Where Group Accounts Are Stored | Apple 10.5 Leapard manual

90

Where Group Accounts Are Stored

Group accounts can be stored in any Open Directory domain. A directory domain can reside on a Mac OS X computer (for example, an Open Directory domain) or it can reside on a non-Apple server (for example, an LDAP or Active Directory server). Workgroup Manager can work with accounts stored in any of these directory domains.

Group accounts must be stored in a directory domain accessible from the server that needs them:

ÂFor services provided by a Mac OS X Server PDC or Windows domain member server, group accounts can be stored in the PDC LDAP directory.

ÂFor services provided by an Active Directory domain member, group accounts can be stored in the Active Directory domain.

ÂFor services provided by a Windows standalone server, group accounts can be stored in the server’s local directory domain.

ÂIf a server is configured to access multiple directory domains, group accounts can be stored in any of them.

For more information about the different kinds of Open Directory domains, see Open Directory Administration.

Predefined Group Accounts

The following table describes most group accounts that are created when you install Mac OS X Server. For a complete list, open Workgroup Manager and choose View > Show System Users and Groups.

Predefined
group name	Group ID	Use
admin	80	A group that users with administrator privileges belong to.

bin	7	A group that owns all binary files.

daemon	1	A group used by system services.

dialer	68	A group for controlling access to modems on a server.

kmem	2	A legacy group used to control access to reading kernel memory.

mail	6	A group historically used for access to local UNIX mail.

_mysql	74	A group that the MySQL database server uses for its processes that
		handle requests.

network	69	A group that has no specific meaning.

nobody	-2	A group used by system services.

nogroup	-1	A group used by system services.

operator	5	A group that has no specific meaning.

smmsp	25	A group used by sendmail.

sshd	75	A group used for the sshd child processes that process network
		data.

Chapter 5 Setting Up Group Accounts

Image 90

Apple 10.5 Leapard manual Where Group Accounts Are Stored, Predefined Group Accounts, Predefined Group name Group ID Use

