Production Expert


Studio Security In Educational Institutions - Part 4

Anyone who has ever used a shared computer in an institution will have experienced the restrictions placed on user accounts and some of the techniques used to manage data and to make sure the computers are used appropriately. A typical PC in a computer lab will be very different from a typical private studio machine and in my experience studio machines in educational environments tend to fall somewhere between the unrestricted access of a private machine and a locked down institutional computer.

Local Vs Network Accounts

The first decision facing anyone setting up a computer in a shared studio is whether to have all users log in with an account which is local to the machine or whether to use network accounts. It is almost a certainty that users will have networked accounts for use in other areas, and in labs they can be useful. In studios my experience is that, as well as using Macs, most people use a local account. The reason is usually that the principal advantage of networked accounts for the user (there are a slew of reasons why the IT department might favour them) is that the user’s data is stored on the network, so they can use any machine and have their data follow them.

While this works very well for students with a small “data payload” (Word documents etc.), the issues around networked data storage, and the bandwidth required to access it for time-critical applications such as audio or video, mean that in many institutions a single, local account is appropriate. Actually this is a big subject. I’ve heard of many educational institutions which have tried to implement “live” networked accounts, and while in principle they offer significant advantages, everyone I have come across who has tried to implement them in audio has had a difficult time with Mac applications objecting to having their plists stored on a network.

There is a compromise approach which works on a per-user basis. A user logging in with a networked account has their permission to use the machine verified against Active Directory, just as with a standard network account. However, setting up the Active Directory binding (over SMB) to “force local” gives a hybrid type of account, meaning that on that machine, that user’s network account will operate locally (on macOS this is the Directory Utility option to force the home directory onto the startup disk, which creates what Apple calls a mobile account). Access to the account’s networked storage can be provided, and usually is, by a link to a network share holding that user’s network storage, but each user logging on to that machine will have a local home folder created. This approach can be seen as the best of both worlds, as it is robust and offers access control like networked accounts but the performance of local storage. It can also be seen as offering the worst of both worlds, as users can end up confused about whether their account is local or networked. This is understandable, as it is both!

Lockdown Vs Freedom

In the scenario of a shared studio computer using a local account, the potential for chaotic file “management” (or lack thereof) is huge. My personal favourite location to find inappropriately saved Pro Tools projects is the IO Settings folder, but the Desktop and a too-slow USB drive are still the most popular…

It is inevitable on a shared computer that a proportion of the users will ignore guidelines or best practice when it comes to file management, and I have tried various methods to steer lazy users towards storing their files in the right place. Removing the path of least resistance is often all that is needed. Examples include removing locations like Desktop and Documents from the sidebar in Finder, and discouraging people from using the root of drives by removing the drives from the Desktop and replacing them with aliases to the folders you want people to save their work into. Both of these can help dramatically.

Read/Write Permissions

A more draconian alternative is to lock down locations by editing read/write permissions. By setting the permissions of a folder to Read Only for the user account it is straightforward to limit use of specific locations, though in my experience this can be frustrating if overused. Something which particularly irritates me is people leaving files on the Desktops of studio machines and, like many people, I have created desktop images with passive-aggressive messages to users about not leaving their stuff on the desktop. Easy to do but ultimately futile. Locking down the desktop is too heavy-handed, but some years ago I remember trialling a script which deleted files on the desktop on startup. We had to abandon this as every time the computer had a serious crash students would lose anything they were temporarily storing on the desktop!
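The three tactics above (steering users with aliases and hidden drive icons, making a folder read-only, and sweeping the Desktop at startup) can be combined in one login-time housekeeping script. The following is an added example and not the article’s script; it addresses the failure mode the article ran into by moving Desktop contents into a dated archive and pruning old archives, rather than deleting anything outright. The project and archive locations are assumptions, a symlink stands in for a Finder alias, and the four `com.apple.finder` keys are the real preferences that hide volume icons on the macOS Desktop.

```shell
#!/bin/sh
# Added example (not from the article): login-time housekeeping for a shared
# local studio account. Paths below are assumptions; override via environment.
PROJECTS_DIR="${PROJECTS_DIR:-/Volumes/Audio/Projects}"      # assumed
ARCHIVE_DIR="${ARCHIVE_DIR:-/Users/Shared/DesktopArchive}"   # assumed
KEEP_DAYS="${KEEP_DAYS:-30}"   # how long swept Desktop files are retained

# 1. Steer: hide drive icons from the Desktop (macOS only; skipped elsewhere)
#    and put a link to the approved projects folder where the drives were.
#    $1 = Desktop path, $2 = projects folder.
steer_to_projects() {
    desktop="$1"; projects="$2"
    if command -v defaults >/dev/null 2>&1; then
        for key in ShowHardDrivesOnDesktop ShowExternalHardDrivesOnDesktop \
                   ShowRemovableMediaOnDesktop ShowMountedServersOnDesktop; do
            defaults write com.apple.finder "$key" -bool false
        done
    fi
    # A symlink stands in for a Finder alias: same effect for the user.
    ln -sfn "$projects" "$desktop/Projects"
}

# 2. Lock down: remove the owner's write bit on a directory so nothing new
#    can be saved into it, while existing contents stay readable.
lock_folder() {
    chmod u-w "$1"
}

# 3. Sweep: move everything left on the Desktop into ARCHIVE/<timestamp>/
#    instead of deleting it, then prune archives older than KEEP_DAYS.
#    $1 = Desktop path, $2 = archive root, $3 = days to keep.
#    Prints the number of items moved.
sweep_desktop() {
    desktop="$1"; archive="$2"; keep_days="$3"
    dest="$archive/$(date +%Y-%m-%d_%H%M%S)"
    moved=0
    for item in "$desktop"/* "$desktop"/.[!.]*; do
        if [ ! -e "$item" ] && [ ! -L "$item" ]; then continue; fi  # unmatched glob
        if [ -L "$item" ]; then continue; fi        # keep our Projects link
        case "$(basename "$item")" in
            .DS_Store|.localized) continue ;;       # Finder metadata
        esac
        mkdir -p "$dest"
        mv "$item" "$dest/"
        moved=$((moved + 1))
    done
    # Old archives are the only thing this script ever deletes.
    find "$archive" -mindepth 1 -maxdepth 1 -type d -mtime +"$keep_days" \
        -exec rm -rf {} +
    echo "$moved"
}

# Run the whole routine for the current user when invoked with --run
# (e.g. from a login hook or a LaunchAgent); otherwise only define functions.
if [ "${1:-}" = "--run" ]; then
    mkdir -p "$ARCHIVE_DIR"
    steer_to_projects "$HOME/Desktop" "$PROJECTS_DIR"
    sweep_desktop "$HOME/Desktop" "$ARCHIVE_DIR" "$KEEP_DAYS"
fi
```

Because the sweep runs at login rather than at boot, a crash mid-session leaves the Desktop untouched, and even after a sweep a student can recover their file from the dated archive folder for the retention period; `lock_folder` is kept separate so it can be applied selectively to the locations that keep attracting stray sessions.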

Deep Freeze

A last approach, which is the ultimate version of the desktop-deleting script, is Faronics’ Deep Freeze. Locking down computers always has an effect on their usability, and Deep Freeze takes an alternative approach. It freezes a snapshot of a computer in its desired state and after each reboot it returns to this pristine state, removing all changes made since the last reboot. This gives the user full access to make any changes they like, as those changes will be reset on reboot. I’m not sure I’d be interested in using this approach in a studio, but it is ideal for loaned laptops. Just be sure to remember the PSU for the laptop, as if the battery gives out your work is gone.
