Setup guide

UNCLASSIFIED
5. User and Client Management
Mac OS X Server’s Workgroup Manager program allows administrators to enforce
system settings on a user, group or computer level. Apple’s “Mac OS X Server User
Management for version 10.3.3 or later” manual provides detailed instructions on
this process, including the important planning stages. The configuration advice
below assumes familiarity with Apple’s documentation, which describes the process
of creating appropriate users, groups, and computer lists using the Workgroup
Manager. Apple’s documentation also describes how the settings created for the
user, group, and computer levels can interact.
5.1 Recommended Account Settings
Many settings relating to new user, group, and computer accounts are particular to
the needs of the site. However, the following settings are recommended when using
Workgroup Manager to create new accounts. The Presets feature as described in the
Apple documentation can also be used to ensure uniform settings and avoid
configuration errors.
5.1.1 User Account Settings
In the Basic tab:
When creating short names, make certain to avoid duplicates
anywhere in your directory system as recommended in the Apple
documentation.
The password should be at least 12 characters, not be found in a dictionary, and
contain mixed case, numbers, and special characters.
Uncheck “User can administer the server” unless required.
Uncheck “User can administer this directory domain” unless required. If this
privilege is required, click the Privileges button and restrict the user’s ability to
manage computers, groups, and users to the minimum required.
If the user should not be able to access the server remotely from a command line,
uncheck the box for “log in.”
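The Basic tab recommendations above can be applied as a pre-check in an account provisioning script. The following is an added example, not part of the original guide or of Apple's tools: the account dictionary layout, the "justified" field, the word list and the existing short names are all constructed for illustration, and stripping leading and trailing digits and symbols before the dictionary lookup is a heuristic that goes slightly beyond the literal wording of the rule.

```python
import string

# Constructed sample data: a tiny word list and existing short names.
# A real check would load a full dictionary file and query every directory domain.
WORDLIST = {"password", "welcome", "dragon", "sunshine"}
EXISTING_SHORT_NAMES = {"jsmith", "admin", "mlee"}

def password_findings(password, wordlist=WORDLIST):
    """Return the list of Basic-tab password rules the candidate fails."""
    findings = []
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        findings.append("no mixed case")
    if not any(c.isdigit() for c in password):
        findings.append("no number")
    if not any(c in string.punctuation for c in password):
        findings.append("no special character")
    # Dictionary check: fold case and strip digits and symbols from both ends, so
    # "Password2024!" is still recognised as the dictionary word "password".
    core = password.lower().strip(string.digits + string.punctuation)
    if core in wordlist or password.lower() in wordlist:
        findings.append("based on a dictionary word")
    return findings

def account_findings(account, existing=EXISTING_SHORT_NAMES):
    """Check a proposed account (hypothetical dict layout) against section 5.1.1."""
    findings = password_findings(account["password"])
    # Short names must be unique anywhere in the directory system.
    if account["short_name"].lower() in existing:
        findings.append("duplicate short name")
    # Privileges stay off unless required; each enabled one needs a recorded reason.
    for flag in ("admin_server", "admin_directory", "remote_login"):
        if account.get(flag) and flag not in account.get("justified", ()):
            findings.append(f"{flag} enabled without justification")
    return findings
```

A candidate such as "Password2024!" satisfies the length and character-class rules and is rejected only by the dictionary check, which is why that rule is listed separately from the complexity requirements.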
In the Advanced tab:
Uncheck the box for “Allow simultaneous login.” (This cannot be disabled for users
with NFS home directories.)
The User Password Type should be set to Open Directory. Using the Crypt Password
type is not recommended.
Click the Options… button.
Under Disable login, check the box for “on date” and enter a date when the user will
no longer need the account. For military personnel, a logical choice might be a
transfer date. In a school environment, a logical choice may be a graduation date for
a student. Check the box for “if account is inactive for _ days” and enter a number of