Mac OS X Server
User Management For Version 10.5 Leopard
Apple Inc.
© 2007 Apple Inc. All rights reserved.
The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.

Every effort has been made to ensure that the information in this manual is accurate. Apple Inc. is not responsible for printing or clerical errors.

Apple
1 Infinite Loop
Cupertino, CA 95014-2084
408-996-1010
www.apple.com

Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.
Apple, the Apple logo, AirPort, AppleShare, Bonjour, FireWire, iCal, iTunes, Mac, Mac OS, MacBook, Macintosh, QuickTime, SuperDrive, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop, Extensions Manager, Finder, iWork, and Safari are trademarks of Apple Inc. Mac is a service mark of Apple Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. The Bluetooth® word mark and logos are registered trademarks owned by the Bluetooth SIG, Inc. and any use of such marks by Apple is under license. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. UNIX is a registered trademark of The Open Group. Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance of these products. 019-0938/2007-09-01
Contents

Preface: About This Guide
What's New in Workgroup Manager
What's in This Guide
Using Onscreen Help
Mac OS X Server Administration Guides
Viewing PDF Guides Onscreen
Printing PDF Guides
Getting Documentation Updates
Getting Additional Information

Chapter 1: User Management Overview
Tools for User Management
Workgroup Manager
Server Admin
Server Preferences
NetBoot
NetInstall
Command-Line Tools
Accounts
Administrator Accounts
User Accounts
Group Accounts
Computer Accounts
Computer Groups
The User Experience
Authentication and Identity Validation
Information Access Control

Chapter 2: Getting Started with User Management
Setup Overview
Planning Strategies for User Management
Analyzing Your Environment
Identifying Directory Services Requirements
Determining Server and Storage Requirements
Choosing a Home Folder Structure
Devising a Home Folder Distribution Strategy
Identifying Groups
Determining Administrator Requirements

Chapter 3: Getting Started with Workgroup Manager
Configuring the Administrator's Computer and Account
Setting Up an Administrator Computer
Creating a Domain Administrator Account
Using Workgroup Manager
Using Mac OS X Server v10.5 to Administer Earlier Versions of Mac OS X
Connecting and Authenticating to Directory Domains in Workgroup Manager
Major Workgroup Manager Tasks
Modifying Workgroup Manager Preferences
Finding and Listing Accounts
Working with Account Lists in Workgroup Manager
Listing Accounts in the Local Directory Domain
Listing Accounts in Search Policy Directory Domains
Listing Accounts in Available Directory Domains
Refreshing Account Lists
Finding Specific Accounts in a List
Using Advanced Search
Sorting Users and Groups
Shortcuts for Working with Accounts
Using Presets
Editing Multiple Accounts Simultaneously
Importing and Exporting Account Information

Chapter 4: Setting Up User Accounts
About User Accounts
Where User Accounts Are Stored
Predefined User Accounts
Administering User Accounts
Creating User Accounts
Editing User Account Information
Working with Read-Only User Accounts
Working with Guest Users
Working with Windows User Accounts
Deleting a User Account
Disabling a User Account
Working with Presets
Creating a Preset for User Accounts
Using Presets to Create Accounts
Renaming Presets
Editing Presets
Deleting a Preset
Working with Basic Settings
Modifying User Names
Modifying Short Names
Choosing Stable Short Names
Avoiding Duplicate Names
Modifying User IDs
Assigning a Password to a User
Assigning Administrator Privileges for a Server
Choosing a User's Login Picture
Working with Privileges
Removing Administrative Privileges from a User
Giving a User Limited Administrative Capabilities
Giving a User Full Administrative Capabilities
Working with Advanced Settings
Enabling a User's Calendar
Allowing a User to Log In to More Than One Computer At a Time
Choosing a Default Shell
Choosing a Password Type and Setting Password Options
Creating a Master List of Keywords
Applying Keywords to User Accounts
Editing Comments
Working with Group Settings
Choosing a User's Primary Group
Reviewing a User's Group Memberships
Adding a User to a Group
Removing a User from a Group
Working with Home Settings
Working with Mail Settings
Enabling Mail Service Account Options
Disabling a User's Mail Service
Forwarding a User's Mail
Working with Print Quota Settings
Enabling a User's Access to All Available Print Queues
Enabling a User's Access to Specific Print Queues
Removing a Print Quota For a Queue
Resetting a User's Print Quota
Disabling a User's Access to Print Queues That Enforce Quotas
Working with Info Settings
Working with Windows Settings
Changing a Windows User's Profile Location
Changing a Windows User's Login Script Location
Changing a Windows User's Home Folder Drive Letter
Changing a Windows User's Home Folder Location
Working with GUIDs
Viewing GUIDs

Chapter 5: Setting Up Group Accounts
About Group Accounts
How Group Accounts Track Membership
Where Group Accounts Are Stored
Predefined Group Accounts
Administering Group Accounts
Creating Group Accounts
Creating a Preset for Group Accounts
Editing Group Account Information
Creating Hierarchical Groups
Upgrading Legacy Groups
Working with Read-Only Groups
Deleting a Group
Working with Basic Settings for Groups
Naming a Group
Defining a Group ID
Choosing a Group's Login Picture
Enabling a Group's Web Services
Working with Member Settings for Groups
Adding Users or Groups to a Group
Removing Group Members
Working with Group Folder Settings
Specifying No Group Folder
Creating a Group Folder
Designating a Group Folder for Use by Multiple Groups

