Apple 10.5 Leapard - Manual

Contents 7 108 About Computer Groups 108 Differences Between Computer Groups and Computer Lists 108 Administering Computer Groups 108 Creating a Computer Group 109 Creating a Preset for Computer Groups 110 Using a Computer Group Preset 111 Adding Computers or Computer Groups to a Computer Group 111 ...

8 Contents 137 Considerations for Using Mobile Accounts 139 Strategies for Syncing Content 140 Setting Up Mobile Accounts for Use on Portable Computers 140 Configuring Portable Computers 141 Managing Mobile Clients Without Using Mobile Accounts 141 Unknown Mac OS X Portable Computers 142 Using Mac O...

Contents 11 232 Adding to the Preference Editor’s List 234 Editing Application Preferences with the Preference Editor 235 Removing an Application’s Managed Preferences in the Preference Editor 236 Using the Preference Editor to Manage Core Services 237 Using the Preference Editor to Manage Safari Ch...

12 Contents Appendix 251 Importing and Exporting Account Information 251 Understanding What You Can Import and Export 252 Limitations for Importing and Exporting Passwords 252 Maintaining GUIDs When Importing from Earlier Versions of Mac OS X Server 253 Archiving the Open Directory Master 253 Using ...

13 P refac e About This Guide This guide explains how to use Workgroup Manager to set up and manage accounts and preferences for clients. Mac OS X Server includes Workgroup Manager, a user management tool you can use to create and manage accounts. When managing accounts, you can define core account ...

14 Preface About This Guide You can enable these features by managing Mobility preferences. For more information, see Chapter 8, “Managing Portable Computers.” Â New managed preferences. Preferences now let you manage Parental Controls, Dashboard, Front Row, and Time Machine. Existing preferences ha...

Preface About This Guide 15 Using Onscreen Help You can get task instructions onscreen in the Help Viewer application while you’re managing Leopard Server. You can view help on a server or an administrator computer. (An administrator computer is a Mac OS X computer with Leopard Server administration...

16 Preface About This Guide Mac OS X Server Administration Guides Getting Started covers installation and setup for standard and workgroup configurations of Mac OS X Server. For advanced configurations, Server Administration covers planning, installation, setup, and general server administration. A ...

Preface About This Guide 17 Viewing PDF Guides Onscreen While reading the PDF version of a guide onscreen: Â Show bookmarks to see the guide’s outline, and click a bookmark to jump to the corresponding section. Â Search for a word or phrase to see a list of places where it appears in the document. C...

18 Preface About This Guide Getting Documentation Updates Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides. Â To view new onscreen help topics for a server application, make sure your server or administrator com...

1 19 1 User Management Overview This chapter introduces user management concepts and describes the applications used to manage accounts and privileges. User management encompasses everything from setting up accounts for network access and creating home folders, to fine-tuning the user experience by ...

20 Chapter 1 User Management Overview Using Workgroup Manager with Mac OS X Server services, you can:  Customize the work environments of network users by organizing their desktop resources and personal files  Enable services that require user accounts, such as mail, file sharing, iChat service, a...

Chapter 1 User Management Overview 21 Server Preferences If you use the standard or workgroup configuration of Mac OS X Server, you can use Server Preferences to configure key features of collaboration and file services. Its streamlined approach allows novice system administrators to quickly configu...

22 Chapter 1 User Management Overview You can use NetInstall to upgrade operating systems, install software updates and custom software packages, or re-image desktop and portable computers. You can create custom installation packages for various departments in an organization, such as marketing, eng...

Chapter 1 User Management Overview 23 Administrator Accounts Users with server administration or directory domain administration privileges are known as administrators. An administrator can be a server administrator, domain administrator, or both. Server administrator privileges determine whether a ...

24 Chapter 1 User Management Overview When you assign full directory domain administration privileges to a user, the user is added to the “admin” group in the directory domain. This does not grant the user local admin privileges on the servers hosting this directory domain or on any other servers or...

Chapter 1 User Management Overview 25 For some services, like Apple Filing Protocol (AFP), you can let guest users access files. Instead of authenticating with a name and a password, a guest user connects as a guest, not as a registered user. Guests are restricted to files and folders with permissio...

26 Chapter 1 User Management Overview For more information about setting up computer accounts, see Chapter 6, “Setting Up Computers and Computer Groups.” To specify preferences for Mac OS X computer accounts, see Chapter 10, “Managing Preferences.” Guest Computers Most computers on your network shou...

Chapter 1 User Management Overview 27 The following illustration shows a user logging in to an account in a directory domain in the computer’s search policy. After login, the user can connect to a remote server to access its services (if the user’s account is located in the server’s search policy). ...

28 Chapter 1 User Management Overview Prior to Mac OS X v10.4, Mac OS X used user ID and POSIX permissions to track folder and file permissions. In Mac OS X, folders or files include POSIX permissions for entities such as:  Owner  Group  Everyone else Because GUIDs are 128-bit values, duplicate G...

Chapter 1 User Management Overview 29 ACLs and POSIX Permissions Every file and folder has POSIX permissions. Unless an administrator assigns ACL permissions, POSIX permissions continue to define user access. If you assign ACL permissions, they take precedence over standard POSIX permissions. If a f...

2 31 2 Getting Started with User Management This chapter provides information about planning and setting up a user management environment. To create an effective user management environment, you must carefully plan your network. Then, when deploying the network, you must systematically and methodica...

32 Chapter 2 Getting Started with User Management Make sure that read-only directory domains (such as LDAPv2, read-only LDAPv3, or BSD flat files) are configured to support Mac OS X Server and that they provide necessary account data. To make the directory compatible, you must add, modify, and reorg...

Chapter 2 Getting Started with User Management 33 For information about setting up home folders using AFP, NFS, or SMB, see Chapter 7, “Setting Up Home Folders.” Step 5: Create user accounts and home folders You can use Workgroup Manager to create user accounts in directories that reside on Mac OS X...

34 Chapter 2 Getting Started with User Management  For information about how to work with Mac OS X group accounts and group folders, see Chapter 5, “Setting Up Group Accounts.”  For information about how to add a group folder to the dock to make it more accessible to users, see Chapter 10, “Managi...

Chapter 2 Getting Started with User Management 35 Â What services and resources users need (such as mail or access to data storage) Â How to divide users into groups (for example, by class topic or job function) Â How to group computers (such as all computers in a public lab) Identifying Directory S...

36 Chapter 2 Getting Started with User Management If you use network home folders, they require one dedicated home folder server for every 150 concurrent connections. If you use mobile accounts with portable home directories, you need one dedicated home folder server for every 300 concurrent connect...

Chapter 2 Getting Started with User Management 37 When users save files in network home folders, the files are stored on the server. Additionally, when users access home folders, even for common tasks like caching webpages, the users’ computers must retrieve these files from the server. Using networ...

38 Chapter 2 Getting Started with User Management A user’s network home folder doesn’t need to be stored on the same server as the directory containing the user’s account. In fact, distributing directory domains and home folders across multiple servers can help balance your network load. This scenar...

