Workgroup Manager is used to manage the three account levels:
When you consider managing accounts, think about your organization. You have users, which consist of both standard users and administrators. Among these, the administrators are likely to have various levels of technical acumen and are categorized accordingly by job. You have workgroups: groups of users, groups of administrators, groups of groups. You also have computers, perhaps not just Apple computers, but also computers that run other operating systems, such as Windows. These computers might be laptop computers, desktop computers, servers, or small, non-laptop, somewhat portable computers (such as the Mac Mini). These computers may be used by just one person within your organization, or they may be in a computer lab environment. Each of these levels of management can be used for control and can act independently of each other.

Understanding Account Types

Understanding the levels of accounts that can be managed is a good start. But what types of accounts can be at each level? For example, can you manage a user on a local Mac OS X computer if that computer isn't connected to or bound to a Mac OS X Server? Can groups be managed on Mac OS X as easily as on Mac OS X Server? How many different computer types can you manage? Macs? Windows machines? There are three main account types when dealing with Mac OS X and Mac OS X Server:
Matching Account Types to Individuals

When creating a solution for account management, roles must be clearly defined with respect to users, administrators, and groups. How many groups are required and who should be a member of each group? Mac OS X Server has virtually no limitation on the number of groups you can create. Since you can have as many groups as you like, it is easy to assume that dragging users into their groups is the best solution. However, removing a user from one group does not remove her from another group. The time spent managing groups can quickly lengthen, and the groups can become difficult to keep organized. Creating nested groups (groups within groups) allows better control of users.

Administrative users are of particular interest because they may be in separate departments within your organization. A one-size-fits-all administrator group may not be the best solution. Within an educational environment, teachers are often placed in control of their students, so they effectively become administrators. However, they may not need or require administrator access to other groups or computers outside of their classroom. Burdening them with additional administrative capabilities when unnecessary is asking for trouble, should their accounts become compromised. It is best to take an organizational chart, evaluate skill levels and specific administrative tasks, and create administrative groups based on these criteria.

Matching User Requirements to Management Solutions

It is important to qualify in advance which management solutions work for each type of user. Defining roles and determining in advance how accounts will be managed removes any doubt or question when setting up accounts. For example, there are probably several skill levels relative to Mac OS X within your organization. Some users may possess more advanced skills than others.
A level of account management should respect the fact that some users have earned more freedom to make decisions about their systems. Conversely, new users may merit a more restrictive management solution.

Setting User Management Policies

Regardless of the organization, it is beneficial to create policies early on for using the various levels of account management. Doing so defines what is to be accomplished and how deep the management will be.

Setting Account Creation Policy

All organizations have work-related policies, such as vacation policies and lunchtime limitations. To avoid disputes, it is best to plan what types of accounts are to be created, and when. Should a user have a quota on his home folder? If so, how much? And should it depend on the user? These questions and others need answers to avoid confusion. In no other situation is this more important than when creating administrator accounts. Not everyone should be made an administrator, and doing so can also add liability that did not exist when there were just three or four administrators. Consider the following when deciding on policies for administrator user creation:
These factors are not set in stone. Each organization will have to decide how to mete out the creation of accounts. The point is that account policies are a critical factor when planning the entire account management structure.

Setting Policy Components

As when you set your account creation policy, you will have to decide on what pieces of the policy deserve a higher priority than others. Examples of policy component issues:
You can use Workgroup Manager to establish policy priorities to restrict certain administrators to certain groups. This effectively confines an administrator to a given user, workgroup, or computer list. An example of this is a teacher who has total access to her students' accounts, being allowed to manage all their settings and preferences, but is not allowed to manage the computer list settings of the computers that are in her room.

[Figure: Using Workgroup Manager to restrict an administrator to a given workgroup.]

There are usually no easy answers here, and attempting to provide some without an intimate knowledge of an organization's infrastructure would be doing that organization a great disservice. You must plan not only with computers in mind, but also considering people, personalities, defined roles within the organization, legal ramifications, and long-term goals. This may sound like an overwhelming task, but it is essential to flush out any issues that may arise at the outset, before they become financial and legal burdens later. Proper planning requires that you play the what-if game and provide concrete answers.
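
The nested-group planning under "Matching Account Types to Individuals" and the restricted-administrator case above can be checked on paper before any accounts are created. The following Python example is added here and is not from the original text or from Workgroup Manager; it resolves nested membership and flags administrators whose delegations exceed what their role allows. The group names, users, the "@" nesting marker and the delegation kinds are all constructed assumptions.

```python
# Constructed sample data; none of these names come from the original text.
# group -> direct members; a leading "@" marks a nested group (assumed notation).
GROUPS = {
    "staff": {"@teachers", "@it_admins", "dana"},
    "teachers": {"maria", "lee"},
    "it_admins": {"sam"},
    "room12": {"stu01", "stu02", "@room12_aides"},
    "room12_aides": {"lee"},
    "loop_a": {"@loop_b"},            # deliberate cycle, must not hang
    "loop_b": {"@loop_a", "pat"},
}
# administrator -> (kind of object managed, target) pairs delegated to them
DELEGATIONS = {
    "maria": {("workgroup", "room12")},
    "lee": {("workgroup", "room12"), ("computer_list", "room12_macs")},
    "sam": {("workgroup", "staff"), ("computer_list", "room12_macs")},
}
# role group -> kinds of object that role may manage (the planned policy)
ROLE_POLICY = {"teachers": {"workgroup"}, "it_admins": {"workgroup", "computer_list"}}


def effective_members(group, groups, _seen=None):
    """Users in `group`, following nested groups; each group is visited once."""
    seen = set() if _seen is None else _seen
    if group in seen or group not in groups:
        return set()
    seen.add(group)
    users = set()
    for member in groups[group]:
        if member.startswith("@"):
            users |= effective_members(member[1:], groups, seen)
        else:
            users.add(member)
    return users


def groups_of(user, groups):
    """Every group the user belongs to, directly or through nesting."""
    return {g for g in groups if user in effective_members(g, groups)}


def audit(delegations, policy, groups):
    """Delegations whose kind is not permitted by any role the admin holds."""
    findings = []
    for admin, grants in delegations.items():
        allowed = set().union(*(policy[r] for r in groups_of(admin, groups) & set(policy)))
        findings += [(admin, k, t) for k, t in sorted(grants) if k not in allowed]
    return sorted(findings)

print(audit(DELEGATIONS, ROLE_POLICY, GROUPS))
```

Here the teacher "lee" is flagged for holding a computer-list delegation, which the constructed policy reserves for the IT administrators' role.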