Tải bản đầy đủ - 0 (trang)
Chapter 25.  Managing Preferences for Mac OS X Clients

Chapter 25.  Managing Preferences for Mac OS X Clients

Tải bản đầy đủ - 0trang

Inadditiontoconfiguringusersettings,managedpreferences

alsoenableyoutofurthersecureanenvironment.Youcan

restrictusersfromaccessinganyapplicationsthattheydon't

needtoaccess.Youcanlimituseraccesstospecificprinters(in

additiontopreconfiguringaccesstotheprintersthatusers

need).YoucankeepusersfromaccessingvariousFinder

commands.Youcanalsorestrictthecomputerswhereusersare

allowedtologin.Inshort,managedpreferencesallowyouto

designacohesivecomputingexperience,simplifyday-to-day

usermanagement,andsecureworkstationsandlocalresources

aswellasnetworkresources.



25.1.ApplyingManagedPreferences

Thereare12areasofMacOSXtowhichmanagedpreferences

canbeapplied.Theseareascorrespondtothe12preference

panesincludedinWorkgroupManager.Allpanesareconfigured

inmuchthesameway,althoughthespecificoptionsavailable

oneachpaneobviouslyvary.Laterinthechapter,I'lldiscuss

eachofthesepanesindividually,butfirstIwanttodescribethe

overallprocessofapplyingmanagedpreferences.

Toenablemanagedpreferences,launchWorkgroupManager

andclickthePreferencesbuttoninthetoolbaratthetopofthe

window.Next,selecttheuser,group,orcomputerlisttowhich

youwishtoapplyapreferenceusingtheaccountslist.As

showninFigure25-1,therighthandpaneofthewindow

displaysalistofallpreferencesthatcanbemanagedforthis

typeofaccount(youcanapplyallpreferencesbasedonuser,

group,orcomputerlist,withtheexceptionofEnergySaver,

whichcanbeappliedonlytocomputerlists).Ifanymanaged

preferencesarealreadyappliedexplicitlytotheuser,group,or

computerlistyouselected,therewillbeapointericonnextto

preference'sicon.Tomanageapreferenceortoadjustthe

settingsforanalreadymanagedpreference,clickthe

appropriatepreference'siconinthelist.Thisdisplaysthe

preferencepaneforthatpreference;youcanenableordisable

managementofthepreferenceandconfiguretheavailable

settings.



25.1.1.ChoosingWhenandHowaPreferenceIs

Managed

Whenapreferencepaneisselected,thetopsectionofthepane

willincludetheManagetheSettingssection,whichcontains

radiobuttonsforNotManaged,Once,andAlways.Some



preferencepaneswithcontainmultipletabs,eachwithitsown

uniqueoptionsandManagetheSettingssection,allowingyou

toapplymanagedpreferencestoitemsonlyontheselectedtab

withoutmanagingitemsonothertabsofthesamepreference

panetothesamedegreeoratall.

WhenyouselecttheNotManagedradiobutton,nopreference

managementisassigned.Bydefault,allpreferencepanesand

tabsaresettoNotManaged.Usershavefullaccesstothe

settingsorMacOSXcomponentsthatrelatetotheselected

preferencepane.Ifagivenpreferencepaneissettoeither

OnceorAlways(thusestablishingmanagedpreferences),

selectingNotManageddisablessuchmanagement.

WhenyouselecttheOnceradiobuttoninapreferencepane's

ManagetheSettingssection,thepreferenceisinitially

managed,butcanbechangedbyauserafterherinitiallogin.

ManagingOnceonlycreatesaninitialconfigurationfortheuser

andisusedtogivetheuserastartingpointformwhichthey

canfurtherconfiguretheiruserenvironment.Itdoesnotforce

theinitialsettingstobekeptanditdoesnotlimittheuserto

them.



Figure25-1.TheWorkgroupManagerPreferences

display.



WhenyouselecttheAlwaysradiobutton,thepreferencethat

youconfigureisalwaysenforced.Theuserexperiencerelating

tothepreferencewillalwaysbewhatisdefinedinthe

preferencepane.Insomeinstances,youhavetheoptionof

givingtheusertheabilitymakeadjustmentsthatareadditive

towhatyoudefineforinstance,whenyoudefineDockitemsfor

auser,youcanallowtheusertoaddadditionalDockitemsbut

theinitialconfigurationmadeinthepreferencepanecannotbe

adjustedorremoved.

