70 Chapter 4 Setting Up User Accounts
Working with Privileges
You can give a user account full or limited control over domain administration. When
giving limited administrative control, you can choose which users and groups the user
can administer, and what kind of control the user has over those users and groups.
You can change a user’s domain privileges for Open Directory domains. You can’t
change privileges for a local user account or an account stored in domains that are not
Open Directory.
Full and limited administrators use Workgroup Manager to administer and manage
users.
In Workgroup Manager, use the user account’s Privileges pane to set privileges.
Removing Administrative Privileges from a User
Users with no administrative privileges can use Workgroup Manager to view (but not
change) accounts in a directory domain.
You can change a user’s domain privileges for LDAPv3 directory domains. You can’t
change privileges for a local user account or an account stored in a non-LDAPv3
directory domain.
To remove a user’s administrative privileges:
1 In Workgroup Manager, click Accounts.
2 Select the user account you want to work with.
To select an account, click the globe icon above the accounts list, choose the directory
domain where the user’s account resides, and then select the user.
3 To authenticate, click the lock and enter the name and password of a directory domain
administrator.
4 In Privileges, choose None from the “Administration capabilities” pop-up menu and
click Save.
Giving a User Limited Administrative Capabilities
You can let users who don’t need full administrative control perform common
administrative tasks by giving them limited administrative control.
For example, you might want student lab assistants to reset other students’ passwords
but not to edit the groups they belong to. Similarly, you might want school staff to edit
student user information but not their managed preferences.
After a user with limited administrative control authenticates in Workgroup
Manager, the Workgroup Manager interface allows that user to perform only the
tasks assigned to the limited administrator.