Manage Account Preferences
One of the long-standing complaints from IT departments about Mac OS X is the lack of a granular administration system. Users are either administrators or they aren’t. It’s a simple and appealing setup for home studios, but a serious problem for companies laboring under HIPAA and Sarbanes-Oxley regulation. In our earlier series on how to master Open Directory, we deployed centrally managed network accounts for Macintosh. Administrators who need finer control of the user environment can build on that deployment to manage account preferences.
Open Workgroup Manager, and select the “Preferences” button from the toolbar at the top of the window. The panel on the right will change to display the preferences available for control through Open Directory. While you can manage preferences for individual accounts, it’s significantly more scalable (not to mention less confusing) to use groups for these purposes. To do so, select the second button at the top of the left-hand column (illustrated with three silhouettes).

Using the icons on the right, you can then choose which Applications users may or may not launch, determine their write privileges for external media, establish which System Preferences settings they can change, and more. These are the Managed Client for OS X (also known as MCX) preferences.
For most preferences, you can set the frequency to “Once” (meaning the setting is a default that can be overwritten by the user) or “Always” (meaning the user cannot change the settings at all). Many offer “Often” as well (meaning the setting is editable but reset on each login), useful for public machines but outgrown by Leopard’s new Guest account.
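The following Python example is added here and is not from the original article or from Apple's tooling. It audits a managed-preferences record for settings that policy requires to be “Always” but that are only set “Once” or “Often”, and so can still be changed by the user. It assumes the record is available as a property list that uses the MCX keys Forced (“Always”), Often and Set-Once (“Once”); the com.example domains and key names are constructed sample data.

```python
import plistlib

# MCX plist level -> Workgroup Manager frequency label. Ordered weakest to
# strongest so that, if a key appears at several levels, this example reports
# the strictest one (a choice made for the audit, not a claim about MCX).
FREQUENCY = {"Set-Once": "Once", "Often": "Often", "Forced": "Always"}

# Constructed sample record; domains and keys are hypothetical.
SAMPLE_MCX = plistlib.dumps({
    "mcx_application_data": {
        "com.example.screensaver": {
            "Forced": [{"mcx_preference_settings": {"askForPassword": 1}}],
        },
        "com.example.dock": {
            "Set-Once": [{"mcx_preference_settings": {"autohide": True}}],
        },
        "com.example.loginitems": {
            "Often": [{"mcx_preference_settings": {"items": []}}],
        },
    }
})


def classify(mcx_plist_bytes):
    """Return {(domain, key): frequency label} for every managed key."""
    root = plistlib.loads(mcx_plist_bytes)
    result = {}
    for domain, levels in root.get("mcx_application_data", {}).items():
        for level, label in FREQUENCY.items():
            for entry in levels.get(level, []):
                for key in entry.get("mcx_preference_settings", {}):
                    result[(domain, key)] = label
    return result


def not_enforced(settings, required):
    """Return the required (domain, key) pairs that are missing or not 'Always'."""
    return sorted(pair for pair in required if settings.get(pair) != "Always")


if __name__ == "__main__":
    managed = classify(SAMPLE_MCX)
    policy = [("com.example.screensaver", "askForPassword"),
              ("com.example.dock", "autohide")]
    for domain, key in not_enforced(managed, policy):
        print(f"NOT ENFORCED: {domain} {key} ({managed.get((domain, key), 'unmanaged')})")
```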
Some preferences, however, either can’t be set through user groups (such as Login and Energy Saver options), or make little sense on a per-user basis (like network proxies, available printers, or Software Update). For these settings, you’ll want to set machine-based preferences.
Leopard Server splits computer-based management into two panes, one for individual machine accounts (illustrated by a single box) and the second now just for machine “groups”.

You’ll create accounts by adding their name and MAC address (also called Ethernet ID). Machine accounts are also created dynamically when a computer binds to your Open Directory domain. Once your accounts are in place, you can add them to the groups, and manage preferences for every user on a given machine.
Combined with the locked administrative System Preferences on each workstation, managed account preferences allow administrators to truly define account policy for their Macintosh users.
