1st April 2009, 11:26 AM #1
Someone please explain OD permissions to me
Background information so you know where I stand:
I've been thrown in the deep end with managing a Mac network, having no education with Macs, no training, no nothing.
I've learnt enough about Windows Servers at college, and one course on Windows Server Administration and about 7 months actually using what I learnt in practice, and only 3 weeks with actually being able to use Windows Servers, rather than watching.
I've been managing the whole Mac network (Xserve on 10.5 with 50-60 iMacs also 10.5) for as long as I've been in this job (about 9-10 months). The line manager gave me an iMac and told me to play and find out everything, which I did and thought I had done well considering I had never used a Mac before.
Watched a Mac professional set up the Xserve and give a rough understanding on how to do network shares and basic application permissions. Also used a huge number of manuals downloaded from the internet about a number of things.
I've put in a request for Mac training but due to the time of year it seems a while away for now.
The Problem / Request:
Myself and the art department have been pulling our hair out because of applications not being allowed to run for some staff, however it works for other staff in the same department. If I allow it for the one member of staff it's not working for, it will stop working for another member of staff. But it's only one of the three at a time (Not one not allowed, two allowed changing to Two not allowed, one allowed) therefore making me think it's not a problem with the group settings.
I add permissions for a Staff OD Group, in which all the staff are members of, I have checked.
I added in the application by using Server Admin Tools Workgroup Manager on the client, dragging and dropping the application into the Applications Pane. If they request to be signed, I sign them.
I have had problems with Keychain Minder, Smart Tools 10, Microsoft Office and HP All in one Scanner / Printer software.
This is just a start of the list.
I would love to know if I am adding in permissions correctly, or if there is another way?
I would love to know why there is always one member of staff not allowed to use something?
I would love to know how permissions work?
I would love to know about this application signing?
I would love more documentation on setting permissions and using workgroup manager?
Many thanks in advance.
1st April 2009, 03:07 PM #2
I think the new AD-OD PDF from Bombich explains how the whole OD permissions/policy system works. What gets overridden by what and which takes precedence. You may wish to read that. It is a great read and very informative. The new one even goes into how augmented records work and how to create your own.
There are also the Open Directory guides on Apple's own website. These are also worth reading, but more importantly than any reading I think is to keep trialing things that you find out. Of course this can only be done if you have a Mac at home or time at work to look at things. This is what I did.
I am like yourself. I have had no formal training whatsoever on either Windows 2003 or any Apple product. Once you get it set up and working then it generally just keeps ticking over (although I still have issues with my SMB service I need to look at).
I think the Application signing has something to do with the sandboxing that Leopard introduced although I am not certain.
The failing permissions could be an overriding issue, for example, they may have permissions on the computer and the users' group. One has precedence over the other, similar to Windows GPO.
I tend to set most of my permissions on the computer lists. This has made things simple but also a nightmare when it comes to sorting out permissions further down the line if any changes are needed between pupils and staff.
There are also workgroups as well. A user can be a member of different workgroups. If this is the case then the user can choose which workgroup to load on login. This gives a bit of flexibility as the user can choose what restrictions to apply when they log in.
I hope this gives a little idea of what can be achieved. For more information though I would recommend reading the Apple guides as well as the other PDFs that have been written.
You can also download an evaluation of the Leopard Server now from the Apple website.
Also check out AFP548.com for even more articles. Some of these are very technical docs as well.
2nd April 2009, 12:38 AM #3
2nd April 2009, 01:00 AM #4
As I have mentioned before use the path rules to set application permissions, do not use the signed applications! This means that as long as the application is stored in the same place it will not need to be signed, will not be affected by minor version changes and should apply correctly to all machines.
Originally Posted by rolfea
As an example you can add /Applications/ then deny the ones you don't want people to access, by user group if you wish.
I would also only apply OD preferences to Machines groups and User groups, don't set any per user or machine.
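An audit sketch for the advice in post #4 and the precedence point in post #2, added here as an example and not code from any poster or from Apple. The record names, paths, bundle ID and input layout are constructed, and the key names `whiteList`, `pathWhiteList` and `pathBlackList` are assumed to match what Workgroup Manager writes for application access.

```python
import plistlib

# Constructed sample: application-access settings keyed by the directory record
# they are attached to. Record names, paths and this layout are hypothetical;
# the key names whiteList / pathWhiteList / pathBlackList are assumed.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>/Groups/staff</key><dict>
  <key>pathWhiteList</key><array><string>/Applications/</string></array>
  <key>pathBlackList</key><array><string>/Applications/Utilities/</string></array>
</dict>
<key>/ComputerGroups/art-lab</key><dict>
  <key>pathBlackList</key><array><string>/Applications/Microsoft Office 2008/</string></array>
</dict>
<key>/Users/jsmith</key><dict>
  <key>whiteList</key><array>
    <dict><key>bundleID</key><string>com.example.scanner</string></dict>
  </array>
</dict>
</dict></plist>"""

def audit(records):
    """Return (record, issue, detail) tuples; decides nothing about who wins."""
    findings = []
    for record, prefs in sorted(records.items()):
        # Settings on a single user or computer rather than on a group.
        if record.split("/")[1] in ("Users", "Computers"):
            findings.append((record, "per-record", "move settings to a group"))
        # Signed-application rules, which post #4 advises replacing with paths.
        for entry in prefs.get("whiteList", []):
            findings.append((record, "signed-rule", entry.get("bundleID", "?")))
        # A path denied here but allowed by a folder rule on another record:
        # the result for a user then depends on which record takes precedence.
        for denied in prefs.get("pathBlackList", []):
            for other, other_prefs in sorted(records.items()):
                if other == record:
                    continue
                for allowed in other_prefs.get("pathWhiteList", []):
                    if denied.startswith(allowed):
                        findings.append((record, "overlap", f"{denied} allowed via {other}"))
    return findings

if __name__ == "__main__":
    for finding in audit(plistlib.loads(SAMPLE)):
        print(*finding, sep=" | ")
```

The "overlap" finding only marks where two records disagree about the same path; which one applies to a given login is the precedence question raised in post #2.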