Contents

Mac OS X Server 019-0938/2007-09-01 Contents Creating a Domain Administrator Account Configuring the Administrator’s Computer and AccountSetting Up an Administrator Computer Using Workgroup Manager Contents Administering Group Accounts Setting Up Group AccountsWhere Group Accounts Are Stored Creating a Preset for Group Accounts 118 Chapter Contents Contents If You Can‘t Change a User’s Password Type to Open Directory 257 267 About This Guide What’s New in Workgroup Manager What’s in This Guide Using Onscreen Help To get help for an advanced configuration of Leopard ServerTo see the most recent server help topics Mac OS X Server Administration Guides This guide Tells you how to User Management Getting Documentation Updates Getting Additional Information Tools for User Management Workgroup Manager Server Admin See this document NetBoot NetInstallServer Preferences Command-Line Tools Accounts Administrator Accounts Server Administration User Accounts Guest Account Group Accounts Computer Accounts Authentication and Identity Validation User ExperienceComputer Groups Information Access Control Folder and File Owner Access ACLs and Posix Permissions User Management Overview Setup Overview Getting Started with User Management Set up an administrator computer Create user accounts and home folders Planning Strategies for User Management Analyzing Your Environment Identifying Directory Services Requirements Determining Server and Storage Requirements Choosing a Home Folder Structure Users with local accounts typically have local home folders Devising a Home Folder Distribution Strategy Determining Administrator Requirements Identifying Groups Getting Started with User Management Getting Started with User Management Configuring the Administrator’s Computer and Account Setting Up an Administrator ComputerTo set up an administrator computer Using Workgroup Manager Creating a Domain Administrator AccountTo create a domain administrator account To connect and authenticate to directory domains Major Workgroup Manager Tasks Modifying Workgroup Manager Preferences To set Workgroup Manager preferencesPreference Description Finding and Listing Accounts Working with Account Lists in Workgroup ManagerListing Accounts in the Local Directory Domain Listing Accounts in Search Policy Directory Domains To list accounts in a server’s local directory domain Listing Accounts in Available Directory Domains Refreshing Account ListsFinding Specific Accounts in a List Using Advanced Search To filter items in the list of accountsTo do this Do this Using Presets Shortcuts for Working with AccountsSorting Users and Groups Editing Multiple Accounts Simultaneously Interface element Mixed-state appearance To batch-edit accounts that match specific criteria Importing and Exporting Account Information Getting Started with Workgroup Manager Where User Accounts Are Stored About User Accounts Predefined User Accounts User ID Administering User Accounts Creating User AccountsTo create a user account Editing User Account Information To make changes to a user account Working with Read-Only User Accounts Working with Guest UsersTo work with a read-only user account Deleting a User Account To delete a user account using Workgroup ManagerWorking with Windows User Accounts Disabling a User Account Working with Presets Creating a Preset for User AccountsTo create a preset for user accounts Editing Presets Using Presets to Create AccountsRenaming Presets To create an account using a preset To edit a preset Working with Basic SettingsDeleting a Preset To delete a preset To work with the user name using Workgroup Manager Modifying Short Names To work with a user short name using Workgroup Manager Choosing Stable Short Names Avoiding Duplicate Names Modifying User IDs To change a user ID in Workgroup Manager To assign a password Assigning a Password to a UserAssigning Administrator Privileges for a Server To set server administrator privileges in Workgroup Manager Choosing a User’s Login Picture To change a user’s login picture To remove a user’s administrative privileges Removing Administrative Privileges from a UserGiving a User Limited Administrative Capabilities Working with Privileges To add limited administrative capabilities Task Description To change a user’s administrative privileges Working with Advanced SettingsGiving a User Full Administrative Capabilities To enable a user’s calendar Choosing a Default Shell To choose a default shell Choosing a Password Type and Setting Password Options To choose a user password type and set password options Creating a Master List of Keywords Applying Keywords to User AccountsTo edit the master keyword list To work with a comment using Workgroup Manager Editing CommentsTo work with keywords for a user account Working with Group Settings To set a primary group ID using Workgroup ManagerChoosing a User’s Primary Group To review group memberships using Workgroup Manager Reviewing a User’s Group MembershipsAdding a User to a Group To remove a user from a group using Workgroup Manager Working with Home SettingsTo add a