Information Access Control | Apple 10.5 Leapard specification

The following illustration shows a user logging in to an account in a directory domain in the computer’s search policy.

Log in to

Mac OS X

Directory domains

in search policy

After login, the user can connect to a remote server to access its services (if the user’s account is located in the server’s search policy).

Connect to

Mac OS X Server

Directory domains

in search policy

If Mac OS X finds a user account containing the name entered by the user, it attempts to validate the password associated with the account. If the password is validated, the user is authenticated and the login or connection process is completed.

Mac OS X Server validates passwords using Kerberos, Open Directory Password Server, shadow passwords, and crypt passwords.

For more information about types of directory domains and instructions for configuring search policies, see Open Directory Administration. This guide also discusses authentication methods and provides instructions for setting up user authentication options.

Information Access Control

To control access to information, a universal ID called a globally unique identifier (GUID) provides user and group identity for access control list (ACL) permissions.

An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user, and how these permissions are propagated throughout a folder hierarchy. The GUID also associates a user with group and hierarchical group memberships.

Chapter 1 User Management Overview

27

Image 27

Apple 10.5 Leapard manual Information Access Control

Contents

Mac OS X Server 019-0938/2007-09-01 Contents Using Workgroup Manager Configuring the Administrator’s Computer and AccountSetting Up an Administrator Computer Creating a Domain Administrator Account Contents Creating a Preset for Group Accounts Setting Up Group AccountsWhere Group Accounts Are Stored Administering Group Accounts 118 Chapter Contents Contents If You Can‘t Change a User’s Password Type to Open Directory 267 257 What’s New in Workgroup Manager About This Guide What’s in This Guide Using Onscreen Help To get help for an advanced configuration of Leopard ServerTo see the most recent server help topics This guide Tells you how to Mac OS X Server Administration Guides User Management Getting Additional Information Getting Documentation Updates Workgroup Manager Tools for User Management See this document Server Admin NetBoot NetInstallServer Preferences Accounts Command-Line Tools Server Administration Administrator Accounts Guest Account User Accounts Computer Accounts Group Accounts Authentication and Identity Validation User ExperienceComputer Groups Information Access Control Folder and File Owner Access ACLs and Posix Permissions User Management Overview Getting Started with User Management Setup Overview Set up an administrator computer Create user accounts and home folders Analyzing Your Environment Planning Strategies for User Management Determining Server and Storage Requirements Identifying Directory Services Requirements Users with local accounts typically have local home folders Choosing a Home Folder Structure Devising a Home Folder Distribution Strategy Identifying Groups Determining Administrator Requirements Getting Started with User Management Getting Started with User Management Configuring the Administrator’s Computer and Account Setting Up an Administrator ComputerTo set up an administrator computer Using Workgroup Manager Creating a Domain Administrator AccountTo create a domain administrator account To connect and authenticate to directory domains Major Workgroup Manager Tasks Modifying Workgroup Manager Preferences To set Workgroup Manager preferencesPreference Description Finding and Listing Accounts Working with Account Lists in Workgroup ManagerListing Accounts in the Local Directory Domain To list accounts in a server’s local directory domain Listing Accounts in Search Policy Directory Domains Listing Accounts in Available Directory Domains Refreshing Account ListsFinding Specific Accounts in a List Using Advanced Search To filter items in the list of accountsTo do this Do this Using Presets Shortcuts for Working with AccountsSorting Users and Groups Interface element Mixed-state appearance Editing Multiple Accounts Simultaneously To batch-edit accounts that match specific criteria Importing and Exporting Account Information Getting Started with Workgroup Manager About User Accounts Where User Accounts Are Stored User ID Predefined User Accounts Administering User Accounts Creating User AccountsTo create a user account To make changes to a user account Editing User Account Information Working with Read-Only User Accounts Working with Guest UsersTo work with a read-only user account Disabling a User Account To delete a user account using Workgroup ManagerWorking with Windows User Accounts Deleting a User Account Working with Presets Creating a Preset for User AccountsTo create a preset for user accounts To create an account using a preset Using Presets to Create AccountsRenaming Presets Editing Presets To delete a preset Working with Basic SettingsDeleting a Preset To edit a preset Modifying Short Names To work with the user name using Workgroup Manager Choosing Stable Short Names To work with a user short name using Workgroup Manager Avoiding Duplicate Names To change a user ID in Workgroup Manager Modifying User IDs To set server administrator privileges in Workgroup Manager Assigning a Password