Chapter 6: Setting Up Computers and Computer Groups
About Computer Accounts
Creating Computer Accounts
Working with Guest Computers
Working with Windows Computers
About Computer Groups
Differences Between Computer Groups and Computer Lists
Administering Computer Groups
Creating a Computer Group
Creating a Preset for Computer Groups
Using a Computer Group Preset
Adding Computers or Computer Groups to a Computer Group
Removing Computers and Computer Groups from a Computer Group
Deleting a Computer Group
Upgrading Computer Lists to Computer Groups

Chapter 7: Setting Up Home Folders
About Home Folders
Hosting Home Folders for Mac OS X Clients
Hosting Home Folders for Other Clients
Distributing Home Folders Across Multiple Servers
Administering Share Points
Setting Up a Share Point
Setting Up an Automountable AFP Share Point for Home Folders
Setting Up an Automountable NFS Share Point for Home Folders
Setting Up an SMB Share Point
Administering Home Folders
Specifying No Home Folder
Creating a Home Folder for a Local User
Creating a Network Home Folder
Creating a Custom Location for Home Folders
Setting Up a Home Folder for a Windows User
Setting Disk Quotas
Setting Disk Quotas for Windows Users to Avoid Data Loss
Using Presets to Choose Default Home Folders
Moving Home Folders
Deleting Home Folders

Chapter 8: Managing Portable Computers
About Mobile Accounts
About Portable Home Directories
Logging In to Mobile Accounts
Resolving Sync Conflicts
About External Accounts
Logging In to External Accounts
Considerations and Strategies for Deploying Mobile Accounts
Advantages of Using Mobile Accounts
Considerations for Using Mobile Accounts
Strategies for Syncing Content
Setting Up Mobile Accounts for Use on Portable Computers
Configuring Portable Computers
Managing Mobile Clients Without Using Mobile Accounts
Unknown Mac OS X Portable Computers
Using Mac OS X Portable Computers with One Primary Local User
Using Mac OS X Portable Computers with Multiple Users
Securing Mobile Clients
Optimizing the File Server for Mobile Accounts

Chapter 9: Client Management Overview
Using Network-Visible Resources
Customizing the User Experience
The Power of Preferences
Designing the Login Experience
Choosing a Workgroup
Working with Synced Homes
Improving Workflow

Chapter 10: Managing Preferences
Using Workgroup Manager to Manage Preferences
Understanding Managed Preference Interactions
Understanding Hierarchical Preference Management
Setting the Permanence of Management
Caching Preferences
Preference Management Basics
Managing User Preferences
Managing Group Preferences
Managing Computer Preferences
Managing Computer Group Preferences
Disabling Management for Specific Preferences
Managing Access to Applications
Controlling User Access to Specific Applications and Folders
Allowing Specific Dashboard Widgets
Disabling Front Row
Allowing Legacy Users to Open Specific Applications and Folders
Managing Classic Preferences
Selecting Classic Startup Options
Choosing a Classic System Folder
Allowing Special Actions During Restart
Controlling Access to Classic Apple Menu Items
Adjusting Classic Sleep Settings
Maintaining Consistent User Preferences for Classic
Managing Dock Preferences
Controlling the User's Dock
Providing Easy Access to Group Folders
Adding Items to a User's Dock
Preventing Users from Adding or Deleting Dock Items
Managing Energy Saver Preferences
Using Sleep and Wake Settings for Desktop Computers
Setting Energy Saver Settings for Portable Computers
Displaying Battery Status to Users
Scheduling Automatic Startup, Shutdown, or Sleep
Managing Finder Preferences
Setting Up Simple Finder
Keeping Disks and Servers from Appearing on the User's Desktop
Controlling the Behavior of Finder Windows
Hiding the Alert Message When a User Empties the Trash
Making Filename Extensions Visible
Controlling User Access to Remote Servers
Controlling User Access to an iDisk
Preventing Users from Ejecting Discs
Hiding the Burn Disc Command in the Finder
Controlling User Access to Folders
Removing Restart and Shut Down from the Apple Menu
Adjusting the Appearance and Arrangement of Desktop Items
Adjusting the Appearance of Finder Window Contents
Managing Login Preferences
Changing the Appearance of the Login Window
Configuring Miscellaneous Login Options
Choosing Who Can Log In
Customizing the Workgroups Displayed at Login
Enabling the Use of Login and Logout Scripts
Choosing a Login or Logout Script
Automatically Opening Items After a User Logs In
Providing Access to a User's Network Home Folder
Providing Easy Access to the Group Share Point
Managing Media Access Preferences
Controlling Access to CDs, DVDs, and Recordable Discs
Controlling Access to Hard Drives, Disks, and Disk Images
Ejecting Removable Media Automatically When a User Logs Out
Managing Mobility Preferences
Creating a Mobile Account
Preventing the Creation of a Mobile Account
Manually Removing Mobile Accounts from Computers
Enabling FileVault for Mobile Accounts
Selecting the Location of a Mobile Account
Creating External Accounts
Setting Expiration Periods for Mobile Accounts
Choosing Folders to Sync at Login and Logout, or in the Background
Stopping Files from Syncing for a M ...