
Working with Privileges

You can give a user account full or limited control over domain administration. When giving limited administrative control, you can choose which users and groups the user can administer, and what kind of control the user has over those users and groups.

You can change a user’s domain privileges for Open Directory domains. You can’t change privileges for a local user account or an account stored in domains that are not Open Directory.

Full and limited administrators use Workgroup Manager to administer and manage users.

In Workgroup Manager, use the user account’s Privileges pane to set privileges.

Removing Administrative Privileges from a User

Users with no administrative privileges can use Workgroup Manager to view (but not change) accounts in a directory domain.

You can change a user’s domain privileges for LDAPv3 directory domains. You can’t change privileges for a local user account or an account stored in a non-LDAPv3 directory domain.

To remove a user’s administrative privileges:

1. In Workgroup Manager, click Accounts.

2. Select the user account you want to work with.

To select an account, click the globe icon above the accounts list, choose the directory domain where the user’s account resides, and then select the user.

3. To authenticate, click the lock and enter the name and password of a directory domain administrator.

4. In Privileges, choose None from the “Administration capabilities” pop-up menu and click Save.

Giving a User Limited Administrative Capabilities

You can let users who don’t need full administrative control perform common administrative tasks by giving them limited administrative control.

For example, you might want student lab assistants to reset other students’ passwords but not to edit the groups they belong to. Similarly, you might want school staff to edit student user information but not their managed preferences.

When a user with limited administrative control authenticates in Workgroup Manager, the interface allows only the tasks assigned to that limited administrator.

Chapter 4 Setting Up User Accounts

Apple 10.5 Leopard manual: Working with Privileges, Removing Administrative Privileges from a User