Administrative User Options


Administrative user accounts on Mac OS X Server are very similar to administrative user accounts on Mac OS X. Administrative users can configure any settings or file permissions on both Mac OS X and Mac OS X Server. Essentially, an administrative user account is any user who is also in the admin group. Thus, it's important to restrict administrative user accounts to only those users who require such authority.

From an account management standpoint, administrators aren't that different from other user accounts. In fact, administrative users and regular users are only separated by one check box in the Workgroup Manager application.

This discussion assumes you've already created additional user accounts on your server (refer to Chapter 2).

To change administrative user options

1. In Workgroup Manager, click the Accounts icon in the Toolbar, click the User tab in the account types tab, and click the Basic tab.

The user information is displayed (Figure 4.8).

Figure 4.8. Click the Accounts icon and the User tab in Workgroup Manager.


2. Click the directory authentication icon, and select the appropriate directory database from the pop-up menu (Figure 4.9).

Figure 4.9. Select the appropriate directory database from the pop-up menu.


3. Select the user or users you wish to configure from the user list (Figure 4.10).

Figure 4.10. Choose a user from the selected database.


4. In the user settings frame, click the Basic tab.

5. Do one of the following, depending on what options you want your new administrator to have:

  • If the user account needs to manage services using the Server Admin application, click the "administer the server" check box (Figure 4.11).

    Figure 4.11. If the user account is in a local directory, select the "User can administer the server" check box.


  • If the user account needs to manage the LDAP database, click the "administer this directory domain" check box (Figure 4.12) to invoke the administrator privileges dialog (Figure 4.13), and then click OK to accept the default settings.

    Figure 4.12. If the user account is in a shared directory, select both the "User can administer the server" and the "User can administer this directory domain" check boxes. Doing so...


    Figure 4.13. ...opens the administrator's privileges dialog.


6. When you've finished making changes, click Save.

This user is now allowed to make changes to all server settings, file permissions, and user accounts.

Tips

  • Administrative users can also become the root user by typing sudo -s in the Terminal, pressing Return, and entering their password. This opens a root shell.

  • To revert the administrative account back to a regular user account, deselect both administrator check boxes and save your changes.

  • An administrative user account in an LDAP directory can administer any computer that authenticates against that directory. In other words, if your Mac OS X computers use the directory server, then server administrators also have administrative rights on those Mac OS X computers.

  • You can disable any account by deselecting the "access account" check box. Doing so changes the user's icon in the user list to show an "X" over their name, indicating that the user is unable to log in (Figure 4.14).

    Figure 4.14. Viewing a temporarily disabled user account.


Restricting administrator directory access

On Mac OS X, every administrative user is allowed to edit all settings, permissions, and user accounts. However, Mac OS X Server gives you more granularity when configuring administrative user permissions. Specifically, Mac OS X Server distinguishes administrators who can configure service settings from those who can configure account settings and share points. For example, server administrators can use the Server Admin tool, whereas directory administrators can use the Workgroup Manager tool for shared (LDAP) accounts, and local administrators can manage local (NetInfo) accounts.

In the previous task, you were instructed to enable unlimited server and directory administration rights for a user account, thus turning it into an administrative account. The following task explains how to restrict an administrator's directory permissions.

To restrict administrator directory access

1. In Workgroup Manager, click the Accounts icon in the Toolbar, click the User tab in the account types tab, and click the Basic tab (Figure 4.15).

Figure 4.15. Click the Accounts icon and the User tab in Workgroup Manager.


2. Verify that the "User can administer this directory domain" check box is selected and click Privileges.

The administrator's privileges dialog opens (Figure 4.16).

Figure 4.16. Click Privileges to display the administrator's editing privileges dialog.


3. For this task, select the Users tab. The options are similar for each account type.

4. To configure the administrator's permissions, select or deselect the following options:

  • "Edit user preferences" lets the administrator edit managed preferences for this account type.

  • "Edit user accounts" lets the administrator edit account attributes for this account type.

5. Select the "users listed below" radio button (Figure 4.17).

Figure 4.17. Choose the option button that allows an administrator to administer certain users.


6. Drag and drop accounts from the "Available users" column to the right column (Figure 4.18).

Figure 4.18. Drag users into the field to allow administration by a certain administrator.


7. Click OK to accept the changes.

The administrator's permissions dialog closes.

8. When you've finished making changes, click Save.

Tips

  • When these privileges are properly configured, you can safely delegate the task of managing accounts to other users with more time on their hands for such tasks. Keep in mind that every administrator can still become root in the Terminal.

  • You can select more than one account at a time while in the administrator's privileges dialog by holding down the Shift or Command key while you make your selections.

  • While you can have granular control over an admin's abilities in the directory when using Workgroup Manager, keep in mind that only the Apple tools respect these controls. Any admin user has full control of their directory domain using the command-line tools.
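Because an administrator is simply a member of the admin group, and the command-line tools ignore the Workgroup Manager privilege limits, admin group membership is the list worth reviewing. The following is an added example, not from the book: it parses text in the shape printed by `dscl <node> -read /Groups/admin` and reports members missing from an approved list. The function names, the sample records, the approved names, and the assumed output layout are all constructed for illustration.

```shell
#!/bin/sh
# Added example: compare admin group members with an approved list.
# On a server the input would come from, for instance,
#   dscl . -read /Groups/admin GroupMembership                (local accounts)
#   dscl /LDAPv3/127.0.0.1 -read /Groups/admin GroupMembership (shared; node path is an assumption)

# parse_members: read dscl record text on stdin and print each
# GroupMembership value on its own line, sorted and de-duplicated.
# Accepts the one-line form and the form with values on indented lines.
parse_members() {
    awk '
        /^GroupMembership:/ { grab = 1; sub(/^GroupMembership:/, "") }
        /^[^ \t]/           { grab = 0 }   # a different attribute begins
        grab { for (i = 1; i <= NF; i++) print $i }
    ' | sort -u
}

# unapproved_admins "name1 name2 ...": read dscl record text on stdin and
# print every admin group member that is not in the approved list.
unapproved_admins() {
    approved=" $1 "
    parse_members | while read -r user; do
        case "$approved" in
            *" $user "*) ;;                  # approved, nothing to report
            *) printf '%s\n' "$user" ;;      # member nobody signed off on
        esac
    done
}

# Constructed sample records (not taken from a real server).
SAMPLE_LOCAL='GroupMembership: root ladmin'
SAMPLE_LDAP='GroupMembership:
 diradmin jsmith tempadmin
PrimaryGroupID: 80'

# audit_sample: run the check over the constructed shared-directory record.
audit_sample() {
    printf '%s\n' "$SAMPLE_LDAP" | unapproved_admins "diradmin jsmith"
}

audit_sample
```

Run the check against both the local and the shared directory node, since a shared-directory administrator also has administrative rights on every client bound to that directory.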





Mac OS X Server 10.4 Tiger: Visual QuickPro Guide
ISBN: 0321362446
EAN: 2147483647
Year: 2006
Pages: 139
Authors: Schoun Regan