3 41 3 Getting Started with Workgroup Manager This chapter provides instructions for setting up Workgroup Manager and using its core features. Workgroup Manager is the primary application for managing client computers. You can use Workgroup Manager to create accounts and manage preferences. Configur...

42 Chapter 3 Getting Started with Workgroup Manager 3 If you are managing preferences that use specific paths to find files (such as Dock preferences), make sure the administrator computer has the same file system structure as each managed client computer. This means that folder names, volumes, the ...

Chapter 3 Getting Started with Workgroup Manager 43 Connecting and Authenticating to Directory Domains in Workgroup Manager When you install your server or set up an administrator computer, Workgroup Manager is installed in /Applications/Server/. Use the Finder to open the application, or click its ...

44 Chapter 3 Getting Started with Workgroup Manager Major Workgroup Manager Tasks After login, the Accounts pane appears (see below), showing a list of user accounts. Initially, the user accounts listed are those stored in the last directory domain of the server’s search policy. Here is how to get s...

Chapter 3 Getting Started with Workgroup Manager 45 Â To view onscreen help, use the Help menu. The Help menu gives you access to help for administration tasks available through Workgroup Manager, as well as other Mac OS X Server topics. Â To open Server Admin so you can monitor and work with servic...

46 Chapter 3 Getting Started with Workgroup Manager Finding and Listing Accounts Workgroup Manager provides several methods for finding and listing user accounts, group accounts, computer accounts, and computer groups. Working with Account Lists in Workgroup Manager In Workgroup Manager, user accoun...

Chapter 3 Getting Started with Workgroup Manager 47 User accounts from the server’s local directory domain can’t be used to authenticate in the login window on client computers, because the login window is a process running on the client computer. To list accounts in a server’s local directory domai...

48 Chapter 3 Getting Started with Workgroup Manager Listing Accounts in Available Directory Domains Using Workgroup Manager, you can list user accounts, group accounts, computer accounts, and computer groups residing in any available directory domain accessible from the server you’re connected to. A...

Chapter 3 Getting Started with Workgroup Manager 49  Name Starts With  Name Ends With  Name Is  ID Is  ID Is Greater Than  ID Is Less Than  Comment Contains  Keyword Contains To filter items in the list of accounts: 1 After listing accounts, click the Users, Groups, Computers, or Computer Gr...

50 Chapter 3 Getting Started with Workgroup Manager There are several field options:  Is less than  Is greater than  Is  Contains To locate users or groups in the Accounts or Preferences panes: 1 In the Workgroup Manager toolbar, click Search. You can also click the Search (magnifying glass) but...

Chapter 3 Getting Started with Workgroup Manager 51 For more information about how to create presets, see “Creating a Preset for User Accounts” on page 61. Editing Multiple Accounts Simultaneously You can edit settings (if they don’t need to be unique) for multiple user accounts, group accounts, or ...

52 Chapter 3 Getting Started with Workgroup Manager For example, suppose you select three group accounts that each have different settings for the Dock size. When you look at the Dock Display preference pane for these accounts, the Dock Size slider is centered and has a dash on it. If you change the...

Chapter 3 Getting Started with Workgroup Manager 53 Importing and Exporting Account Information You can use XML or character-delimited text files to import and export user and group account information. Importing information can make it easier to set up many accounts quickly. Exporting information t...

4 55 4 Setting Up User Accounts This chapter tells you how to set up, edit, and manage user accounts. User accounts give users unique identities on your network and allow you to manage those users. You can use Workgroup Manager to view, create, edit, and delete user accounts. To view user accounts i...

56 Chapter 4 Setting Up User Accounts A Windows user account that is not stored in the PDC server’s LDAP directory can be used to access other services. For example, Mac OS X Server can authenticate users with accounts in the server’s local directory domain for the server’s Windows file service. Mac...

Chapter 4 Setting Up User Accounts 57 Administering User Accounts You can view, create, edit, and delete user accounts stored in various kinds of directory domains. Creating User Accounts To create a user account in a directory domain, you must have administrator privileges for the domain. To create...

58 Chapter 4 Setting Up User Accounts 3 Click the globe icon and then choose the domain where you want the user’s account to reside. For Mac OS X Server v10.5 or later, Local and /Local/Default refer to the local directory domain. 4 To authenticate, click the lock and enter the name and password of ...

Chapter 4 Setting Up User Accounts 59 For details, see “Working with Basic Settings” on page 63 through “Working with Windows Settings” on page 85. From the Command Line You can also edit user account information using the dscl command in Terminal. For more information, see the users and groups chap...

60 Chapter 4 Setting Up User Accounts Working with Windows User Accounts Use Workgroup Manager to change passwords, password policies, and other settings in Windows user accounts. The user accounts can reside in a server’s local directory domain, a Mac OS X Server PDC LDAP directory, or another dire...

Chapter 4 Setting Up User Accounts 61 From the Command Line You can also disable a user account using the dscl and pwpolicy commands in Terminal. For more information, see the users and groups chapter of Command-Line Administration . Working with Presets Presets are templates used to define attribut...

62 Chapter 4 Setting Up User Accounts Using Presets to Create Accounts Presets provide a quick way to apply settings to a new account. After applying the preset, you can continue to modify settings for the new account, if necessary. You can use presets with user, group, and computer group accounts. ...

Chapter 4 Setting Up User Accounts 63 You edit a preset by using it to create an account, changing fields defined by the preset, and then saving the preset. To edit a preset: 1 In Workgroup Manager, click Accounts. 2 Click the globe icon and then choose the directory domain with the preset you want ...

64 Chapter 4 Setting Up User Accounts A user name can contain no more than 255 bytes. Because long user names support various character sets, the maximum number of characters for long user names ranges from 255 Roman characters to as few as 63 characters in character sets where characters occupy up ...

Chapter 4 Setting Up User Accounts 65 For the first short user name, use only these characters (subsequent short names can contain any Roman character):  a through z  A through Z  0 through 9  _ (underscore)  - (hyphen) Typically, short names contain eight or fewer characters. Initially, the va...

66 Chapter 4 Setting Up User Accounts To change a user’s first short name, create a new account for the user in the same directory domain that contains the new first short name and retain all other account information (user ID, primary group, home folder, and so on). Make sure you use the same GUID ...

Chapter 4 Setting Up User Accounts 67 Modifying User IDs A user ID is a number that uniquely identifies a user. Mac OS X computers use the user ID to track a user’s folder and file ownership. When a user creates a folder or file, the user ID is stored as the ID of the user who created the folder or ...

68 Chapter 4 Setting Up User Accounts Make sure the value is unique for all directory domains set in the search policy of computers that the user logs in to. Workgroup Manager warns you if you change the value to another user ID in the same directory domain. You can quickly find all existing user ID...

Chapter 4 Setting Up User Accounts 69 3 Click the globe icon and choose Local. 4 Click the lock and enter the name and password of a local administrator. 5 Click the globe icon and choose the directory domain where the user’s account resides. 6 Click the lock and enter the name and password of a dir...

70 Chapter 4 Setting Up User Accounts Working with Privileges You can give a user account full or limited control over domain administration. When giving limited administrative control, you can choose which users and groups the user can administer, and what kind of control the user has over those us...

