Setting A Default Paper Size

printerThis post is in response to a reader request.

In Mac OS X, the default paper size is a setting that determines the size of paper that applications will try to print to unless the user chooses otherwise. For most systems and applications this defaults to US Letter.  In order to provide a positive user experience, especially for end users outside of the United States, it may be desirable to set a different default paper size.

The file that contains this preference is:
~/Library/Preferences/com.apple.print.PrintingPrefs.plist

This makes the preference domain: com.apple.print.PrintingPrefs

The Key that governs the preference is called : DefaultPaperID

DefaultPaperID contains a string value that corresponds to a paper size. See the chart below:

Paper Size String
US Legal na-legal
US Letter na-letter
A4 iso-a4
A5 iso-a5
JIS B5 jis-b5
B5 iso-b5
Envelope #10 na-number-10-envelope
Envelope DL iso-designated-long-envelope
Tabloid tabloid
A3 iso-a3
Tabloid Oversize arch-b
ROC 16K roc16k
Envelope Choukei 3 cho-3-envelope
Super B/A3 arch-b-extra

To set this preference with a script use the command below, replacing with the correct string for the intended paper size.

For a single user, run as the user:
defaults write ~/Library/Preferences/com.apple.print.PrintingPrefs DefaultPaperID

For all users, run as root:
defaults write /Library/Preferences/com.apple.print.PrintingPrefs DefaultPaperID

This process has been tested on Mac OS X v10.6 (Snow Leopard), v10.7 (Lion) and v10.8 (Mountain Lion).

I hope you find this useful.

Lock It Down

securityIn the previous article, we discussed the consumerized model of IT.  Now let’s have a look at a locked down model, and some guidelines that will help maintain sanity both for the IT group and the user community at large.

Why Lock Down?

After considering the consumerized model, one might think that it sounds so progressive & cost effective that no one should bother locking down computers any more.  Well, no solution is one-size-fits-all.  If there is an existing user community accustomed to a certain level of support and management, or if there are legal requirements to satisfy, we can’t simply board up the help desk and redirect the support line to the nearest Genius Bar.

By far, I see legal requirements as the most common and important reason to maintain a locked-down environment.  Legislation such as SOX & HIPAA, and standards such as PCI all place limits on how certain computer systems are allowed to operate.

In some organizations, it may be important to remove distractions and potential wrong turns in workflows.  There are still plenty of computer illiterate people in the workforce.  If these folks dominate an organization, it may be wise to limit the damage they can do through a series of electronically-enforced policies and restrictions.

No Admins

When implementing a locked-down model, I believe in one cardinal rule: In a locked-down environment no user outside the IT team should have administrative privileges.

If  this rule is broken, the environment is no longer locked down.  Administrative privileges are the keys to the proverbial kingdom.  A user with administrative privileges can change or remove any or all enforced settings, add or remove software as they see fit, and disable reporting to any inventory or compliance systems.  In short, IT cannot maintain any sort of Support Level Agreements or ensure compliance if the users have administrative privileges.

Even within the IT team, administrative privileges should be used only when necessary, meaning that IT staffers should be using non-admin accounts to do their routine work but have the means to elevate their access when needed and within carefully considered limits to balance security, accountability and efficiency.  An IT team that operates with administrative rights will usually have no idea of the issues faced by the typical non-admin user.  In addition, IT staffers are people too, and as such are prone to mistakes and bad judgement just like the rest of us.  Detailed and strict processes help to mitigate human error.

IT departments often face political pressure or directives from superiors to make exceptions to a “no-admins” policy.  If you find yourself in this position, I recommend preparing a cost-benefit analysis for your superior(s).  This report should include things like  data loss, lost productivity, support costs, and the costs of lost opportunities.  I have always felt that it is part of the job of an IT staff to let management and the business know when they’re trying to do something detrimental.  It is more desirable and generally less costly to prevent problems than fix them after the fact.  When an employer asks for something dumb, it’s a good idea to tell them it’s dumb and why it’s dumb in a quantifiable (and tactful) fashion.  If they still insist on the dumb thing, they can’t blame you for not doing your due diligence and informing them of the pitfalls.

When Not To Lock Down: Social Issues

Technology is often called upon to solve social issues.  I see this as a waste of time and resources as well as an unnecessary restriction of user capabilities.  Rather than limit everyone for fear that someone may misbehave, I feel it is much more productive to only punish the miscreant if misbehavior occurs.  There are many reasons to lock down computers and their functions, but in this sysadmin’s opinion, solving social issues should never be one of them.

