  1. #1

    Join Date
    Apr 2012
    Posts
    54
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Workgroup Manager permissions

    Hi all, sorry to post yet again but you guys have been great. I'd like to hear from you how you have your schools configured and what teachers are and aren't allowed to access.

    From what I'm finding my predecessor didn't let them do anything. Almost everything was locked down so much they couldn't change the resolution or even run the printer utility. I don't want to have to run down to these rooms each time they want to do something silly (and that IMO they should have access to).

    I'd like to unlock all faculty machines so that they have access to all programs that are currently installed on their machines. I don't want them to be able to install new programs but everything that's on there now, they should have access to. I see permission errors on these machines constantly.

    Do you see any risks in letting them access all current programs? All machines are based on a model. For instance I have a teacher that wants a few programs installed on her machine. I now have to unlock that program for all faculty. It's a pain because the only way I know how to add programs into the allowed list is to use WGM from my machine and browse my HDD to add it to the list.

  2. #2
    stevehp's Avatar
    Join Date
    Jul 2008
    Location
    Ohio
    Posts
    102
    Thank Post
    13
    Thanked 19 Times in 16 Posts
    Rep Power
    17
    In the other thread you have for Google Chrome I showed you how to type in rather than select a folder or application from a chooser. Any user, be it student or staff, should at the very least have launch permissions for /Applications, /Library and /System/Library. As far as Preference Panes go for staff, the only panes I would lock out are: Sharing, Network, Energy Saver (they like to stop ours from sleeping), Startup Disk, and maybe Time Machine. Locking out the Print & Scan preference pane is a bold move; teachers, especially mine, go three shades of crazy if they can't print something or change a setting that involves that pane.

    We're a 1:1 district and we started off by giving staff a laptop and giving them full tilt local admin rights with nothing locked down. This year I've restricted some things, but they, as local admins (OD Mobile Accounts), can still install applications, change settings or do whatever they want as long as the settings I set don't get modified. If they do change one of those settings they get to visit me, and I give them a polite yet blunt talk about their place in the scheme of things and what they should and should not be doing with school-owned equipment.

    Since it appears your staff don't have local admin rights, simply giving them access to the above directories isn't at all risky, since the /Applications directory is permissioned so that only accounts with (local) admin rights can modify its contents.

  3. Thanks to stevehp from:

    Stryker412 (6th September 2013)

  4. #3

    Join Date
    Apr 2012
    Posts
    54
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Thanks Steve. I honestly feel they're all adults and need to be treated as such. I was shocked to see how much was locked down by the person before me. I was in a classroom today where a teacher's printer was printing streaks, so I needed to clean the heads. Her printer utility was locked out. I just shook my head. What harm could using that do? lol

  5. #4
    stevehp's Avatar
    Join Date
    Jul 2008
    Location
    Ohio
    Posts
    102
    Thank Post
    13
    Thanked 19 Times in 16 Posts
    Rep Power
    17
    I see outwardly that all of my staff are adults, but inwardly in some instances I'd judge them on the same level as a first grader. Entitlement issues, bad attitude when the word no is breathed in their direction, etc, etc... Printing is an area where I would put major restrictions on staff. With the exception of one that has gone paperless, the rest print like it's going out of style, and if nothing comes out guess what I get to do?

  6. #5

    Join Date
    Apr 2012
    Posts
    54
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    I've run into a few instances now where users are seeing phantom printers (old installs). I've checked the network queues and only the two that I've set up are in there. Where are these other queues coming from and how can I get rid of them?

  7. #6
    stevehp's Avatar
    Join Date
    Jul 2008
    Location
    Ohio
    Posts
    102
    Thank Post
    13
    Thanked 19 Times in 16 Posts
    Rep Power
    17
    WGM and Profile Manager printers are a big pita. Firstly, using either results in the Nearby Printers menu item showing in the print dialog of an application. That pretty much is an open field day for printing. Like above, it also causes zombie queues on clients, i.e. the queues on the server were renamed or removed altogether, but the client still thinks they're active up to the point when a user tries to send a print job to it. The only way around it is to create a script or send a terminal command using ARD that will delete all queues on a client, then either refresh MCX or log out and log back into a client to retrieve the proper queues.

    At the moment I'm still neck deep in deployment and smoothing out server and application issues, so printing is taking a lower priority. I'll have to at this point resort to using Profile Manager to deploy printers and deal with the consequences later on. What I'm planning on doing is delivering printers using Munki and tying them to a mostly defunct open source quota system called Pykota. That way I can sufficiently lock down color queues and stop students from printing to other buildings or printing to their heart's content.

  8. #7

    Join Date
    Apr 2012
    Posts
    54
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    What terminal command can I use? I have ARD so I can easily use it on all the machines.

  9. #8
    stevehp's Avatar
    Join Date
    Jul 2008
    Location
    Ohio
    Posts
    102
    Thank Post
    13
    Thanked 19 Times in 16 Posts
    Rep Power
    17
    Use the unix toolbar button and paste this in:

    #!/bin/bash
    ## Reset Printer System
    lpstat -p | cut -d' ' -f2 | xargs -I{} lpadmin -x {}
    echo "Printer System Reset"
    exit 0

    Tell it to run as the user root rather than the current console user. Then save it in the "sidebar" and give it a catchy name like Reset Printing System and drag and drop clients into the entry on the sidebar and hit the play button. Since the script has an echo command each client should return back "Printing System Reset". I don't do this often and the script isn't my own doing so I can't guarantee it will work 100%, so test, test, test before deploying it in the wild.

  10. #9

    Join Date
    Apr 2012
    Posts
    54
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by stevehp View Post
    Use the unix toolbar button and paste this in:

    #!/bin/bash
    ## Reset Printer System
    lpstat -p | cut -d' ' -f2 | xargs -I{} lpadmin -x {}
    echo "Printer System Reset"
    exit 0

    Tell it to run as the user root rather than the current console user. Then save it in the "sidebar" and give it a catchy name like Reset Printing System and drag and drop clients into the entry on the sidebar and hit the play button. Since the script has an echo command each client should return back "Printing System Reset". I don't do this often and the script isn't my own doing so I can't guarantee it will work 100%, so test, test, test before deploying it in the wild.
    I tested this today on one of our lab computers. I got:

    lpadmin: The printer or class does not exist.
    lpadmin: The printer or class does not exist.
    Printer System Reset

  11. #10
    stevehp's Avatar
    Join Date
    Jul 2008
    Location
    Ohio
    Posts
    102
    Thank Post
    13
    Thanked 19 Times in 16 Posts
    Rep Power
    17
    It worked great for me. Did it return this on all of the computers or just a select few?

    If you know the name of the printers on the clients you can run lpadmin -x printername and that will work the same as this script except that this script deletes all existing printers.

    What OS versions are you running? Hopefully no more than two and nothing below 10.6 otherwise you're setting yourself up for more headaches.
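
A more defensive take on the queue reset discussed in posts #8 to #10, as an added example that is not part of the thread or any poster's script. The one-liner takes the second space-separated field of every `lpstat -p` line, status continuation lines included, which is one way `lpadmin` can be handed names that do not exist; the function names, the `--live` switch and the sample output here are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: parse `lpstat -p` defensively and dry-run before deleting as root.
# Constructed sample output; two queues carry a tab-indented status line.
SAMPLE_LPSTAT=$(printf '%b\n' \
  'printer Lab_Laser is idle.  enabled since Mon Sep  9 08:14:02 2013' \
  'printer Old_Color disabled since Fri Aug 30 15:02:11 2013 -' \
  '\tPaused' \
  'printer Room12_Inkjet is idle.  enabled since Mon Sep  9 08:14:05 2013' \
  '\tReady to print.')

# What the thread's pipeline extracts: field 2 of every line, bogus ones included.
naive_names() {
    cut -d' ' -f2
}

# Keep only lines that begin with "printer ", and drop names that could be
# read as an option (leading "-") or contain "/" or "#".
queue_names() {
    awk '/^printer / && $2 !~ "[/#]" && $2 !~ /^-/ { print $2 }'
}

# Read queue names on stdin. Dry run unless the first argument is --apply.
reset_queues() {
    mode="${1:-}"
    count=0
    while IFS= read -r name; do
        if [ "$mode" = "--apply" ]; then
            lpadmin -x "$name" || echo "failed to remove: $name" >&2
        else
            echo "would remove: $name"
        fi
        count=$((count + 1))
    done
    echo "queues processed: $count"
}

if [ "${1:-}" = "--live" ]; then
    # LC_ALL=C keeps lpstat's "printer" keyword untranslated on localized clients.
    LC_ALL=C lpstat -p | queue_names | reset_queues --apply
else
    printf '%s\n' "$SAMPLE_LPSTAT" | queue_names | reset_queues
fi
```

Run without arguments it only prints what it would remove from the constructed sample; `--live` acts on the real queues and needs root.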

  12. #11

    Join Date
    Apr 2012
    Posts
    54
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    The server is running 10.6.8 and the clients are all running 10.7.5 (in the lab at least). The other faculty machines are all over the place; some are 10.5 and others are 10.6.

  13. #12

    Join Date
    Apr 2012
    Posts
    54
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Just a quick question. I set up a test workgroup so I can get permissions figured out. I have a few teachers helping me test. I turned off application management and now they don't have permission to access any programs. If I turn off management of applications, shouldn't that give them FULL access?

  14. #13
    stevehp's Avatar
    Join Date
    Jul 2008
    Location
    Ohio
    Posts
    102
    Thank Post
    13
    Thanked 19 Times in 16 Posts
    Rep Power
    17
    Quote Originally Posted by Stryker412 View Post
    Just a quick question. I set up a test workgroup so I can get permissions figured out. I have a few teachers helping me test. I turned off application management and now they don't have permission to access any programs. If I turn off management of applications, shouldn't that give them FULL access?
    Theoretically, but since you applied mcx to that account or computer or the combination of both, it's probably not refreshed yet. Add a new account that is in the group you have your test teachers in and see if you still get app restrictions.

    Check out this Apple KB article as well: Managed Client: How to flush cached settings.

  15. #14

    Join Date
    Apr 2012
    Posts
    54
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    I ran the unix command via ARD to two of the affected machines, but they still have no access to any programs or even their documents.

  16. #15
    stevehp's Avatar
    Join Date
    Jul 2008
    Location
    Ohio
    Posts
    102
    Thank Post
    13
    Thanked 19 Times in 16 Posts
    Rep Power
    17
    Quote Originally Posted by Stryker412 View Post
    I ran the unix command via ARD to two of the affected machines, but they still have no access to any programs or even their documents.
    Were they logged in to the user accounts in question when the command was sent? Application access mcx settings should be set on the user level, not the computer level.

    What you should do is remove the cached user account from a machine. If it has locally stored files just choose the second option when you delete the user from System Preferences. Then delete the user's cached mcx folder in /Library/Managed Preferences/"user.here". Then log in to the account again and see if your app access settings get applied properly.


