1. Install OS X fresh, or boot up your new Mac, and
set the username to MacAdmin or the like. This is
now the administrator account which users should
never touch. Share this password only with trusted
admins authorized to muck with critical systems.
2. Install all the software you expect anyone to need
in the default folders (usually Applications). Do not
customize things too much. Keep it simple.
3. In Apple -> System Preferences, set your prefs for
Desktop, Dock, Screen Effects, etc. Do not enable
anything under Sharing, and tweak network stuff
as needed for your LAN or WAN including DNS.
4. In System Preferences -> Accounts, make two new
accounts: macuser and template. Set and record
the accounts' passwords and share them only with
qualified admins and junior admins. With macuser
highlighted, click Set Auto Login, then Capabilities.
5. In Capabilities, uncheck Remove Items from Dock,
Open all System Preferences, and Change Password.
You can also restrict which Applications run, but I
don't see much harm in leaving that restriction off.
Your call. Some disable games or delete them.
6. Quit System Preferences, log out, then log in as the
user "template". While in as template, set things
exactly as you would want for the users. Be sure
to test each application and define settings like
default web page (in Safari and Internet Explorer).
7. Log out, log in again as MacAdmin. Use the Print
Center under Applications -> Utilities to configure
any printers you might have. I favor direct TCP/IP
printing, but some of you might still use Appletalk.
8. Use the NetInfo Manager app, also in Utilities, to
open up Security by first authenticating and then
enabling the root account. Don't do this unless you
have some understanding of UNIX administration
or are willing to be very careful. It's brain surgery.
9. Once root is enabled, open Utilities -> Terminal
and "su" to become root. This makes you god
of the system until you "exit" or quit Terminal.
10. As root, and only if you are familiar with basic
UNIX admin (much like on Linux or FreeBSD),
copy /etc/rc to /etc/rc.backup, then edit /etc/rc
with vi. At the bottom of the file, just above the
exit line, add this: /etc/macuserfix.sh
Keep the backup: a system update can replace
/etc/rc and silently drop that line, so re-check
it after every update.
11. Save changes to /etc/rc, then use vi to create file
/etc/macuserfix.sh with exactly the text below.
Note the guard tests that the template exists; the
original "! -d /user/template" (no "s") named a
directory that never exists, so the test was always
true and a missing template would have left
macuser with an empty home instead of a reset one.
Use /Users with a capital U so it also works on a
case-sensitive (UFS) disk; HFS+ does not care.
#!/bin/sh
# Reset macuser's home from the template on every boot.
# Runs as root from /etc/rc; do nothing if there is no template.
if [ -d /Users/template ]
then
# Dotfiles first. The patterns .[!.]* and ..?* skip the
# "." and ".." entries that "rm -r .*" trips over.
rm -rf /Users/macuser/.[!.]* /Users/macuser/..?* > /dev/null 2>&1
rm -rf /Users/macuser/*
cp -Rp /Users/template/.CFU* /Users/macuser > /dev/null 2>&1
cp -Rp /Users/template/* /Users/macuser > /dev/null 2>&1
chown -R macuser /Users/macuser/
fi
12. This little shell script is case-sensitive and must
be done almost exactly as shown. Double-check.
When confident, chmod 755 /etc/macuserfix.sh and
make sure it (and /etc/rc) is owned by root and not
writable by anyone else: /etc/rc runs it as root on
every boot, so a user who could edit it would own
the machine.
13. Now cd /Users and make sure each account
owns its own directory and everything in it. You
can do so with chown -R [account] [account], e.g.
chown -R macuser macuser.
14. Exit, exit, unauthenticate, quit NetInfo Manager,
then restart the Mac. After the restart, the Mac
should log itself in as macuser with the settings
you defined in step 6 above as template.
15. If this was done right and works as expected, the
user can only change a few things, and on every
reboot the Mac will set itself back to normal.
There may be holes in this approach, and you may have to occasionally empty the Shared directory manually or via a shell script (could be automated to happen weekly), but for the most part the Mac should take care of itself.
When you need to make changes, make big changes as MacAdmin and then set the user experience in the template account. Changes are automatically copied to macuser at the next boot. Don't bother customizing macuser itself, as those settings are wiped and recreated every boot.
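For anyone who wants the reset script in a form that can be tried out on a scratch directory before it goes into /etc/rc, here is an added example. It is not the original script from the steps above; the function names (purge_dir, reset_home), the "run" argument and the refusal list of directories it will never empty are this example's own choices, while the paths mirror the ones the guide uses (/Users/template, /Users/macuser, /Users/Shared). It also does the Shared-directory cleanup mentioned above at each boot. Install it as /etc/macuserfix.sh and call it from /etc/rc as "/etc/macuserfix.sh run"; without the argument it only defines the functions, so it can be sourced and exercised against temporary directories as an ordinary user (pass an empty owner to skip the chown).

```shell
#!/bin/sh
# Added example, not the guide's own script. Hypothetical helper names;
# paths follow the guide (/Users/template, /Users/macuser, /Users/Shared).

# purge_dir DIR
# Remove everything inside DIR, dotfiles included, but not DIR itself.
# find sidesteps the "." and ".." entries that "rm -r DIR/.*" hits, and
# a short deny list keeps a bad variable from emptying the wrong tree.
purge_dir() {
  dir="$1"
  case "$dir" in
    ""|/|/Users|/users|/etc|/var|/private)
      echo "purge_dir: refusing to empty '$dir'" >&2
      return 2 ;;
  esac
  [ -d "$dir" ] || return 1
  find "$dir" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
}

# reset_home TEMPLATE_DIR USER_DIR [OWNER]
# Empty USER_DIR and refill it with a copy of TEMPLATE_DIR, dotfiles too.
# If TEMPLATE_DIR is missing it refuses and leaves USER_DIR untouched:
# the guide's original test of "/user/template" (no "s") never matched,
# so a missing template would have produced an empty home, not a reset.
reset_home() {
  template="$1"
  home="$2"
  owner="$3"
  if [ ! -d "$template" ]; then
    echo "reset_home: template '$template' missing; leaving '$home' alone" >&2
    return 1
  fi
  mkdir -p "$home" || return 1
  purge_dir "$home" || return $?
  # "template/." copies the directory's contents, dotfiles included,
  # rather than nesting a "template" directory inside the home.
  cp -Rp "$template/." "$home/" || return 1
  if [ -n "$owner" ]; then
    chown -R "$owner" "$home" || return 1
  fi
  return 0
}

# Entry point for /etc/rc (runs as root at boot): /etc/macuserfix.sh run
if [ "${1:-}" = "run" ]; then
  reset_home /Users/template /Users/macuser macuser
  purge_dir /Users/Shared
fi
```

The deny list in purge_dir is deliberately crude: it only has to catch an empty or root-level path, which is the failure mode of an unset variable, and the real protection is still that /etc/macuserfix.sh is root-owned and not writable by macuser.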

