Symptom
You cannot do one or more of the following activities as expected:
- Open applications
- Burn discs (CD and DVD)
- Remove items from the Dock
- Use certain System Preferences features
- Change your password
Solution
Features designed to restrict use of a Macintosh computer
There are two circumstances in which it is normal for use of your computer to be restricted. The first circumstance is if an Admin user of your computer has placed restrictions on your non-Admin user account. This is done via the Capabilities feature of the Accounts preference pane. Capabilities can manage your ability to use applications, burn discs, remove items from the Dock, use certain System Preferences features, and change your password. Capabilities is further described in technical document 107180, "
Mac OS X 10.2: How to Manage User Access to Applications, System Preferences, and Disc Burning via 'Capabilities'".
The second circumstance is when your computer has visited, or been used on, a network on which computers are managed by Workgroup Manager, a component of Mac OS X Server. Workgroup Manager can remotely control the same settings on your computer as Capabilities (and more) when you join a managed network as a Guest Computer.
How to determine which affects your computer
First you need to know if you are an Admin user. Open the System Preferences application, and look for the Accounts icon. If the Accounts icon is dimmed (unavailable), you are not an Admin user. If it is not dimmed, click it. Look in the Type column to see if your account type is "Admin".
If you are not an Admin user, stop here and ask an Admin user of the computer if your account has been restricted via the Capabilities feature. If it has been, you may stop here and resolve the issue with the help of your Admin user.
Admin users cannot be managed via Capabilities. If any user who is not managed via Capabilities experiences the symptoms above, the computer may have been used on a network on which Workgroup Manager is active. You would most likely encounter Workgroup Manager in a school, though it could be present anywhere Mac OS X Server is used.
When can Workgroup Manager control your computer?
Workgroup Manager cannot take control of your computer without, figuratively speaking, its permission. Remote management products made by Apple only allow a network administrator to control a computer after specific actions have been taken at that computer to allow such control. In the case of Workgroup Manager, "permission" is given when the computer makes an attempt during startup to connect to a NetInfo and/or LDAP server, which may subsequently manage the computer. In Mac OS X, the default setting is for your computer to attempt to connect to the NetInfo and LDAP servers (if any are present) that are specified via DHCP. This means your computer will allow itself to be managed via this method until you specifically deselect this default setting.
Note: Rest assured that the degree of control Workgroup Manager has over your computer does not allow the network administrator to remotely access or delete files on your computer. Thus falling under inadvertent control of Workgroup Manager does not constitute any risk for your data. This default setting is designed to ease network management for education environments and other large deployments of managed computers. This setting is not likely to inadvertently affect your computer, but its affects are easily undone in the event that it does.
Reversing or preventing inadvertent managed settings
You must be an Admin user of the affected computer to remove the managed settings. Under any circumstance, only an Admin user is authorized to remove managed settings.
To undo the restrictions placed on your computer by Workgroup Manager, see technical document 107172, "
Workgroup Manager: How to Clear Cached Settings".
To prevent Workgroup Manager from managing your computer in the future, deselect the default NetInfo and/or LDAP connection that allows Workgroup Manager to manage use of your computer. See technical document 107279, "
Mac OS X 10.2: How to Disable NetInfo and LDAP Connections at Startup".