Question

I'm currently setting up an OSX Server (Mavericks) in a small company (10.9 on the clients as well), and I'm trying to decide what the best approach is to manage accounts.

The accounts will not be used for roaming; everyone has their own workstation, and never has any desire to log into other machines. This appears to eliminate the need for home directories on the server.

Now I'm wondering whether I should create Local Network Users or Local Users (in both cases without a home directory on the server). What is the advantage of using Open Directory to manage Network Users rather than creating Local Users and leaving Open Directory switched off?

There are no other servers or off-site networks involved that we need to 'hook into', so that is not something that seems to lead to a requirement for an Open Directory server.

Is there any reason why I should not just create Local Users instead? What can they not do that Local Network Users can do?

EDIT: While I'm still interested in the answer to this, I've since elected to set up accounts using Open Directory. I could not find a reason not to, and I figured that there might be services that require it of which I'm unaware at this moment. This will hopefully ease future migration.


Solution

For a small company, it's not even clear you would set up network users to start with. The costs associated with setting up and running that might be more than it would cost to support a handful of Macs.

Without knowing a few items such as exactly how many accounts, how many Macs, how different the Mac users are (are you setting up a lab with 15 identical machines, or does each belong to a user whose software needs are different from all the rest?). Also, your decisions on how much users should support themselves (or can even support themselves) would go into the decision on how best to manage IT time and dollars to support the users.

There often is no best answer other than starting with something that has a chance of working and then iterating as you learn what is really needed in your specific shop.

That being said, if you make Local Network Users, they can log into client machines and use the services (file sharing, backup, etc.) from the server but not log directly into the server. Local Users get all the benefits of network users and also get a home directory stored on the server and can log in there as well.

I'd start with two resources for planning your deployment:

The former is easier to get started and organized more in terms of functional tasks and the latter is an exhaustive reference and covers about all the mechanics of how the software operates and is configured.

OTHER TIPS

Local Network Users can also log in to the local server, if you bind the server to itself in the Users & Groups preference, under Login Options, Network Account Server.

Officially, the only thing you lose by shutting off Open Directory is the ability to manage devices using Profile Manager and have "roaming" logins with centralized home directories. Unofficially, you also lose the massive administrative headache of Open Directory, which has been (and continues to be) the cause of untold frustration for sysadmins worldwide. I'm in the process of migrating my network users back to local users, because Open Directory is just too easy to break. Quite often, it breaks all by itself.

So, the answer to the original question is: Not unless you absolutely must.

http://help.apple.com/advancedserveradmin/mac/4.0/#/apdD1F7D8CA-CF07-40CE-B2D4-8E3ACF4BCA40

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange