We running Mac OS X Server 10.5.8 with Mac OS X 10.5.8 clients. Students use network logins to, well, log in.
I've been asked to deny internet access to a specific user. I was told that a good way to do it is to create a user workgroup called "No Internet Access" and manage settings there. (Specifically, I told parental controls to allow access to no sites, and blacklisted all the installed web browsers).
Now, when the user authenticates to log in, they are greeted with this dialog:
Workgroups for <username>
Grade 7 Students
No Internet Access
It is unlikely that the student would willing choose "No Internet Access" to be their base group.
Looking in Workgroup Manager at the student's record, it shows their primary group ID is the grade 7 group, and "No Internet Access" is listed as another group they belong to.
I looked at the managed preferences for all the computers pertaining to logins. They are set to their defaults. Specifically, the computer groups' preference for Logins - Access has the defaults:
[unchecked] Ignore workgroup nesting
[checked] Combine available workgroup settings
Based on my reading of Tips and Tricks for Mac Administrators, this should be correct, the user should not be asked which group they belong to, and settings from all applicable groups should be applied. How can I achieve that result?
Edit: I've decided to add some additional information from the Tips and Tricks for Mac Management White Paper (via Apple in Education, via the author's site).
On page 21, it says:
With Leopard MCX, workgroup
preference settings are combined by
default into a single set of values.
This means that instead of having to
choose between the Math, Science, or
Language Arts workgroups when logging
in, a user can just authenticate and
be taken directly to the desktop. All
the settings for each of those
workgroups are composited together,
providing you with all the Dock items
and a composite of all the other
settings.
On page 40, an example is given in which settings are combined from different 'domains', one computer group, two (user) workgroups, and one individual user's settings.
[When johnd logs into a leopard
client,] the items staged in the Dock
from left to right are: computer
group, first workgroup alphabetically,
second workgroup, user. Items within
the workgroup are staged
alphabetically.
Nowhere is there an indication that groups are nested; indeed, I can see no sensible (non-flat) heirarchy for groups like Math, Science, and Language Arts.
I strongly believe that there is a way to apply settings from two unrelated user workgroups such that a user of OS X 10.5.x or newer does not need to choose their workgroup. This is what I seek to achieve.