Another Mac sysadmin once said “you can’t teach a backpack not to carry a Playboy” in response to a request to ensure that “naughty pictures” couldn’t appear on a school’s computers.  If little Bobby is caught with a Playboy in his backpack, it is confiscated, he’s sent to the principal’s office and Bobby is given the prescribed punishment, all because Bobby has misbehaved.  If however, Bobby accesses similar material in a computer lab, the IT staff ends up taking much of the blame because it happened on a computer, even though it’s still Bobby that misbehaved.  Misbehavior is still misbehavior whether it involves a computer or not.  If little Bobby is looking at naughty pictures in school, that is a disciplinary issue to dealt with accordingly.  Similarly, if Sally in accounting is playing solitaire all day and not doing her work, then Sally’s boss needs to have a chat with her and/or start looking for a new Sally. Technology is a moving target and users, especially children, are very resourceful and have nothing but time on their hands.  An IT staff that tries to manage social issues with technology will find themselves fighting a battle that is impossible to win.

Only Lock What Is Necessary

Heavy handed restrictions are the most likely to be circumvented.  I have been to offices where end users have very expensive company-supplied computers on their desks but never use them because they find the draconian restrictions imposed by an overzealous IT staff make the systems unusable.  These employees end up bringing their own laptops to work, thus creating a de-facto Bring-Your-Own model that the IT group has absolutely no control over, and often no knowledge of.

Each restriction that is not legally or contractually mandated should be carefully examined to determine if it is actually necessary.  What risks are being mitigated, and what are the potential impacts on user productivity?  Does the potential risk outweigh lost productivity and/or user dissatisfaction?  Unless the answer to that last question is yes, the restriction shouldn’t be implemented.

I hope these ideas will help make your restrictions more sensible and useful.

Consumerized IT or Bring Your Own

openLock

On any given day, I’m likely to have some form of conversation that includes a discussion of why no one should have administrative privileges, or why everyone should have them and IT shouldn’t care.  To paraphrase Mr. Kenobi, both arguments are correct, from a certain point of view.

The core of the issue comes down to determining what is most important to an organization.  Some organizations need extreme control and security.  In these organizations, having computers and devices locked down and only capable of performing approved tasks is required, often by law.  Many other organizations may not be bound by these laws or have as great a need for security and may instead place greater value on creative freedom and the flexibility to be productive according to an individual’s own work habits and quirks.  Since the locked-down model has been the IT standard for decades, we’ll leave that topic alone for now and instead discuss some of the ideas behind a consumerized model.

What Is Consumerization

The consumerization of IT is a topic that is in relative infancy, but rapidly growing, sort of like “cloud computing” was just a short few years ago.  Being a young and evolving concept, it’s not uncommon to to find varying definitions, and what follows is my own working definition as of December 2011.

“The Consumerization of IT” describes a trend where organizations expect employees to own a computer, be able to use said computer, and be able to obtain service and support for that computer.

Similar to the fact that most employers expect their employees to own and maintain phones and the means to get to work, a company following a consumerized IT model expects employees to own and maintain a computer.  These organizations may give employees a stipend to purchase the computer or may even provide a computer, but offer little to no support for the device or common commercial software.  This approach is often referred to as a bring-your-own or “BYO” model.

The primary goals of IT in a BYO scenario are to provide access to proprietary data and software tools that the user community needs to accomplish the organization’s goals rather than duplicating the support efforts of Apple, Microsoft, et al.  Schools worry about the educational process and a bread company worries about making and selling bread.  Both leave the business of Mac OS X support to Apple, Word support to Microsoft and Photoshop support to Adobe.

Why It Works

At the dawn of IT, we had to cope with baby boomers who grew up with slide rules and musty encyclopedias.  These people needed legions of helpers to translate the digital voodoo that would allow them to do their jobs.  Baby boomers are now retiring in droves.  Their children and grandchildren don’t need the same kind of handholding.

Also consider the fact that the young people who have entered the workforce in the past several years, and will be entering it going forward, have grown up with computers almost since birth.  These people came through school using the Internet, word processors and cellular phones.  Children born on the day the Internet was opened to commercial activity have bachelor’s degrees now.  These young adults may have been using an iPhone for as long as or even longer than their employers.  Aside from having a level of competence with technology, and perhaps because of it, these employees are more likely to chafe against a tightly locked system.

Some Management

Whether it’s software distribution, managing compliance with legal guidelines, providing critical software patches, or configuring an email account, even organizations that have consumerized IT will benefit from some degree of client management.

Since the end user will be in ultimate control of the computer, it is important to have clear communication between IT and the user regarding the management tools used and what is expected of each party.  A balance must be struck between the privacy needs of the employee and the security needs of the employer, and the stipulations of that balance should be well understood by both parties.