Chapter 4 Setting Up User Accounts 71 The following tasks are available to limited administrators: If you give a user different administrative capabilities at several account levels, the capabilities are merged. For example, let’s say a user named Anne Johnson is a member of the Algebra 101 group, a...

72 Chapter 4 Setting Up User Accounts Giving a User Full Administrative Capabilities A user with full administrative capabilities is also known as a directory domain administrator . Directory domain administrators can modify any records in the directory domain and are the only users who can change t...

Chapter 4 Setting Up User Accounts 73 Allowing a User to Log In to More Than One Computer At a Time You can allow a managed user to log in to more than one managed computer at a time, or you can prevent the user from doing so. Note: Simultaneous login is not recommended for most users. You may want ...

74 Chapter 4 Setting Up User Accounts 4 To specify the user’s default shell when logging in to a Mac OS X computer, choose a shell from the Login Shell pop-up menu. To specify a shell that doesn’t appear in the list, choose Custom and then enter the path to the shell. To ensure that a user can’t acc...

Chapter 4 Setting Up User Accounts 75 If you choose Shadow Password, you can also select authentication methods by clicking Security. 6 Click Save. Creating a Master List of Keywords You can define keywords that enable quick searching and sorting of user accounts. Using keywords can simplify tasks s...

76 Chapter 4 Setting Up User Accounts To work with keywords for a user account: 1 In Workgroup Manager, click Accounts. 2 Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the user accoun...

Chapter 4 Setting Up User Accounts 77 Working with Group Settings Group settings identify the groups a user belongs to. In Workgroup Manager, use the Group Settings pane in the user’s account to work with group settings. For information about how to administer group accounts, see Chapter 5, “Setting...

78 Chapter 4 Setting Up User Accounts Workgroup Manager displays long and short names for the group after you enter a primary group ID (if the group exists and is accessible in the search policy of the server you’re logged in to). Reviewing a User’s Group Memberships You can use Workgroup Manager to...

Chapter 4 Setting Up User Accounts 79 To add a user to a group using Workgroup Manager: 1 In Workgroup Manager, click Accounts. 2 Select the user account you want to work with. To select the account, click the globe icon, choose the directory domain where the account resides, and then select the use...

80 Chapter 4 Setting Up User Accounts Working with Mail Settings You can create a mail account by specifying mail settings in the user account. To use the mail service account, the user configures a mail client to identify the user name, password, mail service, and mail protocol you specify in the m...

Chapter 4 Setting Up User Accounts 81 Disabling a User’s Mail Service You can use Workgroup Manager to disable mail service for users whose accounts are stored in an Open Directory domain, the local directory domain, or other read/write directory domain. To disable a user’s mail service using Workgr...

82 Chapter 4 Setting Up User Accounts In Workgroup Manager, use the Print Quota pane in the user account to work with print quota settings. Enabling a User’s Access to All Available Print Queues You can use Workgroup Manager to allow a user to print to all or some of the accessible Mac OS X print qu...

Chapter 4 Setting Up User Accounts 83 6 To give the user unlimited printing rights to the queue, select “Unlimited printing”; otherwise, select “Limit to” and specify the maximum number of pages the user can print in a specific number of days. 7 Click Save. Removing a Print Quota For a Queue If you ...

84 Chapter 4 Setting Up User Accounts 3 To authenticate, click the lock and enter the name and password of a directory domain administrator. 4 Click Print Quota. 5 If you’re managing All Queues, click Restart Print Quota. 6 If you’re managing Per Queue, choose a print queue from the Queue Name pop-u...

Chapter 4 Setting Up User Accounts 85 Other users can view the information in this pane when they view the user account in Workgroup Manager and Directory. To change a user’s info: 1 In Workgroup Manager, click Accounts. 2 Select the user account you want to work with. To select the account, click t...

86 Chapter 4 Setting Up User Accounts To change the Windows roaming profile location for a user account: 1 In Workgroup Manager, click Accounts. 2 Open the user account whose profile location you want to change. To open a user account in the PDC, click the globe icon and choose the PDC server’s LDAP...

Chapter 4 Setting Up User Accounts 87 Enter the relative path to a login script in /etc/netlogon/ on the PDC server. For example, if an administrator places a script named setup.bat in /etc/netlogon/, the Login Script field should contain “setup.bat.” 5 Click Save. Changing a Windows User’s Home Fol...

88 Chapter 4 Setting Up User Accounts To view a user or group GUID: 1 In Workgroup Manager, click Accounts. 2 Make sure the directory services of the Mac OS X Server computer you’re using are configured to access the directory domain. 3 Click the globe icon and then choose the domain where the accou...

5 89 5 Setting Up Group Accounts This chapter tells you how to set up, edit, and manage group accounts. A group account offers a simple way to manage a collection of users with similar needs. You can also create group folders, which provide an easy way for group members to share files with each othe...

90 Chapter 5 Setting Up Group Accounts Where Group Accounts Are Stored Group accounts can be stored in any Open Directory domain. A directory domain can reside on a Mac OS X computer (for example, an Open Directory domain) or it can reside on a non-Apple server (for example, an LDAP or Active Direct...

Chapter 5 Setting Up Group Accounts 91 Administering Group Accounts Workgroup Manager lets you administer group accounts stored in multiple directory domains. Creating Group Accounts To create a group account in a directory domain, you must have domain administrator privileges. You can also create g...

92 Chapter 5 Setting Up Group Accounts You can also use a preset or an import file to create a group. For details, see “Creating a Preset for Group Accounts,” and the appendix, “Importing and Exporting Account Information.” From the Command Line You can also create a group account using the dseditgr...

Chapter 5 Setting Up Group Accounts 93 4 To authenticate, click the lock and enter the name and password of a directory domain administrator. 5 Click the Groups button and select the group you want to work with. 6 Edit settings for the group in the panes provided. For details, see “Working with Basi...

94 Chapter 5 Setting Up Group Accounts 5 To create a group, click the Groups button. 6 In the Members pane, click the Add (+) button to open a drawer that lists the users and groups defined in the directory domain you’re working with. Make sure the group account resides in a directory domain specifi...

Chapter 5 Setting Up Group Accounts 95 To work with read-only groups: 1 In Workgroup Manager, click Accounts. 2 Make sure that the directory services of the Mac OS X Server computer you’re using are configured to access the directory domain where the account resides. For information about using Dire...

96 Chapter 5 Setting Up Group Accounts Because long group names support various character sets, the number of characters for long group names can range from 255 Roman characters to as few as 63 characters (for character sets in which characters occupy up to 4 bytes). Â A short group name contains as...

Chapter 5 Setting Up Group Accounts 97 You can use Workgroup Manager to edit the ID for a group account stored in an Open Directory domain or the local domain, or to review the group ID in any directory domain accessible from the server you’re using. The group ID is associated with group privileges ...

98 Chapter 5 Setting Up Group Accounts Enabling a Group’s Web Services Mac OS X Server v10.5 includes Groups, a feature that allows groups to easily create a collaborative website. This website uses calendar, wiki, and blog technology to streamline group communication. You can also set up a mailing ...