user to a group using Workgroup Manager Removing a User from a Group Working with Mail Settings Enabling Mail Service Account Options To disable a user’s mail service using Workgroup Manager Working with Print Quota SettingsDisabling a User’s Mail Service To forward a user’s mail using Workgroup Manager Enabling a User’s Access to All Available Print Queues Enabling a User’s Access to Specific Print Queues To restart a user’s print quota using Workgroup Manager Resetting a User’s Print QuotaTo delete a user’s print quota using Workgroup Manager Removing a Print Quota For a Queue Working with Info Settings To disable a user’s access to print queues enforcing quotas Working with Windows Settings Changing a Windows User’s Profile LocationTo change a user’s info Changing a Windows User’s Login Script Location Changing a Windows User’s Home Folder Location Working with GUIDsChanging a Windows User’s Home Folder Drive Letter Viewing GUIDs To view a user or group Guid About Group Accounts How Group Accounts Track Membership Where Group Accounts Are Stored Predefined Group AccountsPredefined Group name Group ID Use Administering Group Accounts Creating Group AccountsTo create a group account Editing Group Account Information Creating a Preset for Group AccountsTo create a preset for group accounts To make changes to a group account Creating Hierarchical Groups To create a hierarchical group To convert a legacy group to an upgraded group account Upgrading Legacy GroupsWorking with Read-Only Groups Deleting a Group Working with Basic Settings for GroupsTo delete a group using Workgroup Manager Naming a Group To work with group names using Workgroup Manager Defining a Group ID Choosing a Group’s Login Picture To work with a group ID using Workgroup ManagerTo choose a group’s login picture Enabling a Group’s Web Services To enable a group’s web services Working with Member Settings for Groups Adding Users or Groups to a Group Working with Group Folder Settings Removing Group MembersTo remove group members Specifying No Group Folder Creating a Group FolderTo specify no group folder 102 Designating a Group Folder for Use by Multiple Groups 104 Setting Up Computers Computer Groups About Computer Accounts Creating Computer Accounts To create a computer account To set up the guest computer account Working with Guest ComputersWorking with Windows Computers Differences Between Computer Groups and Computer Lists Administering Computer GroupsAbout Computer Groups Creating a Computer Group Creating a Preset for Computer Groups To set up a computer group Using a Computer Group Preset To set up a preset for computer groupsTo use a preset for computer groups Adding Computers or Computer Groups to a Computer Group To add computers or computer groups to a computer group Upgrading Computer Lists to Computer Groups To upgrade computer lists to computer groupsDeleting a Computer Group To delete a computer group Setting Up Home Folders About Home Folders Hosting Home Folders for Mac OS X Clients Hosting Home Folders for Other Clients Distributing Home Folders Across Multiple Servers To set up a share point Administering Share PointsSetting Up a Share Point Unix Class Name Permission Setting Up an Automountable AFP Share Point for Home Folders To set up an automountable AFP share point for home folders Setting Up an Automountable NFS Share Point for Home Folders To set up an automountable NFS share point for home folders Setting Up an SMB Share Point To create an SMB share point and set permissions Administering Home Folders Specifying No Home FolderTo define no home folder Creating a Home Folder for a Local User To create a home folder for a local user Creating a Network Home Folder To create a network home folder for AFP or NFS share points Creating a Custom Location for Home Folders To create a custom home folder using Workgroup Manager Element Do this Setting Up a Home Folder for a Windows User To set up a home folder in an existing share point \\servername\usershortname Setting Disk Quotas Moving Home Folders Setting Disk Quotas for Windows Users to Avoid Data LossUsing Presets to Choose Default Home Folders Deleting Home Folders Managing Portable Computers About Mobile Accounts About Portable Home Directories Logging In to Mobile Accounts About External Accounts Resolving Sync Conflicts Logging In to External Accounts Advantages of Using Mobile Accounts Considerations and Strategies for Deploying Mobile AccountsApplications locally cache temporary files Considerations for Using Mobile Accounts You can manage individual mobile accounts 138 Strategies for Syncing Content Mobile accounts can’t restore deleted files through syncing Setting Up Mobile Accounts for Use on Portable Computers Configuring Portable ComputersTo set up portable computers for use on your network Managing Mobile Clients Without Using Mobile Accounts Unknown Mac OS X Portable Computers Using Mac OS X Portable Computers with Multiple Users 143 Securing Mobile Clients Optimizing the File Server for Mobile Accounts To optimize the file server for mobile accounts 146 Client