It is important to note the differences between Mac OS X accounts and Windows accounts, especially if Windows accounts are moved to a Mac OS X Server. For example, you must understand what Mac OS X Server offers in the way of security policies, how Windows users can be managed, how to configure a basic Windows account, and how to set up a Windows computer list. While you may routinely do all these things for Mac OS X users and Macintosh computers, Windows accounts and computers often represent a new challenge for Mac OS X administrators.

Comparing Security Policies

Mac OS X Server has various security policies when dealing with user accounts. Password policies can be user specific or global. User-specific policies override global policies. Here are the Mac OS X Server user authentication policies:

User Authentication Policies

GUI Password Policy Option | Usage | pwpolicy Command-line Equivalent
---|---|---
On Date | Disables an account on a set date, such as when a contractor is set to leave a job site | usingExpirationDate, usingHardExpirationDate, expirationDateGMT, hardExpireDateGMT
After a set number of days | Disables an account after a set number of days, such as when a student has access for the number of days in a grading period | maxMinutesUntilDisabled
After a period of inactivity | Disables an account after the user doesn't log in for a set number of days, such as when a user stops using a particular file server | maxMinutesOfNonUse
After a set number of failed login attempts | Disables an account after a user or hacker enters incorrect information a set number of times | maxFailedLoginAttempts
Length policy | Dictates that a password must be at least a set number of characters long | minChars
Letter policy | Requires a password to contain at least one letter | requiresAlpha
Numeric character policy | Requires a password to contain at least one numeric character | requiresNumeric
Account name policy | Requires the password to be different from the account name | passwordCannotBeName
Reused passwords policy | Requires a password to be different from previous passwords | usingHistory
Password change policy | Requires a password to be changed after a set number of days, weeks, or months | maxMinutesUntilChangePassword
Be reset on first user login | Requires a new password at next logon | newPasswordRequired
Allow the user to change the password (in WGM) | Allows the user to change their own password | canModifyPasswordforSelf
(No GUI equivalent) | Requires a password to have both upper- and lowercase letters | requiresMixedCase
Almost all these policies can be accessed via the Server Admin tool, under the Open Directory service. You can also manage password policies on Mac OS X without a connection to Mac OS X Server. You do this by using the pwpolicy command from Terminal. Before you can see all the policies, you must actually set a policy. To set the policy of requiring a minimum of eight characters for a user's password:

1. Enter the following command in Terminal on Mac OS X:

```
pwpolicy -n /NetInfo/DefaultLocalNode -a davedoug -setglobalpolicy minChars=8
```

2. Enter your password when asked. You can now enter the command

```
pwpolicy -n /NetInfo/DefaultLocalNode -getglobalpolicy
```

which returns this result:

```
usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=8 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 newPasswordRequired=0
```

Since there is no GUI for changing these parameters, you use the command line to change them for local-only accounts. It is therefore important to understand that both Mac OS X and Mac OS X Server have very similar security policies.

In contrast, Windows 2003 and Windows XP have the following password policies:

The one policy that is not clearly defined in the preceding image is "Password must meet complexity requirements." When this option is enabled, the password must meet the following criteria:

- It must not contain all or part of the user's account name.
- It must be at least six characters in length.
- It must contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphanumeric characters (!, $, #, %)
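As an added example (not code from the book or from Apple), the following Python script puts the two policy sets side by side: it parses the `pwpolicy -getglobalpolicy` output shown above, reports which policy keys are still at their default of 0, and tests a candidate password against both the Mac OS X Server content keys (minChars, requiresAlpha, requiresNumeric, requiresMixedCase, passwordCannotBeName) and the Windows "complexity requirements" rule just listed. The sample output and passwords are constructed; which keys count as "worth flagging" and how "part of the account name" is interpreted are assumptions stated in the comments.

```python
"""Added example: audit a pwpolicy global policy and check a password against
the Mac OS X Server keys and the Windows 2003/XP complexity rule."""
import re

# Constructed sample: the getglobalpolicy output after minChars=8 was set.
SAMPLE_POLICY_OUTPUT = (
    "usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 "
    "usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 "
    "expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 "
    "maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 "
    "maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=8 maxChars=0 "
    "passwordCannotBeName=0 requiresMixedCase=0 newPasswordRequired=0"
)


def parse_policy(text):
    """Turn 'key=value key=value ...' into a dict; numeric values become ints,
    dates such as expirationDateGMT=12/31/69 stay strings."""
    policy = {}
    for key, value in re.findall(r"(\w+)=(\S+)", text):
        policy[key] = int(value) if value.isdigit() else value
    return policy


def weak_policy_settings(policy):
    """Keys a defender would normally expect to be non-zero but that are still
    at their default 0. Assumption: this baseline is the example's own; the
    book does not prescribe one."""
    expected_nonzero = ("requiresAlpha", "requiresNumeric", "requiresMixedCase",
                        "passwordCannotBeName", "usingHistory",
                        "maxFailedLoginAttempts", "maxMinutesUntilChangePassword")
    return [k for k in expected_nonzero if policy.get(k, 0) == 0]


def check_macosx(password, account_name, policy):
    """Violations of the Mac OS X Server keys that constrain password content
    (the time-based keys are enforced by the server, not checked here)."""
    problems = []
    if len(password) < policy.get("minChars", 0):
        problems.append("shorter than minChars=%d" % policy["minChars"])
    if policy.get("maxChars", 0) and len(password) > policy["maxChars"]:
        problems.append("longer than maxChars=%d" % policy["maxChars"])
    if policy.get("requiresAlpha") and not re.search(r"[A-Za-z]", password):
        problems.append("requiresAlpha: no letter")
    if policy.get("requiresNumeric") and not re.search(r"[0-9]", password):
        problems.append("requiresNumeric: no digit")
    if policy.get("requiresMixedCase") and not (
            re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("requiresMixedCase: not both upper- and lowercase")
    if policy.get("passwordCannotBeName") and password.lower() == account_name.lower():
        problems.append("passwordCannotBeName: password equals account name")
    return problems


def check_windows_complexity(password, account_name):
    """The Windows rule as the text states it: at least six characters, not
    containing all or part of the account name, and characters from three of
    the four categories. Assumption: 'part of the account name' means the whole
    name or any delimiter-separated piece of it that is three or more
    characters long, compared case-insensitively."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    lowered, name = password.lower(), account_name.lower()
    tokens = {name} | {t for t in re.split(r"[\s,.\-_#]+", name) if len(t) >= 3}
    if any(t in lowered for t in tokens):
        problems.append("contains all or part of the account name")
    categories = [re.search(r"[A-Z]", password),      # English uppercase
                  re.search(r"[a-z]", password),      # English lowercase
                  re.search(r"[0-9]", password),      # base 10 digits
                  re.search(r"[^A-Za-z0-9]", password)]  # non-alphanumeric
    if sum(1 for c in categories if c) < 3:
        problems.append("fewer than three of the four character categories")
    return problems


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_OUTPUT)
    print("still at default 0:", weak_policy_settings(policy))
    for candidate in ("short1", "Summer2007", "Davedoug1!"):
        print(candidate, "| Mac OS X:", check_macosx(candidate, "davedoug", policy),
              "| Windows:", check_windows_complexity(candidate, "davedoug"))
```

With only minChars set, the Mac OS X policy accepts `Summer2007` and rejects only on length, while the Windows rule also rejects `Davedoug1!` because it contains the account name; the `weak_policy_settings` list is the gap an administrator would close with further `-setglobalpolicy` keys.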
When considering whether to create accounts that will be accessed from computers running Windows, the focus is not on local account password policies but on those policies residing on Mac OS X Server. As you can see, password policies vary slightly from system to system, but the basic objective of forcing a user to create a better password remains the same on both systems.

Configuring Windows Accounts

A Windows account is configured much like a Mac OS X account. One main difference is the Windows tab for each user. The following entries (all of which are generally entered under a user's profile tab in Active Directory) can be used by users logging in from a Windows computer:

- User Profile Path: the location of the user's profile settings
- Login script, if used
- Hard drive letter: the letter that appears when the user has a home directory
- Path: the path to the user's home directory

When created, the OpenLDAP attribute names are:

- homeDrive for the drive letter
- profilePath for the path to the user's profile
- scriptPath for the location and name of the login script
- smbHome for the location of the user's SMB home mount

The Open Directory attribute names are:

- SMBHomeDrive for the drive letter
- SMBProfilePath for the path to the user's profile
- SMBScriptPath for the location and name of the login script
- SMBHome for the location of the user's SMB home mount

Assigning Login Scripts to Windows Accounts

A login script can be used to execute certain commands when the user logs in. This is commonly done to check for Windows-related viruses and worms, or to remove cache or temporary files. Writing a Windows batch file is similar to writing a standard UNIX shell script, although the syntax is slightly different. Writing batch scripts is beyond the scope of this book, but be aware that you do have the ability to define the script that runs for a user, and you can change or rotate the scripts that run without informing that user.
Creating a Windows Computer List

The Windows computer list is used to let a Mac OS X Server that is acting as a Primary Domain Controller (PDC) know which computers are to be part of the domain, based on their NetBIOS names. Once a computer is added, it is given a unique ID and a shared Group ID. To add computers running Windows to the Windows computer list in Workgroup Manager, do the following:

1. Open and authenticate to Workgroup Manager.
2. From the domain pop-up menu, choose your LDAP domain.
3. Click the Accounts button in the Toolbar and then click the Computer tab.
4. Select the Windows computer list and click the Add (+) button to add a computer, filling out the fields as shown in the figure below.
5. Enter the appropriate information, including adding a dollar sign ($) at the end of the computer name, and then click Add.
6. When you are finished entering all the computers, click Save.

You must also enable Windows sharing and promote your Mac OS X Server to a PDC using the Server Admin utility to allow these computers to be part of the trusted domain.