We are running Mac OS X Server 10.5.8 with Mac OS X 10.5.8 clients. Students use network logins to, well, log in.
I've been asked to deny internet access to a specific user. I was told that a good way to do it is to create a user workgroup called "No Internet Access" and manage settings there. (Specifically, I told parental controls to allow access to no sites, and blacklisted all the installed web browsers).
Now, when the user authenticates to log in, they are greeted with this dialog:
Workgroups for <username>
Grade 7 Students
No Internet Access
It is unlikely that the student would willingly choose "No Internet Access" to be their base group.
Looking in Workgroup Manager at the student's record, it shows their primary group ID is the grade 7 group, and "No Internet Access" is listed as another group they belong to.
I looked at the managed preferences for all the computers pertaining to logins. They are set to their defaults. Specifically, the computer groups' preference for Logins -> Access has the defaults:
- [unchecked] Ignore workgroup nesting
- [checked] Combine available workgroup settings
Based on my reading of Tips and Tricks for Mac Administrators, this should be correct: the user should not be asked which group they belong to, and settings from all applicable groups should be applied. How can I achieve that result?
Edit: I've decided to add some additional information from the Tips and Tricks for Mac Management White Paper (via Apple in Education, via the author's site).
On page 21, it says:
With Leopard MCX, workgroup preference settings are combined by default into a single set of values. This means that instead of having to choose between the Math, Science, or Language Arts workgroups when logging in, a user can just authenticate and be taken directly to the desktop. All the settings for each of those workgroups are composited together, providing you with all the Dock items and a composite of all the other settings.
On page 40, an example is given in which settings are combined from different 'domains', one computer group, two (user) workgroups, and one individual user's settings.
[When johnd logs into a leopard client,] the items staged in the Dock from left to right are: computer group, first workgroup alphabetically, second workgroup, user. Items within the workgroup are staged alphabetically.
Nowhere is there an indication that groups are nested; indeed, I can see no sensible (non-flat) hierarchy for groups like Math, Science, and Language Arts.
I strongly believe that there is a way to apply settings from two unrelated user workgroups such that a user of OS X 10.5.x or newer does not need to choose their workgroup. This is what I seek to achieve.
The problem is that you've assigned the user to be a part of two groups. OS X can get very confused if everything isn't set up just right. Instead, you should be using a hierarchy of groups.
For example, User X should only be a member of the No Internet group, and the No Internet group should be a member of the Grade 7 Students Group. (Yes, groups can be members of other groups.) Since the two groups are setting unrelated, non-conflicting managed preferences, the preferences "trickle down" and are all applied to members of the No Internet group.
Expanding on this idea, you could create a group called "All Users" that has settings you apply to every account, then two groups that are members of that group called "Teachers" and "Students", with appropriate settings, and then groups under "Students" for each grade level (and then a group under each grade level called "No Internet" to block internet access, if you so choose).
You could also do it the dirty, unrecommended way and manage the no internet settings directly on the user account, but I would advise highly against it.
I was able to have my users skip the Workgroup selection screen by editing the login preferences. (I’m using OS X Lion Server 10.7.3 as well as the matching 10.7 version of Admin Tools.)
Combine available workgroup settings (Mac OS X v10.5 or later)