OS X Mavericks Server - Adding Groups

Along with adding users to your OS X Mavericks Server’s Open Directory you can also add groups to contain specific users to specific groups. For example, your sales team might have their own group called sales that provides them specific file sharepoints, jabber group and even add a special group mailing list for all users in that group. The group also allows you to specify different ACLs for each group.


  • Workgroup Manager
  • Command Line Goodness

First, I recommend following my guide adding users to add users to your Open Directory domain because groups are pretty useless without users! Anyway, onwards and upwards.

Server: No Groups Yet.
Server: No Groups Yet.

Okay, jump over to the Server app and load up the Groups section. If this is a base installation with Open Directory, you should only see one group in the Local Network Groups and it’s called Workgroup. By default, any user you add to the Open Directory domain will be added to this group. Given that I’m still rolling with characters from The Office, I’ll add some groups that relate to the users we added earlier. Click the plus in the bottom-left corner to add a new group.

Groups: Adding the Accounting Group.
Groups: Adding the Accounting Group.

First off, I’m going to make a group called Accounting. For the Full Name, enter Accounting and the Group Name will be accounting. Once you’ve entered those details, go ahead and click the Create button to add the group. Initially when you add the group there’s hardly any configuration aside from the name. Believe me, there’s more configuration to be done once you’ve added the group!

You’ll now be taken back to the list of groups, but now the group you just added will be in that list. Hooray! But we can’t celebrate yet because our group has no one in it! Let’s change that. Double click on your group to modify the settings and add/remove users.

Groups: Edit the Accounting Group
Groups: Edit the Accounting Group

Alrighty then, we can now modify some settings. First thing you’ll notice is that you can rename the “nice” name of the group, but you can’t change the shortname. Basically, if you didn’t name your group correctly the first time and you want to change its name, just delete the damn thing and create a new one. This may be more tedious if you’ve been using the group for a while, so make sure you do it right the first time. Next thing is giving the group a special shared folder on the Server, which is located at /Groups/<groupshortname> on the server. Enable this if you want that folder to be enabled, otherwise if you have your own folder structure you’re following, you can just add this group to the folder’s ACL.

Next is making the group members all buddies in Messages (or jabber). Enable it if you want the members to automatically be friends if they have the Messages app set up. If you’re not using the inbuilt Messages server, this option won’t need to be enabled. For the curious, if you enter the following command into Terminal, you’ll be shown all the groups and their Messages autobuddy status.

sudo serveradmin settings accounts

For example, if I were to enable or disable autobuddy via Terminal for the group accounting, I would enter the commands below:

sudo serveradmin settings accounts:GroupServices:EnableAutoBuddy:accounting = no # Disble autobuddy
sudo serveradmin settings accounts:GroupServices:EnableAutoBuddy:accounting = yes # Enable autobuddy

The next easy option is setting up a mailing list which, when email is sent to that address, will be sent to all the members of the group. This email address is the group’s short name. For example, accounting@pretendco.com or sales@pretendco.com. By default, only members of the group can send emails to that mailing list, otherwise, enable the “Allow mail from non-group members” to enable emails from anyone (yes, it’s literally everyone - not just people in the Open Directory domain).

Groups: Adding Users and Groups to Accounting.
Groups: Adding Users and Groups to Accounting.

It’s now time to add members to the group! Not only can you add users to a group, but you can also add groups to other groups! There’s a very cool hierarchy that you can configure with users and groups, but don’t over-complicate it otherwise your ACL precedence and inheritance are going to be very, very confusing. When you click the plus you can either start typing in a user name or group name (and it will auto suggest then click on the user to add it), otherwise, start typing browse then select Browse to bring up a list of all applicable users and groups that can be added to the group.

The Users and Groups Browse List.
The Users and Groups Browse List.

As per usual, you can add keywords and notes for the group. Once you’re done editing the group, click OK to save your changes.

Workgroup Manager

As with every other OS X Server release there has been a program called Workgroup Manager (internally I’ve heard the nickname Workgroup Mangler) which shows you all the users, groups, machines and machine groups for Open Directory domains. First off, Workgroup Manager isn’t distributed with Server so we need to download it seperately off Apple’s website so click here to download. Once you’ve downloaded and installed Workgroup Manager, open it up and connect to your server! Go to Server then click Connect…

Workgroup Manager: Connect to Server.
Workgroup Manager: Connect to Server.