Chapter 5 Setting Up Group Accounts 99 5 Select the services you want to enable. You can only select services that are not disabled by your web server. 6 Choose who can view the group website by using the “can view these services” pop-up menu. This option applies to viewing the wiki, blog, calendar,...

100 Chapter 5 Setting Up Group Accounts 3 To authenticate, click the lock and enter the name and password of a directory domain administrator. 4 In the Members pane, click the Add (+) button to open a drawer that lists the users and groups defined in the directory domain you’re working with. Make su...

Chapter 5 Setting Up Group Accounts 101 For example, to set a multimedia lab computer specifically for a movie-editing class, you could set Dock preferences for the movie-editing workgroup to display only iMovie and the group folder. Because the group folder is in the Dock, it provides an easily acc...

Chapter 5 Setting Up Group Accounts 103 6 In the Owner Name fields, enter the short name and long name of the user you want to assign as the owner of the group folder so the user can act as group folder administrator. To choose an owner from a list of users in the current directory domain, click the...

6 105 6 Setting Up Computers and Computer Groups This chapter tells you how to set up and manage individual computers and groups of computers. To manage an individual computer, you must create a computer account. To manage a group of computers, you must create a computer group composed of computer a...

106 Chapter 6 Setting Up Computers and Computer Groups When a computer starts up, Mac OS X tries to match the computer’s Ethernet address with a computer account. If a matching computer account is found, the computer uses the managed preferences for that computer account and the computer groups it b...

Chapter 6 Setting Up Computers and Computer Groups 107 If keywords that you want to associate aren’t listed in the master keyword list, click Edit Keywords, click the Add (+) button, enter a name for the keyword, and click OK. Select the keywords you want to associate with the computer and click OK....

108 Chapter 6 Setting Up Computers and Computer Groups Important: Don’t create computer accounts for Windows 2000 or Windows XP computers. If you do so, they may not be usable for domain login. Instead, use the Windows software on these computers to join them to the Windows domain. For information, ...

Chapter 6 Setting Up Computers and Computer Groups 109 Â A computer group is a group of computers that have the same preference settings and are available to the same users and groups. Â You can add up to 2000 computers to a computer group. You can create hierarchical groups to manage computers with...

110 Chapter 6 Setting Up Computers and Computer Groups Using presets, you can easily set up multiple computer groups that use similar settings. However, you can only use presets when creating a computer group. You can’t use a preset to change a computer group. To set up a preset for computer groups:...

Chapter 6 Setting Up Computers and Computer Groups 111 4 Click the Computer Groups button (on the left) and then click Basic. 5 From the Presets pop-up menu, choose a preset. 6 Choose Server > New Computer Group (or click New Computer Group in the toolbar). 7 Add or update settings as needed and ...

112 Chapter 6 Setting Up Computers and Computer Groups 5 Click the Remove (–) button and then click Save. Deleting a Computer Group If you no longer need a computer group, you can use Workgroup Manager to delete it. To delete a computer group: 1 In Workgroup Manager, click Accounts. 2 Select the com...

7 113 7 Setting Up Home Folders This chapter provides guidelines for setting up and managing home folders. Mac OS X uses the home folder—a folder for a user’s personal use—to store the user’s application preferences and personal files, like documents and music. To set up share points that host home ...

114 Chapter 7 Setting Up Home Folders The home folder you designate in the Home pane can be used when logging in from a Windows workstation or a Mac OS X computer. This can be helpful for a user whose account resides on a server that is a Windows primary domain controller (PDC). There are additional...

Chapter 7 Setting Up Home Folders 115 The default share point for Windows home folders is the same as the share point for Mac OS X home folders. The default share point for user profiles is the /Users/Profiles/ folder on the PDC and BDC servers. ( This SMB share point is not shown in Workgroup Manag...

116 Chapter 7 Setting Up Home Folders Step 3: Create the user accounts in the shared domain on the accounts server For information about specifying which share point is used for a user’s home folder, see “Administering Home Folders” on page 121. Step 4: Set up the directory services of the client co...

Chapter 7 Setting Up Home Folders 117 Setting Up an Automountable AFP Share Point for Home Folders You can use Server Admin to set up an AFP share point for home folders. Home folders for user accounts stored in shared directory domains (such as an Open Directory domain) can reside in any AFP share ...

118 Chapter 7 Setting Up Home Folders 11 Click Protocol Options. 12 In AFP, select “Share this item using AFP” and “Allow AFP guest access.” When you enable guest access, it is enabled for all home folders in the share point. By default, in home folders guests can only access /Public and /Sites fold...

Chapter 7 Setting Up Home Folders 119 3 To view a list of available services, use the disclosure triangle next to your server. If Server Admin doesn’t list the NFS service, click the Add (+) button, choose Add Service, select NFS, and then click Save. 4 Select the NFS service, then if NFS is not run...

120 Chapter 7 Setting Up Home Folders  Set the default permissions for new files and folders in the share point SMB share points can’t be used for Mac OS X home folders, but can be used for Windows home folders. Note: Don’t use a slash (/) in the name of a folder or volume you plan to share. Users ...

Chapter 7 Setting Up Home Folders 121 Important: Do not enable oplocks for a share point that’s using a protocol other than SMB. For more information on oplocks, see File Services Administration . Â To set standard locks on server files, select “Enable strict locking.” Note: For servers earlier than...

122 Chapter 7 Setting Up Home Folders To open a directory domain, click the globe icon and choose from the pop-up menu. To authenticate, click the lock. 3 Click the Users button and select one or more user accounts. 4 Click Home and select (None) from the list. 5 Click Save. Creating a Home Folder f...

Chapter 7 Setting Up Home Folders 123 8 Click Create Home Now and then click Save. If you do not click Create Home Now before clicking Save, the home folder is created the next time the user logs in remotely. However, only certain clients can connect to servers hosting share points in the local doma...

124 Chapter 7 Setting Up Home Folders 3 To authenticate, click the lock and enter the name and password of a directory domain administrator. 4 Click Home; then in the share points list select the share point you want to use. The list displays all automountable network-visible share points in the sea...

Chapter 7 Setting Up Home Folders 125 The share point for a local user account’s home folder should reside in an AFP share point on the server where the user account resides. This share point does not need to be automountable—that is, it does not require a network mount record in the directory domai...

126 Chapter 7 Setting Up Home Folders For example, to create a home folder for a user named Smith, in a custom location of /Homes/Teachers/SecondGrade/, enter “Teachers/SecondGrade/Smith.” Make sure the custom location folder exists. Do not put a slash (/) at the beginning or the end of the path. 9 ...

Chapter 7 Setting Up Home Folders 127 Note: Home folders are created the first time a user logs in only on share points served through an AFP or SMB server. NFS home folders must be created manually. Setting Up a Home Folder for a Windows User Using Workgroup Manager, you can set up a network home f...

Chapter 7 Setting Up Home Folders 129 Setting Disk Quotas You can limit the disk space users have available to store files in the volume where their home folders reside. This quota applies to all files that the user stores in the volume where his or her home folder resides, including all files store...

