Mac Geekery

One of the great dillemas of Mac admins is how to give users the ability to actually USE their machines, without the monkeys gumming up the works constantly. One of the easiest ways to do this is by using Open Directory. But what if you don’t have an Open Directory server?

Create a Power Users group. It gives users the ability to install the applications they want, without letting them modify things like network settings.

Working off of this tip from Mac OS X Hints, I created this method:

1. Download the server tools, and put Workgroup Manager either local on your machine or on an external drive (I use my Shuffle)
2. Open Workgroup Manager and edit the local directory
3. Create a group called powerusers
4. Nest the local Admin group in this group
5. Edit /etc/authorization (I use Property List Editor for this, but any plain text editor will work too) and find these entries:
   • com.apple.desktopservices
   • system.device.dvd.setregion.initial
   • system.install.admin.user
   • system.install.root.admin
   • system.install.root.user
   • system.privilege.admin
6. remove “admin” and replace with “powerusers” in all of these case

The “powerusers” group will now have installation rights, but not admin rights (can’t change system settings, use sudoers, can’t over-ride group management, etc.).
And since they can’t over-ride group management, you can apply preferences to the group using WGM (such as blocking them from using certain apps, etc)

There are still some flaws in this scheme, however, as there is in Windows, because it requires that apps and installers follow proper rules when operating, and few, (especially VISE installers) do not. I’ll have a rant on installers and poorly designed sotware another day.

Note: The system.device.dvd.setregion.initial is in there because if you’re including this in your image, and you never use the DVD drive in between unboxing the system, imaging it, then handing it to the user… well you end up with a support call.