Mostpreferencesthathavetodowithconfiguringacustom

userenvironment(suchasconfiguringtheitemsintheDock)

canbesettobemanagedoncewhilethosethathavetodowith

restrictinguseraccesstofeatures(suchaslimitingwhich

applicationsausercanlaunch)canbesetonlytoNotManaged

orAlwaysmanaged.

Ifyouchoosetomanageapreferenceonceandthenadjust

thatpreferenceagainlater,youareinaffectcreatinganew

initialconfiguration.Assuch,afteryouhavemanageditforthe



secondtime,thenewconfigurationwillbeappliedtouserseven

iftheyhavemadechangesfromthefirstconfiguration.This

happensbecauseyouareeffectivelyturningoffthe

managementofthepreferenceandthenturningitbackon

againandsettingittobemanagedonce.

Ifthepreferencewassettobemanagedonceandthenyou

removemanagement,thesettingwillstillremainwiththeinitial

configurationforuserwhohadloggedinwhileitwas

configured.Thiseffecthappensbecauseitwascopiedintothe

user'spreferencewhenitwasfirstmanaged.However,ifa

preferencewassettobemanagedalwaysandisthenturned

off,thedefinedconfigurationislost,becausethepreferenceis

nolongerbeingmanaged.



25.1.2.ManagingPreferencesforUsersor

Groups

Althoughyoucanmanagepreferencesforindividualusers,itis

generallyconsideredeasiertomanagepreferencesbasedon

groups,becauseyoucanmakeusersmembersofthe

appropriategroupstoapplymanagedpreferencestothem.(A

groupassignedmanagedpreferencesisoftencalledamanaged

grouporaworkgroup.)Theonemajordrawbacktomanaging

preferences-basedgroupsisthatwhenuserswhoaremembers

ofmultiplemanagedgroupswillbepresentedwithalistofall

managedgroupsofwhichtheyaremembersatlogin.Users

needtoselectwhichworkgroupsettingstheywanttousefor

thatparticularsession.Thisprocedurecanbeconfusingto

userswhoaremembersofmultiplegroupswherethemanaged

preferencesassignedtovaryinggroupsvarysignificantly.A

user'sexperienceandaccessrestrictionsmayvarynotablyfrom

onegrouptothenext.



Userscannotbemembersofmorethan16managedgroups.



Toavoidconfusion,itisoftenbettertolimitthenumberof

managedgroupswithinanetworkasmuchaspossible.

Generally,itisbettertocreatemanagedgroupsbyjobfunction

ratherthandepartmentandthentoassignpreferencesbased

ondepartmentbyusingdepartmentalcomputerlists(which

identifytheworkstationsinthedepartment).Ifpossible,avoid

assigninguserstomorethanonemanagedgroup,thus

avoidingtheneedforthemtoselectaworkgroupenvironment

atlogin.Ifyoumustassignuserstomultipleworkgroups,tryto

limitthenumberofworkgroupsthattheyareassignedtoand

makecertainthattheusersunderstandthedifferencesbetween

thegroupsandwhenorwhytheyshouldloginasamemberof

eachgroup.

Youcaneditmanagedpreferencesformultipleusersinthe

samewayyoueditaccountinformationformultipleusers(by

selectingalltheusersintheaccountlistandmakingthe

appropriatechanges).Thismethodmakesiteasiertomanage

groupsofuserswithoutassigningthemtomultiplemanaged

groups,becauseitgivesyoutheadvantagesofmanaging

groupsofuserswithoutthelimitationsofmakingthemchoose

oneofmultipleworkgroupsatlogin.Youcanusethekeywords

functionforuseraccountstogroupuserstogetherforthe

purposeofeditingmanagedpreferencesandusethesortand

searchfeaturesoftheuserlistbasedonkeywordstoeasily

locateusersaftergroupingthembykeyword.Becareful,

however;eachtimeyoueditapreferencepaneformultiple

usersyouchangewhateverexistingpreferenceswereassigned

toeachuserinthatpane.

Asimilarlyusefulfeatureisthatmanagedpreferencesare



storedinuserandgrouppresets.Thisgivesyoutheabilityto

createpresetswithmanagedpreferencesforvaryingtypesof

usersandthenassignthosepreferences(alongwithotheruser

accountinformation)astheusersarecreated.Again,this

involvesidentifyingtypesofuserswithinyournetwork,which

canbedifferentfromdeterminingpreferencesbasedon

department.



