Workgroup Manager: Best Practices

Workgroup Manager Icon.pngPart 3 of my 4 part series on Workgroup Manager. We’ve already covered an Introduction to Workgroup Manager, covered the Step by Step Instructions for common tasks. Now we are going to take a look at some best practices that will ensure you maintain and reliable and useful directory system. Also, in case you missed it we also took a quick look at how to add an application to a users dock using WGM.

Workgroup Manager can be a complicated tool, and unfortunately there is potential to create conflicts and instability using this tool. Today, we are going to cover some recommended best practices and take a look at how they can you manage your Open Directory system. Have something to Add? Let me know in the comments.

User ID

Each account record within your directory system is assigned a unique numerical User ID that is used by your directory system to locate individual records. WGM by default simply adds one to the previous record to get the User ID for any new user. It also will not allow you create a duplicate User. But User IDs can be used to keep your directory organized. For Example on my network:

1000-1999 is used with Teachers, Administrators and IT Staff
2000-2999 is used with Kindergartners
3000-3999 is used with 1st Graders
4000-4999 is used with 2nd Graders
5000-5999 is used with 3rd Graders and so on.

By having a simple, unified system for user IDs I can now quickly and easily identify which group a particular user is a part of. This does not replace Workgroups, but it does allow me to know which workgroup I may need to edit or troubleshoot without having to navigate to the Groups pane. Finally, this helps find a quick test account when one is needed.

Naming Practices

Along the same line as user ID, I have found it infinitely helpful to follow a standard naming convention for the computers in all my buildings. This can help during the troubleshooting process to identify a computer in Apple Remote Desktop, assign the right image, or even know which Computer Group to assign to. We use the following format:


For Notebooks that travel we use the users last name to identify the computer instead of the location.

KJHS-eMac-Lab01 (Kennedy Junior High School - eMac - Lab Computer 1)
JHS-MB-Davis (Johnston High School - MacBook - Davis)

Uniform Standards

Because of limits in bandwidth, my District operates 9 separate Directory Systems, one in each building. Although we are moving towards one unified system, I know many other K-12 districts operate in the same way. If you are operating in this type of environment it is important to apply the same unified standards or settings across all of your systems. Not doing so will add significant frustration to the troubleshooting process.

Now, in Educational IT I do recognize that individual schools have individual personalities, and often individual culture. At first glance, this could prove problematic to having a uniform system. However, you can maintain standards such as User ID assignment, group folders, and system preferences without interfering with this culture. Teachers at Clark School may want to use FireFox where teachers at Jones may want to use Safari. This does not interfere with standards such as Energy Saver preferences, file permissions, etc. while still allowing the school to choose their default browser. Complete Standardization is ideal, but not always realistic.

Manage Preferences in One Location

As we took a look at managing preferences in the previous articles, we mentioned the concept of Preference Priority. That User preferences override Workgroup preferences is an example. By definition, we in the IT world are always overworked and busy, and it can often be tempting to take the path of least resistance when assigning preferences. Not paying close attention to where preferences are assigned can and will lead to increased work when trying to troubleshoot what went wrong. It is important that you follow a uniform standard throughout your directory system and only manage preferences in one location.

A good example of this would be dock preferences. In a previous article we discussed a first grade class that had to use the Computer Graphics Lab instead of the regular computer lab for their class. Although the 1st Graders only had Type To Learn and Safari in their dock, the Computer Group had Photoshop in its Dock preferences. The result was confusion for the 1st graders when half of them accidentally clicked on Photoshop instead of Safari by mistake. Instead, you should have managed all dock preferences in workgroups. That way, no matter what computer the user logs in on, they are presented with the same dock.

As a general rule I use the following guidelines:

Hardware related preferences - Manage in the Computer Group
• Energy Saver
• Printers
• Login Options

Software related preferences - Manage in the Workgroup
• Dock Layout
• Default Web Browser
• Application Permissions

Limited Exceptions Only - Manage by the User or Computer

Workgroup Manger can be a very complicated tool, for maintaining your Open Directory systems. However, by following these simple Best Practices you can help alleviate many problems, and provide a much simpler troubleshooting process.