to a UserAssigning Administrator Privileges for a Server To assign a password To change a user’s login picture Choosing a User’s Login Picture Working with Privileges Removing Administrative Privileges from a UserGiving a User Limited Administrative Capabilities To remove a user’s administrative privileges Task Description To add limited administrative capabilities To enable a user’s calendar Working with Advanced SettingsGiving a User Full Administrative Capabilities To change a user’s administrative privileges To choose a default shell Choosing a Default Shell To choose a user password type and set password options Choosing a Password Type and Setting Password Options Creating a Master List of Keywords Applying Keywords to User AccountsTo edit the master keyword list To work with a comment using Workgroup Manager Editing CommentsTo work with keywords for a user account Working with Group Settings To set a primary group ID using Workgroup ManagerChoosing a User’s Primary Group To review group memberships using Workgroup Manager Reviewing a User’s Group MembershipsAdding a User to a Group Removing a User from a Group Working with Home SettingsTo add a user to a group using Workgroup Manager To remove a user from a group using Workgroup Manager Enabling Mail Service Account Options Working with Mail Settings To forward a user’s mail using Workgroup Manager Working with Print Quota SettingsDisabling a User’s Mail Service To disable a user’s mail service using Workgroup Manager Enabling a User’s Access to Specific Print Queues Enabling a User’s Access to All Available Print Queues Removing a Print Quota For a Queue Resetting a User’s Print QuotaTo delete a user’s print quota using Workgroup Manager To restart a user’s print quota using Workgroup Manager To disable a user’s access to print queues enforcing quotas Working with Info Settings Working with Windows Settings Changing a Windows User’s Profile LocationTo change a user’s info Changing a Windows User’s Login Script Location Viewing GUIDs Working with GUIDsChanging a Windows User’s Home Folder Drive Letter Changing a Windows User’s Home Folder Location To view a user or group Guid How Group Accounts Track Membership About Group Accounts Where Group Accounts Are Stored Predefined Group AccountsPredefined Group name Group ID Use Administering Group Accounts Creating Group AccountsTo create a group account To make changes to a group account Creating a Preset for Group AccountsTo create a preset for group accounts Editing Group Account Information To create a hierarchical group Creating Hierarchical Groups To convert a legacy group to an upgraded group account Upgrading Legacy GroupsWorking with Read-Only Groups Naming a Group Working with Basic Settings for GroupsTo delete a group using Workgroup Manager Deleting a Group Defining a Group ID To work with group names using Workgroup Manager Choosing a Group’s Login Picture To work with a group ID using Workgroup ManagerTo choose a group’s login picture To enable a group’s web services Enabling a Group’s Web Services Adding Users or Groups to a Group Working with Member Settings for Groups Working with Group Folder Settings Removing Group MembersTo remove group members Specifying No Group Folder Creating a Group FolderTo specify no group folder 102 Designating a Group Folder for Use by Multiple Groups 104 About Computer Accounts Setting Up Computers Computer Groups To create a computer account Creating Computer Accounts To set up the guest computer account Working with Guest ComputersWorking with Windows Computers Creating a Computer Group Administering Computer GroupsAbout Computer Groups Differences Between Computer Groups and Computer Lists To set up a computer group Creating a Preset for Computer Groups Using a Computer Group Preset To set up a preset for computer groupsTo use a preset for computer groups To add computers or computer groups to a computer group Adding Computers or Computer Groups to a Computer Group To delete a computer group To upgrade computer lists to computer groupsDeleting a Computer Group Upgrading Computer Lists to Computer Groups About Home Folders Setting Up Home Folders Hosting Home Folders for Other Clients Hosting Home Folders for Mac OS X Clients Distributing Home Folders Across Multiple Servers Unix Class Name Permission Administering Share PointsSetting Up a Share Point To set up a share point To set up an automountable AFP share point for home folders Setting Up an Automountable AFP Share Point for Home Folders To set up an automountable NFS share point for home folders Setting Up an Automountable NFS Share Point for Home Folders Setting Up an SMB Share Point To create an SMB share point and set permissions Administering Home Folders Specifying No Home FolderTo define no home folder To create a home folder for a local user Creating a Home Folder for a Local User To create a network home folder for AFP or NFS share points Creating a Network Home Folder Creating a Custom Location for Home Folders To create a custom home folder using Workgroup Manager Element Do this To set up a home folder in an existing share point Setting Up a Home Folder for a Windows User \\servername\usershortname Setting Disk Quotas Deleting Home Folders Setting Disk Quotas for Windows Users to Avoid Data LossUsing Presets to Choose Default Home Folders Moving Home Folders About Mobile Accounts Managing Portable Computers About Portable Home Directories Logging In to Mobile Accounts Resolving Sync Conflicts