Changing the default Template in Mac OS X

If you’re administering a network of Mac computers, you shouldn’t underestimate the power of altering the default template.

The idea is simple: you can make sure that when new accounts are created, they already have the preferences set up exactly the way you need them. There are several scenarios where this technique can be used or where it presents an advantage:

Network users - rather than creating users ahead of time, which consumes both time and hard drive space, customising the default profile allows Mac OS X to create new accounts as soon as users are authenticated.

Fast user churn - I administer some MacBooks for a short citizen media course: the users share the Macs extensively for a few months, at the end of which the machines need to be quickly prepared for new users. All I have to do is apply any patches, delete the old users, and make new user accounts. The new user accounts are already set up with all the user preferences, guide documents and iTunes libraries ready to go.

The self-cleaning oven - Great for store demonstration machines or kiosk mode. You have computers that you think people are going to mess up. That’s fine, but you need a way to make sure the user account resets itself. Setting up a log-out script to delete the user’s files and recreate them from the default template is a simple and powerful way of doing this.
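A sketch of such a log-out script, as an added example rather than code from the original post. It assumes the template path used in the commands on this page, a hypothetical kiosk account named "demo", and that the script is started as root with the user's short name in $1 (as a loginwindow LogoutHook is); the cp fallback is only there so the function can be exercised off a Mac.

```shell
#!/bin/sh
# Added example: logout-hook style reset of one kiosk account from the template.
# KIOSK_USER is a hypothetical account name; TEMPLATE is the path used on this page.
TEMPLATE="/System/Library/User Template/English.lproj"
KIOSK_USER="demo"

# reset_home USER HOME_DIR TEMPLATE_DIR OWNER
# Returns 0 on success, or a distinct non-zero code for each refused case.
reset_home() {
    user=$1 dir=$2 tpl=$3 owner=$4

    # Only ever touch the one account this hook exists for (also rejects "").
    [ "$user" = "$KIOSK_USER" ] || return 2
    # The home must be an absolute path whose last component is the user name,
    # so an empty or mangled argument can never expand to a parent directory.
    case $dir in
        /*/"$user") ;;
        *) return 3 ;;
    esac
    # A symlinked home could redirect the delete and copy somewhere else.
    [ ! -L "$dir" ] || return 4
    [ -d "$tpl" ] || return 5

    rm -rf -- "$dir" || return 6
    if command -v ditto >/dev/null 2>&1; then
        ditto -rsrcFork "$tpl" "$dir" || return 7
    else
        cp -Rp "$tpl" "$dir" || return 7    # stand-in so this runs off a Mac
    fi
    # The template is root:wheel, so hand the fresh copy back to the user.
    chown -R "$owner" "$dir" || return 8
}

# Run as a hook: assumed to be started as root with the short name in $1.
if [ "$(id -u)" -eq 0 ] && [ -n "${1:-}" ]; then
    reset_home "$1" "/Users/$1" "$TEMPLATE" "$1"
fi
```

Because the script deletes a directory as root, every refusal happens before the rm line; any account other than the kiosk one is left untouched.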

Create an account and configure it the way you want, making sure you go into each program and set it up the way you want it. Empty the trash, log out, and log in as a local administrator user. Then go to /Applications/Utilities/Terminal(.app) and enter the following:

(Don’t type in the line numbers: I use those to make comments below)

 1  sudo su
 2  mv /System/Library/User\ Template/English.lproj /System/Library/User\ Template/English.lproj.bak
 3  ditto -rsrcFork /Users/$shortname /System/Library/User\ Template/English.lproj
 4  rm -R /System/Library/User\ Template/English.lproj/.Trash
 5  rm -R /System/Library/User\ Template/English.lproj/.bash_history
 6  rm -R /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.recentitems.plist
 7  rm -R /System/Library/User\ Template/English.lproj/Library/Keychains
 8  rm -R /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.keychainaccess.plist
 9  rm -R /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.internetconfig.plist
10  chown -R root:wheel /System/Library/User\ Template/English.lproj
11  exit

Code Comments:

Line 1:
In terms of security, it’s not actually recommended to do this. Using ‘sudo su’ means that I’m essentially acting as root, which can potentially do great damage to the system. The alternative is to write ‘sudo’ in front of the remaining lines, but I’m a bit lazy for that. It’s up to you.

Line 2:
This just backs up the default user template. I leave restoring the back-up as an exercise for the reader ;)
Replace ‘English’ with your default language: have a look around the relevant directory if you’re unsure what Apple has called it.

Line 3:
Replace $shortname with the short name of the user you’ve used to create the template.

Lines 4-6:
Cleanup: makes sure that the trash, recent items and bash (terminal) history are all empty.

Lines 7-8:
This deletes the default keychain. If you don’t delete this, the template will try to use the $username keychain, which can be a problem. If the end user experiences any errors, they’ll be given the option to create a fresh keychain, which is what they should do.

Line 9:
Safari and Firefox use a system setting that uses an absolute path (/Users/$username/Desktop) for the default save path (instead of ~/Desktop). Tut tut. Deleting this .plist will set the proper values when the account is created.

Line 10:
Finally you’ll need to change the ownership of the profile to the system rather than the $username user.

Line 11:
This exits the ‘su’ mode (so obviously, you can miss it out if you’ve been entering lots of ‘sudo’s instead).
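Anything left in the template is copied into every new account, so it is worth checking the result of lines 4-10 before creating users. The following check is an added example, not part of the original post: the function names are made up here, and the search for "/Users/$shortname/" is a heuristic for the absolute-path problem described under line 9.

```shell
#!/bin/sh
# Added example: check a copied user template before new accounts inherit it.

# scan_template TEMPLATE_DIR SHORTNAME OWNER GROUP  -> one finding per line
scan_template() {
    tpl=$1 shortname=$2 owner=$3 group=$4

    # Items removed by lines 4-9 of the commands above.
    for rel in .Trash .bash_history Library/Keychains \
        Library/Preferences/com.apple.recentitems.plist \
        Library/Preferences/com.apple.keychainaccess.plist \
        Library/Preferences/com.apple.internetconfig.plist
    do
        if [ -e "$tpl/$rel" ]; then
            echo "LEFTOVER: $rel"
        fi
    done

    # Any other file that still names the source account's home (line 9 issue).
    grep -rlF -- "/Users/$shortname/" "$tpl" 2>/dev/null |
        sed 's/^/ABSOLUTE PATH: /'

    # Line 10: everything should belong to the expected owner and group.
    find "$tpl" \( ! -user "$owner" -o ! -group "$group" \) -print |
        sed 's/^/WRONG OWNER: /'
}

# audit_template (same arguments): print findings; return 0 if clean, else 1.
audit_template() {
    out=$(scan_template "$@")
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# On the Mac itself (shortname "demo" is a placeholder):
#   audit_template "/System/Library/User Template/English.lproj" demo root wheel
```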

One or two final (or penultimate) notes:

New users will have the same files, documents and settings you originally set up. Be aware you may be replicating large amounts of files between accounts for things like iTunes (we decided we didn’t care), and large profiles will take a while to create.

iPhoto (as of iLife 7, anyway) is worth mentioning because it doesn’t play totally nicely: new users will have to re-select their default iPhoto library the first time they log in. I think the default is “~/Pictures/iPhoto Library”

3 Responses to “Changing the default Template in Mac OS X”

  1. Ray Says:

    Hi, I used this on an osx server for work group manager to create customized user home folders. What I’m finding now is that when one user creates a file/folder and places it into a group folder, other members of the group can’t open it. Just to clarify, it is a permissions issue? if so, after over 200-300 users already created, is there a way to change the permissions with too much pain!

  2. SilentBob Says:

    I haven’t played around with user templates in OSX, but it sounds like you’ve got a permissions problem (that’s unrelated to the template). You should be able to tell the permissions using the ls command (e.g. ls -l), which should tell you the owner and group associated with the file/folder. If you need to modify the permissions, privileged users can use chown, unprivileged users can use chgrp (if they’re the owner of the file). If the file is already assigned to the correct group but other members can’t access it, you (or the owner) may have to use chmod to change the permissions so that members of the group have access (whether you want to give them read or read-write access is up to you/the user). If you want subsequent files in the group folder to be given the group permission when files are placed in there, you may want to investigate using the setgid bit. If the setgid bit on a directory entry is set, files in that directory will have the same group ownership as the directory, instead of the group of the user that created the file. The setgid bit can be set using the chmod command. If you’re not feeling too confident, it’s probably worth reading the man pages for chmod, chown, chgrp, and reading up on file system permissions: http://en.wikipedia.org/wiki/File_system_permissions

  3. yamahito Says:

    Hi Ray,

    As SB says, it sounds like the permissions issue is to do with this group folder - what are the permissions of the newly created file? Where’s the folder located (network or local)? What was the behaviour like before you created the default template? You may find options in Workgroup Manager to change the default permissions of files created in the group folder, if WM is what is sharing it.

    OS X should be resetting the permissions of the files in any template to the new user’s when creating the account, which is why it seems unlikely that it’s related to the template itself. Otherwise the user wouldn’t be able to access their own files, everything in the template being owned by root:wheel.

    The method above is really for templates for local accounts which authenticate to the network, rather than whole accounts stored on OS X Server. Having said that, it’s an area I’m interested in myself, so I’d be interested in any information you have. I’m guessing that, where locally the machine would create new accounts as they’re needed, Server forces you to create the accounts ahead of time? If so, that sounds like a bit of a pain.
