taplinb

How To "Lock Down" An OS X User Account
Crude but effective way to maintain Macs


Here's a quick summary of how one can configure OS X for use in public labs running Panther (10.3). It should also work with Tiger (10.4) but I dunno. There may be better ways, but this is quick and cheap:

1. Install OS X fresh, or boot up your new Mac, and set the username to MacAdmin or the like. This is now the administrator account, which users should never touch. Share this password only with trusted admins authorized to muck with critical systems.

2. Install all the software you expect anyone to need in the default folders (usually Applications). Do not customize things too much. Keep it simple.

3. In Apple -> System Preferences, set your prefs for Desktop, Dock, Screen Effects, etc. Do not enable anything under Sharing, and tweak network stuff as needed for your LAN or WAN, including DNS.

4. In System Preferences -> Accounts, make two new accounts: macuser and template. Set and record the accounts' passwords and share them only with qualified admins and junior admins. With macuser highlighted, click Set Auto Login, then Capabilities.

5. In Capabilities, uncheck Remove Items from Dock, Open all System Preferences, and Change Password. You can also restrict which applications run, but I don't see much harm in leaving that restriction off. Your call. Some disable games or delete them.

6. Quit System Preferences, log out, then log in as the user "template". While in as template, set things exactly as you would want for the users. Be sure to test each application and define settings like the default web page (in Safari and Internet Explorer).

7. Log out, log in again as MacAdmin. Use the Print Center under Applications -> Utilities to configure any printers you might have. I favor direct TCP/IP printing, but some of you might still use AppleTalk.

8. Use the NetInfo Manager app, also in Utilities, to open up Security by first authenticating and then enabling the root account. Don't do this unless you have some understanding of UNIX administration or are willing to be very careful. It's brain surgery.

10. Once root is enabled, open Utilities -> Terminal and "su" to become root. This makes you god of the system until you "exit" or quit Terminal.

11. As root, and only if you are familiar with basic UNIX admin (much like on Linux or FreeBSD), copy /etc/rc to /etc/rc.backup, then edit /etc/rc with vi. At the bottom of the file, just above the exit line, add this: /etc/macuserfix.sh

12. Save changes to /etc/rc, then use vi to create the file /etc/macuserfix.sh, which should include the text below (minus the leading spaces on each line):

    #!/bin/sh
    # Recreate macuser's home from the template account at every boot.
    # Only do it when the template home exists; otherwise macuser would be left empty.
    if [ -d /Users/template ]
    then
        # .[!.]* matches dotfiles without ever matching . or ..
        rm -r /Users/macuser/.[!.]* > /dev/null 2>&1
        rm -r /Users/macuser/*
        cp -Rp /Users/template/.CFU* /Users/macuser > /dev/null 2>&1
        cp -Rp /Users/template/* /Users/macuser > /dev/null 2>&1
        chown -R macuser /Users/macuser/
    fi

13. This little shell script is case-sensitive and must be done almost exactly as shown. Double-check. When confident, chmod +x /etc/macuserfix.sh.

14. Now cd /Users and make sure each account owns its own directory. You can do so with chown [account] [account], e.g. chown macuser macuser.

15. Exit, exit, unauthenticate, quit NetInfo Manager, then restart the Mac. After the restart, the Mac should log itself in as macuser with the settings you defined in step 7 above as template.

16. If this was done right and works as expected, the user can only change a few things, and at every reboot the Mac will set itself back to normal.

There may be holes in this approach, and you may have to occasionally empty the Shared directory manually or via a shell script (could be automated to happen weekly), but for the most part the Mac should take care of itself.

When you need to make changes, make big changes as MacAdmin and then set the user experience in the template account. Changes are automatically copied to macuser. Don't bother customizing macuser itself, as those settings are wiped and recreated every boot.
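A more defensive version of the boot-time reset, added here as an example; it is not the original poster's script. It keeps the same idea (wipe the macuser home, repopulate it from the template home, hand it back to macuser) but refuses to run when the template is missing or when the target path does not look like a user home, so a typo in the path can never turn the script into rm -rf on /Users or /. The paths /Users/template and /Users/macuser, the account name macuser, and the install path /etc/macuserfix.sh are assumptions taken from the post above; the `case "$0"` guard at the bottom is what makes the reset fire only when the file is actually installed under that name and called from /etc/rc.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Assumed locations, matching the post: template home, user home, owner.
TEMPLATE_HOME="${TEMPLATE_HOME:-/Users/template}"
TARGET_HOME="${TARGET_HOME:-/Users/macuser}"
TARGET_USER="${TARGET_USER:-macuser}"

# reset_home TEMPLATE TARGET [OWNER]
# Empties TARGET and repopulates it from TEMPLATE (dotfiles included).
# Returns non-zero and leaves TARGET untouched unless the inputs are sane.
reset_home() {
    template="$1"
    target="$2"
    owner="$3"

    # A missing template would leave the user with an empty home: refuse.
    if [ ! -d "$template" ]; then
        echo "reset_home: template $template missing, not resetting" >&2
        return 1
    fi
    # Only accept an absolute path with at least two components
    # (/Users/macuser is fine, /Users or / is not).
    case "$target" in
        /*/*) ;;
        *) echo "reset_home: refusing to reset '$target'" >&2; return 1 ;;
    esac
    if [ "$target" = "$template" ] || [ ! -d "$target" ]; then
        echo "reset_home: bad target '$target'" >&2
        return 1
    fi

    # Wipe the contents but keep the directory itself. The two dot globs
    # cover every dotfile without ever matching . or .. ; -f keeps an
    # unmatched glob from being an error.
    rm -rf "$target"/* "$target"/.[!.]* "$target"/..?*

    # Copy everything from the template, preserving modes and timestamps.
    # tar over a pipe picks up dotfiles without any glob tricks.
    (cd "$template" && tar cf - .) | (cd "$target" && tar xpf -)

    # chown only works as root; skip it otherwise (e.g. when testing).
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$target"
    fi
    return 0
}

# Run the reset only when installed as /etc/macuserfix.sh and invoked by
# name (as from /etc/rc). Sourcing or running under another name just
# defines the function, so it cannot wipe a home by accident.
case "$0" in
    */macuserfix.sh) reset_home "$TEMPLATE_HOME" "$TARGET_HOME" "$TARGET_USER" ;;
esac
```

The `case "$target"` check is the cheap insurance the original lacks: if the target variable is ever emptied or mistyped, the function exits before the rm line. Because the globs never expand to `.` or `..`, the wipe cannot walk up into /Users the way an unguarded `rm -r dir/.*` could be expected to.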


This topic is being approved only because of the fact that you are the owner of this post. However, please do not post further content which has an online presence on the internet.