25.1.3.CreatingandManagingComputerLists

Youcancreatecomputerlistsforadirectorydomainusing

WorkgroupManager.Computerlistscanbeusedtoapply

managedpreferencesandcanalsobeusedtocontrolaccessto

specificworkstationsbyallowingorrestrictingmembersof

certaingroups(betheypermissions-onlygroupsormanaged

groups)logintocomputersinalist.Usingcomputerlistsfor

specificcomputerlabsordepartmentsorevencomputertypes

(suchasportablecomputers)allowsyoutoapplypreferences

thataffectusersonlywhileatspecificworkstations(suchas

accesstospecificprintersorsoftware),whichmightbetheonly

placethatsuchpreferencesarewarranted.Theycanalsobe

usedformanagingpreferencesthataffectworkstations

themselvesandnotusers(suchasschedulingautomaticstartup

orshutdown).



Unlikeusers'accounts,whichcanbeassignedtomultiplegroups,

computerscanbeassignedonlytoonecomputerlist.



25.1.3.1Creatingacomputerlist



Tocreateacomputerlist,launchWorkgroupManagerandclick

theAccountsbuttoninthetoolbaratthetopofthewindow.

Selectthecomputeraccountstababovetheaccountslist(the

tabwiththeiconofablacksquare).Youwillseethatoneor

twolistsareautomaticallycreated.Thefirstautomaticlististhe

GuestComputerslist,whichcanbeusedtoapplysettingsto

anycomputernotlistedincomputerliststhatyoucreate.The

second,WindowsComputers,existsifyouhaveconfiguredMac

OSXServertoworkasaWindowsPrimaryDomainController.

I'llgettotheGuestComputerslistinamoment.First,let'slook

athowtocreateandconfigureanewcomputerlist.

ClicktheNewComputerListiconinthetoolbaratthetopofthe

window.EnterthenameofthenewlistintheListNamefield.

Useadescriptivenamethatwillhelpyoubeabletounderstand

whichcomputersarepartofthelistlater(suchnamesmightbe

somethinglikeMarketingDept.WorkstationsorMiddleSchool

LibraryorFacultyiBooks).Figure25-2showstheinitialdisplay

foranewcomputerlist.

Youcanaddworkstationstoacomputerlisteitherbyentering

theMACaddressoftheirEthernetorAirPortcardsorbyusing

self-discoveringprotocolstolocatecomputersonthenetwork.

ToaddacomputerusingitsMACaddress,clicktheaddbutton

belowthelistboxandentertheappropriateinformation.You

mustentertheMACaddressandanameforthecomputerthat

willbeusedasthenamedisplayedintheComputerslistbox;

thereisalsoacheckboxtoforcethisasthehostname,which

willoverrideanyconfigurationforcomputernameinthe

SharingSystemPreferencespaneontheworkstation.Youcan

alsoentercommentinformationaboutthecomputer,suchasits

model,configuration,typicaluse,orlocation.ClicktheOK

buttontoaddthecomputertothelist.



Figure25-2.AcomputerlistinWorkgroup

Manager.



Clickthebrowsebutton(whichhasanellipsisicon)belowthe

listboxtosearchforcomputersusingAppleTalk,Rendezvous,or

SMB.Thisstepbringsupastandardconnect-to-serverdialog

thatcanbeusedtonavigatetoandselecttheappropriate

workstation.Thisapproachcantypicallybeusedonlyto

discoverworkstationsonthesamesubnetasthecomputeron

whichWorkgroupManagerisbeingrun.

Youcanremoveaworkstationfromacomputerlistbyselecting

itinthelistboxandclickingtheremovebuttonbelowthe

listbox.Youcanalsoeditthedisplayednameandcomment

informationforacomputerbyselectingitinthelistboxand

clickingtheeditbutton(whichhasapencilicon).Onceyou

haveaddedandeditedtheinformationforworkstationsina

computerlist,clicktheSavebuttontosavethecomputerlist.

YoucanthenusethePreferencesbuttoninthetoolbaratthe

topofthewindowtoconfiguremanagedpreferencesforthe

computerlist.