130 Chapter 7 Setting Up Home Folders Setting Disk Quotas for Windows Users to Avoid Data Loss A disk quota that applies to a Windows user’s roaming profile folder must be large enough to cover the user’s expected data storage needs for a work session. A Mac OS X Server PDC enforces quotas on a roam...

8 131 8 Managing Portable Computers This chapter provides information about tools available to manage portable computers. Mac OS X Server allows you to create and manage mobile accounts for users of portable computers. About Mobile Accounts If your organization uses portable computers, assign mobile...

132 Chapter 8 Managing Portable Computers About Portable Home Directories A portable home directory is a synced subset of a user’s local and network home folders. You can configure which folders to sync and how often to sync them. Users can also initiate syncing. By syncing key folders, a user can w...

Chapter 8 Managing Portable Computers 133 Logging In to Mobile Accounts If a user has created a portable home directory, logging in to a mobile account is similar to logging in to a local account. First, the user selects his or her account and then enters the correct password to complete the login. ...

134 Chapter 8 Managing Portable Computers Resolving Sync Conflicts When a user’s files and folders sync, a sync conflict can occur if a file in the user’s local home folder and the network home folder have two versions of a file and it is not clear which one should be saved. Sync conflicts usually o...

Chapter 8 Managing Portable Computers 135 All mobile accounts on Mac OS X v10.5 or later (including external accounts) can use FileVault to encrypt the contents of the local home folder. For more information, see “Enabling FileVault for Mobile Accounts” on page 205. For information about creating ex...

136 Chapter 8 Managing Portable Computers Considerations and Strategies for Deploying Mobile Accounts Before you deploy mobile accounts, carefully weigh the advantages and disadvantages of using mobile accounts and strategize how you will configure them. When you properly configure mobile accounts, ...

Chapter 8 Managing Portable Computers 137 Mobile accounts cache temporary files locally, improving network and individual computer performance. Locally caching files like webpages helps reduce network traffic. You can also reduce network traffic by carefully planning user sync settings. For informat...

138 Chapter 8 Managing Portable Computers Consider the following: Â Improperly set sync settings can cause long delays during login and logout and can create inconsistent home folders. Â If multiple users create a mobile account on the same computer, it could cause excessive proliferation of home fo...

Chapter 8 Managing Portable Computers 139 Mobile accounts can’t restore deleted files through syncing Although mobile accounts keep user files stored in two locations—in local and network home folders—they do not eliminate the need for a formal backup system. When you configure the user’s portable h...

140 Chapter 8 Managing Portable Computers  The user uses the same mobile account to log in to two computers simultaneously. This might create sync issues with the two computers, causing the computers to display error messages. Login and logout syncing should be carefully managed because a user’s lo...

Chapter 8 Managing Portable Computers 141 Create at least one local administrator account and create local user accounts as needed. Make sure the users’ local account names are not easily confused with the users’ network names. By creating an administrator account, you are preventing the user from h...

142 Chapter 8 Managing Portable Computers For more information about setting up a guest computer account for Mac OS X users, see “Working with Guest Computers” on page 107. Using Mac OS X Portable Computers with One Primary Local User You can also distribute portable computers with only local accoun...

144 Chapter 8 Managing Portable Computers Because multiple users can store items in the local home folder for a generic account, you might want to periodically clean out that folder as part of your maintenance routine. You might also recommend that students save files to a network drop box to ensure...

Chapter 8 Managing Portable Computers 145 If you enable the option, a server daemon updates the database of changed files. The user’s computer scans only the folders in the local home folder that have been modified since the last time the database was updated. To enable the option, TCP port 2336 mus...

9 147 9 Client Management Overview This chapter provides an introduction to Mac OS X client management. Client management is the centralized administration of your users’ computer experience, as shown in the following illustration. It’s usually implemented by: Â Managing access to network printers a...

148 Chapter 9 Client Management Overview Using Network-Visible Resources Mac OS X Server lets you make various resources visible throughout your network so users can access them from different computers and various locations. There are several key network-visible resources: Â Network home folders . ...

Chapter 9 Client Management Overview 149 Customizing the User Experience You manage a network user’s work environment by defining preferences—settings that customize and control the user’s computer experience. There are two panes in Workgroup Manager Preferences: Overview and Details. To manage pred...

150 Chapter 9 Client Management Overview Designing the Login Experience An example of the power of preference management is the ability to shape and control the user’s login experience. You can set up Login preferences for computers and computer groups to control the appearance of the login window. ...

Chapter 9 Client Management Overview 151 Choosing a Workgroup In addition to customizing the login window, you can manage login preferences that affect whether users choose workgroups. If you don’t manage login access preferences, after the user authenticates, a list of available workgroups appears ...

152 Chapter 9 Client Management Overview Any preferences associated with the user, the chosen workgroup, parent workgroups, and the computer being used, take effect upon login. If you manage login access preferences, you can customize the workgroup choosing process. For example, you could: Â Ensure ...

10 155 10 Managing Preferences This chapter provides information about managing preferences for users, workgroups, computers, and computer groups. By managing preferences for users, workgroups, computers, and computer groups, you can customize the user’s experience and restrict user access to only t...

156 Chapter 10 Managing Preferences Understanding Managed Preference Interactions You can define preferences for user accounts, group accounts, computers, and computer groups that are set up in a shared directory domain. Dock Dock location, behavior, and items. For more information, see “Managing Do...

Chapter 10 Managing Preferences 157 A user whose account has defined preferences is referred to as a managed user. An individual computer, or a computer that is a member of a computer group with defined preferences, is called a managed computer . A group with defined preferences is called a workgrou...

158 Chapter 10 Managing Preferences You could set up Media Access preferences for workgroups or computer groups to limit all students’ access but override these restrictions for lab assistants using Media Access settings at their user account level. You could also designate a specific computer for m...

Chapter 10 Managing Preferences 159 Computer group preferences also offer a way to manage the preferences of users who don’t have a network account but who can log in to a Mac OS X computer using a local account. ( The local account, defined using the Accounts pane of System Preferences, resides on ...

160 Chapter 10 Managing Preferences  Once is available for some preferences. You can create default preferences, which users can then modify and keep the modifications. These preferences are effectively unmanaged. For example, you could set up a group of computers to display the Dock in a certain w...

Chapter 10 Managing Preferences 161 Managing preferences means you can control settings for certain system preferences in addition to controlling user access to system preferences, applications, printers, and removable media. Information about settings and preferences in user, group, or computer rec...

162 Chapter 10 Managing Preferences 5 In each Preference pane, select a Manage option. In Media Access, the management setting applies to all preferences rather than to individual panes. 6 Select preference settings or fill in information you want to use. Some management settings are not available f...

Chapter 10 Managing Preferences 163 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. 3 Click the Computers button and...

164 Chapter 10 Managing Preferences You can use the Once setting to create default settings. These are settings that, when saved, take effect the next time users log in. Users can then modify their settings and save their modified settings for future use. To selectively disable preference management...

Chapter 10 Managing Preferences 165 Â If you don’t manage the Applications pane, Legacy settings take effect for any version of Mac OS X. Â If your users run Mac OS X v10.4 or earlier, only Legacy settings take effect. You can also use settings in Applications preferences to allow only specific widg...