Enter details for your local server to connect. For example, the address will be the FQDN (remember what that stands for?) so my server will be mavericks.pretendco.com. If you want to make any edits you’ll need to be logged in as the Master Directory Administrator (or any other user you’ve given Server administration rights to). If you’re just connecting to browse the Open Directory domain, log in as any admin user (for example, my Server Administrator login for the Server machine gives me read-only access to the Open Directory domain). Next, enter the applicable password. Hit Connect to… you know… connect.

Workgroup Manager: Connect to mavericks.pretendco.com
Workgroup Manager: Connect to mavericks.pretendco.com

If all goes well and you’ve entered the correct details you should now be shown a list of all the users in your Open Directory domain! Hooray!

Workgroup Manager: The User List.
Workgroup Manager: The User List.

You’ll notice that in the list of users, any user that has a pencil in their icon means that they have administration rights for the Open Directory domain you’ve connected to. Anyway, just above the list of users are four icons, the second one from the left is Groups - click it.

Workgroup Manager: The Group List.
Workgroup Manager: The Group List.

Excellent, we can now see all the groups in the Open Directory domain. Clicking on any group will show you the basic settings for the group, you can also change memberships for the group and even the Group Folder. Have a look around in Workgroup Manager, but make sure you know what changes you’re making, you could permanently damage a user or group by making the wrong change (word of advice, don’t change short names or IDs).

Command Line Goodness

Accessible via Terminal is the very powerful command dseditgroup which as you might guess, allow you to edit directory service groups. The name of the command however is a bit of a misnomer given that you can do more than just edit the group. I personally think the command should be called dsgroup but that’s just me. Anyway, now onto the usefulness of this command. Given that we’ve been playing with the group accounting, let’s use this command to show us details about the group!

dseditgroup -o list accounting

Essentially what we’re doing here is using the -o flag (otherwise known as operation), we specify that we’re requesting a list of the accounting group. Here’s the output of dseditgroup for the group accounting on my system:

dsAttrTypeStandard:GroupMembership -
dsAttrTypeStandard:Member -
dsAttrTypeStandard:GeneratedUID -
dsAttrTypeStandard:OwnerGUID -
dsAttrTypeStandard:AppleMetaRecordName -
dsAttrTypeStandard:AppleMetaNodeLocation -
dsAttrTypeStandard:RecordType -
dsAttrTypeStandard:GroupMembers -
dsAttrTypeStandard:PrimaryGroupID -
dsAttrTypeStandard:RealName -
dsAttrTypeStandard:RecordName -

Another useful command if you just want to check to see if a particular user is a member of a particular group, you can enter the following:

dseditgroup -o checkmember -m <usershortname> <groupshortname>

For example, if I want to check to see if Oscar Martinez is a member of Accounting, I can enter this:

dseditgroup -o checkmember -m omartinez accounting

You should get the response below:

yes omartinez is a member of accounting

Or if if the user isn’t a member of the group, you’ll get the following response:

no jhalpert is NOT a member of accounting

Finally, another way of looking up groups via the command line is by using dscl, or the Directory Service command line utility. To get a list of all the groups in the local Open Directory domain, you would use the command below:

dscl /LDAPv3/ -list /Groups

This give you the shortname of each group:


If you prefer to get a little bit more information, you can also request a specific value like GeneratedUID, RealName, AppleMetaRecordName or Member. If I wanted to get a list of the shortnames of members for each group I could enter something like below:

dscl /LDAPv3/ -list /Groups Member

Which will in turn show me all the groups and their members (as requested):

accounting      aschrute kmalone omartinez
admin           masterdiradmin mscott
administration  omartinez cbratton mpalmer kmalone dphilbin ehannon aschrute tflenderson kkapoor
management      mscott phalpert
sales           abernard jhalpert dschrute shudson phalpert rhoward plapinvance
staff           root
workgroup       jhalpert mscott phalpert dschrute rhoward abernard aschrute kkapoor omartinez dphilbin ehannon tflenderson kmalone plapinvance shudson mpalmer cbratton ictadmin