Join Sean Colins for an in-depth discussion in this video Users and groups, part of macOS Server Essential Training.
- Before setting up your server, you should determine who your server will serve. If you're lucky enough to work for an organization with centralized directory services, like Microsoft's Active Directory, you'll want to bind your Mac OS X server to Active Directory using either Directory Utility or the Users & Groups System Preferences. This is done in exactly the same way that you would bind a client system. To do so, you open up the System Preferences by going to the apple and pulling down to System Preferences. You click on Users & Groups, and then you click on Login Options.
Now you're going to have to authenticate as an administrative user to do this, but once you do, you simply click on the Join button next to the Account Server listing there. And what you're going to do is, you're going to put in the complete name of the Active Directory server. Don't know what that is? Well, talk to your AD administrator, they're going to know what that server name is for you. You're going to need the primary or secondary directory server, and I would recommend using the primary. Once you click OK there, you're going to be presented by the system with a sheet that will allow you to authenticate with a user account.
Now this user account you're going to put in there has to be an account that has the right to add computers to what is called the Computers OU in Active Directory. Basically it's just a group for computers in that shared directory system. If you are like most of our students for this course, you probably will not have access to a shared directory, and certainly not a shared directory that's on your test network that you're setting up to learn OS X Server, so we're going to assume for the purposes of this class that you're going to be working with local users and groups.
Our list of users here in this class will contain people named Rusty Bellman, Yardley Gardner, Rose Bush, Squeaky Cleaner, Penny Pincher, Cheddar Sellers, Tasty Morsel and Quick Fixley. Together they will make up the permanent staff at our hotel and our original request for a centralized place to store files came from Penny, because she felt that she needed a central place to store important files about the hotel, its finances, sales information, customer data, restaurant menu, maintenance schedules, and the hotel calendar.
We're going to begin by creating the User & Group accounts that will be used by the staff in our organization. We're going to start by opening the Server app and navigating to Users. Click Go, Applications, type the first few letters in the word "server" and hit Command-O to open up the application. When you do, Server app will launch, and you're going to go directly to the Users area under Accounts. Now you're always going to see the user accounts that were already created before you installed OS X Server.
So you can see mine here, and if you had more than one already created, they'll be listed here. To create your first user, click the + button right here, and type the full name of your first user. Your account name must be all lowercase, have no spaces, but can contain a period or an underscore or a dash. You may not use things like a backslash or any other characters that are illegal in short account names.
I'm going to shorten this user's account name to just "rusty." In fact, for the rest of these accounts I'm simply going to use their first name as their account name. If Rusty's going to have an email address on your server, you're going to want to enter Rusty's email address here. Enter the password for Rusty. I would recommend not allowing users to administer the server. If Rusty's going to have a local home folder, you can select Local Only.
If Rusty doesn't need to store files in a home directory on the server, you could always select None, and have it available for Services Only. Note that we lose the ability to limit the user's disk usage if we remove the access to a Local Only home folder. And that's fine. You can also add keywords or notes. Keywords are useful if you're adding multiple users and you want to use a keyword or tag to identify that user along with other users, before adding them to groups.
When you're done, click Create. Once you have your user here, I want you to double-click on the user and reopen it. Note that we have a new selection here which allows the user to log in or not log in. We can disable the user's ability to log in to the server by unchecking this checkbox if we wish to, without actually deleting the user from the server. This can be useful if a user goes on sabbatical or goes on leave. Note also that we have lost the ability to edit the account name.
Once the account name or the short name for this account is set, we will not have the ability to change it from that point forward. When you're done reviewing this, please click OK. Go ahead and select that user, and click on the gear button below. Note that we have a large number of items we can choose from here to do things with this account. We can Edit User, which is the same thing as double-clicking on the user account. We can also edit this user's access to services, which opens up an access control list just for this user about which services it can or cannot use.
We can also edit the mail options for this user. Go ahead and select this. This allows you to change where mail is stored for the user or whether or not it's forwarded to another account. Perhaps your user has a Gmail account or an iCloud account they want all of their mail forwarded to. This is how you would accomplish that: by selecting "forwarded" and putting in the other email address for that user. We're going to store locally. You can also limit the amount of mail in a size that can be stored locally on the system.
Also back down here under the gear, we have the ability to change the user's password. This is useful if the user forgets their password, or if you need to change the user's password for them at some time in the future. You can also create templates for the creation of other users, and this is especially useful if you have set custom access to services, or other settings that you'd like to replicate across multiple users as you create them. You can edit those templates later on. You can also edit the security policy on a user-by-user basis using this panel.
This can also be set on a group basis elsewhere, and within Open Directory as a general preference. But if you have one specific user where you need to provide either more lenient or more restrictive policies, you can do so here. You may also import and export your users from your user list. This is especially helpful if you need to change your users from one server to another server without binding servers to one another.
When you're finished reviewing that one account, go ahead and click on Groups. Now under the Groups area, this works pretty much the same way that Users work, except of course we're going to be creating groups. Click the + button, and type in the full name of a group. I'm going to start with Marketing. You can create mailing lists here, and you can allow mail from non-group members into those mailing lists simply by doing things like this. When you have your group set up, just click OK.
I'd like you to double-click on Marketing once you've got it entered and notice that we get a wealth of additional options here that were not available when we initially created the account. Like our user accounts, our account name for our group account is not changeable once we've created that short name. We can, however, add new features, like allowing that mail from non-group members that was available before. We didn't check it in the previous window, but we can check it again here. We can also give this group a shared folder. We can make this group a Messages buddies list. We can also change the membership of the Marketing Group right here by clicking the + button and adding a user.
Whenever we start typing in the first few letters of someone's name, if they show up in the user's group, we simply select them and they're there. When you're done, click OK, and we're set. Now we have one new user account and we have one group. I'm going to edit the rest of these users and groups offline and I'm going to ask you to do the same thing. On your own, at least add three user accounts and add at least two group accounts. Assign users to each group account, being sure to add different groups of users to each.
This will allow us to control access for users by group later on as we enable file sharing and other services. When you have completed your list of users and groups and managed the membership of each group to your satisfaction, please proceed with the course.
Sean Colins, Apple Certified Trainer and owner of CoreQuick, an Apple Professional Services for Education provider, explains how to set up OS X Server's most requested services. He starts with the fundamentals of server administration—that apply to any kind of server—and then looks deeply into server setup, network configuration, file sharing, and caching. Sean also shows how Apple provides a fully functional reference system on which to learn mobile device management with Profile Manager, giving you the power to manage Apple devices by centrally controlling their settings and deploying apps with device-based MDM enrollment. Since collaboration and communication are key features of OS X Server, Sean covers setting up your own email server, collaboration wikis, and even website hosting for Dreamweaver and HTML5 designers. The course concludes with a chapter on OS X Server security and backup procedures to ensure all your hard work is safely secured.
- Planning your OS X Server deployment
- Setting up IP addressing, DNS, and firewalls
- Setting up file sharing
- Making OS X Server a Time Machine destination for client Macs
- Caching iCloud user data to speed up iCloud for people on your network
- Administering mail on OS X Server
- Using Profile Manager as a reference platform for day one compatibility with new iOS and Mac OS features
- Setting up and using collaboration services to enrich your users' communication, creativity, and organization
- Locking down and backing up OS X Server