166 Chapter 10 Managing Preferences Applications that include helper applications are denoted by a disclosure triangle. When you click the disclosure triangle, you’ll see a list of helper applications. By default, these helper applications are allowed to open. You can disable individual helper appli...

Chapter 10 Managing Preferences 167 6 Select “Restrict which applications are allowed to launch.” 7 Click the Applications tab (within the Applications pane), click the Add (+) button, choose an application you want to always allow, and then click Add. When you allow an application, you also allow a...

168 Chapter 10 Managing Preferences 8 To prevent users from opening specific widgets, select the widget and click the Remove (–) button. 9 Click Apply Now. Disabling Front Row With Workgroup Manager, you can disable Front Row. To disable Front Row: 1 In Workgroup Manager, click Preferences. 2 Make s...

Chapter 10 Managing Preferences 169 Allowing UNIX tools enhances application compatibility and efficient operation, but may decrease security. If you don’t manage Applications settings for computers running Mac OS X v10.5 or later, Legacy settings are used. To set up a list of accessible application...

170 Chapter 10 Managing Preferences The table below describes what settings in each Classic pane can do. Selecting Classic Startup Options Workgroup Manager provides a number of ways to control how and when the Classic environment starts. If users often work with applications that run in Classic, it...

Chapter 10 Managing Preferences 171 8 Click Apply Now. Choosing a Classic System Folder In most cases, there is only one Mac OS 9 System Folder on a computer, and it is on the Mac OS X startup disk. In this case, you don’t need to specify a Classic System Folder. If a computer has multiple Mac OS 9 ...

172 Chapter 10 Managing Preferences You can allow users to perform special actions, such as turning off extensions, starting or restarting Classic, or rebuilding the Classic desktop file, from the Advanced pane of Classic system preferences. You might want to allow this for specific users, such as m...

Chapter 10 Managing Preferences 173 To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. 3 Select one or more users, groups, computers, or computer groups. 4 Click Classic. 5 Click Advanced and ...

174 Chapter 10 Managing Preferences Maintaining Consistent User Preferences for Classic Ordinarily, Classic looks for a user’s Mac OS 9 preferences data in the Mac OS 9 System Folder. If a user has more than one computer, or if multiple users work on the same computer, make sure Classic uses prefere...

Chapter 10 Managing Preferences 175 To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. 3 Select one or more users, groups, computers, or computer groups. 4 Click Dock and then click Dock Displ...

176 Chapter 10 Managing Preferences 5 Click Dock and then click Dock Items. 6 Set the management setting to Once or Always. If you select Once, the group folder icon appears in the user’s Dock initially, but the user can remove it. 7 Select “Add group folder.” 8 Click Apply Now. If you change the lo...

Chapter 10 Managing Preferences 177 The My Applications folder contains aliases for approved applications listed in the Applications preference pane. If you do not manage the Applications preference, available applications are shown. If you enable Simple Finder, you should display the My Application...

178 Chapter 10 Managing Preferences The table below summarizes what you can control with settings in each Energy Saver pane. Using Sleep and Wake Settings for Desktop Computers Putting a computer to sleep saves energy because it turns off the display and stops the hard disk from running. Waking up f...

Chapter 10 Managing Preferences 179 7 To set wake and restart settings, choose Options from the Settings pop-up menu and do the following: 8 Click Apply Now. To manually wake up a sleeping computer or display, the user can click the mouse or press a key on the keyboard. Setting Energy Saver Settings...

180 Chapter 10 Managing Preferences 6 To adjust sleep settings, choose Sleep from the Settings pop-up menu and do the following: 7 To set wake and restart settings, choose Options from the Settings pop-up menu and do the following: 8 Click Apply Now. To manually wake up a sleeping computer or displa...

Chapter 10 Managing Preferences 181 Users should be encouraged to monitor battery status when not connected to external power and use a power adapter when possible to maintain a fully charged battery. To show battery status in the menu bar: 1 In Workgroup Manager, click Preferences. 2 Make sure the ...

182 Chapter 10 Managing Preferences 8 Click Apply Now. Managing Finder Preferences You can control various aspects of Finder menus and windows, which can help improve or control workflow. For example, you can simplify the user experience by enabling Simple Finder. You can also prevent users from wri...

Chapter 10 Managing Preferences 183 To turn on Simple Finder: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password ...

184 Chapter 10 Managing Preferences 4 Click Finder, click the Preferences tab, and then select a management setting. 5 Under “New Finder window shows,” choose the default folder for the Finder window. Select Home to show items in the user’s home folder. Select Computer to show the top-level folder, ...

Chapter 10 Managing Preferences 185 5 Select “Always show file extensions.” 6 Click Apply Now. Controlling User Access to Remote Servers Users can connect to a remote server by choosing the “Connect to Server” command in the Finder Go menu and providing the server’s name or IP address. If you don’t ...

186 Chapter 10 Managing Preferences To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. 3 Select one or more users, groups, computers, or computer groups. 4 Click Finder, click Commands, and th...

Chapter 10 Managing Preferences 187 4 Click Finder, click Commands, and then set the management setting to Always. 5 Deselect “Go to Folder.” 6 Click Apply Now. Removing Restart and Shut Down from the Apple Menu If you don’t want to allow users to restart or shut down the computer they’re using, you...

188 Chapter 10 Managing Preferences 8 Click Apply Now. Adjusting the Appearance of Finder Window Contents Items in Finder windows can be viewed in a list or as icons. You can control aspects of how these items look, as well as whether to show the toolbar in a Finder window. Default View settings con...

Chapter 10 Managing Preferences 189 Managing Login Preferences Use Login preferences to set options for user login, to provide password hints, and to control the user’s ability to restart and shut down the computer from the login window. You can also mount a group volume or set applications to open ...

190 Chapter 10 Managing Preferences The directory administrator account is considered a network account, and is therefore hidden when you don’t show network users. Another way to hide this account would be to set the directory administrator account’s user ID to below 100. For more information, see “...

Chapter 10 Managing Preferences 191 To ensure that a type of user doesn’t show up in the list, deselect the corresponding setting. To display mobile accounts on client computers with Mac OS X v10.5 or later, select “Show mobile accounts.” To display mobile accounts on client computers with Mac OS X ...

192 Chapter 10 Managing Preferences To configure miscellaneous login options: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the na...

Chapter 10 Managing Preferences 193 Note: A user with an administrator account in a client computer’s local directory domain can always log in. To choose who can log in: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and you are authenticated. To switch dire...

194 Chapter 10 Managing Preferences The following access options control workgroup settings at login. To customize the workgroups displayed at login: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the g...

Chapter 10 Managing Preferences 195 When enabling the use of login and logout scripts, you can set a trust value for the client. Trust values determine the required level of authentication before a client trusts a server enough to run its scripts. Most trust values directly correlate to LDAP securit...

196 Chapter 10 Managing Preferences 4 Click Edit. 5 If the local host name contains special nonalphabetic or non-numeric characters such as spaces, dashes, and underscores, remove the special characters and then click OK. For example, change local host names like “Anne-Johnson’s-Computer” to “AnneJo...