By Eric Danley


Workgroup Manager: A Step by Step Guide

Workgroup Manager Icon.png

In Introducing Workgroup Manager we defined common terms, and became familiar with navigating the Workgroup Manager interface. In the second piece in the series on Workgroup Manager I will provide a step by step guide to 3 of the most common Workgroup Manager tasks: Creating a new user, adding a new computer to the directory, and managing preferences. Before continuing on to Workgroup Manager Best Practices, and Basic troubleshooting in parts 3 and 4.

Hit the link for Workgroup Manager: A Step by Step Guide to Common Mac OS X Server Tasks

Creating a New User:

In any modern environment be it a school, non-profit, or enterprise a System Administrator will often find themselves with new clients that need access to the network. Workgroup Manager (WGM) makes it easy to add a new user your Open Directory (OD) database.

1. Connect to Workgroup Manager by launching the WGM application, and entering your directory credentials. Remember, these are typically different than your server admin login and often use the diradmin account. By default, you are presented with the Accounts and Client view.

Workgroup Manager:

2. Click the new user button found in the top right side of the toolbar. This will create a new user and allow you to edit their information on the right inspector pane.

3. Enter the account name, and a shortname will automatically be created. If you’d like, you may add additional shortnames or edit the one provided. Next up is the User ID which is the numerical identifier to the account within the database. As will be discussed in the Workgroup Manager: Best Practices article, User IDs are a great way to keep your database organized.

4. Finally, enter your default password in both fields and click save. Thats it! You’ve added a user to your Directory System. That was easy enough, so lets delve into some of the more advanced control you have over accounts. Along the top tab bar in the inspector pane go ahead and click the advanced tab.

WGM: New User Advanced

5. Here you begin to get into the more advanced functionality that WGM offers. What I’d like to highlight for a moment is the “Options…” button below the User Password Type.

WGM: Password Options

6. This is where you can set the password policy for an account. Disabling an account on a specific date is a good security control for a temporary employee, or perhaps a substitute teacher and disabling after a certain number of failed attempts can help defend against a “Bruce Force” attack on an account. More importantly you can set your minimum password policies here with automatic reset prompts, minimum characters, and force a password change on the next login. This last one is particularly useful after first creating an account with the default username and password.

WGM: Groups Assignment

7. The Groups tab is where you set well, any group memberships. This window introduces a different interface dynamic that is repeated throughout the application. By clicking the grey plus beside the other groups table you open a drawer on the side of the WGM window. From here you can drag the necessary groups (Shit & Command click work) into the other groups field to make assignments. The account with inherit all relevant preferences and settings from the assigned groups, but more about that later.

WGM: Create Home

8. The next tab is the “Home” tab, and here is where you can create and assign disk quotas (maximum size of the home) for the accounts home directory. The directories that show up here are those bound to and defined by your open directory system.

9. The next tabs allow you to tie your user account to an OS X “Squirrel Mail” email account if you use that system, and the print quota can set limits to the amount of pages printed per day. Simple and self explanatory.

WGM: Info

10. The info tab is underutilized in my opinion, and allows you to add a lot of functionality to your OD system. By taking the time to put this information into your directory system you can log into it with Address Book and propagate their address book cards.

11. The last tab is the Windows tab, and it allows you to setup the user account so that it can be accessed from a (cough…) windows box.

Adding a New Computer to the Directory

Although managing your user accounts may be the most obvious use for an Open Directory system and Workgroup Manager, it is certainly not the only use. Arguably managing your computers is just as valuable a feature.

WGM: New Computer

1. There are only two steps required to add a computer to your network. First, if you look at the blue circle with the white plus in the toolbar you should notice that it changed from New User, to New Computer. Go ahead and press it. Then place the name of the computer, and a different short name if you’d like (I don’t find the short name to be a particularly useful feature, but if you’ve got a good use for it let me know in the comments.)

WGM: New Computer - MAC

2. The final step is critical when adding a computer to the Open Directory system. Click on the network tab, giving you 3 fields. The ethernet field needs to have the Ethernet ID or MAC Address as this is how the directory system locates and identifies the machine. Note, it sometimes seems counter-intuitive but even if the computer will only be connecting to the network wirelessly, for example a notebook computer, it still must be the Ethernet ID and not the Airport ID. The other fields allow you to control how the computer sees the network, and is optional.

