Archive for the ‘Mac OS X’ Category

cgrplookup – a simple script to list computer group memberships

Saturday, October 23rd, 2010

Workgroup Manager doesn’t provide an easy way to determine what groups a computer account belongs to, which can be a nuisance when trying to modify a computer’s group memberships. cgrplookup is a quick Perl script written to help the support group check which groups a computer is in, as certain preferences are managed per computer group.

Simply edit the script to point to your Open Directory address and supply part of the computer name (in the example below the serial number makes up the computer name). The script must run on a computer that is connected to the directory you want to search.

Example:

psyduck:~ user$ ./cgrplookup.pl YM819013ZE5
golbat.its.uow.edu.au uow-ym819013ze5$: educ22107
golbat.its.uow.edu.au uow-ym819013ze5$: educationshares

Download cgrplookup script

Use a non-Apple parent for Software Update Server

Monday, October 26th, 2009

If you run multiple Apple software update servers in your organisation you can point them at another local software update server. This can save bandwidth costs, since the same files no longer have to be downloaded from Apple multiple times.

To point to a server that isn’t Apple’s, all you need to do is change one line in:

/etc/swupd/swupd.plist

Find the key metaIndexURL and point it to your local server.

You could then use a DNS round robin to spread the load across multiple servers, or simply point individual clients at particular servers.

Keeping user and administrative user passwords in sync

Saturday, October 10th, 2009

Best practice says that your everyday user account should not be an administrative user. The solution? Create an alternate administrative user and use those credentials when needed. Deploying such a scenario to many computers can be confusing for users – in particular having to remember an alternate username and password combination that often will not fall under traditional password age policies. To this end, linking a local administrator account to a user’s password can simplify password management for users while maintaining password age policies. Replacing the localadmin user’s password hash with a symlink to the regular user’s hash makes the local administrator’s password the same as the regular user’s.

First you need to know both the regular user’s and the local administrator’s GUID, as the password hash file is named after the user’s GUID. In this example our local administrator account is “localadmin”.

dscl . -read /Users/localadmin GeneratedUID

Repeat the command replacing localadmin with the regular username.

You will need to remove the existing localadmin password hash. In this example localadmin’s GUID is “ABAE7944-FBDD-4FA6-8419-B24AC0293B0D”.

sudo rm -R /var/db/shadow/hash/ABAE7944-FBDD-4FA6-8419-B24AC0293B0D

Finally put a symlink in place at localadmin’s hash path that points to the regular user’s password hash. In this example the regular user’s password hash is “513B539B-7DB2-48C3-93B8-0C33C7B39722”.

sudo ln -s /var/db/shadow/hash/513B539B-7DB2-48C3-93B8-0C33C7B39722 /var/db/shadow/hash/ABAE7944-FBDD-4FA6-8419-B24AC0293B0D

In other words: ln -s /var/db/shadow/hash/regular_user_GUID /var/db/shadow/hash/localadmin_GUID
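The same procedure as a script, added here as an example and not part of the original post: it looks up both GUIDs with dscl, refuses to run rm or ln on anything that is not a well-formed GUID, puts the symlink in place and then checks that it resolves. It assumes the Leopard-era /var/db/shadow/hash layout described above; HASHDIR can be pointed at a scratch directory to exercise the logic without touching a real system.

```shell
#!/bin/sh
# Added example, not the post's own script: look up both GUIDs, replace
# localadmin's hash with a symlink to the regular user's hash, verify the result.
# Assumes the /var/db/shadow/hash layout of Mac OS X 10.5; HASHDIR is
# overridable so the logic can be run against a scratch directory.
HASHDIR="${HASHDIR:-/var/db/shadow/hash}"

# Extract the value from `dscl . -read /Users/<name> GeneratedUID` output (stdin).
guid_from_dscl() {
    sed -n 's/^GeneratedUID: *//p' | head -n 1
}

# Accept only a well-formed uppercase GUID, so that a dscl error message can
# never end up as an argument to rm or ln.
is_guid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$'
}

lookup_guid() {
    /usr/bin/dscl . -read "/Users/$1" GeneratedUID | guid_from_dscl
}

# Replace the administrator's hash file with a symlink to the regular user's.
link_hash() {
    user_guid=$1; admin_guid=$2
    is_guid "$user_guid" && is_guid "$admin_guid" || return 1
    [ "$user_guid" != "$admin_guid" ] || return 1      # never link a file to itself
    [ -f "$HASHDIR/$user_guid" ] || return 1           # the target hash must exist
    rm -f "$HASHDIR/$admin_guid"
    ln -s "$HASHDIR/$user_guid" "$HASHDIR/$admin_guid"
}

# Audit check: is the administrator's hash a symlink resolving to the user's hash?
hash_is_linked() {
    [ -L "$HASHDIR/$2" ] && [ "$(readlink "$HASHDIR/$2")" = "$HASHDIR/$1" ]
}

main() {
    user_guid=$(lookup_guid "$1"); admin_guid=$(lookup_guid "$2")
    link_hash "$user_guid" "$admin_guid" && hash_is_linked "$user_guid" "$admin_guid" \
        && echo "$2 now shares the password hash of $1"
}

# Usage: sudo ./linkhash.sh <regular user> <local administrator>
if [ $# -eq 2 ]; then main "$1" "$2"; fi
```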

Creating a user from the command line

Thursday, May 14th, 2009

Used in conjunction with a modular disk imaging solution, this guide explains the basics of creating a new user from the command line. The code can be used as a first-run script, distributed through Apple Remote Desktop, etc.

The “Directory Service command line utility” dscl allows creation and management of user records in Mac OS X. The example below creates a user called “Local Administrator” with a short name of “ladmin”. Setting a secure password via a hash file is outlined at the end of the guide.

Create the user (via the short name)
dscl . -create /Users/ladmin

Set the user shell
dscl . -create /Users/ladmin UserShell /bin/bash

Set the user real name
dscl . -create /Users/ladmin RealName "Local Administrator"

Set the user’s unique ID, remembering that it must be unique. If you set an ID below 500 and use the “hide 500 users” login window default (defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE) you can create users that are hidden from the average person.
dscl . -create /Users/ladmin UniqueID 510

Set group ID (20 is “Staff”)
dscl . -create /Users/ladmin PrimaryGroupID 20

Set home directory
dscl . -create /Users/ladmin NFSHomeDirectory /Users/ladmin

Set a temporary password (the real password will be put in place as a hash file later, so that it is never stored in plain text in the script)
dscl . -passwd /Users/ladmin temppassword

Set a password hint
dscl . -append /Users/ladmin AuthenticationHint "No hints!"

Finally, add the user to the admin group (or not, in the case of a standard user)
dscl . -append /Groups/admin GroupMembership ladmin

and the _lpadmin group (so that printers can be controlled)
dscl . -append /Groups/_lpadmin GroupMembership ladmin

If a default home directory has been copied into place, its ownership will need to be changed to the newly created user. To use this script in a modular disk image solution such as InstaDMG, the home directory could be “installed” via a package. If you want the default home folder from the machine, do not worry about this step.
chown -R ladmin "/Users/ladmin/"

Setting the password

To keep the password secure even though the script is stored in plain text, copy the encrypted password hash file from /var/db/shadow/hash/ of a user on another computer who has the desired password; the password itself then never appears in the script. Once copied to the new computer the hash needs to be renamed to the GUID of the new user.

To find the GUID of the new user
dscl . -read /Users/ladmin GeneratedUID

This will output the GUID, which can then be used to remove the existing temporary hash and move the real password hash into place. The following example assumes the hash file is located in /tmp/usercreate/ as ladmin_hash.

rm /var/db/shadow/hash/GUID_NUMBER_HERE
mv /tmp/usercreate/ladmin_hash /var/db/shadow/hash/GUID_NUMBER_HERE

Alternatively, as a simple script, the GUID can be stored in a variable and the new hash then copied into place.

#!/bin/sh
# dscl prints "GeneratedUID: <GUID>", so the second space-separated field is the GUID
ladminGUID=`/usr/bin/dscl . -read /Users/ladmin GeneratedUID | cut -f2 -d " "`
# remove the temporary hash and put the real password hash in its place
rm /var/db/shadow/hash/"$ladminGUID"
mv /tmp/usercreate/ladmin_hash /var/db/shadow/hash/"$ladminGUID"

File permissions for the password hash

-rw------- root wheel
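The whole procedure as one script, added here as an example and not the post’s own code: the creation steps above become a parameterised function, the UniqueID is taken from the first free value in a range (so the “it must be unique” requirement is actually checked against dscl’s user list) and the hash swap restores the root:wheel, mode 600 permissions listed above. It assumes Leopard-era dscl; the account names and the /tmp/usercreate path are the post’s examples.

```shell
#!/bin/sh
# Added example, not the post's own script: create the local admin account
# from the steps above with a UniqueID that is verified to be free, then swap
# in the real password hash. Assumes Mac OS X 10.5 dscl and /var/db/shadow/hash.
DSCL=/usr/bin/dscl
HASHDIR=/var/db/shadow/hash

# Read `dscl . -list /Users UniqueID` output (lines of "name  uid") from stdin and
# print the lowest UID in [lo, hi] not already taken; prints nothing if none is free.
first_free_uid() {
    awk -v lo="$1" -v hi="$2" '{ used[$2] = 1 }
        END { for (u = lo; u <= hi; u++) if (!(u in used)) { print u; exit } }'
}

create_local_admin() {
    short=$1; real=$2; home="/Users/$short"
    uid=$("$DSCL" . -list /Users UniqueID | first_free_uid 510 599)
    [ -n "$uid" ] || { echo "no free UniqueID in 510-599" >&2; return 1; }
    "$DSCL" . -create "/Users/$short"
    "$DSCL" . -create "/Users/$short" UserShell /bin/bash
    "$DSCL" . -create "/Users/$short" RealName "$real"
    "$DSCL" . -create "/Users/$short" UniqueID "$uid"
    "$DSCL" . -create "/Users/$short" PrimaryGroupID 20
    "$DSCL" . -create "/Users/$short" NFSHomeDirectory "$home"
    "$DSCL" . -passwd "/Users/$short" temppassword   # replaced by the real hash below
    "$DSCL" . -append "/Users/$short" AuthenticationHint "No hints!"
    "$DSCL" . -append /Groups/admin GroupMembership "$short"
    "$DSCL" . -append /Groups/_lpadmin GroupMembership "$short"
    if [ -d "$home" ]; then chown -R "$short" "$home"; fi   # home folder from a package
}

# Swap the temporary hash for one copied from a machine that has the real
# password, keeping the -rw------- root:wheel permissions the hash directory uses.
install_password_hash() {
    short=$1; src=$2
    guid=$("$DSCL" . -read "/Users/$short" GeneratedUID | cut -f2 -d ' ')
    [ -n "$guid" ] && [ -f "$src" ] || return 1
    rm -f "$HASHDIR/$guid"
    mv "$src" "$HASHDIR/$guid"
    chown root:wheel "$HASHDIR/$guid"
    chmod 600 "$HASHDIR/$guid"
}

# Usage: sudo ./usercreate.sh ladmin "Local Administrator"
if [ $# -eq 2 ]; then
    create_local_admin "$1" "$2" && install_password_hash "$1" "/tmp/usercreate/${1}_hash"
fi
```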

Real simple security configuration of Mac OS X

Thursday, March 12th, 2009

Apple has published a guide on best practice to secure Mac OS X installations in its Security Configuration guide. Here are a few commands that are handy on any Mac OS X computer.

Require password to wake from sleep

defaults -currentHost write com.apple.screensaver askForPassword -int 1

Disable automatic login

defaults write /Library/Preferences/.GlobalPreferences com.apple.userspref.DisableAutoLogin -bool yes

Disable IR control

defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool no

Next Gen Deployments: Modular Imaging

Monday, February 16th, 2009

Disk images assist in desktop deployment by ensuring each computer is configured mostly the same, providing a time-effective way to deploy each computer and simplifying desktop management down the track, among other things. The traditional process of creating the image is to set up a computer exactly as required and then take a snapshot using any number of the disk imaging tools available. The method is very simple to follow and very effective. Unfortunately, once you need to begin supporting multiple configurations the traditional method falls flat.

Enter modular imaging. With the capability of adding to or subtracting from the image on the fly while maintaining the exact foundation on all desktops, modular imaging has numerous advantages over the older snapshot based solution.

Packages

Just as applications are installed, modular imaging leverages the package distribution process to build the image. Each application is installed as the image is being built rather than by a human manually installing the application on the master computer. The image will be built exactly the same the first or the tenth time it is created and will not drift, unlike images built manually.

Some applications are already installed by packages but most are simple drag and drop installs without an installation process. Such applications will need to be packaged so that they can be inserted into your image. Fortunately there are various applications available for free and commercially (see links) that wrap the application up in Apple’s package format.

Although the necessity of packaging everything may appear to complicate the image creation process, the same packages can also be leveraged by post-deployment strategies, keeping deployed desktops up to date through Apple Remote Desktop, Casper and other similar solutions.

System Configuration

In Mac OS X every configuration change is a file change. If the file that was changed can be located, it can be packaged and slotted into the image. Alternatively, actions can be performed by “payload free” packages that run a script rather than install files. Beyond running scripts at installation time, first-run-on-boot scripts can be used to complete final configuration after the desktop has been imaged.

Modular imaging may appear complicated on first investigation, but once the methodologies of the newer imaging processes are understood the possibilities and advantages quickly become apparent. Whether it is each version of an image being created exactly the same each time it’s built or modified, or removing the need to recreate a brand new image the next time an updated piece of hardware is released, the flexibility of modular imaging is the next natural step from traditional imaging.

Links

InstaDMG – solution for creating modular images.
Iceberg – free package authoring application.
Apple Remote Desktop – software deployment and remote control.
Casper – commercial desktop management and deployment solution.
fseventer – watches file system changes that aids you in determination of which file is needed for repackaging installers.

Server serial number from terminal

Sunday, December 7th, 2008

Type:

more /etc/systemserialnumbers/xsvr

to output the server’s serial number and registered user.

dirt: testing directory services

Tuesday, June 24th, 2008

dirt is a command line goodie that lets you test directory services without the pain of logging in and out to discover whether it will let you authenticate. For example:

dirt -u username -n

will check if the user name exists in any of the directories defined on the computer and list which directory it was found in.

Refresh software update server contents

Tuesday, February 26th, 2008

To force a refresh of the software updates residing on a Mac OS X software update server, remove everything in the /usr/share/swupd/html folder.

Get to know Admin Tools part 2

Wednesday, November 28th, 2007

In part 1 we looked at how Workgroup Manager allows you to manage users, groups, computers, shares and preferences. This article will give you an overview of two more administration applications, Server Administrator and Server Monitor.

Server Administrator

Server Administrator allows you to configure Mac OS X Server’s services such as file sharing, network services including DHCP and other internet services. Beyond service configuration the application provides you with statistics and logs.


Configuration of services is similar to setting up options in other day to day applications. The interface consists of tabs, fields and pull down menus. All service configurations are done in the Settings tab. To turn on a service such as Windows file sharing it’s as easy as configuring the service and then clicking Start Service in the main toolbar.


Statistics for most services can be viewed via the Overview, Connections and Graphs tabs. Depending on the service, the information displayed ranges from how long the service has been running to the number of users and the throughput. Raw logs can also be accessed for most services.


Server Monitor

Server Monitor gives you valuable feedback on the status of your servers, with information ranging from which version of the operating system is in use to the temperature and speed of the fans in systems that support it. As with Server Administrator you can add more than one server to monitor.


Mac OS X Server’s Admin Tools provide every administrator with a collection of applications designed to make administration as easy as Apple is legendary for making things. I hope that you now have a better understanding of which app does what. This concludes the two part article Get to Know Mac OS X Admin Tools.