Management Overview Using Network-Visible Resources There are several key network-visible resources Customizing the User Experience Power of PreferencesLimits access Environment Control By letting you manage Designing the Login Experience Key login settingsEnvironment Desired effect Choosing a Workgroup Working with Synced Homes Improving Workflow 153 154 Using Workgroup Manager to Manage Preferences Preference pane What you can manage Understanding Managed Preference Interactions 157 158 Setting the Permanence of Management Understanding Hierarchical Preference Management Preference Management Basics Caching Preferences Managing User Preferences To manage user preferences To manage group preferences Managing Group PreferencesManaging Computer Preferences To manage computer preferences Managing Computer Group Preferences Disabling Management for Specific PreferencesTo manage computer group preferences Managing Access to Applications To selectively disable preference management What you can control Icon Indicates the application has this type of signature To allow users to open specific applications and folders Allowing Specific Dashboard Widgets To allow specific Dashboard widgets To disable Front Row Disabling Front Row To set up a list of accessible applications Managing Classic Preferences Selecting Classic Startup Options To work with various startup options for ClassicClassic preference pane What you can control Choosing a Classic System Folder Allowing Special Actions During RestartTo choose a specific Classic System Folder Controlling Access to Classic Apple Menu Items To allow special actions during restartTo hide or show items in the Apple menu Adjusting Classic Sleep Settings To adjust Classic sleep settings Maintaining Consistent User Preferences for Classic To choose where Classic user preferences are storedManaging Dock Preferences Controlling the User’s Dock Providing Easy Access to Group Folders To add a Dock item for a group folder Adding Items to a User’s Dock To add items to a user’s Dock Managing Energy Saver Preferences Preventing Users from Adding or Deleting Dock ItemsTo prevent users from adding items to their Docks Using Sleep and Wake Settings for Desktop Computers To set sleep and wake settings Setting Energy Saver Settings for Portable Computers To manage portable computer settings Displaying Battery Status to Users To show battery status in the menu bar Scheduling Automatic Startup, Shutdown, or SleepTo schedule automatic actions Setting Up Simple Finder Managing Finder PreferencesFinder preference pane What you can control To hide disk and server icons on the desktop Controlling the Behavior of Finder WindowsTo turn on Simple Finder To set Finder window preferences To hide the Trash warning message Hiding the Alert Message When a User Empties the TrashMaking Filename Extensions Visible To make filename extensions visible Controlling User Access to Remote Servers Controlling User Access to an iDiskPreventing Users from Ejecting Discs To hide the Burn Disc command Hiding the Burn Disc Command in the FinderControlling User Access to Folders To hide the Go to Folder command Removing Restart and Shut Down from the Apple Menu Adjusting the Appearance and Arrangement of Desktop ItemsTo hide the Restart and Shut Down commands To set preferences for the desktop view Adjusting the Appearance of Finder Window Contents Login preference pane What you can control Managing Login PreferencesChanging the Appearance of the Login Window List setting Mac OS X version Effect To change the appearance of the Login Window Configuring Miscellaneous Login Options Option What this does when enabled To configure miscellaneous login options Choosing Who Can Log Customizing the Workgroups Displayed at Login To choose who can log Enabling the Use of Login and Logout Scripts To customize the workgroups displayed at login To enable the use of login or logout scripts Trust value name Requirements Choosing a Login or Logout Script Click Edit To choose login or logout scripts Automatically Opening Items After a User LogsTo set an item to open automatically Providing Access to a User’s Network Home Folder Providing Easy Access to the Group Share Point To add a login item for the group share pointTo automatically mount the Network Home Managing Media Access Preferences Controlling Access to CDs, DVDs, and Recordable DiscsTo control access to disc media To restrict access to internal and external disks Controlling Access to Hard Drives, Disks, and Disk ImagesEjecting Removable Media Automatically When a User Logs Out To automatically eject removable media Managing Mobility Preferences Creating a Mobile AccountMobility preference pane What you can control To create a mobile account using Workgroup Manager Preventing the Creation of a Mobile Account Manually Removing Mobile Accounts from Computers To prevent the creation of mobile accountsTo remove a mobile account Enabling FileVault for Mobile Accounts OptionEffect To enable FileVault for mobile accounts Home folder location Description Selecting the Location of a Mobile AccountTo