25.1.3.2Limitingaccesstocomputersinalist



Tolimitaccesstoacomputerlist,clicktheAccountsbuttonin

toolbarandselectthecomputerlistintheaccountslist.Inthe

accountinformationpaneforthelist,selecttheAccesstab.

Selectthe"Restricttogroupsbelow"radiobuttonandthenclick

theaddbuttontotherightofthegroupslistboxtodisplaya

drawertothesideofthewindowwithallgroupsthathavebeen

configuredwithinthedirectorydomain.Dragthegroupsthat

youwishtohaveaccesstotheworkstationsinthecomputerlist

intothelistboxordouble-clickonthemtoaddthemtothe

listbox.Toremoveagroup,selectitinthelistboxandclickthe

removeiconnexttothelistbox.

Bydefault,localuseraccountsonaworkstationcanloginand,

ifmanagedgroupsareusedinthedirectorydomain,localusers

willbeallowedtochoosetologinaspartofanyofthose

managedgroups.However,byuncheckingthe"Allowuserswith

local-onlyaccounts"checkboxbelowthegroupslistbox,youcan

requirethatonlyuserswithnetworkaccountsinthedirectory

domainwhoarepartofthespecifiedgroupscanlogintothe

workstationsinacomputerlist.Thisdoesnot,however,apply

tolocaladministratorormobileaccounts.ClicktheSavebutton

toactivatetheaccessrestrictions.



25.1.3.3UsingtheGuestComputerslistGuestComputers

list

TheGuestComputerslistallowsyoutoconfiguremanaged

preferencessettingsandaccessrestrictionsforallcomputers

thatarenotincludedinanyofthecomputerliststhatyou

create.Thislistcanincludenewcomputersthatyouhavenot

yetaddedtoacomputerlist,computersbroughtintothe

networkbyusersthatarenotownedbyyourinstitution,or

computerstowhichyouwishassigngenericaccessrestrictions

and/orpreferenceswithoutgoingthroughthehassleofdefining

eachindividualcomputerinacomputerlist.TheGuest

Computerslistcanbeveryusefulinalargeinfrastructure,



becauseitallowsyoutodefinesomeenvironmentvariables

acrossyournetworkwithoutneedingtodefineeverycomputer.

TousetheGuestComputerslist,firstindicatethatyouwishto

definesettingsforguestcomputers.Todothis,launch

WorkgroupManagerandselecttheAccountstabinthetoolbar.

SelecttheComputerListstababovetheaccountlistandselect

theGuestComputerslist.IntheListtaboftheaccount

informationpane(whichcontainsthelistboxforacomputersin

atypicalcomputerlist),theGuestComputerslistincludesradio

buttonsforInheritPreferencesforGuestComputers,which

meanstonotdefinesettingsforguestcomputersandleave

themunmanagedinanLDAPdomainortoinheritthemfroma

parentdomaininanNetInfohierarchy,andDefineGuest

ComputerPreferencesHere,whichisthesettingtoconfigure

guestcomputersettingsandmanagethemintheselected

domain.SelecttheDefineGuestComputerPreferencesHere

radiobuttonandclicktheSavebuttontousetheGuest

Computerslist.

OnceyouhavedesignatedthatyouwillusetheGuest

Computerslisttomanagecomputersforthedomain,youcan

selectthelistandmanagebothaccessrestrictionstoguest

computers(usingtheAccesstab)andpreferencesforguest

computers(byclickingthePreferencesbuttoninthetoolbar).

GivesomethoughttowhetheryouwanttousetheGuest

Computerlistandtohowtightlyyouwanttorestrictaccessor

howextensivelyyouwanttoconfigurepreferencesforit,

becauseyouwillbeaffectingallcomputersthatyouhavenot

definedelsewhere.

Ifyouseverelylimitaccesstoguestcomputers,userswithin

yournetworkmayexperienceextremelimitationsonwhich

workstationstheycanuse.Likewiseifyouextensivelymanage

preferencesfortheuserenvironment,usersmayfindtheir

abilitytoworktoolimitedonmostworkstations.Alsoremember

thatbydefaultMacOSX10.2andhigherwillbindtoa

directorydomainautomaticallyifDHCPbindingisenabled



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

Chapter 25.  Managing Preferences for Mac OS X Clients

Tải bản đầy đủ ngay(0 tr)

×