User manual APPLE LEOPARD - USER MANAGEMENT

Mac OS X Server
User Management
For Version 10.5 Leopard

Apple Inc.
© 2007 Apple Inc. All rights reserved.

The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.

Every effort has been made to ensure that the information in this manual is accurate. Apple Inc. is not responsible for printing or clerical errors.

Apple
1 Infinite Loop
Cupertino, CA 95014-2084
408-996-1010
www.apple.com

Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

Apple, the Apple logo, AirPort, AppleShare, Bonjour, FireWire, iCal, iTunes, Mac, Mac OS, MacBook, Macintosh, QuickTime, SuperDrive, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop, Extensions Manager, Finder, iWork, and Safari are trademarks of Apple Inc. Mac is a service mark of Apple Inc.

Adobe and PostScript are trademarks of Adobe Systems Incorporated.

The Bluetooth® word mark and logos are registered trademarks owned by the Bluetooth SIG, Inc. and any use of such marks by Apple is under license.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

UNIX is a registered trademark of The Open Group.

Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance of these products.
019-0938/2007-09-01

Contents

Preface: About This Guide
  What's New in Workgroup Manager
  What's in This Guide
  Using Onscreen Help
  Mac OS X Server Administration Guides
  Viewing PDF Guides Onscreen
  Printing PDF Guides
  Getting Documentation Updates
  Getting Additional Information

Chapter 1: User Management Overview
  Tools for User Management
  Workgroup Manager
  Server Admin
  Server Preferences
  NetBoot
  NetInstall
  Command-Line Tools
  Accounts
  Administrator Accounts
  User Accounts
  Group Accounts
  Computer Accounts
  Computer Groups
  The User Experience
  Authentication and Identity Validation
  Information Access Control

Chapter 2: Getting Started with User Management
  Setup Overview
  Planning Strategies for User Management
  Analyzing Your Environment
  Identifying Directory Services Requirements
  Determining Server and Storage Requirements
  Choosing a Home Folder Structure
  Devising a Home Folder Distribution Strategy
  Identifying Groups
  Determining Administrator Requirements

Chapter 3: Getting Started with Workgroup Manager
  Configuring the Administrator's Computer and Account
  Setting Up an Administrator Computer
  Creating a Domain Administrator Account
  Using Workgroup Manager
  Using Mac OS X Server v10.5 to Administer Earlier Versions of Mac OS X
  Connecting and Authenticating to Directory Domains in Workgroup Manager
  Major Workgroup Manager Tasks
  Modifying Workgroup Manager Preferences
  Finding and Listing Accounts
  Working with Account Lists in Workgroup Manager
  Listing Accounts in the Local Directory Domain
  Listing Accounts in Search Policy Directory Domains
  Listing Accounts in Available Directory Domains
  Refreshing Account Lists
  Finding Specific Accounts in a List
  Using Advanced Search
  Sorting Users and Groups
  Shortcuts for Working with Accounts
  Using Presets
  Editing Multiple Accounts Simultaneously
  Importing and Exporting Account Information

Chapter 4: Setting Up User Accounts
  About User Accounts
  Where User Accounts Are Stored
  Predefined User Accounts
  Administering User Accounts
  Creating User Accounts
  Editing User Account Information
  Working with Read-Only User Accounts
  Working with Guest Users
  Working with Windows User Accounts
  Deleting a User Account
  Disabling a User Account
  Working with Presets
  Creating a Preset for User Accounts
  Using Presets to Create Accounts
  Renaming Presets
  Editing Presets
  Deleting a Preset
  Working with Basic Settings
  Modifying User Names
  Modifying Short Names
  Choosing Stable Short Names
  Avoiding Duplicate Names
  Modifying User IDs
  Assigning a Password to a User
  Assigning Administrator Privileges for a Server
  Choosing a User's Login Picture
  Working with Privileges
  Removing Administrative Privileges from a User
  Giving a User Limited Administrative Capabilities
  Giving a User Full Administrative Capabilities
  Working with Advanced Settings
  Enabling a User's Calendar
  Allowing a User to Log In to More Than One Computer At a Time
  Choosing a Default Shell
  Choosing a Password Type and Setting Password Options
  Creating a Master List of Keywords
  Applying Keywords to User Accounts
  Editing Comments
  Working with Group Settings
  Choosing a User's Primary Group
  Reviewing a User's Group Memberships
  Adding a User to a Group
  Removing a User from a Group
  Working with Home Settings
  Working with Mail Settings
  Enabling Mail Service Account Options
  Disabling a User's Mail Service
  Forwarding a User's Mail
  Working with Print Quota Settings
  Enabling a User's Access to All Available Print Queues
  Enabling a User's Access to Specific Print Queues
  Removing a Print Quota For a Queue
  Resetting a User's Print Quota
  Disabling a User's Access to Print Queues That Enforce Quotas
  Working with Info Settings
  Working with Windows Settings
  Changing a Windows User's Profile Location
  Changing a Windows User's Login Script Location
  Changing a Windows User's Home Folder Drive Letter
  Changing a Windows User's Home Folder Location
  Working with GUIDs
  Viewing GUIDs

Chapter 5: Setting Up Group Accounts
  About Group Accounts
  How Group Accounts Track Membership
  Where Group Accounts Are Stored
  Predefined Group Accounts
  Administering Group Accounts
  Creating Group Accounts
  Creating a Preset for Group Accounts
  Editing Group Account Information
  Creating Hierarchical Groups
  Upgrading Legacy Groups
  Working with Read-Only Groups
  Deleting a Group
  Working with Basic Settings for Groups
  Naming a Group
  Defining a Group ID
  Choosing a Group's Login Picture
  Enabling a Group's Web Services
  Working with Member Settings for Groups
  Adding Users or Groups to a Group
  Removing Group Members
  Working with Group Folder Settings
  Specifying No Group Folder
  Creating a Group Folder
  Designating a Group Folder for Use by Multiple Groups

Chapter 6: Setting Up Computers and Computer Groups
  About Computer Accounts
  Creating Computer Accounts
  Working with Guest Computers
  Working with Windows Computers
  About Computer Groups
  Differences Between Computer Groups and Computer Lists
  Administering Computer Groups
  Creating a Computer Group
  Creating a Preset for Computer Groups
  Using a Computer Group Preset
  Adding Computers or Computer Groups to a Computer Group
  Removing Computers and Computer Groups from a Computer Group
  Deleting a Computer Group
  Upgrading Computer Lists to Computer Groups

Chapter 7: Setting Up Home Folders
  About Home Folders
  Hosting Home Folders for Mac OS X Clients
  Hosting Home Folders for Other Clients
  Distributing Home Folders Across Multiple Servers
  Administering Share Points
  Setting Up a Share Point
  Setting Up an Automountable AFP Share Point for Home Folders
  Setting Up an Automountable NFS Share Point for Home Folders
  Setting Up an SMB Share Point
  Administering Home Folders
  Specifying No Home Folder
  Creating a Home Folder for a Local User
  Creating a Network Home Folder
  Creating a Custom Location for Home Folders
  Setting Up a Home Folder for a Windows User
  Setting Disk Quotas
  Setting Disk Quotas for Windows Users to Avoid Data Loss
  Using Presets to Choose Default Home Folders
  Moving Home Folders
  Deleting Home Folders

Chapter 8: Managing Portable Computers
  About Mobile Accounts
  About Portable Home Directories
  Logging In to Mobile Accounts
  Resolving Sync Conflicts
  About External Accounts
  Logging In to External Accounts
  Considerations and Strategies for Deploying Mobile Accounts
  Advantages of Using Mobile Accounts
  Considerations for Using Mobile Accounts
  Strategies for Syncing Content
  Setting Up Mobile Accounts for Use on Portable Computers
  Configuring Portable Computers
  Managing Mobile Clients Without Using Mobile Accounts
  Unknown Mac OS X Portable Computers
  Using Mac OS X Portable Computers with One Primary Local User
  Using Mac OS X Portable Computers with Multiple Users
  Securing Mobile Clients
  Optimizing the File Server for Mobile Accounts

Chapter 9: Client Management Overview
  Using Network-Visible Resources
  Customizing the User Experience
  The Power of Preferences
  Designing the Login Experience
  Choosing a Workgroup
  Working with Synced Homes
  Improving Workflow

Chapter 10: Managing Preferences
  Using Workgroup Manager to Manage Preferences
  Understanding Managed Preference Interactions
  Understanding Hierarchical Preference Management
  Setting the Permanence of Management
  Caching Preferences
  Preference Management Basics
  Managing User Preferences
  Managing Group Preferences
  Managing Computer Preferences
  Managing Computer Group Preferences
  Disabling Management for Specific Preferences
  Managing Access to Applications
  Controlling User Access to Specific Applications and Folders
  Allowing Specific Dashboard Widgets
  Disabling Front Row
  Allowing Legacy Users to Open Specific Applications and Folders
  Managing Classic Preferences
  Selecting Classic Startup Options
  Choosing a Classic System Folder
  Allowing Special Actions During Restart
  Controlling Access to Classic Apple Menu Items
  Adjusting Classic Sleep Settings
  Maintaining Consistent User Preferences for Classic
  Managing Dock Preferences
  Controlling the User's Dock
  Providing Easy Access to Group Folders
  Adding Items to a User's Dock
  Preventing Users from Adding or Deleting Dock Items
  Managing Energy Saver Preferences
  Using Sleep and Wake Settings for Desktop Computers
  Setting Energy Saver Settings for Portable Computers
  Displaying Battery Status to Users
  Scheduling Automatic Startup, Shutdown, or Sleep
  Managing Finder Preferences
  Setting Up Simple Finder
  Keeping Disks and Servers from Appearing on the User's Desktop
  Controlling the Behavior of Finder Windows
  Hiding the Alert Message When a User Empties the Trash
  Making Filename Extensions Visible
  Controlling User Access to Remote Servers
  Controlling User Access to an iDisk
  Preventing Users from Ejecting Discs
  Hiding the Burn Disc Command in the Finder
  Controlling User Access to Folders
  Removing Restart and Shut Down from the Apple Menu
  Adjusting the Appearance and Arrangement of Desktop Items
  Adjusting the Appearance of Finder Window Contents
  Managing Login Preferences
  Changing the Appearance of the Login Window
  Configuring Miscellaneous Login Options
  Choosing Who Can Log In
  Customizing the Workgroups Displayed at Login
  Enabling the Use of Login and Logout Scripts
  Choosing a Login or Logout Script
  Automatically Opening Items After a User Logs In
  Providing Access to a User's Network Home Folder
  Providing Easy Access to the Group Share Point
  Managing Media Access Preferences
  Controlling Access to CDs, DVDs, and Recordable Discs
  Controlling Access to Hard Drives, Disks, and Disk Images
  Ejecting Removable Media Automatically When a User Logs Out
  Managing Mobility Preferences
  Creating a Mobile Account
  Preventing the Creation of a Mobile Account
  Manually Removing Mobile Accounts from Computers
  Enabling FileVault for Mobile Accounts
  Selecting the Location of a Mobile Account
  Creating External Accounts
  Setting Expiration Periods for Mobile Accounts
  Choosing Folders to Sync at Login and Logout, or in the Background
  Stopping Files from Syncing for a Mobile Account
  Setting the Background Sync Frequency
  Showing Mobile Account Status in the User's Menu Bar
  Managing Network Preferences
  Configuring Proxy Servers by Port
  Allowing Users to Bypass Proxy Servers for Specific Domains
  Enabling Passive FTP Mode
  Disabling Internet Sharing
  Disabling AirPort
  Disabling Bluetooth
  Managing Parental Controls Preferences
  Hiding Profanity in Dictionary
  Preventing Access to Adult Websites
  Allowing Access Only to Specific Websites
  Setting Time Limits and Curfews on Computer Usage
  Managing Printing Preferences
  Making Printers Available to Users
  Preventing Users from Modifying the Printer List
  Restricting Access to Printers Connected to a Computer
  Setting a Default Printer
  Restricting Access to Printers
  Adding a Page Footer to All Printouts
  Managing Software Update Preferences
  Managing Access to System Preferences
  Managing Time Machine Preferences
  Managing Universal Access Preferences
  Adjusting the User's Display Settings
  Setting a Visual Alert
  Adjusting Keyboard Accessibility Options
  Adjusting Mouse and Pointer Responsiveness
  Enabling Universal Access Shortcuts
  Allowing Devices for Users with Special Needs
  Using the Preference Editor with Preference Manifests
  Adding to the Preference Editor's List
  Editing Application Preferences with the Preference Editor
  Removing an Application's Managed Preferences in the Preference Editor
  Using the Preference Editor to Manage Core Services
  Using the Preference Editor to Manage Safari

Chapter 11: Solving Problems
  Diagnosing Common Network Issues
  Testing Your Network's Time and Time Zones
  Testing Your DNS Service
  Testing Your DHCP Service
  Solving Account Problems
  If You Want to Use Earlier Versions of Workgroup Manager
  If You Can't Edit an Account Using Workgroup Manager
  If Users Can't See Their Names in the Login Window
  If You Can't Unlock an LDAP Directory
  If You Can't Modify a User's Open Directory Password
  If You Can't Change a User's Password Type to Open Directory
  If You Can't Assign Server Administrator Privileges
  If Users Can't Log In or Authenticate
  If Users Relying on a Password Server Can't Log In
  If Users Can't Log In with Accounts in a Shared Directory Domain
  If Users Can't Access Their Home Folders
  If Users Can't Change Their Passwords
  If Users Can't Authenticate Using Single Sign-On or Kerberos
  Problems with a Primary or Backup Domain Controller
  If a Windows User Can't Log in to the Windows Domain
  If a Windows User Has No Home Folder
  If a Windows User's Profile Settings Revert to Defaults
  If a Windows User Loses the Contents of the My Documents Folder
  Solving Preference Management Problems
  Testing Your Managed Client Settings
  If Users Don't See a List of Workgroups at Login
  If Users Can't Open Files
  If Users Can't Add Printers to a Printer List
  If Login Items Added by a User Don't Open
  If Items Placed in the Dock by a User Are Missing
  If a User's Dock Has Duplicate Items
  If Users See a Question Mark in the Dock
  If Users See a Message About an Unexpected Error
  If You Can't Manage Network Views

Appendix: Importing and Exporting Account Information
  Understanding What You Can Import and Export
  Limitations for Importing and Exporting Passwords
  Maintaining GUIDs When Importing from Earlier Versions of Mac OS X Server
  Archiving the Open Directory Master
  Using Workgroup Manager to Import Accounts
  Using Workgroup Manager to Export Accounts
  Using XML Files Created with Mac OS X Server v10.1 or Earlier
  Using XML Files Created with AppleShare IP 6.3

Glossary

Index

Preface: About This Guide

This guide explains how to use Workgroup Manager to set up and manage accounts and preferences for clients.

Mac OS X Server includes Workgroup Manager, a user management tool you can use to create and manage accounts. When managing accounts, you can define core account settings like name, password, home folder location, and group membership. You can also manage preferences, allowing you to customize the user's experience, granting or restricting access to his or her own computer's settings and to network resources.

Workgroup Manager works closely with a directory domain. Directory domains are like databases but are specifically designed for storing account information and handling authentication.

What's New in Workgroup Manager

- Computer accounts and computer groups. You can create computer accounts for individual computers. By managing computer accounts individually, you can fully customize preference management settings for those computers. You can create computer groups composed of these individual computer accounts, or of hierarchical groups. Managed preferences for a parent computer group in a hierarchical group also apply to child computer groups.
  The addition of computer accounts and computer groups eases administration and increases flexibility. For more information, see Chapter 6, "Setting Up Computers and Computer Groups."
- Improved mobile accounts. Mobile accounts are now more secure, efficient, and portable. You can protect mobile accounts with FileVault. You can set account expiry options so that local home folders are deleted after a period of inactivity. You can also create mobile accounts on an external drive, so users can still access a synced home folder with cached managed preferences even when they don't have their computers. You can enable these features by managing Mobility preferences. For more information, see Chapter 8, "Managing Portable Computers."
- New managed preferences. Preferences now let you manage Parental Controls, Dashboard, Front Row, and Time Machine. Existing preferences have been enhanced, using embedded and detached signatures to prevent the launching of unapproved applications, giving you more control over the login window, and letting you create page footers on printed documents. For more information, see Chapter 10, "Managing Preferences."

What's in This Guide

This guide includes the following chapters:

- Chapter 1, "User Management Overview," highlights important concepts, introduces user management tools, and tells you where to find additional information about user management and related topics.
- Chapter 2, "Getting Started with User Management," provides planning and setup information to create a user management environment.
- Chapter 3, "Getting Started with Workgroup Manager," describes how to set up Workgroup Manager and use its core features.
- Chapters 4, 5, and 6 explain how to use Workgroup Manager to set up users, groups, computers, and computer groups.
- Chapter 7, "Setting Up Home Folders," covers creating home folders.
- Chapter 8, "Managing Portable Computers," details considerations for managing portable computers.
- Chapter 9, "Client Management Overview," introduces client management tools and concepts, such as how to customize a user's work environment and provide user access to network resources.
- Chapter 10, "Managing Preferences," describes how to use Workgroup Manager to control preference settings for users, groups, computers, and computer groups that use Mac OS X.
- Chapter 11, "Solving Problems," helps you address issues involving account creation, home folder maintenance, preference management, and client setup, and also helps you solve problems encountered by managed clients.

In addition, the appendix, "Importing and Exporting Account Information," provides information you'll need when you want to transfer account information to or from an external file. Finally, the glossary defines terms you'll encounter as you read this guide.

Note: Because Apple periodically releases new versions and updates to its software, images shown in this book may be different from what you see on your screen.

Using Onscreen Help

You can get task instructions onscreen in the Help Viewer application while you're managing Leopard Server. You can view help on a server or an administrator computer. (An administrator computer is a Mac OS X computer with Leopard Server administration software installed on it.)

To get help for an advanced configuration of Leopard Server:

Open Server Admin or Workgroup Manager and then:

- Use the Help menu to search for a task you want to perform.
- Choose Help > Server Admin Help or Help > Workgroup Manager Help to browse and search the help topics.

The onscreen help contains instructions taken from Server Administration and other advanced administration guides described in "Mac OS X Server Administration Guides," next.

To see the most recent server help topics:

Make sure the server or administrator computer is connected to the Internet while you're getting help.
Help Viewer automatically retrieves and caches the most recent server help topics from the Internet. When not connected to the Internet, Help Viewer displays cached help topics.

Mac OS X Server Administration Guides

Getting Started covers installation and setup for standard and workgroup configurations of Mac OS X Server. For advanced configurations, Server Administration covers planning, installation, setup, and general server administration. A suite of additional guides, listed below, covers advanced planning, setup, and management of individual services. You can get these guides in PDF format from the Mac OS X Server documentation website:

www.apple.com/server/documentation

This guide ... tells you how to:

- Getting Started and Installation & Setup Worksheet: Install Mac OS X Server and set it up for the first time.
- Command-Line Administration: Install, set up, and manage Mac OS X Server using UNIX command-line tools and configuration files.
- File Services Administration: Share selected server volumes or folders among server clients using the AFP, NFS, FTP, and SMB protocols.
- iCal Service Administration: Set up and manage iCal shared calendar service.
- iChat Service Administration: Set up and manage iChat instant messaging service.
- Mac OS X Security Configuration: Make Mac OS X computers (clients) more secure, as required by enterprise and government customers.
- Mac OS X Server Security Configuration: Make Mac OS X Server and the computer it's installed on more secure, as required by enterprise and government customers.
- Mail Service Administration: Set up and manage IMAP, POP, and SMTP mail services on the server.
- Network Services Administration: Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall, NAT, and RADIUS services on the server.
- Open Directory Administration: Set up and manage directory and authentication services, and configure clients to access directory services.
- Podcast Producer Administration: Set up and manage Podcast Producer service to record, process, and distribute podcasts.
- Print Service Administration: Host shared printers and manage their associated queues and print jobs.
- QuickTime Streaming and Broadcasting Administration: Capture and encode QuickTime content. Set up and manage QuickTime streaming service to deliver media streams live or on demand.
- Server Administration: Perform advanced installation and setup of server software, and manage options that apply to multiple services or to the server as a whole.
- System Imaging and Software Update Administration: Use NetBoot, NetInstall, and Software Update to automate the management of operating system and other software used by client computers.
- Upgrading and Migrating: Use data and service settings from an earlier version of Mac OS X Server or Windows NT.
- User Management: Create and manage user accounts, groups, and computers. Set up managed preferences for Mac OS X clients.
- Web Technologies Administration: Set up and manage web technologies, including web, blog, webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV.
- Xgrid Administration and High Performance Computing: Set up and manage computational clusters of Xserve systems and Mac computers.
- Mac OS X Server Glossary: Learn about terms used for server and storage products.

Viewing PDF Guides Onscreen

While reading the PDF version of a guide onscreen:

- Show bookmarks to see the guide's outline, and click a bookmark to jump to the corresponding section.
- Search for a word or phrase to see a list of places where it appears in the document. Click a listed place to see the page where it occurs.
- Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.

Printing PDF Guides

If you want to print a guide, you can take these steps to save paper and ink:

- Save ink or toner by not printing the cover page.
- Save color ink on a color printer by looking in the panes of the Print dialog for an option to print in grays or black and white.
- Reduce the bulk of the printed document and save paper by printing more than one page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting Started). Then choose Layout from the untitled pop-up menu. If your printer supports two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from the Border menu. (If you're using Mac OS X version 10.4 or earlier, the Scale setting is in the Page Setup dialog and the Layout settings are in the Print dialog.)

You may want to enlarge the printed pages even if you don't print double sided, because the PDF page size is smaller than standard printer paper. In the Print dialog or Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has CD-size pages).

Getting Documentation Updates

Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.

- To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click "Latest help topics" or "Staying current" in the main help page for the application.
- To download the latest guides in PDF format, go to the Mac OS X Server documentation website: www.apple.com/server/documentation

Getting Additional Information

For more information, consult these resources:

- Read Me documents--important updates and special information. Look for them on the server discs.
- Mac OS X Server website (www.apple.com/server/macosx)--gateway to extensive product and technology information.
- Mac OS X Server Support website (www.apple.com/support/macosxserver)--access to hundreds of articles from Apple's support organization.
- Apple Discussions website (discussions.apple.com)--a way to share questions, knowledge, and advice with other administrators.
- Apple Mailing Lists website (www.lists.apple.com)--subscribe to mailing lists so you can communicate with other administrators using email.

Chapter 1: User Management Overview

This chapter introduces user management concepts and describes the applications used to manage accounts and privileges.

User management encompasses everything from setting up accounts for network access and creating home folders, to fine-tuning the user experience by managing preferences and settings for users, groups, computers and computer groups. Mac OS X Server provides tools for accomplishing these tasks and more.

Tools for User Management

User management tools and technologies in Mac OS X Server include Workgroup Manager, Server Admin, NetBoot, and NetInstall.

Workgroup Manager

Workgroup Manager is a powerful tool that delivers features for comprehensive management of Macintosh clients. You can use Workgroup Manager on a computer with Mac OS X or Mac OS X Server installed.

Workgroup Manager provides a centralized method of managing Mac OS X computers, controlling access to software and removable media, and providing a consistent, personalized experience for users at different levels, whether they're beginners in a classroom or advanced users in an office.

You use Workgroup Manager to create user accounts and set up groups to provide convenient access to resources.
You can:

- Use account settings and managed preferences to achieve the level of administrative control you need, while making the user experience more efficient
- Manage Finder, login, media access, and print settings
- Control access to computers and restrict the applications allowed to run on them

Using Workgroup Manager with Mac OS X Server services, you can:

- Customize the work environments of network users by organizing their desktop resources and personal files
- Enable services that require user accounts, such as mail, file sharing, iChat service, and web service
- Share system resources, such as printers and computers, maximizing their availability and ensuring that disk space and printer usage remains equitably shared

To get started with Workgroup Manager, see Chapter 3, "Getting Started with Workgroup Manager."

Server Admin

The Server Admin application provides access to various tools and services that play a role in server management.

After installing the Mac OS X Server software, use Server Admin to set up directory services and establish your network. Then use Workgroup Manager to create and manage accounts. After that, use Server Admin to set up additional services to provide mail service, host websites, share printers, and create share points (which allow users to share folders and files).

For information about how to use the many services managed through Server Admin, see the service administration guides. The following table lists common server administration tasks and includes the location of related documentation.
To | See this document
Assign permissions to folders and files in a share point | File Services Administration
Share printers among users | Print Service Administration
Set up websites or WebDAV support on the server | Web Technologies Administration
Provide email service for users | Mail Service Administration
Broadcast multimedia from the server in real time | QuickTime Streaming Server Administration
Provide identical operating system and applications folders for client computers | System Imaging and Software Update Administration
Install applications across a network | System Imaging and Software Update Administration
Share information among multiple Mac OS X Server systems or Mac OS X computers | Open Directory Administration

For a complete list of Mac OS X Server documentation, see "Mac OS X Server Administration Guides" on page 16.

Server Preferences

If you use the standard or workgroup configuration of Mac OS X Server, you can use Server Preferences to configure key features of collaboration and file services. Its streamlined approach allows novice system administrators to quickly configure a server without requiring much technical knowledge.

You can also use Server Preferences to configure user and group accounts (such as setting passwords, enabling services, and assigning group membership). However, you can't use Server Preferences to manage preferences.

For more information, see Getting Started and Server Preferences Help.

NetBoot

Mac OS X computers can start up from a network-based NetBoot image, providing quick and easy configuration of department, classroom, and individual systems, as well as web and application servers, throughout a network. When you update a NetBoot image, all computers using NetBoot have instant access to the new configuration.

To customize the computer setup for different groups of clients, you can set up multiple NetBoot images. These features provide quick setup and a customized user experience.
NetBoot simplifies administration and reduces the support normally associated with large-scale deployments of network-based Macintosh computers. It's ideal for an organization with client computers that are identically configured. For example, NetBoot can be a powerful solution for a data center that needs multiple, identically configured web and application servers.

With NetBoot, you can quickly configure and update client computers by updating a NetBoot image stored on the server. NetBoot images contain the operating system and application folders for all clients on the server, so that changes made on the server are reflected on the clients when they restart. Systems that are compromised or otherwise altered can be instantly restored by restarting them.

You use System Image Utility to create and modify NetBoot images, and then use NetBoot to deploy NetBoot images. For more information about these tools, or about installing an operating system over a network, see System Imaging and Software Update Administration.

NetInstall

NetInstall is a centralized software installation service that lets you use installation images to selectively and automatically install, restore, or upgrade network-based Macintosh systems. Those images can contain the latest version of Mac OS X, a software update, site-licensed or custom applications, or configuration scripts.

You can use NetInstall to upgrade operating systems, install software updates and custom software packages, or re-image desktop and portable computers. You can create custom installation packages for various departments in an organization, such as marketing, engineering, and sales.

Using NetInstall, it's not necessary to use CDs or DVDs to configure a computer. All installation files and packages reside on the server. Use NetInstall to run pre- and post-installation scripts to perform system commands before or after the installation of a software package or system image.
To create NetInstall packages, use System Image Utility or PackageMaker. Then use NetBoot to deploy NetInstall packages. For more information about using these tools with NetInstall, see System Imaging and Software Update Administration.

Command-Line Tools

Mac OS X Server v10.5 includes several client-management command-line tools. For example, the dscl tool allows you to view and edit account settings and manage preferences, while the mcxquery tool reports the managed preferences that are effective for a particular user.

Use the mcxquery tool to review how combined and overridden managed preferences interact at the user, group, computer, or computer group level. The tool also determines which directory domain stores those managed preference settings.

For more information about client-management command-line tools, see Command-Line Administration.

Accounts

To manage accounts, you use an administrator account. With an administrator account, you can set up and manage the following account types:
• User accounts
• Group accounts
• Computer accounts
• Computer groups

When creating a user account, you must specify a user name and password, which is needed to prove the user's identity. You can also specify a user identification number (user ID), which is useful for folder and file permissions. Other user account information is used by various services to determine what the user is authorized to do and to personalize the user's environment.

In addition to the accounts you create, Mac OS X Server also has predefined user and group accounts, some of which are reserved for use by Mac OS X.

Administrator Accounts

Users with server administration or directory domain administration privileges are known as administrators. An administrator can be a server administrator, domain administrator, or both. Server administrator privileges determine whether a user can change the settings of a particular server.
Domain administrator privileges determine the extent to which an administrator can change account settings for users, groups, computers, and computer groups in the directory domain.

Server Administration

Server administration privileges determine the functions available to a user when logged in to a particular Mac OS X Server. For example, a server administrator can use Directory Utility to make changes to a server's search policy.

When you assign server administration privileges to a user, the user is added to the "admin" group in the server's local directory domain. Many Mac OS X applications--such as Server Admin, Directory Utility, and System Preferences--use the admin group to determine whether a particular user can perform certain administrative activities with the application.

Local Mac OS X Computer Administration

Any user who belongs to the admin group in the local directory domain of any Mac OS X computer has administrator privileges on that computer.

Limited Administration

You can control the extent to which a limited administrator can use Workgroup Manager to change account data stored in a domain. For example, you can set up directory domain privileges so your network administrator can add and remove user accounts, but allow limited administrators to change the information for particular users. Or, you can designate multiple limited administrators to manage different groups.

For more information, see "Giving a User Limited Administrative Capabilities" on page 70.

Directory Domain Administration

When you create a directory domain in Mac OS X Server, a domain administrator account is created and added to the admin group in the domain. If you plan to connect your directory domain to other directory domains, make sure you choose a unique name and user ID for each domain.

When you assign full directory domain administration privileges to a user, the user is added to the "admin" group in the directory domain.
This does not grant the user local admin privileges on the servers hosting this directory domain or on any other servers or clients bound to this directory domain.

Each directory domain has a domain administrator account, and a domain administrator can create additional domain administrators in the same domain. Any user with a user account in a directory domain can be made a directory domain administrator (an administrator of that domain).

For more information, see "Giving a User Full Administrative Capabilities" on page 72.

User Accounts

Depending on how you set up server and user accounts, you can use Mac OS X Server to support users who log in using Mac OS X computers, Windows computers, or UNIX computers.

Most users have an individual account used to authenticate them and control their access to services. When you want to personalize a user's environment, you define user, group, computer, or computer group preferences for that user.

The term managed client or managed user refers to a user who has administrator-controlled preferences associated with his or her account. Managed client is also used to refer to computers or computer groups that have preferences defined for them.

To learn more about how to set up user accounts, see Chapter 4, "Setting Up User Accounts." To specify the preferences for user accounts, see Chapter 10, "Managing Preferences."

Guest Account

You can provide services for users who can't be authenticated because they don't have a valid user name or password. These users are known as guest users.

If your computers run Mac OS X v10.5 or later, you can enable a guest account, which is specifically designed for guest users. The guest account allows anonymous access to a computer. The guest account has a local home folder that has its contents erased when the user logs in or out of the guest account.
The guest account is best used for common-access computers, such as those in a library or open lab where you may not need to log user access and where the user maintains his or her files separate from the local computer.

For some services, like Apple Filing Protocol (AFP), you can let guest users access files. Instead of authenticating with a name and a password, a guest user connects as a guest, not as a registered user. Guests are restricted to files and folders with permissions set to Everyone.

Group Accounts

To ease user administration, you can create group accounts. A group is a collection of users who have similar needs. For example, you can add all English teachers to one group and allow that group to access certain files or folders on a volume.

Groups simplify the administration of shared resources. Instead of granting access to various resources for each user who needs access, you can add users to a group and then grant access to everyone in the group.

Use group account settings to control user access to folders and files. For more information, see "Folder and File Access by Other Users" on page 28.

A group can be a member of another group. A group that contains another group is called a parent group. The group contained in the parent group is called a hierarchical group. Hierarchical groups are useful for inheriting access permissions and managed preferences.

To learn more about how to set up group accounts, see Chapter 5, "Setting Up Group Accounts." To specify preferences for group accounts, see Chapter 10, "Managing Preferences."

Workgroups

When you define preferences for a group, it becomes a workgroup. A workgroup lets you manage the work environment of group members. Workgroup preferences are stored in the group account. For a description of workgroup preferences, see Chapter 10, "Managing Preferences."
Group Folders

When you define a group, you can also specify a folder for storing files that you want group members to share. The location of the folder is stored in the group account. You can give users permission to write to a group folder, or to change group folder attributes in the Finder.

Computer Accounts

Computer accounts allow you to identify and manage individual computers. To create a computer account, you need the computer's Ethernet ID. When creating the account, you can also associate it with an IP address. After creating the account, you can manage its preferences or add it to a computer group.

For more information about setting up computer accounts, see Chapter 6, "Setting Up Computers and Computer Groups." To specify preferences for Mac OS X computer accounts, see Chapter 10, "Managing Preferences."

Guest Computers

Most computers on your network should have a computer account. If an unknown computer (one that doesn't have a computer account) connects to your network and attempts to access services, that computer is treated as a guest. Settings chosen for the Guest Computer account apply to unknown guest computers.

Computer Groups

A computer group is composed of one or more computer accounts or computer groups. By combining these into a single computer group, you can apply the same managed preferences to all its members.

To learn more about how to set up computer groups for Mac OS X client computers, see Chapter 6, "Setting Up Computers and Computer Groups." To specify preferences for Mac OS X computer groups, see Chapter 10, "Managing Preferences."

The User Experience

After you create an account for a user, the user can access server resources according to the permissions you set.
The user experience depends on the type of user, permissions set, type of client computer in use (such as Windows or UNIX), whether the user is a member of a group, and whether preference management is implemented at the user, group, or computer level.

For more information about the Mac OS X user experience, see Chapter 9, "Client Management Overview." Basic information about authentication, identity validation, and information-access control is given in the following sections.

Authentication and Identity Validation

Before a user can log in or connect to a Mac OS X computer, he or she must enter a name and password associated with a user account accessible by the computer.

A Mac OS X computer can access user accounts that are stored in a directory domain of the computer's search policy:
• A directory domain stores information about users and resources. It is like a database that a computer accesses to retrieve configuration information.
• A search policy is a list of directory domains that the computer searches when it needs configuration information, starting with the local directory domain on the user's computer.

The following illustration shows a user logging in to an account in a directory domain in the computer's search policy.

[Illustration: Log in to Mac OS X; directory domains in search policy]

After login, the user can connect to a remote server to access its services (if the user's account is located in the server's search policy).

[Illustration: Connect to Mac OS X Server; directory domains in search policy]

If Mac OS X finds a user account containing the name entered by the user, it attempts to validate the password associated with the account. If the password is validated, the user is authenticated and the login or connection process is completed.

Mac OS X Server validates passwords using Kerberos, Open Directory Password Server, shadow passwords, and crypt passwords.
For more information about types of directory domains and instructions for configuring search policies, see Open Directory Administration. This guide also discusses authentication methods and provides instructions for setting up user authentication options.

Information Access Control

To control access to information, a universal ID called a globally unique identifier (GUID) provides user and group identity for access control list (ACL) permissions. An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user, and how these permissions are propagated throughout a folder hierarchy. The GUID also associates a user with group and hierarchical group memberships.

Prior to Mac OS X v10.4, Mac OS X used user ID and POSIX permissions to track folder and file permissions. In Mac OS X, folders or files include POSIX permissions for entities such as:
• Owner
• Group
• Everyone else

Because GUIDs are 128-bit values, duplicate GUIDs are extremely unlikely. Unlike ACL permissions, POSIX permissions can cause file-ownership and group-membership issues when multiple users have identical short names or user IDs. When using GUIDs, users with the same short name or user ID can have different ACL permissions.

The introduction of GUIDs does not change or remove POSIX permissions, so it does not affect the interoperability of Mac OS X with legacy UNIX systems or other operating systems.

Folder and File Owner Access

When a folder or file is created, the file system stores the user ID of the user who created the file or folder as its owner. By default, when a user with that user ID accesses the folder or file, he or she can read and write to it. Also, any process started by the user who creates the file or folder can read and write to any files associated with that same user ID.

If you change a user ID, the user may not be able to modify or access files and folders he or she created.
Likewise, if the user logs in as a user whose user ID is different from the user ID he or she used to create the files and folders, the user no longer has owner permissions for those files and folders.

Folder and File Access by Other Users

The use of GUIDs in conjunction with ACLs determines the files that users and groups can access. Also, the user ID, in conjunction with a group ID, is used to control access.

Every user belongs to a primary group. The primary group ID for a user is stored in the user's account. When a user accesses a folder or file and the user isn't the owner, the file system checks the file's group permissions, and the following occurs:
• If the user's primary group ID matches the ID of the group associated with the file, the user inherits group permissions.
• If the user's primary group ID doesn't match the file's group ID, Mac OS X searches for the group account that has permission to access the file. When the group is found, all members of that group and subsequent hierarchical groups are given permission to that file.
• If neither of these cases applies, the user's access permissions default to the generic "everyone."

ACLs and POSIX Permissions

Every file and folder has POSIX permissions. Unless an administrator assigns ACL permissions, POSIX permissions continue to define user access. If you assign ACL permissions, they take precedence over standard POSIX permissions.

If a file has ACL permissions, but none apply to the user, the POSIX permissions determine user access. If a file has multiple ACEs that apply to a user, the first applicable ACE takes precedence, and subsequent ACEs are ignored.

For more information about ACL and POSIX permissions, see File Services Administration.

SIDs and Windows Interoperability

Mac OS X computers work seamlessly with Windows computers because Mac OS X assigns a security identifier (SID) to a process or file when it assigns a GUID to the process or file.
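The precedence rules given under "ACLs and POSIX Permissions" and "Folder and File Access by Other Users" can be traced with a small model. This is an added example, not Apple's implementation or code from the guide: the class names, GUID strings, accounts, and the reading of "applicable" as "names the user or one of the user's groups and covers the requested permission" are assumptions made for illustration.

```python
from dataclasses import dataclass, field

BITS = {"read": 4, "write": 2, "execute": 1}  # bits within one POSIX triad


@dataclass(frozen=True)
class Account:
    short_name: str
    uid: int
    primary_gid: int
    guid: str


@dataclass
class Group:
    gid: int
    guid: str
    members: set = field(default_factory=set)  # GUIDs of users or nested groups


@dataclass(frozen=True)
class ACE:
    principal: str       # GUID of a user or group
    allow: bool          # True grants, False denies
    perms: frozenset


@dataclass
class Entry:
    owner_uid: int
    gid: int
    mode: int
    acl: list = field(default_factory=list)


def memberships(user, groups):
    """GUIDs of every group that contains the user, directly or through
    hierarchical (nested) groups."""
    found = {g.guid for g in groups
             if g.gid == user.primary_gid or user.guid in g.members}
    changed = True
    while changed:
        changed = False
        for g in groups:
            if g.guid not in found and g.members & found:
                found.add(g.guid)      # parent group of a group already found
                changed = True
    return found


def posix_allows(user, entry, groups, perm):
    """Owner is matched by user ID, then group, then everyone else."""
    bit = BITS[perm]
    if user.uid == entry.owner_uid:
        return bool((entry.mode >> 6) & bit)
    mine = memberships(user, groups)
    in_group = user.primary_gid == entry.gid or any(
        g.gid == entry.gid and g.guid in mine for g in groups)
    if in_group:
        return bool((entry.mode >> 3) & bit)
    return bool(entry.mode & bit)


def check_access(user, entry, groups, perm):
    """Return (allowed, deciding_layer). The first applicable ACE wins and
    later ACEs are ignored; with no applicable ACE, POSIX decides."""
    principals = {user.guid} | memberships(user, groups)
    for ace in entry.acl:
        if ace.principal in principals and perm in ace.perms:
            return ace.allow, "acl"
    return posix_allows(user, entry, groups, perm), "posix"


def demo():
    # Constructed sample data: alice and alan share user ID 1025.
    alice = Account("alice", 1025, 20, "GUID-ALICE")
    alan = Account("alan", 1025, 20, "GUID-ALAN")
    erin = Account("erin", 1031, 20, "GUID-ERIN")
    staff = Group(20, "GUID-STAFF")
    english = Group(1101, "GUID-ENGLISH", {erin.guid})
    teachers = Group(1100, "GUID-TEACHERS", {english.guid})  # parent group
    groups = [staff, english, teachers]
    users = {"alice": alice, "alan": alan, "erin": erin}

    plain = Entry(owner_uid=1025, gid=20, mode=0o640)
    guarded = Entry(owner_uid=1025, gid=20, mode=0o640, acl=[
        ACE(alan.guid, False, frozenset({"write"})),
        ACE(teachers.guid, True, frozenset({"write"})),
        ACE(erin.guid, False, frozenset({"write"})),  # ignored: earlier ACE applies
    ])
    return {
        label: {n: check_access(u, e, groups, "write") for n, u in users.items()}
        for label, e in (("posix_only", plain), ("with_acl", guarded))
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

With POSIX permissions alone, both accounts that share user ID 1025 are treated as the file's owner; once ACEs keyed on GUIDs are present, the two accounts get different results, and ACE order decides the outcome for the nested-group member.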
A SID is a Windows identifier that has similar functionality to a GUID on a Mac OS X computer. When Windows users access share points using Server Message Block (SMB), they transfer SIDs, not GUIDs. When Mac OS X Server receives SIDs, it retrieves the user accounts with the corresponding GUIDs.

Windows servers use Active Directory as their directory domain. If a user account is moved to a different Active Directory domain, it receives a new SID but not a new GUID. The user still has access permissions assigned to old SIDs because Active Directory keeps track of SID history in user accounts.

2 Getting Started with User Management

This chapter provides information about planning and setting up a user management environment.

To create an effective user management environment, you must carefully plan your network. Then, when deploying the network, you must systematically and methodically set up your network resources.

Setup Overview

This section provides an overview of user management setup tasks, including the sequence of stages an administrator follows to create a managed environment. Not all steps are necessary in every case.

For a more comprehensive approach to planning, security, server setup, installation and deployment, management, and monitoring, see Server Administration.

Step 1: Before you begin, do some planning

Analyze your users' needs to determine which directory service configuration and home folder setup is the most suitable. For more information, see "Planning Strategies for User Management" on page 34.

Step 2: Set up the server infrastructure

Before deploying client computers, make sure one or more computers with Mac OS X Server installed is set up for hosting accounts and share points. New servers come with Mac OS X Server software preinstalled.

Set up the server so it hosts or provides access to shared directory domains.
Shared directory domains (also called shared directories) contain user, group, and computer information you want multiple computers to access. Users whose accounts reside in a shared directory are referred to as network users.

There are different kinds of shared directories. You can use Workgroup Manager to add or modify accounts that reside in read/write directory domains such as an Open Directory domain or the local directory domain.

Make sure that read-only directory domains (such as LDAPv2, read-only LDAPv3, or BSD flat files) are configured to support Mac OS X Server and that they provide necessary account data. To make the directory compatible, you must add, modify, and reorganize directory information.

Mac OS X offers various options for authenticating users (including Windows users) whose accounts are stored in directory domains on Mac OS X Server. In addition, Mac OS X accesses accounts in existing directories on your network, such as an Active Directory hosted on a Windows server.

To make resources visible throughout the network so users can access them from different computers, use file services. Important network-visible resources include network home folders, group folders, and other shared folders.

If some users use Windows computers, you can configure the server to provide them with file services, domain login, and home folders.

The following administration guides describe infrastructure setup in detail:
• For installation requirements and guidelines, see Getting Started.
• For information about advanced installation and setup of server software, see Server Administration.
• For information about directory services and authentication, see Open Directory Administration.
• For information about how to set up file services, see File Services Administration.

Step 3: Set up an administrator computer

Because servers are usually kept in a secure, locked location, administrators typically conduct user management tasks remotely from a Mac OS X computer.
Such a computer is referred to as an administrator computer.

Before you can use an administrator computer to create and manage accounts in a shared directory, you must have a user account in the shared directory and you must be a domain administrator. A domain administrator can use Workgroup Manager to add and change accounts in an Open Directory domain or another read/write directory domain.

To set up an administrator computer and create domain administrator accounts, see Chapter 3, "Getting Started with Workgroup Manager."

Step 4: Set up a home folder share point

Home folders for accounts stored in shared directories can reside in a network share point accessible by the user's computer.

You can set up network home folders so they can be accessed using either AFP or NFS, or you can set up home folders for exclusive use by Windows users using SMB.

For information about setting up home folders using AFP, NFS, or SMB, see Chapter 7, "Setting Up Home Folders."

Step 5: Create user accounts and home folders

You can use Workgroup Manager to create user accounts in directories that reside on Mac OS X Server or in other read/write directory domains.

The following sections contain instructions for creating accounts and folders:
• To create user accounts, see Chapter 4, "Setting Up User Accounts."
• To create mobile user accounts, see Chapter 8, "Managing Portable Computers."
• To set up home folders, see Chapter 7, "Setting Up Home Folders."

Step 6: Set up client computers

Mac OS X Server supports users of Mac OS X, Windows, and UNIX client computers.

For Mac OS X computers, configure the search policy of the computers so it locates shared directory domains. For instructions, see Open Directory Administration.

For setup instructions for mobile Mac OS X computers that use AirPort to communicate with Mac OS X Server, see Designing AirPort Extreme Networks at http://www.apple.com/support/manuals/airport/.
You can join Windows workstations to the Mac OS X Server primary domain controller (PDC), which is similar to the way you configure Windows workstations to join a Windows NT server domain.

If you have more than a few Macintosh client computers to set up, consider using NetInstall to create a system image that automates client computer setup. For instructions, see System Imaging and Software Update Administration.

To prevent unauthorized access to client computers, secure them from local and network threats. For information, see Mac OS X Security Configuration.

Step 7: Define user account preferences

You manage the work environment of Macintosh users whose accounts reside in a shared domain by defining user account preferences. For information about Mac OS X user preferences, see Chapter 9, "Client Management Overview," and Chapter 10, "Managing Preferences."

Step 8: Create group accounts and group folders

Use Workgroup Manager to create group accounts in directories that reside on Mac OS X Server and in other read/write directory domains.

You can create group folders to distribute documents and organize group member applications. You can also set up ACLs and other access privileges to restrict a group's access to folders or files:
• For information about how to work with Mac OS X group accounts and group folders, see Chapter 5, "Setting Up Group Accounts."
• For information about how to add a group folder to the dock to make it more accessible to users, see Chapter 10, "Managing Preferences."
• For information about setting up ACLs, see File Services Administration.

Step 9: Define group account preferences

You can manage preferences for a group account. A group account with managed preferences is called a workgroup. For information about Mac OS X workgroups, see Chapter 9, "Client Management Overview," and Chapter 10, "Managing Preferences."
Step 10: Define computer accounts, computer groups, and preferences

Use computer accounts or computer groups to manage Macintosh client computers.
• For information about creating Mac OS X computer accounts or computer groups, see Chapter 6, "Setting Up Computers and Computer Groups."
• For information about computer group preferences, see Chapter 9, "Client Management Overview," and Chapter 10, "Managing Preferences."

Step 11: Perform ongoing account maintenance

As users come and go, and the requirements for your servers change, you must update account information:
• For information about how to use Workgroup Manager to display accounts, see Chapter 3, "Getting Started with Workgroup Manager."
• For information about how to perform common tasks such as creating accounts, disabling accounts, adding and removing users from groups, and deleting accounts, see Chapter 4 through Chapter 6.
• For solutions to common problems, see Chapter 11, "Solving Problems."

Planning Strategies for User Management

The following are planning activities to undertake before you implement user management.
Analyzing Your Environment

Your environment defines your user management settings, including:
• Size and distribution of your network
• Number of users who access your network
• Type of computers used (Mac OS X or Windows)
• How client computers are used
• Which computers are mobile
• Which users should have administrator privileges
• Which users should have access to particular computers
• What services and resources users need (such as mail or access to data storage)
• How to divide users into groups (for example, by class topic or job function)
• How to group computers (such as all computers in a public lab)

Identifying Directory Services Requirements

Identify the directories where you'll store user and group accounts, computers, and computer groups:
• Set up an Open Directory master and replicas to host a Lightweight Directory Access Protocol (LDAP) directory for storing other user accounts, group accounts, computers, and computer groups on your network. For information about password handling options, see Open Directory Administration.
• If you have an earlier version of an Apple server, you might be able to migrate existing records. For available options, see Updating and Migrating.
• If you have an LDAP or Active Directory server set up, you might be able to use existing account records. For details about accessing existing directories, see Open Directory Administration.

For information about working with Open Directory groups and computer groups, see Chapter 5, "Setting Up Group Accounts," and Chapter 6, "Setting Up Computers and Computer Groups."

Note: If all domains are not finalized when you're ready to start adding user and group accounts, add the accounts to any directory domain that exists on your server (the local directory domain is always available). You can move users and groups to another directory domain later by using your server's export and import functions.
Passwords are not retained when exporting and importing account information. For more information, see the appendix, "Importing and Exporting Account Information."

Determining Server and Storage Requirements

When planning for server needs, you must first acquire the following information:
• The number of concurrently connected computers, which affects network traffic and server response times
• The number of user accounts, which affects the amount of storage space required to store user files

Directory services, including authentication and user management, require one Open Directory master or replica for every 1000 computers, regardless of the number of total user accounts.

For example, if you have 400 computers and 2000 users, you need one Open Directory master for authentication and account management. If you have 1800 computers and 2500 users, you need one Open Directory master and one Open Directory replica.

If you use network home folders, they require one dedicated home folder server for every 150 concurrent connections. If you use mobile accounts with portable home directories, you need one dedicated home folder server for every 300 concurrent connections.

For example, if you have 400 computers and 2000 users on network home folders, you need three dedicated home folder servers. If those users are deployed with portable home folders, you need two dedicated home folder servers. If you have 1800 computers and 2500 users, you should have 12 dedicated home folder servers for network home folders and 6 dedicated servers for portable home directories.

Group folders require one server for every 450 concurrent connections. For example, if you have 400 computers, you need one group folder server. For 1800 computers, you need four group folder servers.

Storage requirements vary because users have varying storage needs. Some users may store very few files in their home folders, while other users fill theirs.
A simple guideline is to start with 1 gigabyte (GB) of storage per user account, but allow for expansion. Don't establish disk quotas or other space restrictions unless you have closely examined your users' storage needs. For example, 2000 user accounts might only need 2 terabytes (TB) of storage over the course of several years. However, if you give those same 2000 users their own computers with 60 GB drives, they could use as much as 120 TB of storage. In this case, every user fills his or her own drive, and portable home directory syncing mirrors files from his or her local home folder to the network file server.

Choosing a Home Folder Structure

When deploying computers, one of the most crucial decisions is choosing how and where to host home folders. There are three types of home folders: a local home folder, a network home folder, and a portable home directory. These home folders are typically tied, respectively, to local, network, and mobile accounts.

When considering your home folder structure, keep the following in mind:
• Users with local accounts typically have local home folders. When users save files in local home folders, the files are stored locally. To save the files over the network, users must connect to the network and upload the file. Using local home folders provides the least amount of control over a user's managed preferences, and is also not inherently tied to a network account.
• Users with network accounts typically have network home folders. When users save files in network home folders, the files are stored on the server. Additionally, when users access home folders, even for common tasks like caching webpages, the users' computers must retrieve these files from the server. Using network home folders provides complete control over a user's managed preferences. When users are not connected to the network, they can't access their accounts or home folders.
• Users with mobile accounts have both local and network home folders, which combine to form portable home directories. When users save files, the files are stored in a local home folder. The portable home directory is a synced subset of a user's local and network home folders. You can configure which folders to sync and how frequently to sync them. Mobile accounts also cache authentication information and managed preferences. If you sync key folders, a user can work on and off the network, and experience a seamless work environment. If you choose not to sync portable home directories, mobile accounts are then very similar to local accounts, except that mobile accounts have managed preferences.
• Users with mobile accounts who access their accounts on computers running Mac OS X v10.5 or later can use portable home directories with an external drive. When users connect external drives to a computer (including computers off of the network), they can still access their accounts. These types of mobile accounts are called external accounts. An external account stores its local home folder on the external drive and doesn't create a local home folder on the computer it's accessed from. Except for the location of the local home folder, external accounts are treated like mobile accounts, with the same kinds of syncing, cached authentication, and managed preference benefits.

Note: If a user's mobile account is hosted in an Active Directory domain, the mobile account does not have a portable home directory. However, it does have a local home folder and a network home folder, and caches authentication.

Mobile accounts and external accounts are described in detail in Chapter 8, "Managing Portable Computers."

Devising a Home Folder Distribution Strategy

Determine which users need home folders and identify the computers where you want these home folders to reside.
For performance reasons, avoid using network home folders over network connections slower than 100 megabits per second (Mbit/s).

A user's network home folder doesn't need to be stored on the same server as the directory containing the user's account. In fact, distributing directory domains and home folders across multiple servers can help balance your network load. This scenario is described in "Distributing Home Folders Across Multiple Servers" on page 115.

You may want to store home folders for users with last names beginning with A through F on one computer, G through J on another, and so on. Or, you may want to store home folders on a Mac OS X Server computer but store user and group accounts on an LDAP or Active Directory server.

Before creating users, pick a distribution strategy. If your distribution strategy fails once it is in use, you can move home folders, but doing so can require changing a large number of user records.

When determining the access protocol to use for home folders, AFP offers the greatest level of security. If you are hosting home folders on UNIX servers that do not support AFP, you may want to use NFS. If you are hosting home folders on Windows servers, you may want to use SMB. For more information about how to use these protocols for home folders, see "About Home Folders" on page 113.

Identifying Groups

Identify users with similar requirements and consider assigning them to groups. See Chapter 5, "Setting Up Group Accounts."

Determining Administrator Requirements

With Mac OS X v10.5, you don't need to give full domain administrator privileges to all users who need only some administrative control. Instead, you can give them limited administrative privileges. Decide which users will have full administrative control over accounts and which users will perform only a few administrative duties.

The domain administrator has the greatest amount of control over other user accounts and privileges.
The domain administrator can create user accounts, group accounts, computer accounts, and computer groups, and can assign settings, privileges, and managed preferences for them. He or she can also create other server administrator accounts, or give specific users (for example, teachers or technical staff) administrator privileges in certain directory domains.

Limited administrators can perform common administrative tasks for specified users and groups. They can manage user preferences, edit managed preferences, edit user information, and edit group membership. Giving users limited administrative privileges helps them to be more self-sufficient, without putting your organization at risk.

For example, you might want to give student lab assistants the ability to manage user passwords for a small group of students, while giving teachers the ability to manage user passwords, edit user information, and edit group information for all of their classes.

Because users can be given limited administrator privileges, consider which users require domain administrator privileges. A well-planned hierarchy of administrators and users with special administrator privileges helps you distribute system administration tasks and makes workflow and network management more efficient.

When you use Server Assistant to configure your server, specify a password for the owner/administrator. This password also becomes the root password for your server. Only a few server administrators need to know the root password, but sometimes it's necessary when using command-line tools (such as CreateGroupFolder). Administrators who don't need root access can use Workgroup Manager to create an administrator user with a password different from the root password.

Use the root password with caution and store it in a secure location. The root user has full access to the system, including system files.
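The limited-administrator delegation described above can be reasoned about as a deny-by-default check: an action is allowed only when an explicit grant covers both the capability and a group the target user belongs to. The following Python model is an added example, not code from Apple or Workgroup Manager; the Directory and Grant classes, the account and group names, and the sample data are hypothetical, and only the capability names are taken from the manual's text.

```python
from dataclasses import dataclass, field
from enum import Enum


class Capability(Enum):
    # Tasks the manual names for limited administrators.
    MANAGE_PASSWORDS = "manage user passwords"
    EDIT_MANAGED_PREFERENCES = "edit managed preferences"
    EDIT_USER_INFO = "edit user information"
    EDIT_GROUP_MEMBERSHIP = "edit group membership"


@dataclass(frozen=True)
class Grant:
    """One delegation: capabilities that apply only to members of the named groups."""
    capabilities: frozenset
    groups: frozenset


@dataclass
class Directory:
    """Hypothetical in-memory stand-in for a directory domain (not Open Directory's schema)."""
    members: dict = field(default_factory=dict)      # group short name -> set of users
    grants: dict = field(default_factory=dict)       # limited admin -> list of Grant
    domain_admins: set = field(default_factory=set)  # accounts with full control

    def groups_of(self, user):
        return {g for g, users in self.members.items() if user in users}

    def all_users(self):
        return set().union(*self.members.values())

    def is_allowed(self, admin, capability, target_user):
        """Deny by default: allow only a domain admin or an explicit, in-scope grant."""
        if admin in self.domain_admins:
            return True
        target_groups = self.groups_of(target_user)
        return any(
            capability in grant.capabilities and bool(grant.groups & target_groups)
            for grant in self.grants.get(admin, [])
        )

    def reach(self, admin):
        """Map each capability the admin holds to the users it can be applied to."""
        result = {}
        for cap in Capability:
            users = {u for u in self.all_users() if self.is_allowed(admin, cap, u)}
            if users:
                result[cap] = users
        return result


def build_example():
    """Constructed sample data modelled on the manual's lab-assistant and teacher example."""
    d = Directory(
        members={
            "lab101": {"student_a", "student_b"},
            "bio1": {"student_a", "student_c"},
            "bio2": {"student_d"},
        },
        domain_admins={"diradmin"},
    )
    # Lab assistant: passwords only, and only for the students in one lab group.
    d.grants["lab_assistant"] = [
        Grant(frozenset({Capability.MANAGE_PASSWORDS}), frozenset({"lab101"}))
    ]
    # Teacher: passwords, user information and group membership for their own classes.
    d.grants["teacher"] = [
        Grant(
            frozenset({Capability.MANAGE_PASSWORDS, Capability.EDIT_USER_INFO,
                       Capability.EDIT_GROUP_MEMBERSHIP}),
            frozenset({"bio1", "bio2"}),
        )
    ]
    return d


if __name__ == "__main__":
    directory = build_example()
    for admin in ("lab_assistant", "teacher", "diradmin"):
        for cap, users in directory.reach(admin).items():
            print(f"{admin:14} {cap.value:26} -> {sorted(users)}")
```

Listing the result of reach() for each delegated account shows exactly which users a grant touches, which makes it easy to spot a limited administrator whose scope has grown beyond the group it was meant for.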
If necessary, you can use Workgroup Manager to change the root password.

Chapter 3: Getting Started with Workgroup Manager

This chapter provides instructions for setting up Workgroup Manager and using its core features.

Workgroup Manager is the primary application for managing client computers. You can use Workgroup Manager to create accounts and manage preferences.

Configuring the Administrator's Computer and Account

To use Workgroup Manager, you must first install the Mac OS X Server administration tools. Before you can manage client computers, you must configure a computer for use as an administrator computer and create a domain administrator account.

Setting Up an Administrator Computer

When you install Workgroup Manager and other administration tools on a remote administrator computer, you do not need to physically access the server. Instead, use this administrator computer to connect to the server and perform administrative tasks remotely.

The computer should have Mac OS X v10.5 or later, at least 512 MB of RAM, and 1 GB of unused disk space. For more about server and storage requirements, see "Determining Server and Storage Requirements" on page 35.

To create and modify accounts, you must also have a domain administrator account.

To set up an administrator computer:
1 Insert the Administration Tools disc and then start the installer, ServerAdministrationSoftware.mpkg, located in the /Installers folder. Make sure the server administration tools you install are the same version as the Mac OS X Server software installed on your servers. If you use older server administration tools with a newer server version, the tools can cause errors and corrupt data.
2 Follow the onscreen instructions.
3 If you are managing preferences that use specific paths to find files (such as Dock preferences), make sure the administrator computer has the same file system structure as each managed client computer. This means that folder names, volumes, the location of applications, and so on should be the same.

Creating a Domain Administrator Account

Before creating and editing accounts in a shared directory, you need a domain administrator account in the directory. A domain administrator can use Workgroup Manager to add and change accounts residing in an Open Directory domain, the local directory domain, or another read/write directory domain.

To create a domain administrator account:
1 On the administrator computer, open Workgroup Manager and then authenticate as the administrator user created during server setup.
2 Access the shared directory by clicking the globe icon and choose the directory domain. If you're not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Click New User, click Basic, and then provide basic information for the administrator.
4 Click Privileges and from the "Administration capabilities" pop-up menu choose Full.
5 Click Save.

From the Command Line

You can also create a domain administrator account using the dscl and pwpolicy commands in Terminal. For more information, see the users and groups chapter of Command-Line Administration.

Using Workgroup Manager

After installing the Mac OS X Server software and setting up a domain administrator account, you can access and use Workgroup Manager for user management. This section provides an introduction to Workgroup Manager.

Using Mac OS X Server v10.5 to Administer Earlier Versions of Mac OS X

Servers running Mac OS X Server v10.3 or v10.4 can be administered using v10.5 server administration tools. You can use Workgroup Manager on a computer running Mac OS X Server v10.5 to manage Mac OS X clients running Mac OS X v10.3.9 or later.
Connecting and Authenticating to Directory Domains in Workgroup Manager

When you install your server or set up an administrator computer, Workgroup Manager is installed in /Applications/Server/. Use the Finder to open the application, or click its icon in the Dock or in the toolbar of the Server Admin application.

You can view a directory domain without authenticating by choosing Server > View Directories in Workgroup Manager. Initially, you have read-only access to information displayed in Workgroup Manager. To make changes in a directory, you must authenticate using a domain administrator account. This approach is most useful when you're administering different servers and working with different directory domains.

To connect and authenticate to directory domains:
1 Open Workgroup Manager and when the Workgroup Manager Connect window appears click Browse, or enter the IP address or DNS name for a server that connects to directory domains.
2 Enter the user name and password for a domain administrator and click Connect.
3 To change directory domains while connected to a server, click the globe icon (see below) to select a domain, then authenticate as a domain administrator by clicking the lock icon.
  [Figure: the globe icon (click to select a directory domain) and the lock (click to authenticate).]
4 To connect to a different server, choose Server > Connect.

Major Workgroup Manager Tasks

After login, the Accounts pane appears (see below), showing a list of user accounts. Initially, the user accounts listed are those stored in the last directory domain of the server's search policy.
[Figure: the Workgroup Manager Accounts pane, with callouts for the Users, Groups, Computers, and Computer Groups buttons, the globe icon (click to select a directory domain), the currently selected domain, the lock (click to authenticate), the field for searching or filtering the list, and the accounts list.]

Here is how to get started with the primary Workgroup Manager tasks:
• To specify the directory that stores accounts you want to work with, click the globe icon.
• To work with accounts in different directories at the same time or to work with different views of accounts in a particular directory, open multiple Workgroup Manager windows by clicking the New Window icon in the toolbar or by choosing Server > New Workgroup Manager Window.
• To administer accounts in the selected directory, click the Accounts icon in the toolbar; then click the Users, Groups, Computers, or Computer Groups button on the left side of the window to list the accounts that exist in the directories you are working with.
• To filter the displayed account list, use the pop-up search menu above the accounts list.
• To work with managed preferences, select an account (or several accounts) and then click the Preferences icon in the toolbar.
• To import or export user and group accounts, choose Server > Import or Server > Export.
• To view onscreen help, use the Help menu. The Help menu gives you access to help for administration tasks available through Workgroup Manager, as well as other Mac OS X Server topics.
• To open Server Admin so you can monitor and work with services on a server, click the Server Admin icon in the Workgroup Manager toolbar. For information about Server Admin, see Server Administration.

Modifying Workgroup Manager Preferences

You can change Workgroup Manager preferences to customize how records are displayed and to enable the Inspector, which is an advanced directory domain editor.

Workgroup Manager includes the following preferences.
Preference: Resolve DNS names when possible
Description: (Default: on) Disabling this preference causes Workgroup Manager to stop resolving DNS names when writing data. If you're having DNS issues, disabling this can help mitigate the effect of those DNS issues (but you should fix those issues).

Preference: Show "All Records" tab and inspector
Description: (Default: off) Enabling this preference enables the Inspector. The Inspector allows you to see and edit directory data not otherwise visible in Workgroup Manager. For more information, see Open Directory Administration.

Preference: Limit search results to requested records
Description: (Default: off) When you don't enter anything in the search field, by default, Workgroup Manager lists all user records in the selected directory domain. Disabling this preference requires you to enter "*" (without quotes) to list all records, which can expedite working with large directory domains in Workgroup Manager (because Workgroup Manager doesn't automatically list all records).

Preference: List a maximum of # records
Description: (Default: off) Enabling this preference limits the maximum number of search results to a number you specify. Enabling this preference and setting a reasonable maximum number can improve Workgroup Manager performance. However, setting the number too low can cause you to overlook the total number of matches.

To set Workgroup Manager preferences:
1 In Workgroup Manager, choose Workgroup Manager > Preferences.
2 Select the preferences you want to change.
3 To reset the warning messages you've marked as "Don't show again," click "Reset 'Don't show again' messages."
4 Click OK.

Finding and Listing Accounts

Workgroup Manager provides several methods for finding and listing user accounts, group accounts, computer accounts, and computer groups.
Working with Account Lists in Workgroup Manager

In Workgroup Manager, user accounts, group accounts, computer accounts, and computer groups are listed on the left side of the Workgroup Manager window.

The following settings influence the contents and appearance of the list:
• Workgroup Manager preferences control the maximum number of records shown and whether you want to enable the Inspector (which allows you to view or edit raw directory data). To set up Workgroup Manager preferences, choose Workgroup Manager > Preferences.
• The list reflects the directory you've chosen from the globe icon. If you connect to the directory server, the accounts in the parent directory domain are listed. If you do not connect to the directory server, local accounts are listed. The listed domains are the local directory domain, all directory domains in the server's search policy, and all available directory domains (domains the server is configured to access, even if not in the search policy). For instructions on configuring a server to access directory domains, see Open Directory Administration. After you choose directory domains, all accounts residing in those domains are listed.
• You can list users, groups, computers or computer groups by clicking the Users, Groups, Computers, or Computer Groups buttons above the search filter.
• To sort a list, click a column heading. An arrow shows the sort order (ascending or descending), which you can reverse by clicking the column heading again.
• You can search for specific items in the list by typing in the field above the accounts list. To choose the search criteria, use the Search (magnifying glass) pop-up menu.

To work with accounts, select them. Settings for the selected accounts appear in the pane to the right of the list. Available settings vary, depending on which pane you're viewing.

Listing Accounts in the Local Directory Domain

When you list accounts in the local directory domain, you list all local accounts.
These local accounts can only be accessed by users of the local computer or server, not by users of client computers.

Services and programs running on a server can access the server's local directory domain. Programs running on a client computer, such as the client computer's login window, can't access the server's local directory domain.

If a server hosts file services, users with accounts from the server's local directory domain can authenticate with the file services. User accounts from the server's local directory domain can't be used to authenticate in the login window on client computers, because the login window is a process running on the client computer.

To list accounts in a server's local directory domain:
1 In Workgroup Manager, connect to the server hosting the domain; then click the globe icon and choose Local. For servers running Mac OS X Server v10.5 or later, the local directory domain is listed as /Local/Default.
2 Choose from the following:
  • To view user accounts, click the Users button.
  • To view group accounts, click the Groups button.
  • To view computer accounts, click the Computers button.
  • To view computer groups, click the Computer Groups button.
3 To work with a particular account, select it. Changing account settings or preferences requires server administrator privileges, so you may need to click the lock to authenticate.

Listing Accounts in Search Policy Directory Domains

A computer's search policy specifies which directory domains Open Directory can access. The search policy also specifies the order in which Open Directory accesses directory domains.

By listing accounts in a search policy, you list the accounts on all directory domains in the search policy. You can't edit accounts when listing accounts in a search policy. For more information about how to set up search policies, see Open Directory Administration.
To list accounts in search policy domains of the server you're working with:
1 In Workgroup Manager, connect to a server that has a search policy containing the directory domains of interest.
2 Click the globe icon and choose Search Policy.
3 Choose from the following:
  • To view user accounts, click the Users button.
  • To view group accounts, click the Groups button.
  • To view computer accounts, click the Computers button.
  • To view computer groups, click the Computer Groups button.

Listing Accounts in Available Directory Domains

Using Workgroup Manager, you can list user accounts, group accounts, computer accounts, and computer groups residing in any available directory domain accessible from the server you're connected to.

Available directory domains are not the same as directory domains in a search policy. A search policy consists of the directory domains a server searches routinely when it needs to retrieve accounts. However, the same server might be configured to access directory domains that haven't been added to its search policy. To learn how to configure access to directory domains, see Open Directory Administration.

To list accounts in a directory domain accessible from a server:
1 In Workgroup Manager, connect to a server where you can access the directory domains.
2 Click the globe icon and then choose the domain where the user's account resides. If the directory domain is not listed, add it to the pop-up menu by choosing Other. In the dialog that appears, select the domain and then click OK.
3 Choose from the following:
  • To view user accounts, click the Users button.
  • To view group accounts, click the Groups button.
  • To view computer accounts, click the Computers button.
  • To view computer groups, click the Computer Groups button.
4 To work with a particular account, select it. Changing the account requires domain administrator privileges, so you might need to click the lock to authenticate.
Refreshing Account Lists

If more than one administrator makes changes to directory domains, make sure you're viewing the current list of user accounts, group accounts, computer accounts, and computer groups by refreshing the lists.

To refresh account lists, click Refresh in the toolbar. Alternatively, click the globe icon and then choose the directory domain you're working in from the pop-up menu.

Finding Specific Accounts in a List

After you've displayed a list of accounts in Workgroup Manager, you can filter the list to find particular users or groups.

You can choose from several filters:
• Name Contains
• Name Starts With
• Name Ends With
• Name Is
• ID Is
• ID Is Greater Than
• ID Is Less Than
• Comment Contains
• Keyword Contains

To filter items in the list of accounts:
1 After listing accounts, click the Users, Groups, Computers, or Computer Groups button.
2 Click the Search (magnifying glass) pop-up menu, choose an option to describe what you want to find, and then type search terms in the search field. The original list is replaced by items that satisfy your search criteria. If you enter a user name, both full and short user names are searched. If you enter a group name, short group names are searched.
3 When the domains you're working with contain thousands of accounts, choose Workgroup Manager > Preferences and do the following:

  To do this: Avoid listing accounts until a filter is specified
  Do this: Select "Limit search results to requested records."

  To do this: List all accounts in the selected directory domain
  Do this: Type "*" (without quotes) in the search field.

  To do this: Specify the maximum number of accounts to list
  Do this: Select "List a maximum of n records," and then enter a number no greater than 32,767.

Using Advanced Search

Use the Search button in the toolbar to locate specific users or groups by searching several fields relevant to them. You can then batch-edit these search results.
For more information about batch editing, see "Editing Multiple Accounts Simultaneously" on page 51.

You can search across several fields:
• Record Name
• Real Name
• User ID
• Comment
• Keyword
• Group ID

There are several field options:
• Is less than
• Is greater than
• Is
• Contains

To locate users or groups in the Accounts or Preferences panes:
1 In the Workgroup Manager toolbar, click Search. You can also click the Search (magnifying glass) button in the search field above the accounts list and then choose Advanced Search.
2 Choose a field to search, a field option, and then enter the text you want to search.
3 Click the Add (+) button to add search criteria.
4 Save, rename, or delete a preset by using the Search Presets pop-up menu.
5 After you define your search, click Search Now.

After receiving search results, you can clear the search to revert to your default display or edit the search to refine it further. While editing the search, you can save the search as a preset for later use.

Sorting Users and Groups

After displaying a list of accounts in Workgroup Manager, click a column heading to sort entries using the values in that column. Click the heading again to reverse the sort order.

Shortcuts for Working with Accounts

Workgroup Manager provides shortcuts for applying the same settings to new or existing accounts. You can also import user and group account information from a file.

Using Presets

You can select settings for a user account, group account, or computer group, and save them as presets. Presets work like templates, allowing you to apply predefined settings to a new account. Using presets, you can easily set up multiple accounts with similar settings.

You can only use presets during account creation. You can't use a preset to modify an existing account. You can use presets when creating accounts manually, or when importing them from a file.
If you change a preset after it has been used to create an account, accounts already created using the preset are not updated to reflect those changes.