Managing Preferences:

The aspect of Workgroup Manager that will likely consume the largest amount of time is adjusting preferences to control the user experience. With WGM you can do anything from controlling a user’s dock to blocking access to certain applications. It would take a lot more time then I have right now to go over each and every preference so instead we will go over the fundamentals of managing preferences.

The most critical piece of information you need to learn is the priority of preferences, the order of which preferences are applied.

Users > Computers > Computer Group > Workgroups

Users are greater than Computers which are greater than Computer Groups which are greater than Workgroups. This means that if the same preference is managed in multiple places the system will defer to the highest level. For example, lets say all members of the 1st grade workgroup are managed and only have access to Type to Learn and Safari but the regular computer lab is closed for maintenance causing them to use the computer graphics lab instead. The computer graphics computer list is managed so that Adobe Photoshop is on the dock of all computers in the group. Since computer groups get priority over workgroups this means that your workgroup preference saying that 1st graders only get Type To Learn and Safari will be overwritten and the students will see Type To Learn, Safari, and Adobe Photoshop. This could cause confusion for the teacher, and certainly for the students and would not be the best way to handle this situation. Instead, you could have created a Computer Graphics Workgroup and placed the preference to have Photoshop on the dock there.

Another example would be that all groups are managed to limit their access to applications such as Skype, except for lab assistants who are setup with access in their user preferences because it is used to communicate to the tech department. We will look into this concept again in the next article discussion of best practices.

Workgroup Manager: Preferences

Actually managing preferences is in itself very easy, but it requires thought and planning to control problems such as the one described above. In order to manage any preference you first need to select for what user, group or computer you want to manage. Do this by returning to the left side of the interface, and using the tab bar across the top choose what type of record you want to edit. Once you’ve chosen the record type, chose a specific record from the list on the left. Then across the top toolbar, click on the preferences icon which will bring up the preference pane shown above.

WGM Options

Clicking on each icon will bring up a list of options specific to each preference type. For example, applications will allow you select specific apps to allow or deny the record access to. The “System Preferences” preference does not actually give you access to manage system preferences but allows you to control access to those system preferences by the record type e.g. you could eliminate teachers access to the software update preference, or the network settings. Once you manage a preference, the gray and white mouse icon appears next to the preference as a visual reminder.

The last concept to recognize when managing preferences is the “Never, Once, Always” option. Across the top of each specific preference you have radio buttons with the above options. These control how the preferences are applied. Never of course means that the preference is not managed for that particular record. Once, means that the preference will only be applied upon the records next login and after that access will be returned. This is a great way to add an app to the dock, while still giving the user the ability to remove that item later. Setting the preference to Always means that your settings will always apply and cannot be overridden by the user.

As you can see, managing preferences can be a very complicated endeavor. However with good planning and a firm understanding of the two concepts discussed above you can help reduce any conflicts, and avoid any confusion for the end user.

Be sure to check back next week for my article on Workgroup Manager: Best Practices, and the final article in this series Workgroup Manager: Basic Troubleshooting. Thanks, and be sure to post any questions or comments in the comments section below.

By Eric Danley


Introducing Workgroup Manager

Workgroup Manager Icon.png

In Mac OS X server, Apple provides us with a selection of tools to help us manage our server development. One of the most commonly used tools is Workgroup Manager, a fantastic piece of software, but like many pieces of software WGM can prove daunting. This is the first in a series of articles that will provide a basic understanding of Workgroup Manager, step by step instructions for common tasks, best practices, and basic troubleshooting.

Hit the link for an Introduction to Workgroup Manager.

