Jesus Vigo offers a tutorial on managing user and group accounts in Apple OS X Server.
One of Apple's prevailing principals, permeating into every aspect of the company – across all departments – is the customer. How they think, work, perceive, design and function. Everything revolves around its users.
As the late Steve Jobs once said, "Technology is nothing. What's important is that you have a faith in people, that they're basically good and smart, and if you give them tools, they'll do wonderful things with them." This fundamental belief goes hand in hand with users and groups of users on an Open Directory network. In essence, the network exists for end-users to access resources and produce things, so I felt it relevant to make user management the focus of the next article in this series. So far, we've covered: How to set up Apple OS X Server.
By default, there are no network accounts created during the Open Directory configuration process, only the "diradmin" account to manage OD. To create an account, click on the "+" sign to bring up the New User* screen and fill out the pertinent fields, then click "done" when complete:
Repeat step #3 until the user accounts section is fully populated with all the desired user and service-level accounts:
*Note: There are 4 types of accounts that can be created through the Users pane:
- User Account
- User Account with Administrative Access
- Service Account
- Service Account with Administrative Access
Primarily, the difference between a User & Service account lies in being able to log on locally to the node. Service accounts do not retain a User profile directory since they're mainly used to launch services (and/or applications) with a specific level of access, typically administrative. A service account would be used to grant users access to FTP or Email services, without actually handing over the administrator's credentials or enabling admin rights for the end-user account(s). This grants the specific service or app the access it requires to run within the context of the service account – but still manage to keep an eye on security by minimizing the number of users running around with administrative privileges to the network.
Manage user settings individually vs. globally
An essential part of user management is the "management" portion. Since end-users are prone to forgetting passwords (or sometimes holding onto them for longer than they should), it is not a question of "if" but "when" you'll be called upon to modify a user account.
For most changes that occur individually, like a forgotten password or a name change, simply access the Edit drop-down menu, by clicking on the cogwheel, to make these changes:
Highlighting a user account and selecting Edit user… from the menu will allow access to modify the Full Name, email address, checkboxes that control admin privilege, access to login, limiting disk space (or quota), and finally, adding/removing membership to user security groups:
Next, the Edit Access to Services… selection allows the administrator to specifically pick and choose what services an end-user will be allowed to use. By default, user accounts are granted access to all services, yet access can be revoked as easily as unchecking the check box next to the service and clicking OK when done. This is often referred to as scoping, as access is limited based on the needs of the account. (For example, limiting access to an Email service account to just the Email service. If the account were to become compromised, access will only allow changes to the Email service – all other services would be disallowed from modification.)
The next entry on the list is Edit Mail Options… This setting allows for only two changes: Specifying whether email should be stored locally or forwarded and limiting message storage (in MB).
Most should be familiar with the following menu entry, Reset Password… This one is pretty straightforward cross-platform – from Apple to Microsoft to Linux to just about any OS! You enter the new password in the New Password field and again in the Verify field. For additional security on behalf of the end-users, checking the checkbox to Require password change at next login will allow the user to select his/her own password after the subsequent successful login, following the initial password reset.
But what happens when there are 100's or 1000's of users that require password resets? Or how do I control what passwords users have selected, so my admin-level users don't have the easy to guess "password" as their password? Two words: Global Settings.
The title of this section – individual vs. global settings – is indicative of this dilemma. As a network/systems admin, the goal is to do more with less. Knowing to balance the workload in contrast to the time it takes to execute the task is tantamount to working smarter, not harder (my personal motto). And as such, setting up a password policy with character requirements, previous password history. and timed reset cycles are just a few of the changes that can be made from the Edit Global Password Policy… menu. This is by far not a one size fits all group of settings, so please tread lightly and be mindful of security and best practices, as well as, any company or Enterprise policies in effect. (Figure K)
Creating User Security Groups
- Similar to creating a user account above, launch Server.app from the Applications folder and authenticate when prompted to do so.
- Select the "Groups" configuration pane.
- By default, there is one network group created during the Open Directory configuration process - Workgroups - to manage File Sharing preferences in OD. To create an account, click on the "+" sign to bring up the New Group screen and fill out the pertinent fields, then click Done when complete:
- Repeat step #3 until the user groups' section is fully populated with all the desired security groups.
Managing User Security Groups
Similar to the managing user accounts section above, managing security groups is no different in theory. However, since groups act as containers for various user accounts, this changes the dynamic of its execution and calls into effect once again the individual vs. global settings changes.
The Edit Group… menu item allows for modifications to the Full Name, as well as, the membership of users to the specifically selected group. But also adds hooks into other network services, such as: the ability to create a shared folder for group members (File Sharing), make members messaging buddies (Messages), enable a group mailing list (Email) and lastly, creation of a group-based webpage for collaboration (Wiki). (Figure O)
Next, Edit Access to Services… is the final selection available, yet arguably the most powerful for an administrator. This menu item allows access (or disallows access**) to OS X Server services, based on membership to the highlighted security group. This gives the administrator the ability to manage many users (and their respective accesses) with a few well-thought-out security groups.
**Note: Contrary to user accounts, which have every service enabled by default due to his/her automatic membership into the "Workgroup" security group; Newly created groups have all service access disallowed by default. Meaning one must manually edit the services each group is to have access to by explicitly checking the checkbox.
While the days of iron-fisted network management aren't quite over, at many enterprises, this method of management has hit several financial, ethical and liability walls with the introduction of forward-thinking technologies, such as: BYOD and virtualization, mixed in with "basically good and smart", tech-savvy users. The landscape is shifting less to managing people and more to managing expectations, controlling environments, and ensuring the end-user has what he/she needs to get the job done. After all, isn't that what the infusion of technology was to bring, a life where we could leverage the computer to perform the "heavy lifting" for us?