Actually, there is an error in the text - I must have missed that in
the review... :-(
The sentence "If you select “All groups can use the computer,” users
log in without having to select a workgroup." is wrong - it should
say " ... local users can then choose any workgroup."
The hangup you are having is between groups and workgroups. The OD
groups are for segmenting users into nice neat piles. Workgroups are
specifically designed to provide preferences for a group or set of
users. While you can create a series of groups such as 'teachers',
'students' and 'techies' - those groups only become visible as
workgroups when you assign preferences to them. You could also create
a workgroup based on workflow - for instance, teachers and students
need to collaborate, so you create a workgroup called
"School" (really inventive, huh?). You then add the teachers and
students groups to that workgroup. "School" becomes a workgroup when
you set preferences, such as Dock settings, Syspref access, and
automatic mounting of a group folder.
This all applies to local users (the generic 'student' account) when
you allow local users to log into that workgroup. The reason you may
specify specific workgroups for local users is that you may have
other workgroups, such as 'Tech Support' that you do not want the
local account accessing. Since - and this is key - local users cannot
be assigned to OD groups, the system allows them to access the
settings of any workgroup they are allowed to see on that local
machine. That is a very specific MCX capability.
Does this help?
JohnD
--
John DeTroye Email: email@hidden
Sr. Consulting Engineer Work: 303-933-1807
Client Management Solutions Fax: 303-979-6616
Apple Computer - Education Division iChat: email@hidden
Tips and Tricks Docs - http://homepage.mac.com/johnd/
--
On Jul 24, 2006, at 3:20 PM, Andrea XFox Govoni wrote:
Hi,
I'm working on a server with Mac OS X Server 10.4.7 configured as Open
Directory Master and some clients with Mac OS X 10.4.7.
I'm reading Apple's "User Management" PDF [1].
Section "Using Local User Accounts" on page 98 explains how to manage
preferences for clients' local user accounts and on the next page there
is a step-based task that should teach you how to accomplish it.
It says:
[BEGIN QUOTED TEXT]
To provide access for users with local accounts:
1 In Workgroup Manager, click Accounts.
2 Select a computer list that supports computers with local users.
To select a list, click the globe and choose the directory domain that
contains the computer list, click the Computer Lists button, and select
the list.
3 To authenticate, click the lock and enter the name and password of a
directory domain administrator.
4 Click Access.
5 Select “Restrict to groups below” to determine which workgroups are
displayed when a local user logs in. Drag groups from the drawer to the
list in the Access pane.
If you select “All groups can use the computer,” users log in without
having to select a workgroup.
6 If you selected “Restrict to groups below,” select “Local-only
accounts pick workgroups from the above list,” to require that users
select one of those workgroups.
The workgroup picker is only displayed if client computers use Mac OS X
version 10.4 or later. Additionally, if there is only one workgroup, the
user will automatically log in as a member of that workgroup.
If you do not select “Local-only accounts pick workgroups from the above
list,” local users do not have to select a workgroup.
7 Make sure “Allow users with local-only accounts” is selected.
8 Click Save.
[END QUOTED TEXT]
I really cannot understand the point of having the “Restrict to groups
below” and “Local-only accounts pick workgroups from the above list”
options.
The definition of workgroup is "A set of users for whom you define
preferences and privileges as a group." and AFAIK it's created in the
server's LDAP domain. So, how is it possible for a local account to be
in a workgroup?
Or is it allowed for a local-only user to choose to be managed with the
preference settings of a workgroup it isn't part of?
If it were true, wouldn't it break the whole preference management
policy used?