File permissions are something systems administrators deal with every day. Usually when somebody can’t read something on the server, and they need you to figure out why. In multi-user environments, however, what people can’t read is often as important as what they can, and by default the Mac OS X Finder may allow people to read far more than your users expect.

The sales team need VPN for travel. The finance department needs Windows File Sharing. Freelancers need to deliver work via FTP, but they shouldn’t ever be able to log in from the console. Your server needs to offer a variety of services, but you don’t want to offer every service to every user with an account. Using the access panel built into the Server Admin application, you can set finely grained controls over which users and groups can utilize which services.

While never technically required (though often politically desirable), hiding local administrative accounts on Leopard workstations and laptops is one of the most popular requests we receive from IT personnel. The most common scenario is removing a pre-existing administrative account from view. This is a typical approach when building a disk image for manual cloning or installation via NetInstall, and in this article we’ll take a look at the steps it requires.

Disk mirroring, where data is written to two disks simultaneously, is a great low cost method to protect against single-disk failure and improve read-intensive performance. Apple’s Disk Utility provides an easy way to set two disks up as a RAID mirror prior to installation. Once the operating system has been installed, though, OS X can’t mirror an existing drive without completely reformatting. Unless, of course, you choose to do some from the command line.

If you’ve ever had to troubleshoot a Mac OS X machine, you probably know how invaluable the system logs can be. By simply opening the Console application in the Utilities folder, you can browse the information logged by almost any process on the machine. But how can you compare that data over a large number of systems, or look at the logs for a machine that isn’t right in front of you? It’s simply a matter of properly configuring syslogd.

If you aren’t lucky enough to have corporate servers that run AFP, you’ve probably had just about enough of the .DS_Store files that Mac OS X leaves lying around your Windows SMB and Linux NFS shares. While the files are turned off by default in Leopard, there are enough Tiger and Panther servers around to drive underfunded IT departments mad.

Providing a consistent user experience across multiple machines is a common way for system administrators to minimize troubleshooting time and facilitate training. A new user begins work with a standardized environment, designed for their organization and familiar to those around them.

One of the best features of OS X is the built-in ability to clone a customized installation to other machines. By creating a .dmg image of an existing installation in Disk Utility, then using the “Restore” feature to copy it to another disk, you can install a pre-configured OS onto any number of Macintosh workstations.

It’s been a year since Apple first shipped “Leopard”, its fifth retail version of OS X. Which means it’s been about a year since I started hearing people complain about Leopard’s truncated printer controls. Many users still haven’t discovered that the printing options in 10.5 are hidden behind that unlabeled blue arrow, and those that have are tired of constantly expanding the print dialog just to do their jobs.

Security policy means different things to different companies. In some environments, using managed preferences to control external drive access would be considered draconian. In others, leaving the Airport card plugged in (or firewire ports connected) is thought of as irresponsible. What can a systems administrator do to limit hardware use on company machines?