Apple provides a series of tools with each copy of Mac OS X Server to help you manage and maintain your server. These tools can be found either on the Admin Tools CD included in the Mac OS X Server box or can be downloaded here. For this tutorial I will be focusing on version 10.5 of the admin tools included with Leopard server. If you are not yet running Leopard on your Open Directory Server you can still use these tools as long as you are running server version 10.4.11

Definition of Common Terms:

Workgroup Manager (WGM) - used to manage your Open Directory structure, or more directly, it is used to manage the users, groups, and computers on your network.
User - Anyone who has an account and logs into your network
Group - A collection of users
Workgroup - A collection of users with managed or controlled preferences
Computer - A Mac or PC with managed or controlled preferences
Computer List - A collection of computers with managed or controlled preferences
Open Directory - The database system used on Mac OS X Server to store your user login and preference information

Workgroup Manager Connect

Navigating the Workgroup Manager Interface:

Upon launching WGM you a first asked to log into your Open Directory server. This can be in either DNS or IP format such as or If you don’t know the information offhand you can click the browse button to get a list of servers accessible via. bonjour. You will need to provide the login information for your open directory which is typically tied to an account called diradmin. This is not the same admin login information for the server itself, or if it is it shouldn’t be for security reasons. Of course you can choose to store your login information into your keychain, but this should only be done if you are on a secure computer. You wouldn’t want to walk away from your desk, and come back to a student deleting everyone’s login!

Workgroup Manager:

Once logged in you get access to the full WGM interface. The interface is a standard Apple server interface with the client account or computer on the rest, with the attributes you are editing on the right. Across the top is your toolbar which like most OS X apps can be modified to your liking.

WGM Toolbar

In the top left corner is the globe on a platter. Clicking this will open the Server Admin application which is used to control and monitor the server services such as Apple File Sharing, DHCPP, DNS, etc. Next up are the Accounts and Preferences panes. These two act as toggle switches to control the interface below. Clicking the Accounts tab gives you access to either the account settings of a particular user/computer or the membership of a Workgroup/Computer List. The preferences button is used to toggle access to well the preference pane. This is where you control the settings of a particular user/group/computer list and will be of particular importance in a school setting.

Continuing across the toolbar is the new user button (which will change to a new group/computer/computer list as appropriate,) and the delete button for removing a character or computer from the directory. Next up is the refresh button which is really only needed if there is more than one person working on the directory system at the same time (a practice I don’t recommend). Finally, we have new window and search. The new window button will open a new window connected to the same directory system. The search window allows for search of your records.

The rest of the interface is divided into two panes, the left would be your record pane, and the right is your inspector pane. Quite simply, you choose the record from the left and edit it on the right. At the top of each of these panes is a tab bar, we’ll hold off on the left tab bar for just a moment and talk about the one on the right one.

The right tab bar is part of the dynamic interface that changes based on the type of record you are editing. Each tab will open up a different part of the record to edit.

WGM Options

Now lets go back to the left tab bar. This tab bar controls the dynamic interface and gives you access to each of the four types of records: User, Group, Computer, Computer List. Clicking on each of these tabs will change the list of records on the left, and change the inspector tab on the right.

The final part of the interface is the preferences tab. When the preference button is pressed on the toolbar, the interface changes to replace the inspector pane with the preference pane. From here you can choose each preference and change or modify the settings for each record.

Next up, step by step directions for common tasks.

By Eric Danley


Uninstall MySQL on Mac OS X 10.5 Leopard

In an effort to migrate a SMF forum from siteground to my own personal leopard server running on a Mac Mini I managed to install MySQL 5.1 but also completely hose the permissions during the migration process. In the process of creating users for the new MySQL database I lost all access.

However, reinstalling MySQL is not as easy to do as you my think. The following are the standard tactics you might try:


  1. Reinstall the package - FAIL
  2. Delete the package receipt, then reinstall the package - FAIL
  3. Delete the database, and start over from scratch - Psuedo Fail


The MySQL database install with leopard is split in two different locations, both of which are invisible and require root access.

To remove MySQL from Mac OS X perform the following steps:

Open terminal and enter

cd /usr/local/

You will see 1 or more entries that begin with mysql, in my case I had a file called mysql-5.1.32-osx10.5-x86 Remove this file, remember its owned by root so you will need to use sudo

sudo rm -Rv mysql-5.1.32-osx10.5-x86

Put in your admin password and watch as this part of MySQL database is removed. Next we'll removed the shared part of the database. Type the following:

sudo rm -Rv /usr/shared/mysql

After this is done MySQL is completely gone from your system, now you can go ahead and reinstall!


Trying Squarespace

Trying out Squarespace as a new host for and related sites.

Page 1 2