Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I recently took over administration of a system with 40 or 50 active users. Because of the nature of the files my users work with, it is important that each user's file/program access rights be tightly controlled (to keep people from peeking where they don't belong), as well as be easily manageable.
Instead of editing each user's permissions/rights individually (which would waste a nice chunk of my time), I was wondering if there was a nice, friendly GUI available that can help me NOT spend all day managing user groups/permissions? I need something that I can open up and configure all my users in just a few minutes. (install through rpm or apt-get, if possible)
In addition, there are a few hard-working, well-meaning users on my system that just do not know how to leave well enough alone. They like to go in and tweak their personal settings (desktop, icons, themes, display settings, etc). That is all well and good, but they don't know what they are doing (not very computer-friendly people) and end up destroying their accounts (i.e. rendering them unusable). Is there something I can do/use to completely lock down ALL their settings so they cannot change *any* of their settings?
(I know how to configure sudoers so they have no access to system settings and the like, but I also need them to be unable to change their personal account settings) Any suggestions here?
If you really want to save time, develop a script to do the work for you. One command, and you're done. No pointy-clicky-ticky-tacky to get in the way. Plus, comments in the script explain how it works, how to use it, and what it does.
But my main problem is this: I don't even know where to begin scripting for this. I have written some handy scripts in the past for bash, but I can't think of where to start on this. I've done maintenance scripts, intelligent file transfers, but I'm clueless here.
Scripting or not, where do I start?
How do I go about stopping users from making changes (other than things like personal documents, etc..)
Well, whatever you would do manually, you can put in a script. The advantage of scripting is the ability of a script to do iteration. If you have a list of users either in a specially crafted file, or in some existing data, then you can loop over all users in the list, performing the same operations on each one.
It sounds like you might also need to make better use of user groups; assigning file & directory group ownership may make your life simpler. You can make users' configuration files read-only, but this may break some tools and/or render truly useful features unusable (file-open histories, as an example). Another defense against mis-configured user data is the ability to restore to a working state from backups. Setting up a daily or even more frequent rsync to another host is one good way to do it. It gives you the ability to do selective restores of only the broken pieces, since it makes a filesystem oriented copy, open to inspection by you or, optionally, the end-users themselves.
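The "make users' configuration files read-only" idea from the reply above, written out as an added example (this is not code from the thread or from any of its posters). It takes the home directory as an argument so the recipe can be tried on a scratch directory before it is run against /home; the list of files in LOCKED_FILES is an assumption made up for the example, and the demo data is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: lock a user's personal
# configuration files against modification and keep the home directory
# private, the two things the original poster asked for.
# Every function takes the home directory as an argument, so the recipe
# can be tried on a scratch directory before touching /home.
# Assumption: the file list below is made up for this example; adjust it
# to whatever your users' desktop environment actually writes to.
LOCKED_FILES=".bashrc .profile .xsession"

# Symbolic permission string of a path, e.g. "-rw-r--r--" (portable,
# unlike stat's format flags, which differ between GNU and BSD).
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Private home (owner full, group read/search, others nothing) plus
# no write bit at all on the listed config files.
# Caveat: a user can chmod their own files back; for the lock to stick,
# the files must be owned by root (chown root, mode 644), which is a
# separate, root-only step not shown here.
lock_user_config() {
    home_dir=$1
    [ -d "$home_dir" ] || { echo "no such home: $home_dir" >&2; return 1; }
    chmod 750 "$home_dir"
    for f in $LOCKED_FILES; do
        path="$home_dir/$f"
        # only protect files the user already has; creating them is policy
        [ -f "$path" ] || continue
        chmod a-w "$path"
    done
    return 0
}

# Undo for one user, for the cases the reply above warns about (a tool
# that must write its config again).
unlock_user_config() {
    home_dir=$1
    for f in $LOCKED_FILES; do
        path="$home_dir/$f"
        [ -f "$path" ] && chmod u+w "$path"
    done
    return 0
}

# Demonstration on a throwaway home (constructed sample data).
demo() {
    scratch=$(mktemp -d)
    mkdir "$scratch/joeUser"
    chmod 755 "$scratch/joeUser"
    printf 'umask 0002\n' > "$scratch/joeUser/.bashrc"
    chmod 644 "$scratch/joeUser/.bashrc"
    lock_user_config "$scratch/joeUser"
    perm_of "$scratch/joeUser/.bashrc"   # -r--r--r--
    perm_of "$scratch/joeUser"           # drwxr-x---
    rm -rf "$scratch"
}
demo
```

Two things worth knowing before relying on this: because the user owns the directory, a root-owned file can still be deleted or replaced by them, so on ext filesystems `chattr +i` (an immutable attribute only root can clear) is the usual way to make a config file truly stick; and, as the reply says, some programs will misbehave when they cannot write their own config, which is what the unlock function is for.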
I don't understand how a GUI would actually help you here. By their very nature they are more restrictive, as you are limited to the clicky and spinny things presented to you. What kinds of things would use up all your day, and how do you see this being easier with a GUI?
You've only one system you say... that sounds pretty simple to me...
This is what many users fail to distinguish, IMHO. A GUI might make things easy to figure out the first two or three times, but is far from efficient when it has to be used repetitively. Short-term gain for long-term pain. In contrast, using scripts may take some up-front effort, but the payoff will be long-term. Moreover, the sooner you undertake the effort, the sooner the payoff starts.
There are other more subtle payoffs, too. Some of them, I've already hinted at, and others as well. Documenting your work for those that follow is fairly tricky when you have to explain how to click here and menu there (add to the problem what happens when the GUI changes across revisions). Explaining how to use a script is as simple as saying 'run thisScript withThisData'. Modifying the script to do things slightly differently to accommodate a special circumstance is something you won't likely be able to do with a GUI. Perhaps most importantly, if you wrote the script, you will have a much better understanding of what it does, and to know what effects (both good & bad) that it might have.
So, I need to write a script that will help me manage my users' rights. Where do I start?
You start by defining "manage". What exactly do you need it to do?
Once you've done that, you start trying the commands that you think will manage one user's permissions. Doubtless, that will involve the use of commands like chown, chgrp, & chmod, as well as any number of standard commands such as cp, cat, more or less (pun intended), ls etc. Try to create a 'recipe' that applies to one user. Once you've done that, see if there is a way to identify the rest of the users that are to be managed from an existing context, and if not, compile a list of user IDs that need to be managed. Turn your recipe into a full-on script by iterating over all users in your list.
A trivial example of the kind of progression I've described:
Code:
#
# The 'recipe' for a single user
#
sed -i 's/umask 0002/umask 0022/' /home/joeUser/.bashrc
chmod o-w /home/joeUser/.bashrc
#
# more, as necessary....
Now make a list of all users,
Code:
: > yourUserList.txt                        # start empty; 'echo ""' would leave a blank first line
for homedir in /home/*; do
    [ -d "$homedir" ] || continue           # skip stray files under /home
    basename "$homedir" >> yourUserList.txt # bare user names, since the loop below builds /home/${user}
done
Modify the recipe, to iterate over all users in the list. Maybe edit the list as appropriate.
Code:
while read -r user; do
    rc="/home/${user}/.bashrc"
    [ -f "$rc" ] || continue                # skip users who have no .bashrc
    sed -i 's/umask 0002/umask 0022/' "$rc"
    chmod o-w "$rc"
    #
    # more, as necessary....
done < yourUserList.txt
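The same progression taken one step further, as an added example that is not code from the thread or its posters: the reply suggests identifying users "from an existing context", so this version builds the list from passwd-format account data instead of globbing /home/*, and it runs the recipe with the checks a one-off command usually skips. The UID range and shell filter are assumptions about what counts as a regular user, HOME_BASE is an assumed prefix that lets the whole loop be exercised on a scratch tree, and the passwd lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: build the user list from
# account data (passwd format) instead of globbing /home/*, then run the
# recipe over it with the checks a one-off command can skip.
# Assumptions made here: "regular users" means UID 1000..59999 with a
# real login shell, and HOME_BASE is an optional prefix so the whole
# loop can be exercised on a scratch tree. The passwd lines in demo()
# are constructed sample data.

# Read passwd(5)-format lines on stdin; print "user homedir" for each
# regular account (system and service accounts are skipped).
list_regular_users() {
    awk -F: '$3 >= 1000 && $3 < 60000 && $7 !~ /(nologin|false)$/ { print $1, $6 }'
}

# The thread's single-user recipe, made safe to repeat: only touch .bashrc
# if it exists, rewrite it in place without changing its owner or mode,
# and report (rather than silently fail) when the home is missing.
apply_recipe() {
    home_dir=$1
    rc="$home_dir/.bashrc"
    [ -d "$home_dir" ] || { echo "skip: no home $home_dir" >&2; return 1; }
    if [ -f "$rc" ]; then
        # write through the original file so ownership and mode survive
        sed 's/umask 0002/umask 0022/' "$rc" > "$rc.tmp" \
            && cat "$rc.tmp" > "$rc" \
            && rm -f "$rc.tmp"
        chmod o-w "$rc"
    fi
    return 0
}

# Apply the recipe to every "user homedir" pair on stdin. Prints the
# number of users actually processed. Homes containing spaces are not
# handled (neither does the original /home/* loop).
apply_to_all() {
    home_base=${1:-}
    count=0
    while read -r user home; do
        apply_recipe "$home_base$home" && count=$((count + 1))
    done
    echo "$count"
}

# Demonstration on a scratch tree (constructed sample data).
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/home/joeUser" "$scratch/home/sam"
    printf 'umask 0002\n' > "$scratch/home/joeUser/.bashrc"
    chmod 666 "$scratch/home/joeUser/.bashrc"
    cat <<'EOF' > "$scratch/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joeUser:x:1001:1001::/home/joeUser:/bin/bash
sam:x:1002:1002::/home/sam:/bin/sh
svc:x:1003:1003::/var/lib/svc:/bin/false
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
EOF
    list_regular_users < "$scratch/passwd" | apply_to_all "$scratch"   # prints 2
    cat "$scratch/home/joeUser/.bashrc"                                # umask 0022
    rm -rf "$scratch"
}
demo
```

On the real system the pipeline is `getent passwd | list_regular_users | apply_to_all`, which also covers accounts that come from NIS or LDAP rather than the local file, something a /home/* glob cannot do. Writing the edited file back through `cat ... > "$rc"` instead of `mv` keeps the inode, owner and mode of the user's original file, so the chmod in the recipe is the only permission change that happens.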