Among Mac OS X Server's new capabilities is its built-in client management. Using Workgroup Manager, you can manage just about every aspect of the Mac OS X user experience for any computers that are bound to a shared directory (most commonly a NetInfo or LDAP domain). You can configure most pieces of the user environment initially, allowing users to create their own personalised modifications -something often known as managing a preference once - or you can set preferences to be always managed, creating an environment that the user can't change. Adding even more flexibility to the Mac OS X managed client model, Apple allows you to configure preferences for individual users, groups, or workstations using computer lists.
The problem some Mac OS X administrators stumble over is the high degree of flexibility in the management options. Layering preferences for users, groups and workstations can make it confusing as to which preferences will be managed when a user logs in. The confusion grows, especially for users, if they're members of multiple managed groups, such as workgroups. That's because each group they select may deliver a different user experience or restrictions on modifying that experience or accessing resources.
And since you can also manage preferences based on computer lists, the experience can change when a user simply moves from one workstation to another. The result: bewildered users, who have no way of knowing which workstations are part of which computer lists - or even that computer lists exist in the first place.
So, how do you clear up this confusion? Easy: keep it simple and plan ahead. Rather than applying preferences in whichever way seems best initially, plan out how you will manage each one. Look at the various preference panes in workgroup manager. Figure out which ones you will use in your network, and then decide which users or computers they apply to. If you only plan a limited number of managed groups and you limit most users to being members of a single managed group, then apply preferences based on groups. When users are part of multiple managed groups, they must pick a group at log-in. If they are part of groups with widely varying preferences, this will get confusing for them - and you, too.
Generally speaking, users are distinct enough that you can create a single managed group for them. As an example, first year students, middle school teachers, graphic designers, administrative assistants -- all are pretty distinct groups in terms of what they need and how they work. Remember, even if you limit users to a single group, you can still make them members of additional non-managed groups for setting permissions and access to network resources.
Decide which preferences are most appropriate to assign based on computer lists. Printers, dock items, access to applications based on what's installed on workstations, system preferences access - all are logical choices for management by computer list. With the exception of items that are additive, however, keep computer list management as consistent as possible.
Many administrators frown on applying preferences base on individual users, feeling that it's better to apply preferences by group. While this is a good general guideline, doing so can become confusing, especially if some members of a group need slightly different management but essentially the same preferences and permissions as the rest of the group.
For example, all employees in a human resources department may have the same environmental needs. But department managers may also need to print to an additional printer and be able to adjust some settings that are always managed for the group at large. In this case, you can apply the additional preferences to those one or two users.
One way to do so is with the comments or keywords features in Workgroup Manager, which can be used to identify their job functions and extra needs and can be used to easily locate them by sorting or searching the user list. That's far easier and less confusing than applying multiple group memberships or creating a computer list just for their workstations, which may not be the only place they log in.
How do multiple preferences interact with one another? For preferences that are list-based, multiple assignments are combined or added together into one big list that's applied to the user experience. In other words, dock items assigned to a computer list are added to dock items for a managed group and items assigned to a user. For all other preferences, when the same preference pane is managed at multiple levels, the user-defined preferences override those configured based on computer lists, which in turn override preferences for managed groups.
Ryan Faas has been an IT professional and technology writer who has specialised in Macintosh systems for nearly 10 years and currently manages the Mac OS X Server and Macintosh workstations for a community college in Upstate New York. He is also co-author of Troubleshooting, Maintaining, and Repairing Macs