“Could you unlock my account?”
I’ve been going through some old emails as part of some general email tidying and archiving, and I realized that I haven’t gotten a “Could you unlock my account?” email in quite a while. Last year, starting with Mac OS X Server 10.4.7, I stopped setting up local accounts on my Mac servers and started tying them into the same directory service that the PCs and email servers use. Looking over my old emails, I realized just how much work went into my setting up accounts, resetting passwords when people locked themselves out, making sure password rules were followed, figuring out the best way to send someone their password securely, maintaining password change websites on those servers, etc., etc., etc.
Now, it’s much better. Distributing passwords is pretty simple, as I can just tell them “Your login and password for the server are the same ones that you use for your email.” I don’t know what that password is (which is better from a security standpoint anyway), but they should. Even better, when they change their email password, they know to use the same password for the server. (If they don’t, that’s when I’ll get an email and all I have to do then is remind them of that fact.) Also, if someone manages to lock themselves out of my server, they’ve locked themselves out of everything. Email, their PC (if they use one), the intranet, the whole shebang. Which means I’m probably not the one getting the call to unlock them as the call should be shunted to the Accounts folks. Even better, once they’re unlocked, their server access automatically unlocks as well. It especially helps with account maintenance, as once they’ve left, their access on my server goes away too. Nice, neat, and no more “Could you unlock my account?” emails.