Why is user asked to choose their workgroup?

Posted by Clinton Blackmore on Server Fault See other posts from Server Fault or by Clinton Blackmore
Published on 2010-12-06T18:48:44Z Indexed on 2012/04/09 5:33 UTC
Read the original article Hit count: 558

Filed under:
|
|

We running Mac OS X Server 10.5.8 with Mac OS X 10.5.8 clients. Students use network logins to, well, log in.

I've been asked to deny internet access to a specific user. I was told that a good way to do it is to create a user workgroup called "No Internet Access" and manage settings there. (Specifically, I told parental controls to allow access to no sites, and blacklisted all the installed web browsers).

Now, when the user authenticates to log in, they are greeted with this dialog:

Workgroups for <username>

Grade 7 Students
No Internet Access

It is unlikely that the student would willing choose "No Internet Access" to be their base group.

Looking in Workgroup Manager at the student's record, it shows their primary group ID is the grade 7 group, and "No Internet Access" is listed as another group they belong to.

I looked at the managed preferences for all the computers pertaining to logins. They are set to their defaults. Specifically, the computer groups' preference for Logins -> Access has the defaults:

  • [unchecked] Ignore workgroup nesting
  • [checked] Combine available workgroup settings

Based on my reading of Tips and Tricks for Mac Administrators, this should be correct, the user should not be asked which group they belong to, and settings from all applicable groups should be applied. How can I achieve that result?


Edit: I've decided to add some additional information from the Tips and Tricks for Mac Management White Paper (via Apple in Education, via the author's site).

On page 21, it says:

With Leopard MCX, workgroup preference settings are combined by default into a single set of values. This means that instead of having to choose between the Math, Science, or Language Arts workgroups when logging in, a user can just authenticate and be taken directly to the desktop. All the settings for each of those workgroups are composited together, providing you with all the Dock items and a composite of all the other settings.

On page 40, an example is given in which settings are combined from different 'domains', one computer group, two (user) workgroups, and one individual user's settings.

[When johnd logs into a leopard client,] the items staged in the Dock from left to right are: computer group, first workgroup alphabetically, second workgroup, user. Items within the workgroup are staged alphabetically.

Nowhere is there an indication that groups are nested; indeed, I can see no sensible (non-flat) heirarchy for groups like Math, Science, and Language Arts.

I strongly believe that there is a way to apply settings from two unrelated user workgroups such that a user of OS X 10.5.x or newer does not need to choose their workgroup. This is what I seek to achieve.

© Server Fault or respective owner

Related posts about macosx

Related posts about macosxserver