Customizing the New User’s Account Defaults

—Joel Rennich,

31 May 2002

So, you have your Server set up, but before you can do much you need to set up your users. Seems easy enough, but there are a number of different settings to play with when you set up your first user.

In the “General” pane you are presented with a few easy options. The name is the long name of the user. This can hold most any character and have multiple spaces in it. Underneath that is the short name; this can have no spaces and has to be eight characters or less. The short name can be changed to a longer name, but it must be done through the NetInfo Manager. Either one of these is good for logging onto the server from the console or over AppleShare. For command-line and other file sharing connections you will probably need to stick with the short name.

Next comes the password, easy enough. If you don’t want the user to be able to change their own password, edit their “_writers_passwd” attribute in NetInfo Manager: set it to an admin user’s name and the user can no longer change his or her own password. If you are creating a user for a service you are going to install that never needs to log in, set the password to “*”. That prevents logins and also keeps the user out of the login window and the Users preference pane. Also, you will never be able to look up what a password is. The system stores only a one-way hash of the password, not the password itself, so there is nothing to decrypt back into plain text. The flip side is that a one-way hash is only as strong as the password behind it: anyone who gets hold of the hashes can still guess candidate passwords and compare them, so a weak password stays weak no matter how it is stored.

Finally, you have two check boxes. The first allows the user to administer the server. This is pretty much the same as making the user an Administrator on a Mac OS X Client machine. The second allows the user to log on. Why would you want a user that can’t log on? This allows you to temporarily disable the user without having to change their password. Also, disabled users can still forward e-mail, so you probably want to leave this unchecked for e-mail aliases you set up.

Now you can move on to the “Advanced” pane.

The user ID is already filled out for you. Leave it alone unless you have a reason to change it. When a file is assigned to a user on a Mac OS X Server machine, it isn’t really assigned to the user but to that user’s numeric user ID. Changing a user’s ID after they already own files will not migrate those files to the new ID; as far as permissions are concerned they become orphans, owned by a number that no longer matches any account. You can also have two users with different names but the same ID. The two will be identical as far as file permissions go while keeping different passwords and names. Keep in mind that the system cannot tell them apart once they are logged in, so a shared ID is really one identity with two passwords; avoid it unless you actually need that.

The Primary Group will also be assigned automatically. It is the group that new files the user creates belong to, so it still matters for permissions, but for most purposes the default is fine on Mac OS X. The distinction the name hints at comes from older UNIX lineages: on a System V system a user who belongs to many groups has to switch which group is currently active, whereas on BSD-derived systems, which is what Mac OS X is, all of a user’s group memberships are in effect at once and this is handled for you behind the scenes.

Next you have to decide which shell the user gets. The big question here is whether to have a shell at all. Having a shell allows a user to log into the server over SSH and FTP, and over most other command-line services such as telnet if you have them enabled. Leaving this at “None” prevents that type of access but still allows the user to log in via AppleShare and Windows file sharing, and the user can still log in at the console. For your Mac OS 9 users, or anyone who doesn’t need the command line, leave this at None: if that user’s password is ever compromised, it buys the attacker file sharing access rather than a command line on the server. If you do want them to have command-line access, then pick a shell. The default on Mac OS X Server is tcsh. The default on Linux is bash (bash is available for Mac OS X, but must be installed from the Internet). If the user doesn’t have a preference, put them in tcsh.
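Pulling the password, user ID and shell points above together, here is an added example, not code from this article or from Apple: a small Python audit that reads a password dump in the format that `nidump passwd .` is assumed to have printed on this generation of Mac OS X Server (the 10-field BSD master.passwd layout; plain 7-field /etc/passwd lines are accepted as well) and flags what the text warns about: two names sharing one user ID, accounts locked with “*” that still carry a login shell, every account that has a shell at all, and files owned by a user ID no account has (the orphaned permissions a changed user ID leaves behind). The dump, the file listing and the set of “no shell” values are constructed for the example.

```python
"""Audit account settings from a NetInfo password dump.

Added example, not from the article or from Apple. The input is assumed to be
the 10-field BSD master.passwd layout that `nidump passwd .` printed on Mac OS X
Server of this era (name:password:uid:gid:class:change:expire:gecos:home:shell);
plain 7-field lines (name:password:uid:gid:gecos:home:shell) are accepted too.
"""
from collections import defaultdict

# Constructed sample dump for the example; these are not real accounts.
SAMPLE_DUMP = """\
root:lJ6Wq9xQkd3Bc:0:0::0:0:System Administrator:/var/root:/bin/tcsh
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/dev/null
joel:x7Ft3kzLmQ9pE:501:20::0:0:Joel Rennich:/Users/joel:/bin/tcsh
backup:*:501:20::0:0:Backup Operator:/Users/joel:/bin/tcsh
mailonly:k2Hs8vRwaB1ey:502:20::0:0:Mail Only User:/dev/null:/dev/null
svc_cvs:*:503:20::0:0:CVS Service Account:/Users/cvs:/bin/sh
"""

# Constructed (path, owning uid) pairs, as you would get from `ls -ln` or os.stat.
SAMPLE_FILES = [
    ("/Users/joel/Documents/report.doc", 501),
    ("/Users/oldguy/notes.txt", 504),
    ("/Library/WebServer/Documents/index.html", 70),
]

# Shell values taken to mean "no command line". Which one Server Admin's "None"
# actually writes is an assumption here, so several common ones are listed.
NO_SHELL = {"", "/dev/null", "/usr/bin/false", "/bin/false", "/sbin/nologin"}


def parse_passwd(text):
    """Parse dump lines into dicts; raises on a line with an unexpected field count."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 10:
            name, pw, uid, gid, _cls, _chg, _exp, gecos, home, shell = fields
        elif len(fields) == 7:
            name, pw, uid, gid, gecos, home, shell = fields
        else:
            raise ValueError("unrecognised passwd line: %r" % line)
        accounts.append({
            "name": name, "password": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return accounts


def audit(accounts):
    """Return (kind, subject, detail) findings for the settings the article discusses."""
    findings = []

    # Two names with one user ID are one identity as far as permissions go.
    by_uid = defaultdict(list)
    for acct in accounts:
        by_uid[acct["uid"]].append(acct["name"])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(("shared-uid", uid, tuple(names)))

    for acct in accounts:
        locked = acct["password"] == "*"      # "*" can never equal a crypt() hash
        has_shell = acct["shell"] not in NO_SHELL
        if locked and has_shell:
            # A service account that never logs in has no business with a shell.
            findings.append(("locked-but-shell", acct["name"], acct["shell"]))
        elif has_shell:
            # Review this list: everyone on it can reach the command line.
            findings.append(("command-line-capable", acct["name"], acct["shell"]))
    return findings


def find_orphaned(file_owners, accounts):
    """Files owned by a uid that matches no account: what a changed user ID leaves behind."""
    known = {acct["uid"] for acct in accounts}
    return [(path, uid) for path, uid in file_owners if uid not in known]


if __name__ == "__main__":
    accts = parse_passwd(SAMPLE_DUMP)
    for finding in audit(accts):
        print(finding)
    for path, uid in find_orphaned(SAMPLE_FILES, accts):
        print("orphaned:", path, "owned by uid", uid)
```

Against the constructed dump this reports uid 501 shared by joel and backup, backup and svc_cvs as locked accounts that still have shells, root and joel as the only accounts able to reach a command line, and /Users/oldguy/notes.txt as owned by uid 504, which no account has. To run it against a real server, replace SAMPLE_DUMP with the output of the dump command and SAMPLE_FILES with (path, uid) pairs gathered from the file system.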

Now you set a Home Directory location. This is exactly what it sounds like: it specifies where the user’s home folder will live. Use “None” if you are not going to have the user log in at the console. They will still be able to use file sharing and even command-line services. They will even still be able to log in at the console, but will quickly run into problems when the system is unable to save any preference files. None is probably what you will use for most users. If you want them to be able to use the console or have a roaming profile, set the Home Directory to either “Local” or “Custom.” Local makes you pick a share point; usually this should be left at “Users.” With Custom you can specify the IP address of an AppleShare server where the folder will reside.

When it is set to something other than “None,” a home folder will be created. If you want to change the default home folder, for example to remove the “Music” folder, edit the template it is copied from at /System/Library/UserTemplate/English.lproj/. Add or remove any folders or files you want there. Set the owner to root and adjust the other permissions as necessary. From then on, every new user created with a home folder gets these files and folders. If your primary language isn’t English, make the changes in the appropriate “.lproj” directory instead. Since the template lives under /System, keep a copy of your changes; a system update can put the stock layout back.

The default Home Directory settings can be saved by using the “Home Directory Defaults” menu item under the Users & Groups icon in the Server Admin application.

Now on to the “Comment” pane: it is really self-explanatory, put whatever you want into here.

Finally we come to “Mail Service.” Setting this to “None” will prevent any mail going to that user; they will have no POP or IMAP service. Setting this to “Enable” will allow the user to receive mail. Make sure to put the server’s IP address or fully qualified domain name in the field, or else the Apple Mail Service can get a little cranky. You can also choose to allow the user to connect over IMAP, POP, or both. The Options button lets you set separate mailboxes for the POP and IMAP inboxes, which is not something you really want to do unless you have a good reason. Also, you can enable NotifyMail. This is a cool idea, as it lets you know when you have mail before you check for it, but it isn’t used much anymore since it requires a proprietary client. For more information go to http://www.notifymail.com/.