Master Mac OS X Users and Groups by Making Your Mac Think It's a Server
Back in the days before Mac OS X, Mac users had much greater control over the users and groups on their computers as well as over personal file sharing. In Mac OS X, however, Apple decided to reserve the capability to create and manage groups of users and to offer the capability to create share points outside the Mac OS X public folders (including those for individual users and the public folder for all users of a computer) for Mac OS X Server. This simplified user management for individual computers under Mac OS X, but it placed significant limits on what could be done when configuring a home network (or a small office network in which Mac OS X Server is cost-prohibitive).
Mac OS X and Mac OS X Server both rely on varying types of directory databases to store user, group, and computer information. In the case of Mac OS X, local user and group information is stored in a NetInfo database called a domain. Mac OS X Server also relies on a local NetInfo domain for some functions—although for shared network users it uses Open Directory domains based on the LDAP standard (early versions of Mac OS X Server did rely on the same NetInfo paradigm that still persists in Mac OS X). This means that Mac OS X isn’t lacking the capability for user and group management so much as it is lacking tools to perform that management.
Managing Local Groups to Share Resources Between Users
By creating additional folders outside of any user’s home folder you can create folders that can be used by multiple users of the computer but with more flexibility than what is made available through the Shared folder, which is accessible to every user. This can be helpful with home computers as well as a shared computer in a small office or classroom. You can also change the permissions on the Shared folder or any of the folders inside of a home folder to facilitate or limit access by users based on group membership. Group membership affects access to files and folders, whether a user logs in at a computer or connects via file sharing from another computer.
Ironically enough, one of the tools that you can use to manage local users and groups is Workgroup Manager, Apple’s tool for managing users and groups on Mac OS X Server. Workgroup Manager is included with Apple server tools, which can be downloaded and installed on any Mac OS X Tiger computer. Typically, these tools are used for remote administration of Mac OS X Server. However, Workgroup Manager includes a local directory mode that can be used to manage Mac OS X as well (the other tools function only with Mac OS X Server).
In theory, you can use Workgroup Manager to create and edit user accounts. However, using Workgroup Manager is not as easy as using the Accounts pane in System Preferences. More importantly, there are some important features for Mac OS X local user accounts (most notably the creation of home folder) that cannot be accomplished using Workgroup Manager. As a result, you should really manage only groups and preferences (if you choose to) using Workgroup Manager. Actual user account management should be done through System Preferences.
To use the Workgroup Manager local directory mode, launch it and, when presented with the Connect dialog box, click Cancel. Then choose View Directories from the Server menu (or use the Apple+D key combination). You will see an alert telling you that you are not connected to a server directory node, to which you can simply click OK. Before you can manage users or groups, you need to authenticate to the directory by clicking on the lock icon in the upper right of the Workgroup Manager window and entering an administrator username and password for the computer.
Figure 1 shows the Accounts section of Workgroup Manager (if this isn’t displayed, click the Accounts button in the toolbar). To manage groups, click on the Groups tab (the one that has an icon of three people) in the left pane of the window. You will see the existing nonsystem groups. To edit an existing group, select it in the list. To add a new group, click the New Group button in the toolbar.
Figure 1 The Groups tab in Workgroup Manager
Whether you are editing an existing group or a new group, use the right pane to enter a name and short name for the group. They can be the same or different—for most local group uses, groups are displayed by their short names. Each group need to have a name and short name that are different from other groups on the system.
You can specify a group ID number as well, although like names and short names, they must be unique numbers. By default, Workgroup Manager will assign group ID numbers in the range typically used by Mac OS X Server (beginning with 1025), and you can use these numbers as long as your computer is not part of an Mac OS X Server directory structure. If you choose to assign numbers, numbers in the 600 range should be safe in most other cases. Be sure not to use any number below 100 because they are reserved for system groups needed for Mac OS X to function. Any of the groups created for user accounts will most likely be in the 500 range and should be avoided as well (the first user account is assigned 501 and each additional account is the next highest number).
After you enter a group name, short name, and group ID, click the Save button to create the group or save your changes. You can then add users to the group by clicking the plus sign button next to the Members listbox, which displays a drawer containing the available users and groups on the computer. Make sure that the tab at the top of drawer is set to display users instead of groups (the tab with the single person icon) and double-click on each user that you want to add to the group. This drawer contains every system-level user account as well as actual users (to avoid potential problems, only work with actual users). To remove users, select the users in the Members listbox and then click the minus sign button. When you’re finished, click the Save button.
Once you’ve created a group, you can use that group to set permissions for access to various files and folders on your computer. You can do this by either using the chmod Unix command from the Terminal or by using the Get Info command on a selected item in the Finder. If you use the Finder’s Get Info window, expand the Details section of the Ownership and Permissions part of the window and select a group from the Group pop-up menu (you might need to click the padlock and authenticate as the owner of the item or as an administrator of the computer). You can also choose what level of access members of the group have to the item.