not affected by these settings.
Other Media: Internal hard disks and external disks other than CDs or DVDs.

Controlling Access to CDs, DVDs, and Recordable Discs
You can control whether users can play or record CDs or DVDs. However, you can't deny access to specific discs or to specific items on a disc. If a computer has a recordable disc drive, you can control a user's ability to burn discs, that is, to write information on a recordable disc such as a CD-R, CD-RW, or DVD-R. Users can burn CDs on comput...
304. ...roys existing group memberships and file permissions for that user ID.

Chapter 4: Setting Up User Accounts

To view a user or group GUID:
1. In Workgroup Manager, click Accounts.
2. Make sure the directory services of the Mac OS X Server computer you're using are configured to access the directory domain. Click the globe icon and then choose the domain where the account resides.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click the Users, Groups, Computers, or Computer Groups button and select the account. You can only view GUIDs for individual accounts.
5. Click the Inspector button, under the lock on the far right. If there is no Inspector button, make sure the Inspector is enabled by choosing Workgroup Manager > Preferences and then selecting "Show All Records tab and inspector."
6. Select the GeneratedUID field and then click Edit. Click Cancel to make sure you do not change the GUID.

From the Command Line
You can also view a user or group GUID using the dscl command in Terminal. For more information, see the users and groups chapter of Command Line Administration.

Setting Up Group Accounts
This chapter tells you how to set up, edit, and manage group accounts.
A group account offers a simple way to manage a collection of users with similar needs. You can also create group folders, which provide an easy way for gr...
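The two points above (an export file without the GUID attribute gets every account a fresh GUID on import, and the GeneratedUID is the value to check) can be verified before an import rather than discovered afterwards. The following script is an added example and is not Apple's code or part of this manual. It assumes the export file layout of dsimport(1) as I understand it (a header line giving the end-of-record, escape, field-separator and value-separator bytes in hex, then the record type, the attribute count and the attribute names, with one record per following line); check that against the dsimport man page before using it on a real export. Both sample exports are constructed.

```python
"""Check a Workgroup Manager / dsimport-format account export for records
that carry no GeneratedUID, and compare GUIDs between two exports.

Added example; not Apple's code. File layout is the dsimport(1) format as
assumed in the lead-in. The sample exports below are constructed.
"""
from typing import Dict, List, Tuple

NAME_ATTR = "dsAttrTypeStandard:RecordName"
GUID_ATTR = "dsAttrTypeStandard:GeneratedUID"

Record = Dict[str, List[str]]


def _parse_record(line: str, fsep: str, vsep: str, esc: str) -> List[List[str]]:
    """Single pass over one record: split into fields, each a list of values.

    Doing both splits in one pass keeps an escaped separator (for example a
    comma in a RealName written as backslash-comma) from being re-split.
    """
    fields: List[List[str]] = []
    values: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == esc and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if ch in (vsep, fsep):
            values.append("".join(cur))
            cur = []
            if ch == fsep:
                fields.append([v for v in values if v])
                values = []
        else:
            cur.append(ch)
        i += 1
    values.append("".join(cur))
    fields.append([v for v in values if v])
    return fields


def parse_export(text: str) -> Tuple[str, List[Record]]:
    """Return (record type, records); each record maps attribute -> values."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    hdr = lines[0].split()
    # hdr[0] end-of-record byte, hdr[1] escape, hdr[2] field separator,
    # hdr[3] value separator, hdr[4] record type, hdr[5] attribute count.
    esc, fsep, vsep = (chr(int(hdr[i], 16)) for i in (1, 2, 3))
    rectype, nattrs = hdr[4], int(hdr[5])
    attrs = hdr[6:6 + nattrs]
    if len(attrs) != nattrs:
        raise ValueError("attribute count in header does not match attribute names")
    records: List[Record] = []
    for ln in lines[1:]:
        fields = _parse_record(ln, fsep, vsep, esc)
        if len(fields) != nattrs:
            raise ValueError(f"expected {nattrs} fields, got {len(fields)}: {ln!r}")
        records.append(dict(zip(attrs, fields)))
    return rectype, records


def records_without_guid(text: str) -> List[str]:
    """Short names of records that would be assigned a *new* GUID on import,
    losing the ACL entries and group memberships tied to the old one."""
    _, records = parse_export(text)
    return [r[NAME_ATTR][0] for r in records if not r.get(GUID_ATTR)]


def guid_changes(old_text: str, new_text: str) -> Dict[str, Tuple[str, str]]:
    """Map short name -> (old GUID, new GUID) for every record whose GUID
    differs between the two exports ('' means the export carried none)."""
    def by_name(text: str) -> Dict[str, str]:
        return {r[NAME_ATTR][0]: (r.get(GUID_ATTR) or [""])[0]
                for r in parse_export(text)[1]}
    old, new = by_name(old_text), by_name(new_text)
    return {n: (g, new.get(n, "")) for n, g in old.items() if g != new.get(n, "")}


# Constructed sample: an export made before the upgrade, so the header lists
# no GeneratedUID attribute at all.
OLD_EXPORT = (
    "0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 4 "
    "dsAttrTypeStandard:RecordName dsAttrTypeStandard:RealName "
    "dsAttrTypeStandard:UniqueID dsAttrTypeStandard:PrimaryGroupID\n"
    "smith,jsmith:Smith\\, John:1025:20\n"
    "jones:Jones\\, Ann:1026:20\n"
)
# Constructed sample: the same accounts exported again on v10.5; the GUID for
# jones is left empty to show what an incomplete export looks like.
NEW_EXPORT = (
    "0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 5 "
    "dsAttrTypeStandard:RecordName dsAttrTypeStandard:RealName "
    "dsAttrTypeStandard:UniqueID dsAttrTypeStandard:PrimaryGroupID "
    "dsAttrTypeStandard:GeneratedUID\n"
    "smith,jsmith:Smith\\, John:1025:20:5C0B6A7F-1D2E-4F3A-8B9C-0D1E2F3A4B5C\n"
    "jones:Jones\\, Ann:1026:20:\n"
)

if __name__ == "__main__":
    print("no GUID in old export:", records_without_guid(OLD_EXPORT))
    print("no GUID in new export:", records_without_guid(NEW_EXPORT))
    print("GUIDs that change on re-import:", guid_changes(OLD_EXPORT, NEW_EXPORT))
```

Run `records_without_guid` on the file you are about to import; any name it prints is an account whose ACL entries and group memberships will silently stop matching after the import. `guid_changes` against the previous export catches the other failure mode the text describes: a record that was re-created by hand and now carries a different GUID under the same short name.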
305. ...ry, Password Server, or shadow password authentication methods, you might need to reset the user's password. For information about enabling and disabling authentication methods, see Open Directory Administration. For Kerberos troubleshooting tips, see "If Users Can't Authenticate Using Single Sign-On or Kerberos" on page 245.
- If a Mac OS 8.1 to 8.6 computer fails to authenticate for Apple file service, the computer's AppleShare Client software may need upgrading:
  - Mac OS 8.6 computers should use AppleShare Client v3.8.8.
  - Mac OS 8.1 to 8.5 computers should use AppleShare Client v3.8.6.
  - Mac OS 8.1 to 8.6 computers that have file server volumes mount during startup should use AppleShare Client v3.8.3 with the DHX UAM (User Authentication Module) installed. DHX UAM is included with the AppleShare Client v3.8.3 installation software.

If Users Relying on a Password Server Can't Log In
If your network has a server with Mac OS X Server v10.2, it could receive authentication from an Open Directory Password Server hosted by another server. If the Password Server's computer disconnects from your network (for example, because you unplug the cable from the computer's Ethernet port), users whose passwords are validated using the Password Server can't log in because their server's IP address isn't accessible. Users can log in to Mac OS X Server if you reconnect the Password Server's computer to the network. Alternately, while the Password Server...
306. ...ry domain server.
DHCP: In Directory Utility, select "Add DHCP-supplied LDAP servers to automatic search policies."
Encryption: In Directory Utility, select "Encrypt all packets (requires SSL or Kerberos)."
Authenticated: Set up trusted binding between the client computer and the LDAP directory.
PartialTrust: In Directory Utility, select "Digitally sign all packets (requires Kerberos)." Most Active Directory nodes support PartialTrust but not FullTrust.
FullTrust: In Directory Utility, select "Block man-in-the-middle attacks (requires Kerberos)" and "Digitally sign all packets (requires Kerberos)."

To set the minimum required trust level, set the MCXScriptTrust client setting:
- If the client's MCXScriptTrust setting is a level of trust equal to or lower than the server's trust value, the client trusts the server and runs its login and logout scripts.
- If the client's MCXScriptTrust setting is a level of trust higher than the server's trust value, the client doesn't trust the server and doesn't run its scripts.
The default trust value is FullTrust.

To enable the use of login or logout scripts:
1. Log in to the user's computer locally, or use Apple Remote Desktop.
2. Open the Sharing pane of System Preferences.
3. Click the lock to authenticate, and enter the name and password of a local or domain administrator.
4. Click Edit. If the local host name contains special (nonalphabetic or non-numeric) characters...
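The trust rule above is worth seeing as code, because it is the decision that lets a directory server push scripts that run on every client login. The following is an added example illustrating the ladder and the MCXScriptTrust comparison; it is not Apple's code and not part of this manual. The rungs DHCP, Encryption, Authenticated, PartialTrust and FullTrust, and the Directory Utility settings that reach each of them, are taken from the text. The text's table is cut off before its lowest rung, so the bottom of the ladder is represented by an assumed placeholder named "Unauthenticated"; evaluating the rungs from the top down and taking the highest one satisfied is also my assumption.

```python
"""Decide whether a managed client runs login and logout scripts from a
directory server, given the client's LDAP binding settings and its
MCXScriptTrust floor.

Added example; not Apple's code. The "Unauthenticated" rung and the
top-down evaluation order are assumptions (see lead-in).
"""
from dataclasses import dataclass

TRUST_LEVELS = ["Unauthenticated", "DHCP", "Encryption", "Authenticated",
                "PartialTrust", "FullTrust"]


@dataclass(frozen=True)
class LdapBinding:
    """The Directory Utility options that determine the server's trust value."""
    dhcp_supplied_servers: bool = False   # "Add DHCP-supplied LDAP servers to automatic search policies"
    encrypt_all_packets: bool = False     # "Encrypt all packets (requires SSL or Kerberos)"
    trusted_binding: bool = False         # trusted binding between the client and the directory
    sign_all_packets: bool = False        # "Digitally sign all packets (requires Kerberos)"
    block_mitm: bool = False              # "Block man-in-the-middle attacks (requires Kerberos)"


def trust_value(b: LdapBinding) -> str:
    """Trust value the server earns with this binding, highest rung first."""
    if b.sign_all_packets and b.block_mitm:
        return "FullTrust"
    if b.sign_all_packets:
        return "PartialTrust"      # as far as most Active Directory nodes get
    if b.trusted_binding:
        return "Authenticated"
    if b.encrypt_all_packets:
        return "Encryption"
    if b.dhcp_supplied_servers:
        return "DHCP"
    return TRUST_LEVELS[0]         # assumed placeholder for the cut-off bottom rung


def scripts_run(server_trust: str, mcx_script_trust: str = "FullTrust") -> bool:
    """The text's rule: scripts run only if the client's MCXScriptTrust floor is
    equal to or lower than the server's trust value. The floor defaults to
    FullTrust, so an unsigned or unauthenticated server never gets to run code."""
    for level in (server_trust, mcx_script_trust):
        if level not in TRUST_LEVELS:
            raise ValueError(f"unknown trust level: {level!r}")
    return TRUST_LEVELS.index(server_trust) >= TRUST_LEVELS.index(mcx_script_trust)


def should_run_scripts(binding: LdapBinding, mcx_script_trust: str = "FullTrust") -> bool:
    return scripts_run(trust_value(binding), mcx_script_trust)


# Constructed examples: an Open Directory bind with every protection on, an
# Active Directory bind that signs but cannot block man-in-the-middle
# attacks, and a bind that only encrypts.
OD_FULL = LdapBinding(encrypt_all_packets=True, trusted_binding=True,
                      sign_all_packets=True, block_mitm=True)
AD_SIGNED = LdapBinding(encrypt_all_packets=True, trusted_binding=True,
                        sign_all_packets=True)
SSL_ONLY = LdapBinding(encrypt_all_packets=True)

if __name__ == "__main__":
    for name, b in [("OD_FULL", OD_FULL), ("AD_SIGNED", AD_SIGNED), ("SSL_ONLY", SSL_ONLY)]:
        print(name, trust_value(b), "runs scripts at the default floor:", should_run_scripts(b))
    print("AD_SIGNED with the floor lowered to PartialTrust:",
          should_run_scripts(AD_SIGNED, "PartialTrust"))
```

The practical consequence: with the default floor, clients bound to an Active Directory node (PartialTrust at best) run no scripts at all. Lowering MCXScriptTrust to PartialTrust makes them run, but it is a deliberate statement that a server which signs but cannot block man-in-the-middle attacks is allowed to execute code on every login, so treat that change as a security decision, not a troubleshooting step.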
307. ...s. When you copy a file to a user's AFP drop box, the owner of the drop box becomes the owner of the file.
- In NFS, when you copy a file to another folder, you remain the owner, and the copy operation reduces your disk quota on a particular partition.

WARNING: If you set a disk quota on a user with a mobile account, the quota only affects the user's network home folder. There are no quota restrictions on the user's local home folder. Setting the quota too low can cause sync issues and data loss. For example, if you set a 250 MB quota and the user uses 500 MB in his or her local home folder, the mobile account doesn't sync entirely. The home folders sync until the 250 MB quota is met, and unsynced files remain local. When the user logs in to another computer and syncs, only 250 MB of data syncs from the network home folder.

To set up a home folder share point disk quota using Workgroup Manager:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select an account, connect to the server where the account resides, click the globe icon, choose the directory domain where the user account is stored, click the Users button, and then select the user account.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click Home, specify the disk quota using the Disk Quota field and the adjacent pop-up menu, and then click Save.
Make sure disk quotas a...
308. ...s:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select an account, click the globe icon above the accounts list, choose the directory domain where the user's account resides, and then select the user.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. In Privileges, choose Full from the Administration capabilities pop-up menu, and then click Save.

Working with Advanced Settings
Advanced settings include login settings, keywords, password type, and searchable comments. In Workgroup Manager, use the user account's Advanced pane to work with advanced settings.

Enabling a User's Calendar
If your iCal server enables individual user calendars, you can configure user accounts to use iCal server. When users use iCal to log in to the server, they can access their calendars.

To enable a user's calendar:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select an account, click the globe icon above the accounts list, choose the directory domain where the user's account resides, and then select the user.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. In Advanced, select Enable calendaring, choose a server from the pop-up menu, and then click Save.

Allowing a User to Log In to More Than One Computer at a Ti...
309. ...s synchronization 139; backup domain controller, see BDC; batch editing 51; batteries 177, 180; BDC (backup domain controller) 55, 57, 114, 245; Bluetooth 216; boot process, see startup; browsers, Safari 237; bundle IDs 164; Burn Disc command 186.
C: calendar service, see iCal service; CDs preferences 200; child groups 25, 159; Classic preferences: Apple menu access 172, 187, overview 149, restart options 172, sleep settings 173, startup options 170, System Folder 169, 171, user preferences location 174; client computers 21, 33; clients: customizing for 149, 150, 151, 152, management overview 147, mobile 144, network-visible resources 148, preferences overview 149, workflow improvement 152, see also group accounts, users; combined managed preferences 157, 159; command line tools: domain name lookup 241, exporting 254, folders 103, 123, importing 251, overview 22, sharing 118, ssh access 103, 239, user accounts 42, 58, 59; comments on user accounts 76; computer accounts: creating 106, guest 26, 107, mobile 141, overview 13, 25, 105, preferences 157, 162, Windows computers 107, Workgroup Manager layout 149.

Index

computer groups: adding to 111, creating 108, 109, deleting 112, editing 51, mobile 142, overview 13, 26, 108, preferences 157, 158, 163, presets 50, 109, 110, removing computers 111, upgrading from lists 112, vs. computer lists 108, Workgroup Manager layout 149; computer lists 108, 112; computer name 105, 192; computers: administrator 32, 41, 98...
310. ...s 112; user accounts: advanced settings 72, basic settings 63, calendar settings 72, command line tools 42, 58, 59, comments 76, creating 57, deleting 60, directory domains 46, 47, 48, 57, 58, disabling 60, editing 51, 58, 59, exporting 254, importing 53, 68, 253, keywords 75, lists 46, 48, 49, local 122, mail settings 80, organization of 26, 55, overview 22, 24, passwords 68, predefined 56, 251, preferences 139, presets 50, 61, 62, read-only 59, troubleshooting 242, types 56, user names 63, 64, 65, 66, 67, 242, Windows 55, 60, see also administrator, group accounts, guest accounts, users; user ID, see UID; user names 63, 64, 65, 66, 67, 242, 254; users: access control 23, 24, 70, categories 28, 59, customizing for 149, finding 45, 49, 75, identities 28, 56, 67, 87, 164, limited admin control 38, 70, login design 150, mail service 80, 81, network 31, 136, overview 55, permissions 70, planning for 34, 35, preferences control 149, 157, 161, 174, primary group for 28, 77, 89, print service 81, 82, 83, 84, 220, 221, 222, 223, remote 185, 239, 241, searching for 45, 49, 75, setup 31, sorting 75, tools overview 19, workgroup choice 151, see also clients, groups, home folders, managed preferences, user accounts, Windows users.
V: view settings 187, 227, 250; visual preferences 228; VPN (Virtual Private Network) 139.
W: wake settings 179, 180; web services: accessing 98, 217, 218, account 56, browser 237; websites, accessing 98, 217, 218; widgets in Dashboard 16...
311. ...s computer is offline, users can log in with user accounts whose password type is crypt or shadow password.

If Users Can't Log In with Accounts in a Shared Directory Domain
Users can't log in using accounts in a shared directory domain if the server hosting the directory isn't accessible. A server can become inaccessible due to a problem with the network, the server software, or the server hardware.

Problems with the server hardware or software affect users trying to log in to Mac OS X computers and users trying to log in to the Windows domain of a Mac OS X Server primary domain controller (PDC). Network problems can affect some users but not others, depending on where the network problem is.

Users with mobile user accounts can still log in to the Mac OS X computers they used previously. Users affected by these problems can log in using a local user account defined on the computer, such as the user account created during setup after installing Mac OS X.

If Users Can't Access Their Home Folders
Make sure users can access the share point where their home folders are located, and make sure they can access their home folders. Users need Read access to the share point and Read & Write access to their home folders.

If Users Can't Change Their Passwords
Users who have accounts in the server's LDAP directory with a crypt password can't change passwords after logging in. These users can change passwords if you use the...
312. ...s in each Energy Saver pane.

Energy Saver preference pane: What you can control
Desktop: Sleep timing for the computer, display, and hard disks, and wake and restart options for Mac OS X and Mac OS X Server.
Portable: Processor performance setting, sleep timing similar to Desktop, and wake and restart options for adapter and battery power sources.
Battery Menu: Display of the battery status indicator.
Schedule: Regular schedules for startup or shutdown.

Using Sleep and Wake Settings for Desktop Computers
Putting a computer to sleep saves energy because it turns off the display and stops the hard disk from running. Waking up from sleep is faster than starting up your computer. You can use the Energy Saver preference settings to put computers to sleep after a specified period of inactivity. Other settings enable you to wake or restart the computer when certain events happen.

To set sleep and wake settings:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more computers or computer groups.
4. Click Energy Saver and then click Desktop.
5. From the OS pop-up menu, choose Mac OS X or Mac OS X Server, and set the management setting to Always.
6. To adjust sleep settings, choose Sleep from the Settings pop-up menu and...
313. ...s might only need 2 terabytes (TB) of storage over the course of several years. However, if you give those same 2000 users their own computers with 60 GB drives, they could use as much as 120 TB of storage. In this case, every user fills his or her own drive, and portable home directory syncing mirrors files from his or her local home folder to the network file server.

Choosing a Home Folder Structure
When deploying computers, one of the most crucial decisions is choosing how and where to host home folders. There are three types of home folders: a local home folder, a network home folder, and a portable home directory. These home folders are typically tied, respectively, to local, network, and mobile accounts.

When considering your home folder structure, keep the following in mind:
- Users with local accounts typically have local home folders. When users save files in local home folders, the files are stored locally. To save the files over the network, users must connect to the network and upload the file. Using local home folders provides the least amount of control over a user's managed preferences and is also not inherently tied to a network account.
- Users with network accounts typically have network home folders. When users save files in network home folders, the files are stored on the server. Additionally, when users access home folders, even for common tasks like caching webpages...

Chapter 2: Getting Started with User Management
314. ...s or change the trust value, add login and logout scripts in Workgroup Manager. For more information about how to use Workgroup Manager to add login and logout scripts, see "Choosing a Login or Logout Script."

Choosing a Login or Logout Script
You can only run login and logout scripts on computers or computer groups. Before adding scripts, you must enable login and logout scripts on the client computers. If you change the trust level for client computers running Mac OS X v10.4, re-add your scripts. For instructions on enabling login and logout scripts on clients, and for more information about trust levels, see "Enabling the Use of Login and Logout Scripts" on page 194.

If you run login or logout scripts for computers and computer groups, the script for the computer is run first, followed by the script for the computer group, starting with hierarchical groups and ending with parent groups.

You can't run scripts that are larger than 30 KB.

To choose login or logout scripts:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more computers or computer groups.
4. Click Login and then click Scripts.
5. Set the management setting to Always.
6. Select Login Scrip...
315. ...save their homework in the Documents folder, their homework isn't synced. When the students log in on another computer, they can't access their homework. Also, if homework saved in Documents references pictures in Pictures, the references might not work because the Pictures folder is not synced.

If multiple users create a mobile account on the same computer, it could cause excessive proliferation of home folders. If you have a shared-access computer, like a kiosk or lab computer, every time a user creates his or her mobile account, a local home folder is created. If unmanaged, this could completely fill the computer's available hard disk space. If you set account expiry settings for a mobile account, you can automatically delete the local home folder after a set period of inactivity. If you don't want to automatically delete the home folder, consider using network or generic local accounts, both of which prevent the user from creating local home folders. If you set up a guest account, the contents of its local home folder are deleted when the user logs out.

Chapter 8: Managing Portable Computers

Mobile accounts can't restore deleted files through syncing. Although mobile accounts keep user files stored in two locations, in local and network home folders, they do not eliminate the need for a formal backup system. When you configure the user's portable home directory, you choose a subset of their folders to sync. This syncing affe...
316. ...se a separate local administrator account on each computer to allow server administrators or other individuals. If a generic configuration works for all users of a computer, instead of creating several generic local accounts, enable the guest account. To use the guest account, your computers must run Mac OS X v10.5 or later. The guest account is a local account that doesn't require a password and can't be logged into remotely. When a guest user logs out, all information and files in the guest account's home folder are deleted.

After creating local user accounts or enabling the guest account, you could then add each computer to a computer group and manage preferences for the computer or computer group.

Because multiple users can store items in the local home folder for a generic account, you might want to periodically clean out that folder as part of your maintenance routine. You might also recommend that students save files to a network drop box to ensure their files are not deleted and to allow them to access those files regardless of who uses the computer next.

Instead of using local accounts, you could use external accounts, which would give your users individual accounts with separate home folders. For external accounts, each student needs an external drive. This eliminates the need for hard disk space management on the portable computers, and you don't have to set strict account expiry...
317. ...sed by secure shell (SSH) when the user logs in to a remote Mac OS X computer.
Note: Terminal has a preference that allows the user to override the default shell.

To choose a default shell:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. To specify the user's default shell when logging in to a Mac OS X computer, choose a shell from the Login Shell pop-up menu. To specify a shell that doesn't appear in the list, choose Custom and then enter the path to the shell. To ensure that a user can't access the server remotely using the command line, choose None. Choosing None blocks interactive shell access only; it does not by itself keep the account from using other services, such as file sharing.

Choosing a Password Type and Setting Password Options
For user accounts in the LDAP directory of an Open Directory server, you can set the password type to Open Directory or Crypt Password. User accounts in the local directory domain have a password type of Shadow Password. When you set the password type to Shadow Password or Open Directory, you can set several password policy options, including disabling login after a period of inactivity or failed authentication attempts, or setting password restrictions such as requiring that passwords be a certain length or t...
318. ...see "Determining Server and Storage Requirements" on page 35. To create and modify accounts, you must also have a domain administrator account.

To set up an administrator computer:
1. Insert the Administration Tools disc and then start the installer, ServerAdministrationSoftware.mpkg, located in the Installers folder. Make sure the server administration tools you install are the same version as the Mac OS X Server software installed on your servers. If you use older server administration tools with a newer server version, the tools can cause errors and corrupt data.
2. Follow the onscreen instructions.
3. If you are managing preferences that use specific paths to find files, such as Dock preferences, make sure the administrator computer has the same file system structure as each managed client computer. This means that folder names, volumes, the location of applications, and so on should be the same.

Creating a Domain Administrator Account
Before creating and editing accounts in a shared directory, you need a domain administrator account in the directory. A domain administrator can use Workgroup Manager to add and change accounts residing in an Open Directory domain, the local directory domain, or another read/write directory domain.

To create a domain administrator account:
1. On the administrator computer, open Workgroup Manager and then authenticate as the administrator user created during server setup.
2. Access the s...
319. ...set the way the keyboard responds to keystrokes:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Universal Access.
5. Click Keyboard and then select a management setting.
6. To activate Sticky Keys, select Sticky Keys On. To turn off the key combination alert, deselect "Beep when a modifier key is set." To turn off onscreen display of keystrokes, deselect "Show pressed keys on screen."
7. To activate Slow Keys, select Slow Keys On. If you don't want audio feedback during keystrokes, deselect "Use click key sounds." Move the slider to adjust the amount of delay between when a key is pressed and when the computer accepts it.
8. Click Apply Now.

Adjusting Mouse and Pointer Responsiveness
If some users can't use a mouse, or prefer not to, the Mouse Keys feature allows them to use the numeric keypad instead. Keys on the numeric keypad correspond to directions and mouse actions, so the user can move the pointer and hold, release, or click.
Note: If you enable Universal Access Shortcuts, a user can press the Option key five times to turn Mouse Keys on or off.
If the pointer moves...
320. ...share point is stored on a server with multiple volumes, replace this with the name of the volume storing the share point.
share point: Replace this with the name of the share point.
path: Replace this with the path you entered in the previous step. Use an initial slash but no terminating slash.

For example, the following is a Full Path entry for a custom home folder for local users:
/Homes/Teachers/SecondGrade/Smith
The following is a Home entry for a custom home folder in the Hard Drive volume stored in a server located at server.example.com:
/Network/Servers/server.example.com/Volumes/Hard Drive/Homes/Teachers/SecondGrade/Smith
If you used a volume named HomeFolders in an external drive named "external HD" as the location for a custom home folder, the Full Path entry looks like this:
/Network/Servers/server.example.com/Volumes/external HD/HomeFolders/Homes/Teachers/SecondGrade/Smith

Click OK. Optionally, enter a disk quota and specify megabytes (MB) or gigabytes (GB). Click Create Home Now and then click Save. If you do not click Create Home Now before clicking Save, the home folder is created the next time the user logs in to a client computer.

Chapter 7: Setting Up Home Folders

Note: Home folders are created the first time a user logs in only on share points served through an AFP or SMB server. NFS home folders must be created manually.

Setting Up a Home Folder for a Windows User
Using Workgroup Manager, you can set up a ne...
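The Home and Full Path entries above follow a fixed shape, and a mistyped one (missing initial slash, stray terminating slash, wrong server) is a home folder that silently fails to mount at login. The following is an added example, not Apple's code and not part of this manual, that builds the two entries from their components, enforces the slash rules stated above, and parses an existing Home entry back into its parts so a batch of accounts can be audited. It assumes the share point and volume names are single path components and always writes the Volumes component, since the text only describes the multi-volume server case. The sample values are the ones used in the text above.

```python
"""Build and check Home and Full Path entries for custom home folder
locations, following the rules given above: an initial slash, no terminating
slash, and for network users the automount location
/Network/Servers/<server>/Volumes/<volume>/<share point><path>.

Added example; not Apple's code. Always writing the Volumes component is
an assumption (see lead-in).
"""
from typing import NamedTuple


class HomeLocation(NamedTuple):
    server: str       # for example server.example.com
    volume: str       # volume holding the share point, for example "Hard Drive"
    share_point: str  # top-level share point name, for example "Homes"
    path: str         # path inside the share point, for example "/Teachers/SecondGrade/Smith"


def check_path(path: str) -> str:
    """Enforce the text's rule: initial slash, no terminating slash."""
    if not path.startswith("/"):
        raise ValueError(f"path must start with a slash: {path!r}")
    if len(path) > 1 and path.endswith("/"):
        raise ValueError(f"path must not end with a slash: {path!r}")
    if "//" in path:
        raise ValueError(f"path contains an empty component: {path!r}")
    return path


def check_component(name: str, what: str) -> str:
    """A server, volume or share point name is exactly one path component."""
    if not name or "/" in name:
        raise ValueError(f"{what} must be a single non-empty path component: {name!r}")
    return name


def full_path(share_point: str, path: str) -> str:
    """Full Path entry for a local user's custom home folder."""
    return "/" + check_component(share_point, "share point") + check_path(path)


def home_entry(loc: HomeLocation) -> str:
    """Home entry for a user whose home folder is reached through the automount."""
    return "/Network/Servers/%s/Volumes/%s%s" % (
        check_component(loc.server, "server"),
        check_component(loc.volume, "volume"),
        full_path(loc.share_point, loc.path),
    )


def parse_home_entry(entry: str) -> HomeLocation:
    """Inverse of home_entry, for auditing existing accounts: recover the
    server, volume, share point and path from a Home entry."""
    prefix = "/Network/Servers/"
    if not entry.startswith(prefix):
        raise ValueError(f"not an automount home entry: {entry!r}")
    parts = entry[len(prefix):].split("/")
    if len(parts) < 5 or parts[1] != "Volumes":
        raise ValueError(f"malformed home entry: {entry!r}")
    server, _, volume, share_point, *rest = parts
    return HomeLocation(server, volume, share_point, "/" + "/".join(rest))


if __name__ == "__main__":
    loc = HomeLocation("server.example.com", "Hard Drive", "Homes", "/Teachers/SecondGrade/Smith")
    print(full_path(loc.share_point, loc.path))
    print(home_entry(loc))
    print(parse_home_entry(home_entry(loc)))
```

`parse_home_entry` is the useful half when you inherit a directory: run it over every account's Home entry and any value that raises, or that names a server other than the one you expect, is an account whose home folder will not mount and is worth looking at before users report it.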
321. ...sible in /Network/Servers when the user logs in to a Mac OS X computer configured to access the shared domain.

To set up an automountable NFS share point for home folders:
1. If you do not have a share point to host home folders, create one. For instructions, see "Setting Up a Share Point" on page 116.
2. Open Server Admin and connect to the server that hosts the share point. To connect to the server, choose Server > Connect, enter the server address in the Address field, and then authenticate as a server administrator. If you're already connected, you'll see Disconnect instead of Connect in the Server menu.
3. To view a list of available services, use the disclosure triangle next to your server.
4. If Server Admin doesn't list the NFS service, click the Add button, choose Add Service, select NFS, and then click Save.
5. Select the NFS service; then, if NFS is not running, click Start NFS. For more information about administering NFS service, see File Services Administration.
6. Select the server and click File Sharing.
7. Click Share Points and then select the share point.
8. In Share Point, select Enable Automount and then click Edit.
9. Choose your directory domain from the Directory pop-up menu, choose NFS from the Protocol pop-up menu, select "Use for User home folders," and click OK.
10. In the dialog that appears, authenticate as the directory admini...
322. ...so create a network home folder using the createhomedir command in Terminal. For more information, see the users and groups chapter of Command Line Administration.

Creating a Custom Location for Home Folders
The user's home folder does not need to reside in the share point folder. For example, you can organize home folder locations by creating several subfolders in a share point. If Homes is the share point folder, you can place teacher home folders in Homes/Teachers and student home folders in Homes/Students.

You can use Workgroup Manager to define a custom location for the home folder of a user whose account is stored in a server's local directory domain or in a shared directory domain. Shared directory domains can be an Open Directory domain or another read/write directory domain, and must be accessible from the server that you are using.

To create a custom location for home folders, your share point must be configured correctly:
- The share point for a local user account's home folder should reside in an AFP share point on the server where the user account resides. This share point does not need to be automountable; that is, it does not require a network mount record in the directory domain.
- The share point for the home folder of a user account in a shared directory domain can reside in any share point that the user's computer can access. This share point must be automountable. Additionally, any NFS...
323. ...specific days of the week. Scheduling shutdown or sleep can help you conserve energy during predictable times of user inactivity, such as after business hours, on weekends, or after a class is finished. Scheduling startup automatically allows you to conveniently prepare a lab or classroom for immediate use.

To schedule automatic actions:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more computers or computer groups.
4. Click Energy Saver and then click Schedule.
5. From the OS pop-up menu, choose Mac OS X or Mac OS X Server, and set the management setting to Always.
6. To schedule automatic startup, select "Start up the computer," choose a day or range of days (Weekdays, Weekends, or Every Day) from the pop-up menu, and then enter a time in the time field. To disable scheduled startup, deselect this option.
7. To schedule automatic sleep or shutdown, select the checkbox, choose Sleep or Shut Down from the pop-up menu, choose a day or range of days (Weekdays, Weekends, or Every Day) from the pop-up menu, and then enter a time in the time field. To disable scheduled sleep or shutdown, deselect this option.
8. Click Apply Now.

Managing Finder Preferences
You can con...
324. ...ss share points using Server Message Block (SMB), they transfer SIDs, not GUIDs. When Mac OS X Server receives SIDs, it retrieves the user accounts with the corresponding GUIDs. Windows servers use Active Directory as their directory domain. If a user account is moved to a different Active Directory domain, it receives a new SID but not a new GUID. The user still has access permissions assigned to old SIDs because Active Directory keeps track of SID history in user accounts. This also means that an old SID keeps granting access until it is removed from the account's SID history, so review SID history when you migrate accounts.
Chapter 1 User Management Overview
Getting Started with User Management
This chapter provides information about planning and setting up a user management environment. To create an effective user management environment, you must carefully plan your network. Then, when deploying the network, you must systematically and methodically set up your network resources.
Setup Overview
This section provides an overview of user management setup tasks, including the sequence of stages an administrator follows to create a managed environment. Not all steps are necessary in every case. For a more comprehensive approach to planning security, server setup, installation and deployment, management, and monitoring, see Server Administration.
Step 1: Before you begin, do some planning
Analyze your users' needs to determine which directory service configuration and home folder setup is the most suitable. For more information, se...
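The SID-to-GUID lookup described at the top of this item (before the chapter break), as an added example that is not Apple's code: it parses textual SIDs, canonicalizes them so that lookups compare like with like, resolves a list of SIDs against account records that carry both a current SID and a SID history, and lists the accounts that still accept an old SID. The account records are constructed for illustration, and the attribute names sid, sid_history and guid are stand-ins for Active Directory's objectSid and sIDHistory and Open Directory's GeneratedUID; how the server does this internally is not shown in the guide.

```python
"""Resolving Windows SIDs to directory account GUIDs, honouring SID history.

Added example for this guide; it is not Apple's code. The account records are
constructed, and the attribute names (sid, sid_history, guid) are stand-ins for
Active Directory's objectSid / sIDHistory and Open Directory's GeneratedUID.
"""
from __future__ import annotations


def parse_sid(sid: str) -> tuple[int, int, list[int]]:
    """Split a textual SID ('S-1-5-21-...-1105') into (revision, authority, subauthorities).

    Raises ValueError for anything that is not a well-formed SID string, so a
    malformed identifier can never match an account by accident.
    """
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    revision, authority, *subs = (int(p) for p in parts[1:])
    if revision != 1 or len(subs) > 15:  # SID revision is always 1; at most 15 subauthorities
        raise ValueError(f"unsupported SID: {sid!r}")
    return revision, authority, subs


def canonical_sid(sid: str) -> str:
    """Canonical form (no leading zeros, no padding) so lookups compare like with like."""
    revision, authority, subs = parse_sid(sid)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


# Constructed sample accounts. 'anne' was moved from domain S-1-5-21-100-200-300 to
# S-1-5-21-200-300-400: she has a new current SID, the old one lives on in SID history,
# and her GUID never changed.
ACCOUNTS = [
    {"name": "anne", "guid": "11111111-1111-1111-1111-111111111111",
     "sid": "S-1-5-21-200-300-400-1105",
     "sid_history": ["S-1-5-21-100-200-300-1105"]},
    {"name": "bob", "guid": "22222222-2222-2222-2222-222222222222",
     "sid": "S-1-5-21-200-300-400-1106",
     "sid_history": []},
]


def build_sid_index(accounts) -> dict[str, str]:
    """Map every SID an account currently holds or has held (SID history) to its GUID."""
    index: dict[str, str] = {}
    for acct in accounts:
        for sid in [acct["sid"], *acct["sid_history"]]:
            key = canonical_sid(sid)
            if key in index and index[key] != acct["guid"]:
                # Two accounts claiming one SID must fail loudly, not resolve to whichever came last.
                raise ValueError(f"SID {key} is claimed by more than one account")
            index[key] = acct["guid"]
    return index


def resolve_sids(sids, accounts) -> dict[str, str | None]:
    """Return {sid: guid}; unknown or malformed SIDs map to None instead of raising."""
    index = build_sid_index(accounts)
    result: dict[str, str | None] = {}
    for sid in sids:
        try:
            result[sid] = index.get(canonical_sid(sid))
        except ValueError:
            result[sid] = None
    return result


def accounts_with_sid_history(accounts) -> list[str]:
    """Audit helper: accounts that still grant access through an old SID."""
    return sorted(a["name"] for a in accounts if a["sid_history"])


if __name__ == "__main__":
    lookups = ["S-1-5-21-100-200-300-1105", "S-1-5-21-200-300-400-1106", "S-1-5-21-9-9-9-1", "bogus"]
    for sid, guid in resolve_sids(lookups, ACCOUNTS).items():
        print(f"{sid:30} -> {guid}")
    print("accounts carrying SID history:", accounts_with_sid_history(ACCOUNTS))
```

The old SID in anne's history resolves to the same GUID as her current SID, which is the behaviour the guide describes; the index refuses to build if one SID is claimed by two accounts, because an ambiguous SID must not silently resolve to either of them.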
325. ...ssed when the computer starts up.
Option | What this does when enabled
Enable >console login: Users can log in using the Darwin console command-line interface. To log in to the console, the user enters ">console" and no password in the login window. This allows the user to bypass management, so leave it disabled on computers where preference management must apply.
Enable Fast User Switching: With Fast User Switching, more than one account is available at the same time on a single computer. The list of currently active (authenticated) accounts appears in a menu on the right side of the Finder menu bar, allowing you to switch to a different account by choosing it. A user must authenticate to switch to his or her account, but the previous user does not need to log out first.
Log out users after __ minutes of inactivity: If a client computer has Mac OS X v10.3 or later, when the set time interval has passed, the user is logged out and returned to the login window.
Local administrators may refresh or disable management: When local administrators log in, they have the option not to choose a workgroup and to disable preference management.
Set computer name to computer record name: For computers with Mac OS X v10.5 or later. You can set the computer name. This name affects the client computer's Bonjour name, which other computers on the local subnet use to access the client computer. The new Bonjour name is name.local, where name is the compute...
326. ...sses that handle requests
Predefined group name | Group ID | Use
network | 69 | A group that has no specific meaning
nobody | 2 | A group used by system services
nogroup | 1 | A group used by system services
operator | 5 | A group that has no specific meaning
smmsp | 25 | A group used by sendmail
sshd | 75 | A group used for the sshd child processes that process network data
Chapter 5 Setting Up Group Accounts
staff | 20 | A default group that UNIX users are traditionally placed in
sys | 3 | A group that has no specific meaning
tty | 4 | A group that owns special files, such as the device file associated with an SSH or telnet user
_unknown | 99 | A group used when the system doesn't know about the hard drive
utmp | 45 | A group that controls who can update the system's list of logged-in users
_uucp | 66 | A group used to control access to UUCP spool files
wheel | 0 | A group, in addition to the admin group, that users with administrator privileges belong to. Membership is required for using the su command.
www | 70 | A nonprivileged group that Apache uses for its processes that handle requests
Administering Group Accounts
Workgroup Manager lets you administer group accounts stored in multiple directory domains.
Creating Group Accounts
To create a group account in a directory domain, you must have domain administrator privileges. You can also create group accounts on a non-Apple LDAPv3 server if the server is configured for write acc...
327. ...ssic. Click Advanced and then set the management setting to Always. To maintain consistent Classic preferences, select "Use preferences from home folder." Deselect this option to use the local Mac OS 9 System Folder for all Classic user preferences. Click Apply Now.
Managing Dock Preferences
Dock settings allow you to adjust the behavior of the user's Dock and specify what items appear in it. The table below describes what the settings in each Dock pane can do.
Dock preference pane | What you can control
Dock Items | Items and their position in a user's Dock
Dock Display | The Dock's position and behavior
Controlling the User's Dock
Dock settings allow you to adjust the position of the Dock on the desktop and change the Dock's size. You can also control animated Dock behaviors.
To set how the Dock looks and behaves:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click Dock and then click Dock Display.
Set the management setting to Once or Always.
Drag the Dock Size slider to make the Dock smaller or larger.
If you want items in the Dock to be magnified when a us...
328. ...ssword of a directory domain administrator.
5. In Print Quota, select Per Queue. If the print queue you want to specify is not on the Queue Name pop-up menu, click Add, enter the queue name, and then specify the IP address or DNS name of the server where the queue is defined in the Print Server field. For your settings to take effect, the print service queue must enforce quotas.
Chapter 4 Setting Up User Accounts
6. To give the user unlimited printing rights to the queue, select "Unlimited printing"; otherwise, select "Limit to" and specify the maximum number of pages the user can print in a specific number of days.
7. Click Save.
Removing a Print Quota for a Queue
If you no longer require a print quota for a queue, you can use Workgroup Manager to delete the quota for specific users. To delete specific print quotas, you must manage print settings per queue.
To delete a user's print quota using Workgroup Manager:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user in the list.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click Print Quota and then select Per Queue.
5. Choose the user's print queue whose quota you want to delete from the Queue Name pop-up menu.
6. Click Delete and then click Save.
Reset...
329. ...strator, and then click OK.
Click Protocol Options.
In NFS, select "Export this item and its contents to" and choose Client List. Add the client computers that you want to have access to the share point: click the Add button and enter the IP address or host name of a client you want to add to the computer group. Click the Remove button to remove the selected computer from the list.
In the Mapping pop-up menu, choose Root to Nobody, so that the root user on a client computer is treated as nobody on the share point rather than as root.
In the Minimum Security pop-up menu, choose the minimum level of authentication security required of the computers. If your computers can't authenticate with this level of security, they can't use NFS share points.
To prevent AFP access to the share point, in AFP deselect "Share this item using AFP." To prevent SMB access to the share point, in SMB deselect "Share this item using SMB." To prevent FTP access to the share point, in FTP deselect "Share this item using FTP."
Click OK to close the Protocol Options dialog, and then click Save.
From the Command Line
You can also set up a share point using the sharing command in Terminal. For more information, see the file services chapter of Command Line Administration.
Setting Up an SMB Share Point
You can use Server Admin to:
- Enable or disable access to a share point that uses SMB
- Change the share point name that SMB clients see
- Choose whether guest access and opportunistic locking are allowed
330. ...such as spaces, dashes, and underscores, remove the special characters and then click OK. For example, change local host names like "Anne Johnson's Computer" to "AnneJohnsonsComputer".
Optionally, determine the trust level by entering the following command in Terminal:
dscl localhost read /LDAPv3/www.apple.com dsAttrTypeStandard:TrustInformation
Replace www.apple.com with the address of your LDAP directory. Running this command displays a line similar to the following:
TrustInformation: Authenticated FullTrust
In this example, the current trust level is FullTrust. The trust level is also Authenticated. When two trust levels are listed, the higher trust level takes precedence.
Set the EnableMCXLoginScripts key in /Library/Preferences/com.apple.loginwindow.plist to TRUE by entering the following command in Terminal:
sudo defaults write /Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool TRUE
Give defaults the full path to the file: run under sudo, the bare domain name com.apple.loginwindow would write to the root user's own preferences rather than to /Library/Preferences.
To change the trust value from FullTrust, set the MCXScriptTrust key in /Library/Preferences/com.apple.loginwindow.plist to a valid trust value. For example, enter the following command in Terminal:
sudo defaults write /Library/Preferences/com.apple.loginwindow MCXScriptTrust -string PartialTrust
This command sets the trust value to PartialTrust. To set other trust values, replace PartialTrust with another valid trust value. If you enter an invalid trust value, the trust value is reset to FullTrust. Lowering MCXScriptTrust below the trust level the directory actually has lets login and logout scripts from a less trusted directory run on the client, so lower it only for a directory you control.
When you enable login and logout script...
331. ...t client computers can start up over the network from a server-based disk image that contains system software. Disk image files have a filename extension of either .img or .dmg. The two image formats are similar and are represented with the same icon in the Finder. The .dmg format cannot be used on computers running Mac OS 9.
Glossary
DNS (Domain Name System): A distributed database that maps domain names to IP addresses (and the reverse). A DNS server, also known as a name server, keeps a list of names and the IP addresses associated with each name.
drop box: A shared folder with privileges that allow other users to write to, but not read, the folder's contents. Only the owner has full access. Drop boxes should be created only using AFP. When a folder is shared using AFP, the ownership of an item written to the folder is automatically transferred to the owner of the folder, thus giving the owner of a drop box full access to and control over items put into it.
everyone: Any user who can log in to a file server: a registered user or guest, an anonymous FTP user, or a website visitor.
export: In the Network File System (NFS), a way of sharing a folder with clients on a network.
external account: A mobile account whose local home folder is stored on an external volume. When the user connects the external volume to a computer, the user can access the external account. When the external volume is disconnected, the user can't access the external account.
filter: A s...
332. ...t and the feature is not in use on the local computer, only the client's Finder is affected. Dock and Application access settings must be managed separately. You can set up Simple Finder on the local computer and use the application and Dock management features in Workgroup Manager to add Dock items and application access.
Important: Don't turn on Simple Finder for users who run Mac OS X v10.2 through v10.2.8 and log in to a workgroup with its own group folder. These users can't use applications, because Simple Finder prevents access to the group folder.
To turn on Simple Finder:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click Finder, click the Preferences tab, and then select a management setting. If you select Always, choose "Use normal Finder" or "Use Simple Finder." If you select Once, the account uses only the normal Finder.
Click Apply Now.
Keeping Disks and Servers from Appearing on the User's Desktop
Normally, when a user inserts an external disk, that disk's icon appears on the desktop. Icons for local hard disks or disk partitions and mounted server volumes are also visible. If y...
333. ...t assign the same name, short name, or user ID to multiple users. Workgroup Manager disables fields where you must provide unique values.
If a setting is not the same for two or more accounts, you may see a mixed-state slider, radio button, checkbox, text field, pop-up menu, or list.
Interface element | Mixed-state appearance
Sliders, radio buttons, and checkboxes | A dash, which indicates that the setting is not the same for all selected accounts
Text fields | Either the term "Varies" or an empty field appears in the text field
Pop-up menu | The term "Varies" appears in the pop-up menu
Lists | The term "Data Varies" appears in the list
The mixed-state interface element also appears when you do the following:
- Edit managed preferences that were originally set in Mac OS X v10.4 or earlier
- Change a preference in the preference editor that corresponds to an interface element
If you choose a new setting for a mixed-state setting, every selected account gets the new setting.
Chapter 3 Getting Started with Workgroup Manager
For example, suppose you select three group accounts that each have different settings for the Dock size. When you look at the Dock Display preference pane for these accounts, the Dock Size slider is centered and has a dash on it. If you change the position of the Dock Size slider to Large, all selected accounts then have a large-size Dock.
To batch edit accounts that match speci...
334. ...t authenticated, click the lock and enter the name and password of a directory domain administrator.
Click the Groups button and select one or more group accounts from the list.
Click the icon for the preference you want to manage.
In each preference pane, select a Manage option. In Media Access, the management setting applies to all preferences rather than to individual panes.
Select preference settings or fill in the information you want to use. Some management settings are not available for some preferences, and some preferences are not available for some types of accounts.
Click Apply Now.
Managing Computer Preferences
Computer preferences are preferences set for individual computers. Energy Saver and Time Machine preferences can be managed for computers and computer groups, but not for users or groups.
To manage computer preferences:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Click the Computers button and select one or more computers.
Click the icon for the preference you want to manage.
In each preference pane, select a Manage option. In Media Access, the management setting applies to all preferences rather than to individual panes.
Select preference settings or fi...
335. ...t authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click the Add button, select Safari in /Applications, and then click Add. The preference manifests included with older versions of Safari don't have as many configurable preferences as the Safari version included with Mac OS X v10.5 or later. You can replace old Safari preference manifests by adding the new Safari application and then clicking Replace in the dialog that appears.
5. To edit Safari preferences, select Safari (Preference ID com.apple.Safari), click the Edit (pencil) button, and then add the keys you'd like to manage. For more information, see "Editing Application Preferences with the Preference Editor" on page 234.
Solving Problems
If you encounter problems as you work with Workgroup Manager, you may find a solution in this chapter. If the answer to your question isn't here, try searching Workgroup Manager Help for new topics. You can also search the Apple Service & Support website for information and solutions at www.apple.com/support.
Diagnosing Common Network Issues
Before you try the solutions in this chapter, make sure your network is properly configured. In particular, test your Network Time Protocol (NTP), Domain Name System (DNS), and Dynamic Host...
336. ...t be well described if the application doesn't have a preference manifest or if the key you're editing isn't in the preference manifest.
Adding to the Preference Editor's List
Before you can manage an application in the preference editor, you must add the application or the application's preference file to the preference editor's list. The application's preference file is in ~/Library/Preferences. You can manage any application that uses Mac OS X preferences. To do this, you must set preferences for a local copy of that application stored on the administration computer; then you can add the .plist file for the application, stored in ~/Library/Preferences, to the preference editor's list. You can also import application preferences when you add the application to the preference editor's list.
When you use your own application preferences, you can choose the management frequency applied to those preferences:
Frequency | Description
Once | Similar to the Once setting in the main interface. Sets a preference but allows the user to change that preference and retain his or her changes.
Often | Only available in the preference editor. Allows users to modify their preferences, but the preferences revert to your managed setting every time the user begins a new session.
Always | Similar to the Always setting in the main interface. Sets a preference and usually does not allow the user to modify the preference.
337. ...t doesn't appear in the list. The login screen lists only workgroups that are allowed access by the computer group. Local administrators also have the option not to choose a workgroup and to disable preference management.
Users can select "Remember my choice," which bypasses the workgroup chooser in future logins and selects a workgroup for the user. Users can still change their workgroup by holding down the Option key while their password is validated.
If the computer, or the computer group it's associated with, supports local-only users, all workgroups that are given access to the computer by the computer group are listed after a local user logs in. The user can select any of these.
Chapter 9 Client Management Overview
Any preferences associated with the user, the chosen workgroup, parent workgroups, and the computer being used take effect upon login.
If you manage login access preferences, you can customize the workgroup-choosing process. For example, you could:
- Ensure that the workgroup chooser is always shown by selecting "Always show workgroup dialog during login" and, in login options, deselecting "Local administrators may refresh or disable management"
- Bypass the workgroup chooser and combine settings from all available workgroups by selecting "Combine available workgroup settings"
- Prevent parent group preferences from taking effect by selecting "Ignore workgroup nesting"
For mor...
338. ...t for Mobile Accounts
Selecting the Location of a Mobile Account
Creating External Accounts
Setting Expiration Periods for Mobile Accounts
Choosing Folders to Sync at Login and Logout or in the Background
Stopping Files from Syncing for a Mobile Account
Setting the Background Sync Frequency
Showing Mobile Account Status in the User's Menu Bar
Managing Network Preferences
Configuring Proxy Servers by Port
Allowing Users to Bypass Proxy Servers for Specific Domains
Enabling Passive FTP Mode
Disabling Internet Sharing
Disabling AirPort
Disabling Bluetooth
Managing Parental Controls Preferences
Hiding Profanity in Dictionary
Preventing Access to Adult Websites
Allowing Access Only to Specific Websites
Setting Time Limits and Curfews on Computer Usage
Managing Printing Preferences
Making Printers Available to Users
Preventing Users from Modifying the Printer List
Restricting Access to Printers Connected to a Computer
Setting a Default Printer
Restricting Access to Printers
Adding a Page Footer to All Printouts
Managing Software Update Preferences
Managing Access to System Preferences
Managing Time Machine Preferences
Managing Universal Access Preferences
Adjusting the User's Display Settings
Setting a Visual Alert
Adjusting Keyboard Accessibility Options
Adjusting Mouse and Pointer Responsiveness
Enabling Universal Access Shortcuts
Allowing Devices for Users with Special Needs
Using the Preference Editor with Preference Manifests
Conten...
339. ...t includes those preferences.
To manage access to System Preferences:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click System Preferences.
Set the management setting to Always.
For each item you don't want displayed in a user's System Preferences, deselect its Show checkbox. To select all Show checkboxes, click Show All. To deselect all Show checkboxes, click Show None. Hiding a pane only removes it from the System Preferences window; a user who is a local administrator can still change the same settings by other means.
Click Apply Now.
Managing Time Machine Preferences
Time Machine preferences let you control Time Machine, which backs up computer data to network servers. Time Machine backs up all computer data, such as installed applications and their preferences, all local account data, and, optionally, system files. To use Time Machine, your computers must run Mac OS X v10.5 or later.
To manage Time Machine, you'll need to run file services such as AFP service. When managed users log in to Mac OS X, their login name and password are used to authenticate them with the file server.
You can back up a computer's startup volume or all local volumes. If your users have network accounts, their data isn't backed up through Time Machine, because their data is stored on a network server.
340. ...t or Log Out Script, then, in the dialog that appears, locate your script and click Open.
Click Apply Now.
Automatically Opening Items After a User Logs In
You can simplify the user experience by setting frequently used items, such as applications, folders, or server connections, to open when the user logs in. You can also hide the items to help prevent screen clutter while still making the items easily accessible.
Items open in the order they appear in Login Items preferences; you specify the order. The last item opened becomes the active application. For example, if you specify three items to open and none are hidden, the user sees the menu bar for the last item opened. If an application has open windows, the windows may overlap windows from other applications.
A user can stop login items from opening by holding down the Shift key during login until the Finder appears on the desktop. You can turn off this feature.
To set an item to open automatically:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click Login and then click Items.
Select a management setting.
To add an item to the list, click the Add button, select the application, folder, or ser...
341. ...t short user name, use only these characters (subsequent short names can contain any Roman character):
- a through z
- A through Z
- 0 through 9
- _ (underscore)
- - (hyphen)
Typically, short names contain eight or fewer characters. Initially, the value of the first short name is untitled_n, where n is the sequential number generated after the last generated number for an existing untitled user.
Avoid assigning the same name to more than one user. Workgroup Manager doesn't let you assign the same name to different users in a domain or in a domain search policy. However, it can't detect whether duplicates exist in other domains.
After the user's account is saved, you can't change the first short name, but you can change any of the other short names.
Use Workgroup Manager to edit the short name of an account stored in an Open Directory domain, the local directory domain, or another read/write directory domain. You can also use Workgroup Manager to review the short name in any directory domain accessible from the server you're using.
To work with a user short name using Workgroup Manager:
In Workgroup Manager, click Accounts.
Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account.
To authenticate, click the lock and enter the name and password of a directory domain administrator.
Click Basic, then in the Sh...
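The short-name rules above, as an added example that is not Apple's code: it validates a proposed first short name against the allowed character set, warns when the name exceeds the typical eight characters, computes the untitled_n default, and performs the cross-domain duplicate check that the guide says Workgroup Manager does not do for you. Treating names that differ only in letter case as duplicates is an assumption made here to stay on the conservative side; the domain labels and existing names are constructed.

```python
"""Checks for Workgroup Manager short names.

Added example; not Apple's code. Encodes the rules in the passage above (first short
name limited to a-z, A-Z, 0-9, underscore and hyphen; no duplicate names; the
untitled_n default) and adds the cross-domain duplicate check the guide says
Workgroup Manager itself does not perform. Case-insensitive duplicate matching
is an assumption made here, chosen to err on the side of reporting a clash.
"""
from __future__ import annotations

import re

FIRST_SHORT_NAME = re.compile(r"[A-Za-z0-9_-]+")
TYPICAL_MAX_LENGTH = 8  # the guide says "typically"; exceeding it is a warning, not an error
UNTITLED = re.compile(r"untitled_(\d+)")


def check_first_short_name(name: str) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a proposed first short name; no errors means acceptable."""
    errors: list[str] = []
    warnings: list[str] = []
    if not name:
        errors.append("short name is empty")
    elif not FIRST_SHORT_NAME.fullmatch(name):
        bad = sorted({c for c in name if not FIRST_SHORT_NAME.fullmatch(c)})
        errors.append("characters not allowed in a first short name: " + " ".join(repr(c) for c in bad))
    if len(name) > TYPICAL_MAX_LENGTH:
        warnings.append(f"longer than the typical {TYPICAL_MAX_LENGTH} characters")
    return errors, warnings


def find_duplicates(name: str, domains: dict[str, set[str]]) -> list[str]:
    """Labels of the domains in which `name` already exists (case-insensitive, an assumption).

    `domains` maps a directory domain label to the short names it already holds.
    Workgroup Manager only checks the target domain and its search policy; pass every
    domain your clients bind to and this checks them all.
    """
    wanted = name.lower()
    return sorted(label for label, names in domains.items()
                  if any(existing.lower() == wanted for existing in names))


def next_untitled_name(existing: set[str]) -> str:
    """The default name for a new user: untitled_n, one past the highest untitled_ number in use."""
    highest = max((int(m.group(1)) for n in existing if (m := UNTITLED.fullmatch(n))), default=0)
    return f"untitled_{highest + 1}"


if __name__ == "__main__":
    # Constructed sample data
    directories = {"local": {"anne", "bob", "untitled_1"}, "ldap": {"Carol", "untitled_3"}}
    for candidate in ("anne_j-1", "anne johnson", "Anne", "élan"):
        print(candidate, check_first_short_name(candidate), find_duplicates(candidate, directories))
    print(next_untitled_name(directories["local"] | directories["ldap"]))
```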
342. ...te hardware, users can burn discs (write information to recordable CDs or DVDs). If you don't want users to have this ability, you can hide the Burn Disc command in the Finder File menu. Hiding the command only removes it from the menu; to actually prevent users from using or burning recordable CDs or DVDs, use the settings in the Media Access panes. For more information, see "Managing Media Access Preferences" on page 200.
Only computers with a CD-RW drive, Combo Drive, or SuperDrive can burn CDs. The Burn Disc command works only with CD-R, CD-RW, or DVD-R discs. Only a SuperDrive can burn DVD-R discs.
To hide the Burn Disc command:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click Finder, click Commands, and then set the management setting to Always.
Deselect Burn Disc.
Click Apply Now.
Controlling User Access to Folders
Users can open a specific folder by choosing the Go to Folder command in the Finder Go menu and providing the folder's pathname. If you don't want users to have this ability, you can hide the command. Hiding it removes one way of reaching a folder but does not change the folder's permissions, which are what actually control access.
To hide the Go to Folder command:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directo...
343. ...ter settings without user interaction.
Customizing the User Experience
You manage a network user's work environment by defining preferences: settings that customize and control the user's computer experience. There are two panes in Workgroup Manager Preferences: Overview and Details. To manage predefined system preferences, use the Overview pane. To manage preferences for any application or utility that has a preference manifest, use the Details pane. The Overview pane is identical for users and groups, but additional items (Energy Saver and Time Machine) appear for computers and computer groups.
Many factors, including user responsibilities and security issues, determine what computer work environment is most suitable for a user. In some cases, setting up informal usage guidelines may be sufficient. In other cases, tightly controlling the computer experience may be necessary, with each setting defined and each application controlled. The preferences you define should use the Mac OS X capabilities that best support your users and your business requirements.
The Power of Preferences
Many preferences, such as Dock and Finder preferences, customize the appearance of the desktop. For example, you can set up Dock and Finder preferences so the user's work environment is simplified by including only essential applications and key folders in the Dock. Other preferences manage what users can access and control...
344. ...tered using hexadecimal numbers. Hexadecimal numbers use the digits 0 through 9 and the letters a through f.
- Bytes must be separated by colons. Each byte consists of two hexadecimal digits.
- Any byte with a single hexadecimal digit should be given a leading zero. For example, the following Ethernet ID is invalid because the single-digit bytes lack leading zeros: 7:8:9:a:b:c. The following Ethernet ID is valid because each byte has two digits: 07:08:09:0a:0b:0c.
- The letters a through f must be entered in lowercase.
To create a computer account:
In Workgroup Manager, click Accounts.
Click the globe icon and choose the directory domain where you want to store the computer account.
To authenticate, click the lock and enter the name and password of a directory domain administrator.
Click the Computers button.
Choose Server > New Computer, or click New Computer in the toolbar, and then enter long and short names for the computer.
Click General.
To add a comment, enter it in the Comment field. Comments and keywords make it easier to search for the computer.
To associate keywords with the computer, click the Add button next to the keywords list.
Chapter 6 Setting Up Computers and Computer Groups
If keywords that you want to associate aren't listed in the master keyword list, click Edit Keywords, click the Add button, enter a name for the keyword, and click OK. Select the keywords yo...
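The Ethernet ID rules above, as an added example that is not Apple's code: a normalizer that turns loosely entered addresses into the exact form Workgroup Manager accepts (colon-separated, two lowercase hexadecimal digits per byte) and a strict validity check that reports only that exact form as valid. The six-byte length is an assumption made here (the guide does not state it; Ethernet hardware addresses are 48 bits). Keep in mind that an Ethernet ID identifies hardware, not a person, and can be changed on the client, so a computer account keyed on it is a management convenience rather than an authentication boundary.

```python
"""Ethernet ID (MAC address) normalization for Workgroup Manager computer accounts.

Added example; not Apple's code. It applies the rules listed above: colon-separated
bytes, two hexadecimal digits per byte with a leading zero where needed, letters a-f
in lowercase. The six-byte length is an assumption (the guide does not state it;
Ethernet hardware addresses are 48 bits).
"""
import re

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{1,2}")
ETHERNET_BYTES = 6  # assumption, see module docstring


def normalize_ethernet_id(raw: str) -> str:
    """Return `raw` in the form the guide calls valid, e.g. '7:8:9:a:b:c' -> '07:08:09:0a:0b:0c'.

    Raises ValueError when the input cannot be repaired automatically (wrong byte
    count, non-hexadecimal characters, or a separator other than ':').
    """
    parts = raw.strip().split(":")
    if len(parts) != ETHERNET_BYTES:
        raise ValueError(f"{raw!r}: expected {ETHERNET_BYTES} colon-separated bytes, found {len(parts)}")
    fixed = []
    for part in parts:
        if not HEX_BYTE.fullmatch(part):
            raise ValueError(f"{raw!r}: {part!r} is not a one- or two-digit hexadecimal byte")
        fixed.append(part.lower().zfill(2))  # leading zero, lowercase a-f
    return ":".join(fixed)


def is_valid_ethernet_id(raw: str) -> bool:
    """True only when `raw` is already exactly in canonical form; anything fixable but
    not yet fixed (missing zeros, uppercase letters) counts as invalid, as in Workgroup Manager."""
    try:
        return normalize_ethernet_id(raw) == raw
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed candidates, including the guide's invalid and valid examples
    for candidate in ("7:8:9:a:b:c", "07:08:09:0a:0b:0c", "00:1B:63:AB:CD:EF", "07-08-09-0a-0b-0c"):
        try:
            print(f"{candidate!r:22} valid={is_valid_ethernet_id(candidate)} "
                  f"canonical={normalize_ethernet_id(candidate)!r}")
        except ValueError as err:
            print(f"{candidate!r:22} rejected: {err}")
```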
345. ...ters list, click Open Printer Setup and add the printer to the Print & Fax printer list.
Click Apply Now.
Preventing Users from Modifying the Printer List
If your users run Mac OS X v10.5 or later, they must authenticate as local administrators to change the list of printers. If your users run Mac OS X v10.4 or earlier, you can manage preferences so that users must authenticate as local administrators to change the list of printers.
To restrict access to the printer list:
In Workgroup Manager, click Preferences.
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
Select one or more users, groups, computers, or computer groups.
Click Printing and then click Printers.
Set the management setting to Always.
Click Printer List.
Deselect "Allow user to modify the printer list."
Click Apply Now.
Restricting Access to Printers Connected to a Computer
In some situations, you might want only certain users to print to a printer connected directly to their computer. For example, if you have a computer in a classroom with a printer attached, you can reserve that printer for teachers by making the teacher an administrator and requiring an administrator's user name and password to access the printer...
346. ...tes might be present in these XML files:
- Group name (required)
- One member's short name (required)
- Other members' short names
The dsimport tool generates group IDs when you import this XML file, using the -r parameter to determine the group ID to start with and incrementing each subsequent imported group's ID by one. When you import using Workgroup Manager, group IDs are generated using the information you provide for group IDs in the import dialog.
Appendix Importing and Exporting Account Information
Glossary
This glossary defines terms and spells out abbreviations you may encounter while working with online help or the various reference manuals for Mac OS X Server. References to terms defined elsewhere in the glossary appear in italics.
access control list: See ACL.
ACE (Access Control Entry): An entry within an ACL that controls access rights. See ACL.
ACL (Access Control List): A list maintained by a system that defines the rights of users and groups to access resources on the system.
Active Directory: The directory and authentication service of Microsoft Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2.
administrator: A user with server or directory domain administration privileges. Administrators are always members of the predefined admin group.
administrator computer: A Mac OS X computer onto which you've installed the server administration applications from the Mac OS X Server Admin CD.
AF...
347. tes the older file. If both files have been modified since the last sync, the user is prompted to choose which file to keep. Do not use background syncing with folders containing files accessed by multiple computers. There are several scenarios where this could cause users to load older, unsynced files:
• The user saves a file on one computer and loads the same file on another computer. If that file was not synced to the server since its last save, the user loads an outdated version of the file located on the server.
• The file might not exist on the server because it was not synced. If the file was not synced from the server before loading, the user either does not see the file or loads an outdated local version.
• The user uses the same mobile account to log in to two computers simultaneously. This might create sync issues with the two computers, causing the computers to display error messages.
Login and logout syncing should be carefully managed because a user's login and logout is delayed while files are syncing. If a user has a slow network connection or is syncing many files or large files, the user must wait for syncing to complete before using the system. If you want to sync parts of a user's Library folder, you must use login and logout syncing. Syncing the Library folder retains users' bookmarks and application preferences. Consider syncing smaller files such as prefere
348. the dsimport command-line tool to import accounts. You can quickly import or export user, group, computer, and computer group accounts using Workgroup Manager. You can also use the dsimport command-line tool to import user and group accounts.
Understanding What You Can Import and Export
You can import all record types that are tracked in Workgroup Manager. Common record types include users, groups, computers, and computer groups. Starting with Mac OS X Server v10.4, you can even import partial attributes of individual records and combine attributes from different records. When importing from custom files, the only attribute a record must have is a record name. For a list of attributes, open Terminal and enter man DirectoryServiceAttributes. Alternately, if you have Xcode installed, you can view a list of attributes with improved formatting and more detailed descriptions by opening /System/Library/Frameworks/DirectoryService.framework/Headers/DirServicesConst.h. You can't use an import file to change the following predefined users: daemon, root, nobody, unknown, or www. In addition, you can't use an import file to change the following predefined groups: admin, bin, daemon, dialer, mail, network, nobody, nogroup, operator, staff, sys, tty, unknown, utmp, uucp, wheel, or www. However, you can add users to the wheel and admin groups. You can use the dsimport tool to import records from a text-delimited file. For descriptions of common record
349. the globe icon in the drawer to choose a different directory domain. The group folder owner is given read/write access to the group folder. 7 Click Save. 8 To create the folder, use the ssh tool to connect to the server hosting the share point and then enter the CreateGroupFolder command in Terminal. You must be the root user to use the command. For more information about ssh, enter man ssh in Terminal to view the man page. For more information about CreateGroupFolder, enter man CreateGroupFolder in Terminal to view the man page. The group folder is named using the short name of the group it is associated with.
From the Command Line: You can also create a group folder using the sudo /usr/bin/CreateGroupFolder command and assign it using the dseditgroup command in Terminal. For more information, see the users and groups chapter of Command Line Administration.
Designating a Group Folder for Use by Multiple Groups
To permit a group folder to be accessed by multiple groups, identify the folder for each group separately. Usually a single group has read/write permissions for a group folder. To allow multiple groups to access the same group folder, use Server Admin to add an ACE for every group to the group folder's ACL. For more information about using Server Admin to apply ACL permissions to folders, see File Services Administration.
To configure more than one group to use the same group folder: 1 In Workgroup Manager, click Accounts. 2 Se
350. the location of the local home folder, external accounts are treated like mobile accounts, with the same kinds of syncing, cached authentication, and managed preference benefits. Note: If a user's mobile account is hosted in an Active Directory domain, the mobile account does not have a portable home directory. However, it does have a local home folder and a network home folder, and it caches authentication. Mobile accounts and external accounts are described in detail in Chapter 8, Managing Portable Computers.
Devising a Home Folder Distribution Strategy
Determine which users need home folders and identify the computers where you want these home folders to reside. For performance reasons, avoid using network home folders over network connections slower than 100 megabits per second (Mbit/s). A user's network home folder doesn't need to be stored on the same server as the directory containing the user's account. In fact, distributing directory domains and home folders across multiple servers can help balance your network load. This scenario is described in Distributing Home Folders Across Multiple Servers on page 115. You may want to store home folders for users with last names beginning with A through F on one computer, G through J on another, and so on. Or you may want to store home folders on a Mac OS X Server computer but store user and group accounts on an LDAP or Active
351. the same query, the removed account returns to this list. If you selected "Display postview of changes/errors," a dialog appears listing the batch edit results, including the changed records and fields. To save a text log of the batch edit results, click Save. Click OK. To stop batch editing, click Clear.
Importing and Exporting Account Information
You can use XML or character-delimited text files to import and export user and group account information. Importing information can make it easier to set up many accounts quickly. Exporting information to a file is useful for record keeping. To back up account information with passwords intact, archive the directory. For more information, see the appendix, Importing and Exporting Account Information.
Setting Up User Accounts
This chapter tells you how to set up, edit, and manage user accounts. User accounts give users unique identities on your network and allow you to manage those users. You can use Workgroup Manager to view, create, edit, and delete user accounts. To view user accounts in Workgroup Manager, click the Users button above the accounts list.
About User Accounts
A user account stores data that Mac OS X Server uses to validate a user's identity and provide services to the user.
Where User Acco
352. the users' computers must retrieve these files from the server. Using network home folders provides complete control over a user's managed preferences. When users are not connected to the network, they can't access their accounts or home folders. Users with mobile accounts have both local and network home folders, which combine to form portable home directories. When users save files, the files are stored in a local home folder. The portable home directory is a synced subset of a user's local and network home folders. You can configure which folders to sync and how frequently to sync them. Mobile accounts also cache authentication information and managed preferences. If you sync key folders, a user can work on and off the network and experience a seamless work environment. If you choose not to sync portable home directories, mobile accounts are then very similar to local accounts, except that mobile accounts have managed preferences.
• Users with mobile accounts who access their accounts on computers running Mac OS X v10.5 or later can use portable home directories with an external drive. When users connect external drives to a computer, including computers off of the network, they can still access their accounts. These types of mobile accounts are called external accounts. An external account stores its local home folder on the external drive and doesn't create a local home folder on the computer it's accessed from. Except for
353. tified by a subnet number.
ISP (Internet service provider): A business that sells Internet access and often provides web hosting for e-commerce applications as well as mail services.
Kerberos: A secure network authentication system. Kerberos uses tickets, which are issued for a specific user, service, and period of time. After a user is authenticated, it's possible to access additional services without retyping a password (called single sign-on) for services that have been configured to take Kerberos tickets. Mac OS X Server uses Kerberos v5.
LDAP (Lightweight Directory Access Protocol): A standard client-server protocol for accessing a directory domain.
load balancing: The process of distributing client computers' requests for network services across multiple servers to optimize performance.
local directory domain: A directory of identification, authentication, authorization, and other administrative data that's accessible only on the computer where it resides. The local directory domain isn't accessible from other computers on the network.
local domain: A directory domain that can be accessed only by the computer it resides on.
local home directory: See local home folder.
local home folder: A home folder that resides on disk on the computer a user is logged in to. It's accessible only by logging directly in to the computer where it resides, unless you log in to the computer using SSH.
local hostname: A name that designates a co
354. ting a User's Print Quota
Occasionally a user exceeds his or her print quota and needs to print additional pages. For example, an administrator might want to print a 200-page manual, but the print quota is only 150 pages. Or a student may exceed his or her quota by printing several revisions of the same essay. You can use Workgroup Manager to reset a user's print quota and allow the user to continue printing. You can also extend a user's page limit without resetting the quota time period by changing the number of pages allowed for the user. In this way, the time period for the quota remains the same and is not reset, but the number of pages the user can print during that period is adjusted for both the current and future print quota periods.
To restart a user's print quota using Workgroup Manager: 1 In Workgroup Manager, click Accounts. 2 Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list. To authenticate, click the lock and enter the name and password of a directory domain administrator. Click Print Quota. If you're managing All Queues, click Restart Print Quota. If you're managing Per Queue, choose a print queue from the Queue Name pop-up menu and then click Restart Print Quota. To increase or decrease a user's page limit, enter a new numbe
355. tion compatibility and efficient operation, but may decrease security. If you don't manage Applications settings for computers running Mac OS X v10.5 or later, Legacy settings are used.
To set up a list of accessible applications: In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more users, groups, computers, or computer groups. Click Applications and then click Legacy. Set the management setting to Always. Select "User can only open these applications" or "User can open all applications except these." Add items to and remove items from the list. To select multiple items, hold down the Command key. To allow access to applications stored on the user's local hard disk, select "User can also open all applications on local volumes." To allow helper applications, select "Allow approved applications to launch non-approved applications." To allow use of UNIX tools, select "Allow UNIX tools to run." Click Apply Now.
Managing Classic Preferences
You use Classic preferences to set Classic startup options, assign a Classic System Folder, set sleep options for the Classic environment, and make specific Apple menu items available to users. The Classic System Folder is a Mac OS 9 System
356. tion files.
File Services Administration: Share selected server volumes or folders among server clients using the AFP, NFS, FTP, and SMB protocols.
iCal Service Administration: Set up and manage iCal shared calendar service.
iChat Service Administration: Set up and manage iChat instant messaging service.
Mac OS X Security Configuration: Make Mac OS X computers (clients) more secure, as required by enterprise and government customers.
Mac OS X Server Security Configuration: Make Mac OS X Server and the computer it's installed on more secure, as required by enterprise and government customers.
Mail Service Administration: Set up and manage IMAP, POP, and SMTP mail services on the server.
Network Services Administration: Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall, NAT, and RADIUS services on the server.
Open Directory Administration: Set up and manage directory and authentication services, and configure clients to access directory services.
Podcast Producer Administration: Set up and manage Podcast Producer service to record, process, and distribute podcasts.
Print Service Administration: Host shared printers and manage their associated queues and print jobs.
QuickTime Streaming and Broadcasting Administration: Capture and encode QuickTime content. Set up and manage QuickTime streaming service to deliver media streams live or on demand.
Server Admin
357. tions. In SMB, select "Share this item using SMB." To allow unregistered users access to the share point, select "Allow SMB guest access." For greater security, don't select this item. To change the name that clients see when they browse for and connect to the share point using SMB, enter a new name in the Custom SMB name field. Changing the custom SMB name doesn't affect the name of the share point itself, only the name that SMB clients see. Select the type of locking for this share point:
• To allow clients to use opportunistic file locking, select Enable oplocks. Important: Do not enable oplocks for a share point that's using a protocol other than SMB. For more information on oplocks, see File Services Administration.
• To set standard locks on server files, select Enable strict locking.
Note: For servers earlier than Mac OS X Server v10.2.4, opportunistic locking is always on and strict locking is always off. Avoid using Workgroup Manager from Mac OS X Server v10.3 or later to view locking settings for earlier servers. It can display incorrect information about the settings.
Choose a method for assigning default UNIX access permissions for new files and folders in the share point. To set new items to adopt permissions of the enclosing item, select "Inherit permissions from parent." To assign specific permissions, select "Assign as
358. too quickly for some users, you can adjust how soon the pointer begins to move and how fast it moves.
To control mouse and pointer settings: In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more users, groups, computers, or computer groups. Click Universal Access. Click Mouse and then select a management setting. To activate Mouse Keys, select Mouse Keys On. To control how long it takes for the pointer to begin moving, adjust the Initial Delay slider. To control how fast the pointer moves, adjust the Maximum Speed slider. Click Apply Now.
Enabling Universal Access Shortcuts
Universal Access Shortcuts are key combinations that activate an available access feature, such as onscreen zooming or enabling Sticky Keys. If you choose not to allow Universal Access shortcuts, users might not be able to use features such as Zoom or turn off activated features such as Sticky Keys.
To allow Universal Access Shortcuts: In Workgroup Manager, click Preferences. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and passw
359. tory domain administrator. Click Mail, select None, and then click Save.
Forwarding a User's Mail
You can use Workgroup Manager to set up mail forwarding for users whose accounts are stored in an Open Directory domain or the local directory domain.
To forward a user's mail using Workgroup Manager: In Workgroup Manager, click Accounts. Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list. To authenticate, click the lock and enter the name and password of a directory domain administrator. Click Mail, select Forward, and then enter the forwarding mail address in the Forward To field. Make sure you enter the correct address; Workgroup Manager doesn't verify that the address exists. Click Save.
Working with Print Quota Settings
User print settings define the ability of a user to print to accessible Mac OS X Server print queues. For information about how to set up print queues, see Print Service Administration. In Workgroup Manager, use the Print Quota pane in the user account to work with print quota settings.
Enabling a User's Access to All Available Print Queues
You can use Workgroup Manager to allow a user to print to all or some of the accessible Mac OS X print queues that enforce quotas.
To use Workgroup Manager to enable access to
360. tory domain, or other read/write directory domain. You can modify accounts in an Open Directory domain if you're authorized to administer the directory domain. You don't need server administrator privileges, but your user ID must have limited or full administrative privileges, which are set in the Privileges pane of Accounts in Workgroup Manager. For more information, see Working with Privileges on page 70.
To make changes to a user account: In Workgroup Manager, click Accounts. Make sure that the directory services of the Mac OS X Server computer you're using are configured to access the desired directory domain. For instructions, see Open Directory Administration. Click the globe icon and then choose the domain where the user's account resides. If the directory domain is not listed, add it to the pop-up menu by choosing Other. In the dialog that appears, select the domain and then click OK. To authenticate, click the lock and enter the name and password of a directory domain administrator. Click the Users button and select the user account. In the panes provided, edit settings for the user account. For details, see Working with Basic Settings on page 63 through Working with Windows Settings on page 85.
From the Command Line: You can also edit user account information using the dscl command in Terminal. For more information, see the users and groups chapter of Command Line Admi
361. tory server set up, you might be able to use existing account records. For details about accessing existing directories, see Open Directory Administration. For information about working with Open Directory groups and computer groups, see Chapter 5, Setting Up Group Accounts, and Chapter 6, Setting Up Computers and Computer Groups. Note: If all domains are not finalized when you're ready to start adding user and group accounts, add the accounts to any directory domain that exists on your server (the local directory domain is always available). You can move users and groups to another directory domain later by using your server's export and import functions. Passwords are not retained when exporting and importing account information. For more information, see the appendix, Importing and Exporting Account Information.
Determining Server and Storage Requirements
When planning for server needs, you must first acquire the following information:
• The number of concurrently connected computers, which affects network traffic and server response times
• The number of user accounts, which affects the amount of storage space required to store user files
Directory services, including authentication and user management, require one Open Directory master or replica for every 1000 computers, regardless of the number of total user accounts. For example, if you have 400 computers and 2000 users, you need one Open Directory master for authent
362. trol over 70; group accounts 90; guest computers 107; home folder storage 115; local 35, 46, 57, 122; login 245; mobile accounts 132; proxy server settings 213, 214; purpose of 26; read-only 59; search policies 47; security 32, 43; setup 31, 43; shared 31, 245; user accounts in 46, 47, 48, 57, 58. See also LDAP; Open Directory.
drives: See disks.
drop boxes 129
dscl tool 42, 58, 59
dsexport tool 254
dsimport tool 251
duplication of settings: See presets.
DVDs, preferences 200
Dynamic Host Configuration Protocol: See DHCP.
E
Energy Saver: desktop settings 177; management limitations 157; overview 149; portable settings 177, 179, 180; scheduling computer activity 181; sleep/wake settings 177
error messages 250. See also troubleshooting.
Everyone user category 28, 59
exporting: accounts 53, 254; groups 254; overview 251; passwords 252; users 254; XML files 255, 256. See also importing.
eXtensible Markup Language: See XML.
external accounts 134, 144, 192, 208
F
fast user switching 191
file name extensions, visibility of 184
files: accessing 28, 247; caching of 132, 136; exporting XML 255, 256; extensions for 184; importing XML 255, 256; inheritance of permissions 93
file services: AFP 114, 117, 123; FTP 215; NFS 78, 114, 118, 123. See also share points.
file sharing, portable computers 142
File Transfer Protocol: See FTP.
FileVault 144, 205
Finder: desktop view 187; disc burning access 186; disk access 183, 185; ejecting disks 185; f
363. trol various aspects of Finder menus and windows, which can help improve or control workflow. For example, you can simplify the user experience by enabling Simple Finder. You can also prevent users from writing to or ejecting disks. The table below summarizes what you can do with each Finder preference pane.
Finder preference pane | What you can control
Preferences | Finder window behavior, Simple Finder, whether open items appear on the desktop, filename extension visibility, and the Empty Trash warning
Commands | Whether commands in Finder menus and the Apple menu are available to users. These allow users to perform tasks such as connecting to servers or restarting the computer.
Views | Allow you to adjust the arrangement and appearance of items on a user's desktop, in Finder windows, and in the top-level folder of the computer
Setting Up Simple Finder
You can select the normal Finder or Simple Finder as the user environment.
• The normal Finder looks and acts like the standard Mac OS X desktop.
• Simple Finder removes the ability to use a Finder window to access applications or modify files. This limits users' access to only what is in the Dock. If you enable Simple Finder, users can't mount network volumes, create folders, or delete files.
In addition to using Workgroup Manager, you can use System Preferences to set up Simple Finder on a local computer. When you use Workgroup Manager to apply the Simple Finder environmen
364. tructions on mapping LDAPv3 attributes or connecting to Active Directory, see Open Directory Administration.
To create a user account: In Workgroup Manager, click Accounts. Make sure the directory services of the Mac OS X Server computer you're using are configured to access the directory domain. For instructions, see Open Directory Administration. Click the globe icon and then choose the domain where you want the user's account to reside. For Mac OS X Server v10.5 or later, Local and Local Default refer to the local directory domain. To authenticate, click the lock and enter the name and password of a directory domain administrator. Choose Server > New User, or click New User in the toolbar. In the panes provided, specify settings for the user. For details, see Working with Basic Settings on page 63 through Working with Windows Settings on page 85. You can also use a preset or an imported file to create a user account. For details, see Using Presets to Create Accounts on page 62 and Using Workgroup Manager to Import Accounts on page 253.
From the Command Line: You can also create user accounts using the dscl command in Terminal. For more information, see the users and groups chapter of Command Line Administration.
Editing User Account Information
You can use Workgroup Manager to change a user account that resides in an Open Directory domain, the local direc
365. ts
Adding to the Preference Editor's List 232
Editing Application Preferences with the Preference Editor 234
Removing an Application's Managed Preferences in the Preference Editor 235
Using the Preference Editor to Manage Core Services 236
Using the Preference Editor to Manage Safari 237
Chapter 11 Solving Problems 239
Diagnosing Common Network Issues 239
Testing Your Network's Time and Time Zones 239
Testing Your DNS Service 240
Testing Your DHCP Service 241
Solving Account Problems 242
If You Want to Use Earlier Versions of Workgroup Manager 242
If You Can't Edit an Account Using Workgroup Manager 242
If Users Can't See Their Names in the Login Window 242
If You Can't Unlock an LDAP Directory 242
If You Can't Modify a User's Open Directory Password 243
If You Can't Change a User's Password Type to Open Directory 243
If You Can't Assign Server Administrator Privileges 243
If Users Can't Log In or Authenticate 243
If Users Relying on a Password Server Can't Log In 244
If Users Can't Log In with Accounts in a Shared Directory Domain 245
If Users Can't Access Their Home Folders 245
If Users Can't Change Their Passwords 245
If Users Can't Authenticate Using Single Sign-On or Kerberos 245
Problems with a Primary or Backup Domain Controller 245
If a Windows User Can't Log in to the Windows Domain 245
If a Windows User Has N
366. ts sync, the user's computer scans every folder in the local home folder and compares them with all folders in the network home folder. This scanning is unnecessary when only a few folders change and require syncing. If you enable the option, a server daemon updates the database of changed files. The user's computer scans only the folders in the local home folder that have been modified since the last time the database was updated. To enable the option, TCP port 2336 must be open on your file server's firewall.
To optimize the file server for mobile accounts: In Server Admin, click the disclosure triangle for the server hosting network home folders for mobile accounts. If Firewall isn't listed, select the server, click Settings, click Services, select Firewall, and then click Save. Select Firewall, click Settings, and then click Services. Choose the address range for your users' computers from the "Edit Services for" pop-up menu. Select "Allow only traffic from <ipaddress> to any of these ports," select the Allow checkbox for Mobile Account Sync (port 2336), and then click Save. Select the server, click Settings, and then click General. Select "Server Side File Tracking for Mobile Home Sync" and then click Save.
Client Management Overview
This chapter provides an introduction to
367. twork home folder that will be mounted when a Windows user logs in to a Windows domain. Normally the same network home folder is also mounted if the user logs in on a Mac OS X computer. You can also set up separate home folders if you prefer. You can create a home folder in any existing share point, or you can create the home folder in the Users folder, a predefined share point. To create a home folder in a new share point, create the share point first. The share point for a Windows home folder must be on a Windows domain member server or the PDC server and use the SMB protocol. For instructions, see Setting Up an SMB Share Point on page 119. If the share point will be used for Mac OS X home folders, it must also use AFP or NFS and have a network mount record configured for home folders. Set the Windows home folder for a user account in the Mac OS X Server PDC's LDAP directory. If you have a BDC, the PDC server replicates changes to it.
To set up a home folder in an existing share point: In Workgroup Manager, open the user account where you want to set up a home folder. To open an account, click Accounts, click the globe icon below the toolbar, and then open the PDC's LDAP directory. To edit home folder information, click the lock to authenticate as an LDAP directory domain administrator and then select the user in the user list. If you want to use the same network home folder for Windows as for Mac OS X, click Home, specify the sh
368. types and attributes, see Open Directory Administration. For a more complete list of attributes, enter man DirectoryServiceAttributes or view the DirServicesConst.h file.
Limitations for Importing and Exporting Passwords
When creating or overwriting records, you must reset passwords for user accounts with Open Directory or shadow passwords. Importing passwords generally works if the password is a plain-text string in the import file. Additionally, you must set the AuthMethod attribute so Workgroup Manager can import the password. Encrypted passwords (in hash format) in the import file can't be recovered. Passwords can't be exported using Workgroup Manager or any other method. If you import user accounts from an export file, remember to manually set passwords or set default passwords to a known value. Before exporting user accounts or after importing them, you can set up a password policy that requires users to change their password at first login. For instructions on configuring password options, see Choosing a Password Type and Setting Password Options on page 74.
Maintaining GUIDs When Importing from Earlier Versions of Mac OS X Server
Globally unique identifiers (GUIDs) are used to verify user and group identity for ACL permissions and to manage user membership in groups and hierarchical groups. When you use Workgroup Manager or the dsimport tool to import users and groups created on versions of Mac OS X Server ea
369. u are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. Select one or more users, groups, computers, or computer groups. Click Mobility, click Rules, and then click Options. Set the management setting to Always. Select "Show status in menu bar." Click Apply Now.
Managing Network Preferences
Use Network preferences to select and configure proxy servers that can be used by users and groups. You can bypass proxy settings for specific hosts and domains. This has the advantage of providing a customized browsing experience for managed users and groups. You can also disable Internet Sharing, AirPort, or Bluetooth. Disabling these can improve security by removing avenues for attack. The table below describes what settings in each Network pane can do.
Network preference pane | What you can control
Proxies | Access to proxy servers, the ability to bypass proxy settings, and use of passive FTP mode
Sharing & Interfaces | Availability of Internet Sharing from the computer and use of AirPort or Bluetooth
Configuring Proxy Servers by Port
You can configure specific types of proxies for a user or group to access and specify the port. The types of proxy servers that are individually modifiable are FTP, Web (HTTP), Secure Web (HTTPS), Streaming (RTSP), SOCKS, Gopher, and Automatic Proxy Configuration.
u can easily change the appearance of a computer's login window. These settings include the login window's heading message, which users are listed and how, and the display of the Restart and Shut Down buttons. These settings apply only to computers and computer groups.

When you display a list of users, you can choose which types of users to list. The effect of these settings depends on the version of Mac OS X installed on client computers.

List setting (Mac OS X version): Effect
Show local users (10.4): Lists local accounts and mobile accounts with a local home folder
Show local users (10.5): Lists local accounts
Show mobile accounts (10.4): N/A
Show mobile accounts (10.5): Lists mobile accounts with a local home folder and external accounts
Show network users (10.4 and 10.5): Lists network accounts and mobile accounts without a local home folder
Show computer administrators (10.4 and 10.5): Lists local system administrators
Show Other (10.4 and 10.5): Displays name and password text fields, allowing the user to authenticate with a local or network-based account

Chapter 10 Managing Preferences

The directory administrator account is considered a network account and is therefore hidden when you don't show network users. Another way to hide this account would be to set the directory administrator account's user ID to below 100. For more information, see
u want to associate with the computer, and click OK.
Click Network, enter the Ethernet ID for the computer and its IP address (if the computer receives a static IP), and then click Save. The Ethernet ID is required to identify the computer.

Working with Guest Computers

If an unknown computer (one that doesn't have a computer account) connects to your network and attempts to access services, that computer is treated as a guest computer. Settings for the guest computer account apply to these unknown computers.

To apply specific management settings to a computer, don't use the guest computer account to manage it. Create a computer account for it.

Note: You can't change the name of a guest computer. Because the Guest Computer account is associated with all unknown computers, you can't enter network settings to identify the computer.

To set up the guest computer account:
1. In Workgroup Manager, click Accounts.
2. Click the globe icon and choose the directory domain that contains the guest computer account.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click the Computers button on the left.
5. Choose Server > Create Guest Computer.
6. Select the Guest Computer account.
7. Click General, enter a comment or add keywords, and then click Save.

Working with Windows Computers

Every Windows computer that joins the Windows domain of a Mac OS X Server primary domain controller (PDC) must have
u want to display in the list.
To ensure that a type of user doesn't show up in the list, deselect the corresponding setting.
To display mobile accounts on client computers with Mac OS X v10.5 or later, select Show mobile accounts.
To display mobile accounts on client computers with Mac OS X v10.4 installed, select Show local users.
To allow unlisted users to log in, select Show Other.
To allow the user to restart the computer, select Show Restart button. If the user has physical access to the computer, he or she can still restart the computer.
To allow the user to shut down the computer, select Show Shut Down button. If the user has physical access to the computer, he or she can still shut down the computer. You might also want to remove the Restart and Shut Down commands from the Finder. For more information, see Managing Finder Preferences on page 182.
Click Apply Now.

Configuring Miscellaneous Login Options

You can configure the following login options that don't change the appearance of the login window but affect how users log in.

Option: What this does when enabled
Show password hint when needed and available: If the user supplied a password hint and he or she enters an incorrect password three times, the password hint appears
Enable automatic login: If the computer's local settings enable Automatic Login, the login window is bypa
ubsequent backups.

To manage Time Machine preferences:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more computers or computer groups.
4. Click Time Machine.
5. Set the management setting to Always.
6. In the Backup server field, enter the URL of the file server or share point that will store Time Machine backups. Use the form afp://www.example.com/Backups. Replace www.example.com/Backups with the URL of the file server or share point. The location you enter must already exist.
7. To select which volumes to back up, select Startup volume only or All local volumes.
8. To back up system files, deselect Skip system files.
9. To use automatic backup, select Back up automatically.
10. To limit backup storage, select Limit total backup storage to MB, and replace with the number of MB to limit backup storage.
11. Click Apply Now.

Managing Universal Access Preferences

Universal Access settings can help improve the user experience for some users. For example, if a user has difficulty using a computer or wants to work in a different way, you can choose settings that enable the user to work more effectively. Using Workgroup Manager, you can set up and man
unts Are Stored

User accounts, group accounts, computer accounts, and computer groups are stored in a directory domain available to any Mac OS X computer. A directory domain can reside on a Mac OS X computer (for example, an Open Directory domain or other read/write directory domain), or it can reside on a non-Apple server (for example, a non-Apple LDAP or Active Directory server).

For Windows file service and other services, you can store user accounts in any directory domain accessible from the server that needs to authenticate users for a service. If the user account is used for Windows domain login from a Windows computer, you must store it in the LDAP directory of the Mac OS X Server that is the primary domain controller (PDC), or in a copy of the LDAP directory on a backup domain controller (BDC).

A Windows user account that is not stored in the PDC server's LDAP directory can be used to access other services. For example, Mac OS X Server can authenticate users with accounts in the server's local directory domain for the server's Windows file service. Mac OS X Server also authenticates users with accounts on other directory systems, such as an Open Directory master on another Mac OS X Server system or Active Directory on a Windows server. For complete information about the different kinds of directory domains, see Open Directory Administration.

Predefined User Accounts

The following table describes user accounts that
up with mobile account creation enabled, they are given individual mobile accounts. Similarly, if you enable mobile accounts for a computer or a computer group, when users log in using the computer (or a computer in the computer group), they are given individual mobile accounts for that computer.
Click Mobility, click Account Creation, and then click Creation.
Set the management setting to Always.
Select Create mobile account when user logs in to network account.
If you want the user to decide whether to enable a mobile account at login, select Require confirmation before creating mobile account. If this option is selected, the user sees a confirmation when logging in. The user can click Create Now to create a local home folder and enable the mobile account, click Don't Create to log in as a network user without enabling the mobile account, or click Cancel Login to return to the login window. If you select Show "Don't ask me again" checkbox, the dialog allows the user to prevent the display of the dialog on that computer. If the user selects Don't ask me again and then clicks Don't Create, he or she isn't asked to create a mobile account on that computer. The user can hold down the Option key during login to redisplay the dialog.
To initially sync local and network homes so that the network home folder replaces the local home folder, choose Create home with default sync settings. To create the local home fo
use Classic. If there is more than one Mac OS 9 System Folder on a computer's startup disk, or if you want to use a Mac OS 9 System Folder on a different disk, enforce the use of a specific folder when Classic is in use. If you specify a path to the folder's location, it is important that all clients have the Mac OS 9 System Folder in the same relative location on their hard disks.

If multiple Mac OS 9 System Folders are available and you don't enforce settings in the Startup pane of the Classic preference, users can choose from among available Mac OS 9 System Folders if they have access to the Classic pane of System Preferences.

To choose a specific Classic System Folder:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Classic, and then click Startup.
5. Set the management setting to Always.
6. In the "Use this System Folder when Classic starts" field, enter the path to the Classic System Folder (for example, /Volumes/VolumeName/System Folder), or click Choose and then browse to the folder you want. Make sure the path to the Classic System Folder on the client computer is the same as the path to the Classic System Folder on the administrator comput
user accounts, group accounts, computer accounts, and computer groups are created, you can manage preferences for them using the Preferences pane in Workgroup Manager. To manage preferences for Mac OS X clients, make sure that each user you want to manage has a network home folder or a local home folder on the server. For information about how to set up home folders for users, see Chapter 7, Setting Up Home Folders.

Note: When you manage preferences for a user, group, or computer, an arrow icon appears next to the managed preference in the Preferences pane to indicate that you're managing that preference. You can select multiple users, groups, or computers to review managed preferences. If the arrow icon is dimmed, it means managed preference settings are mixed for the selected items.

Managing User Preferences

You can manage preferences for users as needed. However, if you have large numbers of users, it may be more efficient to manage most preferences by group and computer. You might want to manage preferences at the user level only for specific individuals, such as directory domain administrators, teachers, or technical staff.

Consider which preferences you want to leave under user control. For example, if you aren't concerned about where a user places the Dock, you might want to set Dock Display management to Never or Once.

To manage user preferences:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is select
user at first login. When the user's local home folder is created, it's based on a template stored on the local computer. The user's network home folder is based on a template stored on the server hosting home folders. When you modify these templates, you change the user's default home folder structure and content, and you can modify the Library folder, allowing you to set default bookmarks and application preferences. You can choose whether local and network home folders initially sync, in which case the network home folder replaces the local home folder.

You must authenticate as root to change the template stored in /System/Library/User Template/language.lproj. Replace language with the language used on the client computer, such as English.

Note: When a mobile account is enabled, it appears in the login window and in the Accounts pane of System Preferences with the label Mobile. When the account is selected in the Accounts pane, some settings may appear dimmed.

To create a mobile account using Workgroup Manager:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select a user account, group account, computer, or computer group. When users log in to a workgro
ve. If you don't specify a volume, the location is on the startup volume. If you select "user chooses", choose a type of volume from the pop-up menu to allow the user to store his or her local home folder on that type of volume.
Click Apply Now.

Creating External Accounts

An external account is a mobile account where the local home folder is stored on an external drive, allowing the user access to his or her account on any computer with Mac OS X v10.5 or later. The user's local home folder is stored entirely on the external drive and leaves no remnants on computers. External accounts also save hard disk space on the computer, which is especially important if you don't set an account expiration or if many users create mobile accounts with local home folders on the same computer.

You can choose one of three ways to determine the location of the external account. All of these ways can be used to set up external accounts:
• If you set the location to "on startup volume", the mobile account doesn't immediately become an external account. After creating the local home folder, if the user starts target disk mode on the computer and connects it to a client computer, the mobile account then becomes an external account.
• If you set the location to "at path", you can enter the path for the mobile account's local home folder. If you enter a path for an external drive, a local home folder is created on the external drive after the user l
ver to access directory domains, see Open Directory Administration.

After you choose directory domains, all accounts residing in those domains are listed.
• You can list users, groups, computers, or computer groups by clicking the Users, Groups, Computers, or Computer Groups buttons above the search filter.
• To sort a list, click a column heading. An arrow shows the sort order (ascending or descending), which you can reverse by clicking the column heading again.
• You can search for specific items in the list by typing in the field above the accounts list. To choose the search criteria, use the Search (magnifying glass) pop-up menu.

To work with accounts, select them. Settings for the selected accounts appear in the pane to the right of the list. Available settings vary depending on which pane you're viewing.

Listing Accounts in the Local Directory Domain

When you list accounts in the local directory domain, you list all local accounts. These local accounts can only be accessed by users of the local computer or server, not by users of client computers.

Services and programs running on a server can access the server's local directory domain. Programs running on a client computer, such as the client computer's login window, can't access the server's local directory domain. If a server hosts file services, users with accounts from the server's local directory domain can authenticate with the file services.
ver you want to automatically open, and then click Add.
For any item you don't want the user to see right away, select its Hide checkbox. The application remains open, but its windows and menu bar remain hidden until the user activates the application (for example, by clicking its icon in the Dock).
To automatically connect the user to a server, select the server and then select Mount share point with user's name and password. The server must use the same directory domain as the one the user logs in to.
If you don't want users to have the ability to add and remove items, deselect User may add and remove additional items. This option is available only if Login Items preferences are always managed. If you only manage Login Items preferences Once, a user can remove any items added to the login list. Users can't remove items added to the login items list, but they can remove items they've added themselves.
To prevent users from stopping applications that open automatically at login, deselect User may press Shift to keep items from opening. This option is available only if Login Items preferences are always managed.
If you select Once, you can click Merge with user's items. This produces two results, depending on whether the user has items in their login list. If the user has items listed in their login list (either by the user adding them or by havin
website. In the Address field, enter the highest-level URL of the site. For example, allowing http://www.example.com lets the user view all pages in www.example.com. Allowing http://www.example.com/allowed lets the user view content stored in www.example.com/allowed, including all subfolders in allowed, but not folders located outside of allowed.
To create folders to organize websites, click the New Folder (folder) button, then double-click the folder to rename it.
To add URLs within a folder, open the folder's disclosure triangle, select the folder, and then click the Add button.
To create a subfolder, open a folder's disclosure triangle, select the folder, and then click the New Folder (folder) button.
To change the name or URL of a website, double-click the website entry; to rename a folder, double-click the folder entry.
To rearrange websites or folders, drag the websites or folders within the list.
Click Apply Now.

Setting Time Limits and Curfews on Computer Usage

You can use Workgroup Manager to set time limits and curfews for computer usage on computers with Mac OS X v10.5 or later.

If you set a time limit for computer usage, users who meet their daily time limits can't log in until the next day, when their quota is reset. You can set different time limits for weekdays (Monday through Friday) and weekends (Saturday and Sunday). The time limit can range from 30 minutes to
ws
Hiding the Alert Message When a User Empties the Trash
Making Filename Extensions Visible
Controlling User Access to Remote Servers
Controlling User Access to an iDisk
Preventing Users from Ejecting Discs
Hiding the Burn Disc Command in the Finder
Controlling User Access to Folders
Removing Restart and Shut Down from the Apple Menu
Adjusting the Appearance and Arrangement of Desktop Items
Adjusting the Appearance of Finder Window Contents
Managing Login Preferences
Changing the Appearance of the Login Window
Configuring Miscellaneous Login Options
Choosing Who Can Log In
Customizing the Workgroups Displayed at Login
Enabling the Use of Login and Logout Scripts
Choosing a Login or Logout Script
Automatically Opening Items After a User Logs In
Providing Access to a User's Network Home Folder
Providing Easy Access to the Group Share Point
Managing Media Access Preferences
Controlling Access to CDs, DVDs, and Recordable Discs
Controlling Access to Hard Drives, Disks, and Disk Images
Ejecting Removable Media Automatically When a User Logs Out
Managing Mobility Preferences
Creating a Mobile Account
Preventing the Creation of a Mobile Account
Manually Removing Mobile Accounts from Computers
Enabling FileVaul
y group information for any directory domain accessible from the server you're using.

To set a primary group ID using Workgroup Manager:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
4. Click Groups, and then edit or review the Primary Group ID field. Workgroup Manager displays long and short names for the group after you enter a primary group ID if the group exists and is accessible in the search policy of the server you're logged in to.

Chapter 4 Setting Up User Accounts

Reviewing a User's Group Memberships

You can use Workgroup Manager to review the groups a user belongs to if the user account resides in a directory domain accessible from the server you're using. You can view all groups the user belongs to and the parent groups of those groups.

To review group memberships using Workgroup Manager:
1. In Workgroup Manager, click Accounts.
2. Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user account in the accounts list.
3. To authenticate, click the lock and enter the name and password of a directory domain administrator.
y user and group attributes. For more information about user account elements that may need to be mapped, see Understanding What You Can Import and Export on page 251.

To create users in an Active Directory domain, use Active Directory administration tools on a Windows computer. You can't use Workgroup Manager to create user accounts, group accounts, computer accounts, or computer groups in a standard Active Directory domain. If you extend the schema of the Active Directory domain, you can create computer groups in Active Directory.

To create user accounts for Windows users, create them on a Mac OS X Server PDC, which creates them in the server's LDAP directory. Windows users with accounts on the PDC server can log in to the Windows domain from a Windows workstation. These user accounts can be used to authenticate to Windows file service and other services, and to Mac OS X computers on the network. You can create user accounts in the Mac OS X Server PDC LDAP directory, but not in a BDC (read-only) LDAP directory. If you have a BDC, the PDC server replicates the new accounts to the BDC.

If you create user accounts in a server's local directory domain, you can only authenticate for services provided by that server. You can't use these accounts to log in to a Mac OS X client computer or to perform Windows domain login. However, Windows users can authenticate with Windows file service, mail service, and other platform-neutral services. For ins
ying glass) pop-up menu, choose an option to describe what you want to find, and then type search terms in the search field. The original list is replaced by items that satisfy your search criteria. If you enter a user name, both full and short user names are searched. If you enter a group name, short group names are searched.

When the domains you're working with contain thousands of accounts, choose Workgroup Manager > Preferences and do the following:

To do this: Do this
Avoid listing accounts until a filter is specified: Select Limit search results to requested records
List all accounts in the selected directory domain: Type (without quotes) in the search field
Specify the maximum number of accounts to list: Select List a maximum of n records, and then enter a number no greater than 32,767

Using Advanced Search

Use the Search button in the toolbar to locate specific users or groups by searching several fields relevant to them. You can then batch edit these search results. For more information about batch editing, see Editing Multiple Accounts Simultaneously on page 51.

You can search across several fields:
• Record Name
• Real Name
• User ID
• Comment
• Keyword
• Group ID

Chapter 3 Getting Started with Workgroup Manager

There are several field options:
• Is less than
• Is greater than
• Is
• Contains

To locate users or groups in the Accounts or Prefe
ype.

To make filename extensions visible:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Finder, click the Preferences tab, and then select a management setting.
5. Select Always show file extensions.
6. Click Apply Now.

Controlling User Access to Remote Servers

Users can connect to a remote server by choosing the Connect to Server command in the Finder Go menu and providing the server's name or IP address. If you don't want users to access this menu item, you can hide the command.

To hide the Connect to Server command:
1. In Workgroup Manager, click Preferences.
2. Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3. Select one or more users, groups, computers, or computer groups.
4. Click Finder, click Commands, and then set the management setting to Always.
5. Deselect Connect to Server.
6. Click Apply Now.

Controlling User Access to an iDisk

If users want to connect to an iDisk, they can choos