Administrator Accounts
Users with server administration or directory domain administration privileges are known as administrators. An administrator can be a server administrator, domain administrator, or both.
Server administrator privileges determine whether a user can change the settings of a particular server.
Domain administrator privileges determine the extent to which an administrator can change account settings for users, groups, computers, and computer groups in the directory domain.
Server Administration
Server administration privileges determine the functions available to a user when logged in to a particular Mac OS X Server. For example, a server administrator can use Directory Utility to make changes to a server’s search policy.
When you assign server administration privileges to a user, the user is added to the “admin” group in the server’s local directory domain. Many Mac OS X applications— such as Server Admin, Directory Utility, and System
Local Mac OS X Computer Administration
Any user who belongs to the admin group in the local directory domain of any Mac OS X computer has administrator privileges on that computer.
Limited Administration
You can control the extent to which a limited administrator can use Workgroup Manager to change account data stored in a domain. For example, you can set up directory domain privileges so your network administrator can add and remove user accounts, but allow limited administrators to change the information for particular users. Or, you can designate multiple limited administrators to manage different groups.
For more information, see “Giving a User Limited Administrative Capabilities” on page 70.
Directory Domain Administration
When you create a directory domain in Mac OS X Server, a domain administrator account is created and added to the admin group in the domain. If you plan to connect your directory domain to other directory domains, make sure you choose a unique name and user ID for each domain.
Chapter 1 User Management Overview
23