About External Accounts Logging In to External Accounts Advantages of Using Mobile Accounts Considerations and Strategies for Deploying Mobile AccountsApplications locally cache temporary files You can manage individual mobile accounts Considerations for Using Mobile Accounts 138 Mobile accounts can’t restore deleted files through syncing Strategies for Syncing Content Setting Up Mobile Accounts for Use on Portable Computers Configuring Portable ComputersTo set up portable computers for use on your network Unknown Mac OS X Portable Computers Managing Mobile Clients Without Using Mobile Accounts Using Mac OS X Portable Computers with Multiple Users 143 Optimizing the File Server for Mobile Accounts Securing Mobile Clients To optimize the file server for mobile accounts 146 Client Management Overview There are several key network-visible resources Using Network-Visible Resources Environment Control By letting you manage Power of PreferencesLimits access Customizing the User Experience Designing the Login Experience Key login settingsEnvironment Desired effect Choosing a Workgroup Improving Workflow Working with Synced Homes 153 154 Preference pane What you can manage Using Workgroup Manager to Manage Preferences Understanding Managed Preference Interactions 157 158 Understanding Hierarchical Preference Management Setting the Permanence of Management Caching Preferences Preference Management Basics To manage user preferences Managing User Preferences To manage computer preferences Managing Group PreferencesManaging Computer Preferences To manage group preferences Managing Computer Group Preferences Disabling Management for Specific PreferencesTo manage computer group preferences To selectively disable preference management Managing Access to Applications Icon Indicates the application has this type of signature What you can control To allow users to open specific applications and folders To allow specific Dashboard widgets Allowing Specific Dashboard Widgets Disabling Front Row To disable Front Row Managing Classic Preferences To set up a list of accessible applications Selecting Classic Startup Options To work with various startup options for ClassicClassic preference pane What you can control Choosing a Classic System Folder Allowing Special Actions During RestartTo choose a specific Classic System Folder Controlling Access to Classic Apple Menu Items To allow special actions during restartTo hide or show items in the Apple menu To adjust Classic sleep settings Adjusting Classic Sleep Settings Controlling the User’s Dock To choose where Classic user preferences are storedManaging Dock Preferences Maintaining Consistent User Preferences for Classic To add a Dock item for a group folder Providing Easy Access to Group Folders To add items to a user’s Dock Adding Items to a User’s Dock Managing Energy Saver Preferences Preventing Users from Adding or Deleting Dock ItemsTo prevent users from adding items to their Docks To set sleep and wake settings Using Sleep and Wake Settings for Desktop Computers To manage portable computer settings Setting Energy Saver Settings for Portable Computers Displaying Battery Status to Users To show battery status in the menu bar Scheduling Automatic Startup, Shutdown, or SleepTo schedule automatic actions Setting Up Simple Finder Managing Finder PreferencesFinder preference pane What you can control To set Finder window preferences Controlling the Behavior of Finder WindowsTo turn on Simple Finder To hide disk and server icons on the desktop To make filename extensions visible Hiding the Alert Message When a User Empties the TrashMaking Filename Extensions Visible To hide the Trash warning message Controlling User Access to Remote Servers Controlling User Access to an iDiskPreventing Users from Ejecting Discs To hide the Go to Folder command Hiding the Burn Disc Command in the FinderControlling User Access to Folders To hide the Burn Disc command To set preferences for the desktop view Adjusting the Appearance and Arrangement of Desktop ItemsTo hide the Restart and Shut Down commands Removing Restart and Shut Down from the Apple Menu Adjusting the Appearance of Finder Window Contents List setting Mac OS X version Effect Managing Login PreferencesChanging the Appearance of the Login Window Login preference pane What you can control To change the appearance of the Login Window Option What this does when enabled Configuring Miscellaneous Login Options Choosing Who Can Log To configure miscellaneous login options To choose who can log Customizing the Workgroups Displayed at Login To customize the workgroups displayed at login Enabling the Use of Login and Logout Scripts Trust value name Requirements To enable the use of login or logout scripts Click Edit Choosing a Login or Logout Script To choose login or logout scripts Automatically Opening Items After a User LogsTo set an item to open automatically Providing Access to a User’s Network Home Folder Providing Easy Access to the Group Share Point To add a login item for the group share pointTo automatically mount the Network Home Managing Media Access Preferences Controlling Access to CDs, DVDs, and Recordable DiscsTo control access to disc media To automatically eject removable media Controlling Access to Hard Drives, Disks, and Disk ImagesEjecting Removable Media Automatically When a User Logs Out To restrict access to internal and external disks Managing Mobility Preferences Creating a Mobile AccountMobility preference pane What