Apple Remote Desktop Administrator Access Using Directory Services

You can also grant Apple Remote Desktop administrator access without enabling any local users at all by enabling group-based authorization if the client computers are bound to a directory service. When you use specially named groups from your Directory Services master domain, you don’t have to add users and passwords to the client computers for Apple Remote Desktop access and privileges.

When Directory Services authorization is enabled on a client, the user name and password you supply when you authenticate to the computer are checked in the directory. If the name belongs to one of the Apple Remote Desktop access groups, you are granted the access privileges assigned to the group.

Creating Administrator Access Groups

In order to use Directory Services authorization to determine access privileges, you need to create groups and assign them privileges. There are two ways of doing this:

Method #1

You can create groups and assign them privileges through the mcx_setting attribute on any of the following records: any computer record, any computer list record, or the guest computer record.

To create an administrator access group:

1. Create groups as usual.

If you are using Mac OS X Server, you use Workgroup Manager to make them.

2. After you have created groups, you edit either the computer record of the computer to be administered, its computer list record, or the guest computer record.

3. Use a text editor or the Apple Developer tool named Property List Editor to build the mcx_setting attribute XML. The XML contains some administrator privilege key designations (ard_admin, ard_reports, etc.) and the groups that you want to possess those privileges. The following privilege keys have these corresponding Remote Desktop management privileges:

Chapter 5 Understanding and Controlling Access Privileges
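
The following is an added example, not taken from the Apple manual: a Python sketch that builds the mcx_setting XML from step 3 and then reads it back to list which directory groups hold which privilege keys, so grants can be checked against an approved list. The nesting (mcx_application_data, com.apple.remotedesktop, Forced, mcx_preference_settings) is an assumption not shown on this page, and the group names are hypothetical.

```python
import plistlib

# Assumed nesting of the managed-preferences payload; this page names only the
# mcx_setting attribute and the ard_* keys, not the surrounding structure.
DOMAIN = "com.apple.remotedesktop"


def build_mcx_setting(priv_groups):
    """Return mcx_setting XML (bytes) mapping each ard_* key to its groups."""
    for key, groups in priv_groups.items():
        if not key.startswith("ard_"):
            raise ValueError(f"not an ARD privilege key: {key!r}")
        if not groups or any(not g.strip() for g in groups):
            raise ValueError(f"{key} needs at least one non-empty group name")
    payload = {"mcx_application_data": {DOMAIN: {"Forced": [
        {"mcx_preference_settings": {k: list(v) for k, v in priv_groups.items()}}
    ]}}}
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def groups_by_privilege(xml_bytes):
    """Parse mcx_setting XML and return {privilege key: [group, ...]}."""
    data = plistlib.loads(xml_bytes)
    forced = data.get("mcx_application_data", {}).get(DOMAIN, {}).get("Forced", [])
    found = {}
    for entry in forced:
        for key, groups in entry.get("mcx_preference_settings", {}).items():
            if key.startswith("ard_"):
                found.setdefault(key, []).extend(groups)
    return found


def unapproved_grants(xml_bytes, approved):
    """List (key, group) pairs that are not in the approved mapping."""
    return sorted((k, g) for k, gs in groups_by_privilege(xml_bytes).items()
                  for g in gs if g not in approved.get(k, ()))


if __name__ == "__main__":
    # Constructed sample: the group names below are hypothetical.
    xml = build_mcx_setting({"ard_admin": ["ard_admins", "helpdesk"],
                             "ard_reports": ["auditors"]})
    print(xml.decode())
    print(unapproved_grants(xml, {"ard_admin": {"ard_admins"},
                                  "ard_reports": {"auditors"}}))
```

Running the review over the attribute as stored in the directory, rather than over the file you intended to upload, shows the grants that clients will actually honor.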