Chapter 10 Managing Preferences 197 You can’t run scripts that are larger than 30 KB. To choose login or logout scripts: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not aut...

198 Chapter 10 Managing Preferences The application remains open but its windows and menu bar remain hidden until the user activates the application (for example, by clicking its icon in the Dock). 8 To automatically connect the user to a server, select the server and then select “Mount share point ...

Chapter 10 Managing Preferences 199 To automatically mount the Network Home: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the nam...

200 Chapter 10 Managing Preferences If you don’t want the group share point to appear in the Dock, select the Hide checkbox. 9 Make sure “Mount share point with user’s name and password” is selected. 10 Click Apply Now. Managing Media Access Preferences Media Access preferences let you control setti...

Chapter 10 Managing Preferences 201 Controlling Access to Hard Drives, Disks, and Disk Images You can control access to internal or external disk drives such as floppy disk drives, Zip drives, and FireWire drives. You can also control access to disk images (files with the .dmg extension). If you dis...

202 Chapter 10 Managing Preferences 6 In Disc Media or Other Media, select “Eject all removable media at logout.” 7 Click Apply Now. Managing Mobility Preferences You can automatically create mobile accounts for users during their next login. If your computers have Mac OS X v10.5 or later, you can a...

Chapter 10 Managing Preferences 203 Note: When a mobile account is enabled, it appears in the login window and in the Accounts pane of System Preferences with the label Mobile . When the account is selected in the Accounts pane, some settings may appear dimmed. To create a mobile account using Workg...

204 Chapter 10 Managing Preferences After a user creates a mobile account, the local home folder for that account stays on the computer until it’s deleted. You can delete the local home folders to save disk space, or you can set an expiration period on the mobile account so the local home folders ar...

Chapter 10 Managing Preferences 205 6 Choose one of the following home folder options and then click OK. Enabling FileVault for Mobile Accounts If your users have computers with Mac OS X v10.5 or later installed, you can use FileVault to encrypt the local home folders for their mobile accounts. File...

206 Chapter 10 Managing Preferences Additionally, if you make the maximum size of the local home folder smaller than the network home disk quota, you can provide more flexibility for handling files with sync conflicts. If a mobile account is protected with FileVault, the user must be logged in to sh...

Chapter 10 Managing Preferences 207 Selecting the Location of a Mobile Account You can select the location of a mobile account’s local home folder or you can let the user select the location. If you select the location, choose from one of the following. If you choose a location at a specific path, m...

208 Chapter 10 Managing Preferences 4 Click Mobility, click Account Creation, click Creation, and then set the management setting to Always. 5 Select “Create mobile account when user logs in to network account.” This option must be selected to enable a mobile account for the selected account. 6 Clic...

Chapter 10 Managing Preferences 209 To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. 3 Select one or more users, groups, computers, or computer groups. 4 Click Mobility, click Account Creati...

210 Chapter 10 Managing Preferences To set an expiration period: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and passwo...

Chapter 10 Managing Preferences 211 Precede the folder with ~/ to denote the location of the synced folder in the user’s home folder. For example, to sync the user’s Documents folder, enter ~/Documents. 8 Alternatively, click the Browse (...) button for the “Sync at login and logout” and “Sync in th...

212 Chapter 10 Managing Preferences 9 Click Apply Now. Setting the Background Sync Frequency You can change the frequency of syncing for background folders. By default, background folders sync every 20 minutes. You can set frequencies from 5 minutes to 8 hours. If you set the frequency to a long int...

Chapter 10 Managing Preferences 213  Enabling background, login, and logout sync  Selecting what is synced  Setting the sync frequency  Enabling the mobile account status menu If you disable the mobile account status menu, the user can still configure his or her mobile account in the Accounts pa...

214 Chapter 10 Managing Preferences You must assign a single server for every type of proxy server (for example, you can’t have multiple FTP proxy servers). To configure proxy servers for a user or a group: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and ...

Chapter 10 Managing Preferences 215 Â A domain name, such as apple.com. This bypasses apple.com but not subdomains such as store.apple.com. Â An entire website including all subdomains, such as *.apple.com. Â A subnet in Classless Inter-Domain Routing (CIDR) notation. For example, to add a subnet of...

216 Chapter 10 Managing Preferences 5 Set the management setting to Always. 6 Select Disable Internet Sharing. 7 Click Apply Now. Disabling AirPort If you disable AirPort, it is disabled the next time a computer retrieves managed preferences. If the computer had active AirPort connections, they are ...

Chapter 10 Managing Preferences 217 Managing Parental Controls Preferences Parental Controls preferences allow you to hide profanity in Dictionary, limit access to websites, or set time limits or other contraints on computer usage. To manage Parental Controls preferences, computers must have Mac OS ...

218 Chapter 10 Managing Preferences To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. 3 Select one or more users, groups, computers, or computer groups. 4 Click Parental Controls and then cli...

Chapter 10 Managing Preferences 219 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. 3 Select one or more users, grou...

220 Chapter 10 Managing Preferences If you set a time limit for computer usage, users who meet their daily time limits can’t log in until the next day when their quota is reset. You can set different time limits for weekdays (Monday through Friday) and weekends (Saturday and Sunday). The time limit ...

Chapter 10 Managing Preferences 221 Making Printers Available to Users To give users access to printers, you must first set up a printer list. Then you can allow specific users or groups to use printers in that list. You can also make printers available to computers. A user’s list of printers is a c...

222 Chapter 10 Managing Preferences 6 Click Printer List. 7 Deselect “Allow user to modify the printer list.” 8 Click Apply Now. Restricting Access to Printers Connected to a Computer In some situations, you might want only certain users to print to a printer connected directly to their computer. Fo...

Chapter 10 Managing Preferences 223 4 Click Printing and then click Printers. 5 Set the management setting to Always. 6 Click Access. 7 Select a printer listed in User’s Printer List and then click Make Default. 8 Click Apply Now. Restricting Access to Printers You can require an administrator user ...

224 Chapter 10 Managing Preferences To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator. 3 Select one or more users, groups, computers, or computer groups. 4 Click Printing and then click Footer...

Chapter 10 Managing Preferences 225 If a user can see a particular preference, it does not mean the user can modify that preference. Some preferences, such as Startup Disk preferences, require an administrator name and password before a user can modify its settings. The preferences that appear in Wo...

226 Chapter 10 Managing Preferences Time Machine is most appropriate for backing up computers with primarily local accounts. It is also useful if users have administrative control over the computer and can install their own applications. You can limit the total backup storage per computer. When you ...

Chapter 10 Managing Preferences 227 Managing Universal Access Preferences Universal Access settings can help improve the user experience for some users. For example, if a user has difficulty using a computer or wants to work in a different way, you can choose settings that enable the user to work mo...

228 Chapter 10 Managing Preferences To adjust screen appearance: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and passwo...

Chapter 10 Managing Preferences 229 Sticky Keys help users who can’t press multiple keys simultaneously. It treats a sequence of modifier keys (Shift, Command, Option, and Control) like a key combination. For example, to press Command-O, users can press Command and then O. To hold down a key with mu...