you can control Preventing the Creation of a Mobile Account To create a mobile account using Workgroup Manager Manually Removing Mobile Accounts from Computers To prevent the creation of mobile accountsTo remove a mobile account OptionEffect Enabling FileVault for Mobile Accounts To enable FileVault for mobile accounts Type Name Privilege Selecting the Location of a Mobile AccountTo select the location of a mobile account Home folder location Description To create an external account Creating External Accounts Setting Expiration Periods for Mobile Accounts To set an expiration period To stop files from syncing Stopping Files from Syncing for a Mobile Account Setting the Background Sync Frequency Showing Mobile Account Status in the User’s Menu BarTo set the frequency for syncing background folders Network preference pane What you can control Configuring Proxy Servers by PortManaging Network Preferences To show mobile account status in the user’s menu bar To configure proxy servers for a user or a group To choose the domains that users can access directlyAllowing Users to Bypass Proxy Servers for Specific Domains Disabling Internet Sharing Enabling Passive FTP ModeTo enable passive FTP mode To disable Internet Sharing Disabling AirPort Disabling BluetoothTo disable AirPort To disable Bluetooth Hiding Profanity in Dictionary Preventing Access to Adult WebsitesTo prevent access to specific websites Managing Parental Controls Preferences To allow access only to specific websites Allowing Access Only to Specific Websites Setting Time Limits and Curfews on Computer Usage Managing Printing Preferences To set time limits and curfewsPrinting preference pane What you can control To create a printer list for users To restrict access to the printer listMaking Printers Available to Users Preventing Users from Modifying the Printer List Restricting Access to Printers Connected to a Computer Setting a Default PrinterTo set the default printer To add a footer to all printouts Restricting Access to PrintersTo restrict access to a specific printer Adding a Page Footer to All Printouts Managing Software Update Preferences Managing Access to System PreferencesTo manage access to Software Update servers Managing Time Machine Preferences To manage access to System Preferences To manage Time Machine preferences Managing Universal Access Preferences Adjusting the User’s Display SettingsUniversal Access Preference pane What you can control To set a flashing alert Setting a Visual AlertAdjusting Keyboard Accessibility Options To adjust screen appearance Option Effect To set the way the keyboard responds to keystrokes Adjusting Mouse and Pointer Responsiveness Enabling Universal Access ShortcutsTo control mouse and pointer settings To allow assistive devices Using the Preference Editor with Preference ManifestsTo allow Universal Access Shortcuts Allowing Devices for Users with Special Needs Adding to the Preference Editor’s List Frequency Description To add to the preference editor’s list To edit application preferences Editing Application Preferences with the Preference Editor To disable management of an application’s preferences Manifest Examples of things you can change Using the Preference Editor to Manage Core Services To add Safari to the preference editor list Using the Preference Editor to Manage Safari 238 Testing Your Network’s Time and Time Zones Diagnosing Common Network Issues To test your network’s DNS service on a single computer Testing Your DNS Service To test your network’s Dhcp service on a single computer Testing Your Dhcp Service If You Want to Use Earlier Versions of Workgroup Manager Solving Account ProblemsIf You Can’t Edit an Account Using Workgroup Manager If Users Can’t See Their Names in the Login Window If You Can’t Modify a User’s Open Directory Password If You Can’t Assign Server Administrator PrivilegesIf Users Can’t Log In or Authenticate If Users Relying on a Password Server Can’t Log If a Windows User Can’t Log in to the Windows Domain Problems with a Primary or Backup Domain ControllerIf Users Can’t Access Their Home Folders If Users Can’t Change Their Passwords If a Windows User Has No Home Folder If a Windows User’s Profile Settings Revert to Defaults To view managed client settings in System Profiler Solving Preference Management ProblemsTesting Your Managed Client Settings If Users Don’t See a List of Workgroups at Login If Users Can’t Add Printers to a Printer List If Login Items Added by a User Don’t Open If Items Placed in the Dock by a User Are Missing If a User’s Dock Has Duplicate ItemsIf Users See a Question Mark in the Dock If You Can’t Manage Network Views If Users See a Message About an Unexpected Error Understanding What You Can Import and Export Importing and Exporting Account Information Limitations for Importing and Exporting Passwords Using Workgroup Manager to Import Accounts To import accounts using Workgroup ManagerArchiving the Open Directory Master Using Workgroup Manager to Export Accounts To export accounts using Workgroup Manager Using XML Files Created with AppleShare IP Apple Filing Protocol See AFP Access control list See ACL Directory node See directory domain See also computer list Full name See long name Globally unique identifier See Guid Home directory See home folder Local home directory See local home folder 262 Primary domain controller See PDC Security identifier See SID Search path See search policy Weblog See blog 266 Index 268 269 270 271 272 273 274 275