I work for a school division (K-12). While I am most interested in what works well on the Mac, Windows and Linux administrators must face the same issue and have analogous solutions.

Most of our computers in a given lab are roughly identical machines. Thus we have labs of new desktops, labs of old desktops, labs of new laptops (with 802.11n) and labs of old laptops (with 802.11g cards).

I'm looking for recommendations for the types of accounts to use. The Mac (and presumably other systems) supports several types of accounts, which I've detailed below.

My specific questions are:

  • Have I missed anything in my assessments of the different types of accounts?
  • Which sort of accounts would you recommend, for use by largely non-technical students in classes taught by largely non-technical teachers?
  • Would you use the same type of accounts on desktops and laptops?
  • Do you have tips to mitigate some of the problems? (ex. We use local accounts and allow the students to back up to the network? The teachers enforce a seating chart so that students always use the same machine? We can't think of a better way to teach students to back up files than allow them to lose major assignments?)
  • What advice do you offer for a student who uses different computers in different classes? (Possibly a nice new machine in Social Studies and an old laptop in English?)

Update: When describing systems you manage, can you please mention if any users are using laptops (or wireless connections), and if students are working with large files (such as doing audio or visual editing?)

Account Types:

Local Account

  • Pros:

    • Home folder exists on the computer itself; data access could not be faster
    • Unaffected by network issues
  • Cons:

    • Requires access to a specific computer
    • If the unit fails, data is lost
    • Need to create accounts for each user of the computer

Network Account

  • Pros:

    • Data is stored on a server, where it can be properly backed up
    • If an end-user computer fails, the data is safe
    • Accounts are stored in a directory system; you don't really care where a student logs in
    • No time is spent syncing
  • Cons:

    • File access speed is dependent upon network conditions
    • Some applications behave poorly or are really slow
    • Really should not be used wirelessly
    • Back-end services need to be working reliably:
      • AFP/NFS/SMB file share must be up and working
      • Directory service needs to be working for users to log in

Mobile Accounts

These try to be the best of both worlds. There are two extremes: one where you sync all the data, and one where no data is synced.

  • Mobile Accounts, No Syncing

    • Pros:

      • Users can log into a range of machines, and a home folder is created for them
      • Data access is fast; it is right on the hard drive
      • File servers aren't needed to support it
    • Cons:

      • Initial log-in requires a working network and directory service
      • The user needs to use the same computer each time, or they will be unable to access their files
      • Home folders accumulate over time and aren't cleared out.
  • Mobile Accounts, Full Syncing

    • Pros:

      • Users can log into a range of machines, and their home folder is copied off of a file sharing server to the local hard drive (and changes are kept in sync).
      • Access is fast; the files are on the hard drive
      • Files also live on the server. If a client computer fails, the user can access their files on a different machine.
      • This is the ideal setup for a one-to-one laptop deployment.
    • Cons:

      • Syncing conflicts really confuse non-technical users. They don't know how to answer when they are told, "File X differs. Do you want to use the local version or the network version?"
      • Syncing a home-folder with lots of data is really slow. So much so that it is best for the user to always use the same computer.
      • Home folders accumulate over time and aren't cleared out.
      • Syncing requires back-end services to be functioning properly
      • Users need to spend time syncing before and after logging in (and syncing continues in the background as they work)
      • Especially if students are doing multimedia work, your file server can fill up really quickly. [I gather that quotas have not worked here well in the past.]
  • Mobile Accounts, Partial Syncing

    • Pros:

      • Less space on the file server is required when you don't sync certain files or folders (like movies, music, and photos)
      • Less strain is put on the network
    • Cons:

      • Certain files will only exist on one machine, and live and die with that machine.
      • If students expect to use various machines, you really need to make it clear which files will not be synced.
      • All problems given in the full syncing, except that the "syncing is really slow" issue is reduced.

Update -- a couple of variations occurred to me, and I later saw that they are suggested in Apple's User Management v10.5 document, on p. 142 ("Using Mac OS X Portable Computers with Multiple Users").

Local Accounts, Single Login


  • Pros:

    • Don't have to worry about forgotten passwords!
    • Access is fast and doesn't depend on network conditions
    • The user account can be created in the master image
  • Cons:

    • It is a free-for-all. You can't expect your work to be there the next time you log in (or worse, it may be modified!)
    • If it seems that your file is there most of the time, then something important will be lost when you need it

Guest Accounts


  • Pros:

    • You log into a newly created, clean account every time
  • Cons:

    • All files are lost on log-off
    • Work has to be saved externally
    • Multimedia usage becomes very difficult

Clinton Blackmore
  • http://managingosx.wordpress.com/2009/01/13/network-and-portable-home-slides/ talks about setting up network and mobile accounts, particularly what you might not want to sync with a mobile account. – Clinton Blackmore Jun 16 '09 at 19:56

6 Answers


We're higher-ed, so not quite the same environment. On the other hand, we have on the order of 21,000 students to educate, so we're the size of some smaller K-12 school districts. And this is what works for us.

Each student has their own directory service login (three directories, actually. Active Directory, Novell eDirectory, and NIS+). Lab and classroom workstations vary widely but are 95% Windows machines. We leverage the Novell login-script to create drive mappings. Each user has a home directory, and many classes have a class directory for shared files (at least, those not already using Blackboard). Each model of machine has a consistent software environment installed on it, which takes some time for our desktop folk to cook up when we need to make changes.

Since workstations are effectively disposable, students either use their home directory or (much more often these days) a USB thumb-drive, not the local workstation to store data.

As we move to an AD-based login script, we'll be doing much the same thing. We have the advantage of a fast, reliable wired network in all buildings that these workstations can use. The login scripts only require access to the directory servers and typically run very fast (so long as all the servers being mapped to are up and talking). We've found that dedicated student accounts make single-sign-on a lot easier to put together, especially when developing web-based services such as a student portal. We've even managed to SSO Blackboard.

I am a big fan of network accounts and network storage for all users. I work in higher-ed and we can trust that people can remember their passwords. Which may be a bigger issue with younger users but probably not. Network storage is limited by your network speed but for the sizes of files and the types of documents most students are working on that's not a huge limiting factor. If it is you should be looking at what's wrong with your network and working on fixing the infrastructure problem there.

If you use centralized logon with script mounted home directories your students' data will all be in one place all the time. Also it's what most higher ed organizations are doing for student data so it gives them good practice for what to expect when they get beyond your doors.

Laura Thomas

In our Mac-centric lab setting (university), here's what works:

NIS for user authentication. Linux server, DES hashes and Full Name in the Unix password file gives us compatibility from 10.2 to 10.5. Setup varies based on OSX version.

NFS for home directories. Linux server, NFSv3/NFSv4. 10.5 is very sensitive to NFS lockd working properly but otherwise solid. 10.4 cannot recover lost network shares... A timeout means a hard reboot (or remote SSH login, and a sudo command to kill a daemon and a soft reboot.) 10.3 works pretty well. For 10.5 we use automount for share management, a shell script in /Library/StartupItems on older versions.

Laptops are a crap shoot. They don't make good "lab" computers. 802.11g is sucky for NFS/NIS and with 10.4 network reliability (and no timeouts > 2-3 seconds) is a must for anything resembling "reliable" operation. 802.11n probably solves the bandwidth/performance concerns but I wouldn't try with anything less than 10.5.

In our cases, laptops have a single local user (the owner) and we only support NFS over wired network (and their assigned static IPs). Users use a pair of shell scripts to bring the NFS shares up and down as needed.

EDIT: I should add that this is for research labs with Master/Ph.D. students and so our data per user is on the order of 250GB+. The user count however is quite low. About 25 macs and as many Linux workstations and maybe a dozen servers and a total of 12-15TB of disks? About 50 daily active users.
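
The answer above keeps DES hashes in the NIS password file for compatibility with older clients. As an added example (not part of the original answer), this Python sketch classifies the hash scheme of each entry in a passwd-format file so that legacy DES entries, which only use the first eight characters of a password, and empty password fields can be inventoried. The sample lines and their hash strings are constructed.

```python
import re

# Constructed sample in passwd(5) layout; the hash fields are made-up strings
# of the right shape, not real credentials.
SAMPLE_PASSWD = """\
alice:abJnggxhB/yWI:1001:100:Alice Example:/home/alice:/bin/bash
bob:$1$constructed$CONSTRUCTEDHASH:1002:100:Bob Example:/home/bob:/bin/bash
carol:$6$constructed$CONSTRUCTEDHASH:1003:100:Carol Example:/home/carol:/bin/bash
dave:x:1004:100:Dave Example:/home/dave:/bin/bash
frank:_J9..CONSabcdefghijk:1006:100:Frank Example:/home/frank:/bin/bash
guest::1007:100:Guest Example:/home/guest:/bin/bash
+::0:0:::
"""

B64 = r"[./0-9A-Za-z]"
DES_RE = re.compile(B64 + r"{13}")          # traditional crypt(3): 2 salt + 11 hash chars
BSDI_RE = re.compile(r"_" + B64 + r"{19}")  # BSDi extended DES
MODULAR = {"$1$": "md5-crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256-crypt", "$6$": "sha512-crypt", "$y$": "yescrypt"}
FLAGGED = {"des-crypt", "bsdi-des", "empty"}  # what this audit reports

def classify_hash(field):
    """Name the scheme of one passwd hash field from its shape alone."""
    if field in ("", "x"):
        return "empty" if field == "" else "shadowed"
    if field[0] in "*!":
        return "locked"
    if DES_RE.fullmatch(field):
        return "des-crypt"
    if BSDI_RE.fullmatch(field):
        return "bsdi-des"
    for prefix, name in MODULAR.items():
        if field.startswith(prefix):
            return name
    return "unknown"

def audit_passwd(text):
    """Map each account name to its hash scheme, skipping NIS +/- compat lines."""
    report = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or fields[0][:1] in ("#", "+", "-"):
            continue
        report[fields[0]] = classify_hash(fields[1])
    return report

def flagged_accounts(text):
    """Sorted account names whose password field is legacy DES or empty."""
    return sorted(u for u, s in audit_passwd(text).items() if s in FLAGGED)
```

Run `flagged_accounts()` over a copy of the password file to get the list of accounts to migrate once the oldest clients are retired.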


I would recommend a Mac server and using the Apple Directory Service to manage the users:


It's an LDAP backend and similar to Active Directory in some ways. Since you're a Mac house, it is probably your best bet, although you /can/ authenticate Macs against Active Directory (and other LDAP based models) if you really want to.

Matt Simmons
  • We are definitely using Apple's Open Directory as our directory service. – Clinton Blackmore Jun 04 '09 at 17:19
  • Why not go with Network Accounts, then? And why shouldn't they be used wirelessly? – Matt Simmons Jun 04 '09 at 19:37
  • I can't find where I read that it is officially unsupported by Apple. http://discussions.apple.com/thread.jspa?threadID=1536359 goes over some reasons; basically, with 30 laptops in a room that have their own wireless access point, the bandwidth per user will go through the floor. We used it for some time, and it kind of worked, but performance is poor. – Clinton Blackmore Jun 04 '09 at 20:20
  • We haven't had any trouble with network accounts on the desktops, although things ought to be zippier using local or mobile/synced accounts. – Clinton Blackmore Jun 04 '09 at 20:34

If you're able to use Linux, you may be interested in LTSP (Linux Terminal Service Project).

Essentially, you'd need a fairly robust central server (and redundancy, as if this thing is gone, you're basically toast), and a decently managed network. Everything would be stored on this machine. I'd have to check, but I don't believe any kind of syncing is required (everything is done on the fly) so having at LEAST 100mbit is going to be required, however as was previously mentioned, students shouldn't be saving something that large anyways.

The great thing about this method is that all preferences and programs are "mobile" and can easily be used on one computer as well as the next.

Tedd Johnson
  • I was stoked about using some of our really old and now decommissioned machines as edubuntu thin-client labs, but the idea met with lots of resistance and I've given up on it. – Clinton Blackmore Jun 04 '09 at 20:22
  • Yes, it's a shame the kind of resistance to open source software. I've given up on trying to convince people, and just done it, and left people guessing as to "what this cool new program thingy is" – Tedd Johnson Jun 04 '09 at 20:27
  • Despite being in an organization dedicated to preparing tomorrow's generation, much of the resistance is simply resistance to change. My co-workers know Mac administration, and many of our staff members are digital immigrants and are uncomfortable with computers -- even the Mac. Beyond that, people here are seemingly sold on the idea of not teaching movie editing, but of teaching iMovie, on not teaching word processing, but of teaching Word. A wider exposure might better prepare those who will solve tomorrow's problems with tomorrow's tools. – Clinton Blackmore Jun 04 '09 at 20:53
  • As a recent student at a high school of over 2000 students, I'm one of the very few who ever used Linux, thanks entirely to my own choices outside of academia. Certainly I'm the only one of my peers who ended up in sysadministration (many went into computer science majors, but never learned systems, going instead straight for programming). Our education system is not doing a good job of "preparing for the future" when it comes to technology, which is a terrible shame. I hope you, as an education IT person, will voice your complaint loud and proud. – Tedd Johnson Jun 04 '09 at 21:10

Here is my current line of thinking for laptop labs which are used by multiple students throughout the day. It comes down to using mobile accounts without syncing.

In each class, we tell the teacher to assign a particular computer to a particular student. [If the same student is in a different class that uses computers, they will almost certainly use a different computer, and that is okay, as in Science they won't need to access Social Studies assignments.] The login screen shows users who have logged into a given unit before; and an "other" option with a username and password entry field for those who have not logged into it before. After the initial login, the student should see their name on the login screen. If they do not, they have the wrong computer (and, although they can log in, none of their files will be there.)

There is no syncing involved. The account will act like a local account, except that any user with an entry in the Open Directory can log into the machine and create an account. We will provide easy access to network storage so students can back up their files (and we will assume that most students, especially elementary students, will not make use of this option).

Additionally, I think it would be worthwhile to put the home folders (/Users) on a different partition. That way, if there is a logical hard drive error or the OS is otherwise broken, there is a chance that the user's files will be okay and we can simply re-image the system partition.

This same option could work for one-to-one laptop deployments and desktops, and we could do it for consistency, but I'm not convinced it is optimal in those cases.

Addendum: Next year, we are planning on running OS X 10.4 on our older computers, and 10.5 on the newer ones. We've been concerned that a given user might use both and create files with newer software that can't be read with the older software (or worse, have their iPhoto or iMovie database upgraded for them, rendering the older software unusable with their data). With this no-syncing, use-a-different-computer in different classes setup, the problem is neatly avoided.

The problem in its stead is that users may have bits and pieces of their work on different machines. I'm hoping that if we explain things to them, they'll catch on quickly enough and not do this.

Clinton Blackmore
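
With mobile accounts and no syncing, the question notes that home folders accumulate on each machine and are never cleared out, which leaves old student files sitting on shared laptops. As an added example (not part of the original posts), this Python sketch reports home folders that have not been modified for a given number of days; the skip list, the 180-day threshold and the use of modification time as the measure of idleness are assumptions.

```python
import os
import time

# Folders under /Users that are not per-student homes (assumed list).
SKIP = {"Shared", "Guest"}
DAY = 86400


def newest_mtime(path):
    """Latest modification time of the folder or anything inside it."""
    newest = os.lstat(path).st_mtime
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            try:
                st = os.lstat(os.path.join(root, name))
            except OSError:
                continue  # vanished or unreadable entry: ignore it
            newest = max(newest, st.st_mtime)
    return newest


def stale_homes(users_dir, max_idle_days, now=None):
    """Return [(account, idle_days)] for homes untouched for max_idle_days.

    Report only: nothing is deleted, so an admin can archive or remove
    the listed folders after checking them.
    """
    now = time.time() if now is None else now
    stale = []
    for entry in sorted(os.listdir(users_dir)):
        home = os.path.join(users_dir, entry)
        if entry in SKIP or entry.startswith("."):
            continue
        if os.path.islink(home) or not os.path.isdir(home):
            continue
        idle_days = int((now - newest_mtime(home)) // DAY)
        if idle_days >= max_idle_days:
            stale.append((entry, idle_days))
    return stale


if __name__ == "__main__":
    # Assumed threshold: roughly one semester without any change.
    for account, days in stale_homes("/Users", 180):
        print(f"{account}\tidle {days} days")
```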
