Levels of Management


Workgroup Manager is used to manage the three account levels:

  • User accounts

  • Workgroup accounts

  • Computer accounts

When you consider managing accounts, think about your organization. You have users, which consist of both standard users and administrators. Among these, the administrators are likely to have various levels of technical acumen and are categorized accordingly by job.

You have workgroups: groups of users, groups of administrators, groups of groups.

You also have computers, perhaps not just Apple computers, but also computers that run other operating systems, such as Windows. These computers might be laptop computers, desktop computers, servers, or small, non-laptop, somewhat portable computers (such as the Mac Mini). These computers may be used by just one person within your organization, or they may be in a computer lab environment.

Each of these levels of management can be used for control and can act independently of each other.

Understanding Account Types

Understanding the levels of accounts that can be managed is a good start. But what types of accounts can be at each level? For example, can you manage a user on a local Mac OS X computer if that computer isn't connected to or bound to a Mac OS X Server? Can groups be managed on Mac OS X as easily as on Mac OS X Server? How many different computer types can you manage? Macs? Windows machines? There are three main account types when dealing with Mac OS X and Mac OS X Server:

  • The local account. The local account exists only on Mac OS X. There is no connection to any accounts on Mac OS X Server or any other directory service; therefore, user account management is minimal at best. All Mac OS X computers have at least one local account. This is the account that is initially created when Mac OS X is set up without being connected to or bound to a directory service. If the computer on which the local account is located is stolen, is compromised, or has a hard-disk failure, then that user account and all related user information, such as the user's files and data, can be lost (unless it has been backed up to a remote computer or device). One advantage of a local account is that a server need not be present for it to function for the user.

  • The network account. Where a local account has no relationship with a directory service, a network account is the opposite. It exists solely on a server and is used transparently on Mac OS X, allowing for the full complement of account management. Network accounts are not tied to any particular computer to which they are bound. If that computer is stolen or a hard-disk failure occurs, only the open files are affected. The user's files and data actually exist on a remote server. However, if the server is not available, the user cannot use the computer.

  • The mobile account. Mobile accounts combine the advantage of a local account (the freedom to be disconnected from the server, such as with a laptop computer) with the granularity of account management from a network account. Mobile accounts essentially are new accounts that employ the user account template on the Mac OS X computer to create an account based on the network user account. Any management that is performed on the network account is cached locally on the Mac OS X computer, permitting the user to disconnect from the server to which it was bound when the account was created. This allows for a tremendous amount of physical freedom with regard to the computer's location, as the computer does not constantly have to be bound to the server. However, when the user does reconnect to the network, any changes to that account's management are downloaded to the local computer from the server. A user's data resides locally on the computer on which the mobile account was created. The user's files and data are not synchronized back to the server unless that option is chosen.
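The three account types differ in where the record lives and whether credentials and data are cached on the computer, which is exactly what an administrator wants to know when a machine is lost or stolen. The following script is an added example, not code from the Apple Training Series text: it classifies a user record as local, network or mobile from the directory node it was read from and from the attributes in the record. The attribute layout assumed is that of `dscl <node> -read /Users/<name>` ("Key: value" lines, continuation values indented), and the two mobile-account markers it looks for, an `OriginalNodeName` attribute and a `;LocalCachedUser;` entry in `AuthenticationAuthority`, are assumptions about how a cached mobile record appears in the local node, not facts stated by this page. The sample records are constructed test data.

```python
"""Classify Mac OS X user records as local, network or mobile accounts.

Added example (not from the training text). Assumptions, labelled here
and in the lead-in: records are in the "Key: value" layout printed by
`dscl <node> -read /Users/<name>`, and a mobile account's cached local
record carries an OriginalNodeName attribute and/or a ";LocalCachedUser;"
entry in AuthenticationAuthority. Sample records below are constructed.
"""
import re

# Constructed sample records (placeholder hashes and GUIDs, not real data).
LOCAL_ADMIN = """\
RecordName: admin
UniqueID: 501
NFSHomeDirectory: /Users/admin
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA1>
"""

MOBILE_USER = """\
RecordName: alice
UniqueID: 1025
NFSHomeDirectory: /Users/alice
OriginalNodeName: /LDAPv3/od.example.com
OriginalAuthenticationAuthority: ;ApplePasswordServer;0xPLACEHOLDER
AuthenticationAuthority:
 ;LocalCachedUser;/LDAPv3/od.example.com:alice:GUID-PLACEHOLDER
 ;ShadowHash;HASHLIST:<SALTED-SHA1>
"""

NETWORK_USER = """\
RecordName: bob
UniqueID: 1026
NFSHomeDirectory: /Network/Servers/od.example.com/Users/bob
AuthenticationAuthority: ;ApplePasswordServer;0xPLACEHOLDER
"""

# (directory node the record was read from, record text)
SAMPLE_ACCOUNTS = [
    (".", LOCAL_ADMIN),                      # "." is the local node in dscl
    ("/Local/Default", MOBILE_USER),         # cached copy of a network user
    ("/LDAPv3/od.example.com", NETWORK_USER),
]

_KEY_LINE = re.compile(r"^([^\s:][^:]*):\s?(.*)$")


def parse_dscl_record(text):
    """Parse "Key: value" lines into {key: [values]}.

    A line starting with whitespace is a continuation value belonging to
    the most recent key (dscl prints multi-valued attributes that way).
    """
    record, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            record[current].append(line.strip())
            continue
        m = _KEY_LINE.match(line)
        if not m:
            continue  # ignore lines that are not attributes
        current, value = m.group(1), m.group(2).strip()
        record[current] = [value] if value else []
    return record


def is_local_node(node):
    """True for the computer's own directory node."""
    return node == "." or node.startswith("/Local/")


def classify_account(node, record_text):
    """Return "local", "network" or "mobile" for one user record."""
    record = parse_dscl_record(record_text)
    if not is_local_node(node):
        return "network"          # record lives only on the server
    auth = " ".join(record.get("AuthenticationAuthority", []))
    if "OriginalNodeName" in record or ";LocalCachedUser;" in auth:
        return "mobile"           # cached copy of a network account
    return "local"


def data_lives_locally(kind):
    """Local and mobile accounts keep the user's files on the computer,
    so a lost or failed disk takes the data with it unless backed up
    (mobile accounts only sync back when that option is chosen)."""
    return kind in ("local", "mobile")


def audit_accounts(entries):
    """Map record name -> account type for a list of (node, text)."""
    result = {}
    for node, text in entries:
        name = parse_dscl_record(text)["RecordName"][0]
        result[name] = classify_account(node, text)
    return result


if __name__ == "__main__":
    for name, kind in audit_accounts(SAMPLE_ACCOUNTS).items():
        flag = "data on this computer" if data_lives_locally(kind) else "data on server"
        print(f"{name:8s} {kind:8s} {flag}")
```

On a real system the record text would come from `dscl` output rather than the constructed strings, and the audit would be run against every record in the local node to list which accounts hold cached credentials and local data.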

Matching Account Types to Individuals

When creating a solution for account management, roles must be clearly defined with respect to users, administrators, and groups. How many groups are required and who should be a member of each group? Mac OS X Server has virtually no limitation on the number of groups you can create. Since you can have as many groups as you like, it is easy to assume that dragging users into their groups is the best solution.

However, removing a user from one group does not remove her from another group. The time spent managing groups can quickly lengthen, and the groups can become difficult to keep organized. Creating nested groups (groups within groups) allows better control of users.
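The point that removing a user from one group leaves her in every other group is easiest to see with nested groups, where membership is inherited through the nesting. The resolver below is an added example, not the book's or Workgroup Manager's code; the group table is constructed, and each group is modelled as a set of direct users plus a set of nested member groups. It walks the nesting with a visited set so a cycle cannot loop forever, and shows that a user removed from one direct group keeps every membership she holds through another path.

```python
"""Effective (nested) group membership resolver.

Added example, not from the training text. GROUPS is a constructed table:
each group has direct "users" and nested member "groups", mirroring
nested groups in Workgroup Manager.
"""
import copy

GROUPS = {
    "students":   {"users": {"ana", "ben"},   "groups": set()},
    "teachers":   {"users": {"carol"},        "groups": set()},
    "lab_admins": {"users": {"carol", "dan"}, "groups": set()},
    "staff":      {"users": set(),            "groups": {"teachers", "lab_admins"}},
    "everyone":   {"users": set(),            "groups": {"students", "staff"}},
}


def effective_members(group, groups=GROUPS):
    """All users reachable from `group` through any depth of nesting.

    Uses an explicit stack plus a visited set, so mutually nested groups
    (a cycle) are handled, and a reference to a group that no longer
    exists is skipped rather than raising.
    """
    seen, members, stack = set(), set(), [group]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        spec = groups.get(name)
        if spec is None:
            continue  # dangling nested reference
        members |= spec["users"]
        stack.extend(spec["groups"])
    return members


def groups_of(user, groups=GROUPS):
    """Every group the user belongs to, directly or through nesting."""
    return {g for g in groups if user in effective_members(g, groups)}


def remove_user_from_group(user, group, groups=GROUPS):
    """Return a copy of the table with `user` removed from `group`'s
    direct members only; memberships via other groups are untouched."""
    updated = copy.deepcopy(groups)
    updated[group]["users"].discard(user)
    return updated


if __name__ == "__main__":
    print("carol before:", sorted(groups_of("carol")))
    after = remove_user_from_group("carol", "teachers")
    print("carol after removal from teachers:", sorted(groups_of("carol", after)))
```

Running it shows that after removal from `teachers`, carol still reaches `staff` and `everyone` through `lab_admins`, which is why group membership needs to be reviewed as a whole rather than one group at a time.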

Administrative users are of particular interest because they may be in separate departments within your organization. A one-size-fits-all administrator group may not be the best solution. Within an educational environment, teachers are often placed in control of their students, so they effectively become administrators. However, they may not need or require administrator access to other groups or computers outside of their classroom. Burdening them with additional administrative capabilities when unnecessary is asking for trouble, should their accounts become compromised. It is best to take an organizational chart, evaluate skill levels and specific administrative tasks, and create administrative groups based on these criteria.

Matching User Requirements to Management Solutions

It is important to qualify in advance which management solutions work for each type of user. Defining roles and determining in advance how accounts will be managed removes any doubt or question when setting up accounts. For example, there are probably several skill levels relative to Mac OS X within your organization. Some users may possess more advanced skills than others. A level of account management should respect the fact that some users have earned more freedom to make decisions about their systems. Conversely, new users may merit a more restrictive management solution.

Setting User Management Policies

Regardless of the organization, it is beneficial to create policies early on to use various levels of account management. Doing so defines what is to be accomplished and how deep the management will be.

Setting Account Creation Policy

All organizations have work-related policies, such as vacation policies and lunchtime limitations. To avoid disputes, it is best to plan what types of accounts are to be created, and when. Should a user have a quota on his home folder? If so, how much? And should it depend on the user? These questions and others need answers to avoid confusion.

In no other situation is this more important than when creating administrator accounts. Not everyone should be made an administrator, and doing so can also add liability that did not exist when there were just three or four administrators. Consider the following when deciding on policies for administrator user creation:

  • Organizational group

  • Job description

  • Competency

  • Trust

These factors are not set in stone. Each organization will have to decide how to mete out the creation of accounts. The point is that account policies are a critical factor when planning the entire account management structure.

Setting Policy Components

As when you set your account creation policy, you will have to decide on what pieces of the policy deserve a higher priority than others. Examples of policy component issues:

  • Can a user create other accounts, and if so, what types?

    • User accounts

    • Group accounts

    • Computer list accounts

  • Should the user be able to reset other users' passwords?

  • Should the user be able to manage file share points that directly relate to another user's home folder?

  • How much restriction should the user be able to place on another user's interface environment?

You can use Workgroup Manager to establish policy priorities to restrict certain administrators to certain groups. This effectively confines an administrator to a given user, workgroup, or computer list. An example of this is a teacher who has total access to her students' accounts, being allowed to manage all their settings and preferences, but is not allowed to manage the computer list settings of the computers that are in her room.

Figure: Using Workgroup Manager to restrict an administrator to a given workgroup.

There are usually no easy answers here, and attempting to provide some without an intimate knowledge of an organization's infrastructure would be doing that organization a great disservice.

You must plan not only with computers in mind, but also considering people, personalities, defined roles within the organization, legal ramifications, and long-term goals. This may sound like an overwhelming task, but it is essential to flush out any issues that may arise at the outset, before they become financial and legal burdens later. Proper planning requires that you play the what-if game and provide concrete answers.

Apple Training Series: Mac OS X v10.4 System Administration Reference, Volume 2
ISBN: 0321423151
Year: 2006
Pages: 128