230 Chapter 10 Managing Preferences To turn off the key-combination alert, deselect “Beep when a modifier key is set.” To turn off onscreen display of keystrokes, deselect “Show pressed keys on screen.” 7 To activate Slow Keys, select Slow Keys On. If you don’t want audio feedback during keystrokes,...

Chapter 10 Managing Preferences 231 To allow Universal Access Shortcuts: 1 In Workgroup Manager, click Preferences. 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name an...

232 Chapter 10 Managing Preferences For example, in Safari you can disable JavaScript by setting the JavaScript Enabled key to “false.” If you save this key in the Often group, the user can enable JavaScript during their current login session but JavaScript is disabled when the user logs out and log...

Chapter 10 Managing Preferences 233 When you use your own application preferences, you can choose the management frequency applied to those preferences: Some applications use ByHost preferences. These preferences apply to a specific user for a specific computer. For example, if a network user sets s...

234 Chapter 10 Managing Preferences 8 Click Add. 9 If you’re asked to replace the manifest, click Replace to replace the manifest. Replacing the manifest changes the underlying manifest file for the application but it doesn’t change existing managed preferences. 10 If you’re asked to replace the man...

Chapter 10 Managing Preferences 235 3 Select one or more users, groups, computers, or computer groups. 4 Select an item in the list and click the Edit (pencil) button. 5 To locate the keys you want to change, click the disclosure triangles. 6 To add a key to the application’s preferences file, click...

236 Chapter 10 Managing Preferences Using the Preference Editor to Manage Core Services You can add several important manifests by adding a single core services bundle. These manifests allow management of many features that are unavailable through the main preference editing interface. For example, ...

Chapter 10 Managing Preferences 237 To add the core services bundle to the preference editor list: 1 In Workgroup Manager, click Preferences and then click Details. 2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not au...

11 239 11 Solving Problems If you encounter problems as you work with Workgroup Manager, you may find a solution in this chapter. If the answer to your question isn’t here, try searching Workgroup Manager Help for new topics. You can also search the Apple Service & Support website for informatio...

240 Chapter 11 Solving Problems Your computers should be on the same time zone. If they are not on the same time zone, send the following UNIX command: sudo systemsetup -settimezone ‘US/Pacific’ For other time zones, see the man page for systemsetup . For instructions on sending UNIX commands throug...

Chapter 11 Solving Problems 241 The resulting log should have an answer section, which displays the IP address of your Open Directory master server. If there is no answer section, or if the IP address is incorrect, perform further analysis on your DNS service. 3 In the Lookup pane of Network Utility...

242 Chapter 11 Solving Problems 3 On a client computer, open Network Utility, click Info, and then select the network interface that connects to your network. If the displayed IP address is not in your range of supplied addresses, the computer is not receiving an IP address through your DHCP service...

Chapter 11 Solving Problems 243 An administrator account in the computer’s local directory domain can’t be used to authenticate as an administrator of a shared LDAP directory. If You Can’t Modify a User’s Open Directory Password To modify the password of a user whose password type is Open Directory,...

244 Chapter 11 Solving Problems  If the user’s account resides in a directory domain that is not available, create a user account in a directory domain that is available.  Make sure the client software encodes the password so it is recognized correctly. For example, Open Directory recognizes UTF-8...

Chapter 11 Solving Problems 245 If Users Can’t Log In with Accounts in a Shared Directory Domain Users can’t log in using accounts in a shared directory domain if the server hosting the directory isn’t accessible. A server can become inaccessible due to a problem with the network, the server softwar...

246 Chapter 11 Solving Problems If a Windows User Has No Home Folder If a user’s home folder isn’t mounted in Windows, verify the following: Â Make sure the correct home folder location is selected in the Home pane of Workgroup Manager. Â Make sure the home folder path is correct in the Windows pane...

Chapter 11 Solving Problems 247 Â If the drive letter chosen for the user might be conflicting with a drive letter in use on the Windows workstation, change the drive letter setting in the Windows pane of Workgroup Manager or change the mappings of other drive letters on the workstation. Solving Pre...

248 Chapter 11 Solving Problems For example, suppose the default application for viewing PDF files is Preview. A user logs in and double-clicks a PDF file on his or her desktop. If the management settings that apply to the user don’t provide access to Preview, the file does not open. If the user has...

Chapter 11 Solving Problems 249 Â If the user’s login list does not include any items, all managed login items will open. If you do not select “Merge with user’s items,” all login items on either list will open. If you select Once, a user can remove any items added to their login list. For details a...

250 Chapter 11 Solving Problems If Users See a Message About an Unexpected Error When you manage Classic preferences and try to use the Extensions Manager, File Sharing, or Software Update control panels, you might see a message that says “The operation could not be completed. An unexpected error oc...

251 A p pendix Importing and Exporting Account Information Use Workgroup Manager to import and export accounts, or use the dsimport command-line tool to import accounts. You can quickly import or export user, group, computer, and computer group accounts using Workgroup Manager. You can also use the ...

252 Appendix Importing and Exporting Account Information Limitations for Importing and Exporting Passwords When creating or overwriting records, you must reset passwords for user accounts with Open Directory or shadow passwords. Importing passwords generally works if the password is a plain-text str...

Appendix Importing and Exporting Account Information 253 Archiving the Open Directory Master Instead of exporting and importing records as a backup of directory data, you can archive and restore the Open Directory master’s directory and authentication data. By archiving a copy of the Open Directory ...

254 Appendix Importing and Exporting Account Information 6 To indicate what to do when the short name of an account being imported matches that of an existing account, select one of the Duplicate Handling options: Â “Overwrite existing record” overwrites any existing record in the directory domain. ...

Appendix Importing and Exporting Account Information 255 To export accounts using Workgroup Manager: 1 In Workgroup Manager, click Accounts. 2 Make sure that the directory services of the Mac OS X Server you’re using are configured to access the desired directory domain. For instructions, see Open D...

256 Appendix Importing and Exporting Account Information The following group account attributes might be present in the XML files: Â Group name (required) Â Group ID (required) Â One member’s short name (required) Â Other members’ short names Using XML Files Created with AppleShare IP 6.3 You can us...

257 Glossar y Glossary This glossary defines terms and spells out abbreviations you may encounter while working with online help or the various reference manuals for Mac OS X Server. References to terms defined elsewhere in the glossary appear in italics. access control list See ACL . ACE Access Con...

260 Glossary GUID Globally unique identifier. A hexadecimal string that uniquely identifies a user account, group account, or computer list. Also used to provide user and group identity for access control list (ACL) permissions, and to associate particular users with group and nested group membershi...

Glossary 265 TCP Transmission Control Protocol. A method used with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. IP handles the actual delivery of the data, and TCP keeps track of the units of data (called packets) into which a message is d...

267 Inde x Index A access ACLs 27, 29Apple menu 172, 187application 149, 153, 164, 165, 168, 177control process 27, 32disk 183, 185, 201file 28, 247folder 28, 38, 153, 186, 245group 28, 103, 153, 199guest 117login 192, 194, 199media 149, 186, 200, 201, 202mobile account 134, 135, 136preferences 149p...