select the location of a mobile account Type Name Privilege Creating External Accounts To create an external account Setting Expiration Periods for Mobile Accounts To set an expiration period Stopping Files from Syncing for a Mobile Account To stop files from syncing Setting the Background Sync Frequency Showing Mobile Account Status in the User’s Menu BarTo set the frequency for syncing background folders To show mobile account status in the user’s menu bar Configuring Proxy Servers by PortManaging Network Preferences Network preference pane What you can control To configure proxy servers for a user or a group To choose the domains that users can access directlyAllowing Users to Bypass Proxy Servers for Specific Domains To disable Internet Sharing Enabling Passive FTP ModeTo enable passive FTP mode Disabling Internet Sharing To disable Bluetooth Disabling BluetoothTo disable AirPort Disabling AirPort Managing Parental Controls Preferences Preventing Access to Adult WebsitesTo prevent access to specific websites Hiding Profanity in Dictionary Allowing Access Only to Specific Websites To allow access only to specific websites Setting Time Limits and Curfews on Computer Usage Managing Printing Preferences To set time limits and curfewsPrinting preference pane What you can control Preventing Users from Modifying the Printer List To restrict access to the printer listMaking Printers Available to Users To create a printer list for users Restricting Access to Printers Connected to a Computer Setting a Default PrinterTo set the default printer Adding a Page Footer to All Printouts Restricting Access to PrintersTo restrict access to a specific printer To add a footer to all printouts Managing Software Update Preferences Managing Access to System PreferencesTo manage access to Software Update servers To manage access to System Preferences Managing Time Machine Preferences To manage Time Machine preferences Managing Universal Access Preferences Adjusting the User’s Display SettingsUniversal Access Preference pane What you can control To adjust screen appearance Setting a Visual AlertAdjusting Keyboard Accessibility Options To set a flashing alert To set the way the keyboard responds to keystrokes Option Effect Adjusting Mouse and Pointer Responsiveness Enabling Universal Access ShortcutsTo control mouse and pointer settings Allowing Devices for Users with Special Needs Using the Preference Editor with Preference ManifestsTo allow Universal Access Shortcuts To allow assistive devices Adding to the Preference Editor’s List To add to the preference editor’s list Frequency Description Editing Application Preferences with the Preference Editor To edit application preferences To disable management of an application’s preferences Using the Preference Editor to Manage Core Services Manifest Examples of things you can change Using the Preference Editor to Manage Safari To add Safari to the preference editor list 238 Diagnosing Common Network Issues Testing Your Network’s Time and Time Zones Testing Your DNS Service To test your network’s DNS service on a single computer Testing Your Dhcp Service To test your network’s Dhcp service on a single computer If Users Can’t See Their Names in the Login Window Solving Account ProblemsIf You Can’t Edit an Account Using Workgroup Manager If You Want to Use Earlier Versions of Workgroup Manager If You Can’t Modify a User’s Open Directory Password If You Can’t Assign Server Administrator PrivilegesIf Users Can’t Log In or Authenticate If Users Relying on a Password Server Can’t Log If Users Can’t Change Their Passwords Problems with a Primary or Backup Domain ControllerIf Users Can’t Access Their Home Folders If a Windows User Can’t Log in to the Windows Domain If a Windows User’s Profile Settings Revert to Defaults If a Windows User Has No Home Folder If Users Don’t See a List of Workgroups at Login Solving Preference Management ProblemsTesting Your Managed Client Settings To view managed client settings in System Profiler If Login Items Added by a User Don’t Open If Users Can’t Add Printers to a Printer List If Items Placed in the Dock by a User Are Missing If a User’s Dock Has Duplicate ItemsIf Users See a Question Mark in the Dock If Users See a Message About an Unexpected Error If You Can’t Manage Network Views Importing and Exporting Account Information Understanding What You Can Import and Export Limitations for Importing and Exporting Passwords Using Workgroup Manager to Import Accounts To import accounts using Workgroup ManagerArchiving the Open Directory Master Using Workgroup Manager to Export Accounts To export accounts using Workgroup Manager Using XML Files Created with AppleShare IP Access control list See ACL Apple Filing Protocol See AFP See also computer list Directory node See directory domain Full name See long name Globally unique identifier See Guid Home directory See home folder Local home directory See local home folder 262 Primary domain controller See PDC Search path See search policy Security identifier See SID Weblog See blog 266 Index 268 269 270 271 272 273 274 275