How It Works

Since the end user has administrative privileges, common IT terms like “push” and “lock” don’t apply.  To have effective management, we need to link compliance with desired and/or required items.  Examples might include automatically locking out a user’s directory service account if their computer doesn’t comply with security requirements or removing network access and/or email configurations if the device fails to meet other agreed-upon management requirements.  In this way, we are able to give the end user the tools they need, but only when they agree to and comply with the organization’s policies and requirements.

Software installations and even many management tasks may be delivered by a client-driven mechanism, such as The Casper Suite’s Self Service tool or similar mechanisms; although there will likely be some settings such as those discussed above that will be enforced as a mandatory requirement of participating in the BYO program.

It is important to design the systems and processes involved to be as simple, user friendly and foolproof as possible.  While today’s end users tend to be more savvy than their predecessors, not everyone is a technology nerd, and shouldn’t be expected to be one.  Apple users in particular expect things to “just work.”  Maintaining that same high level of usability should be a requirement of any BYO project.  If something can be done in two clicks, don’t make the user do it in three.  Make sure interfaces are labeled well and consistently.  Finally, always use the system yourself.  You can’t relate to your users’ frustrations very well if you never use the systems they use.  If you find yourself not wanting to use a system, that’s a great indication that the system needs work.

I hope this overview proves useful.  We may explore these concepts further in future articles if there is significant response.

More Lion Preferences

lionI’m all for progress, and I at least try to work with new systems before I succumb to what I call “changephobia” (apologies to anyone with a psychiatry degree) and try to undo the progress.  Be that as it may, we all have to support the changephobic, so we may be called upon to make Lion behave more like Snow Leopard.

In an effort to ease this burden, here’s a compilation of user interface changes in Lion and how to revert them back to familiar behavior for your changephobic charges.

Note: If this information is a bit confusing, refer to the documentation on managing preferences in your client management software.  If you don’t have client management software, type “man defaults” into Terminal to learn how to make use of this information at the command line.

Hidden Scrollbars

Scroll bars appear on demand by default in Mac OS X Lion.  The scroll bars, or lack thereof, are governed by .Globalpreferences.plist.

The key that governs when scrollbars appear is called AppleShowScrollBars.

The key contains a string item with the following possible values:

  • Automatic – Default Lion behavior.  Scroll bars are visible when scrolling with an Apple trackpad and always visible with a mouse.
  • WhenScrolling – Scroll bars only appear when scrolling, regardless of pointing device.
  • Always – Scroll bars are always visible.

Applications Retain Open Windows

Apps now remember where you were and/or what you were doing when you quit.  For example, if Safari is running with  www.apple.com and YouTube open in tabs and the Safari preferences window open and one quits Safari without closing those windows, the next time Safari is launched, a tabbed window with apple.com and YouTube will open as will the preferences window.  On one hand, this seems pretty useful.  The app remembered where I was! On the other hand, when I attach my laptop to the conference room presentation system, I may not want Safari to show my colleagues my bank statement, Aunt Gussie’s secret carrot cake recipe or something not quite appropriate for the office.

This behavior is also managed by .GlobalPreferences.plist.

The relevant key is NSQuitAlwaysKeepsWindows.

This key stores boolean values, either true (default Lion behavior) or false (apps don’t remember your windows).

Dock Indicator Lights Are Missing

This is an odd case.  I have been hearing and reading reports of this behavior, that is the blue dots that have appeared under the Dock icons for open applications are missing, however my own observations have shown that the indicator lights are on by default.  Whatever the case may be, this is also manageable behavior.

Since we’re working with Dock behavior, the preference file in question is com.apple.dock.plist.

The key is show-process-indicators.

This key uses a boolean value where true means the indicators will be present, and false means they will be missing.

User Library Folders Are Hidden

It makes sense that Apple, being a self-proclaimed consumer device company, would hide things that the typical, non IT-savvy, user wouldn’t need to see and probably wouldn’t understand.  Not all users were created equal, and some of the more savvy folks will miss the ability to get at their Library folder.

A user can access their own Library folder with Finder in two ways, both using the Go menu.  The first method is to hold down the Option key when exposing the Go menu.  This causes “Library” to appear between “Home” and “Computer”.  The second method is to choose the “Go to Folder” menu item and type the path (~/Library) into the drop down sheet.

From the command line, a user could execute the following command:

open ~/Library

The following command will make the Library folder permanently visible in Finder.

chflags nohidden ~/Library

Scripting tip: if you read your users from dscl into a variable, using a for loop, and the explicit path to each user’s Library (using the users variable) you can make this change for all users.

That’s the first batch I’ve found.  If you have noticed any other new behavior you’d like to be able to change, let me know in the comments.

Lion Scroll Behavior

lionNow that Lion has been released, some of you may have  noticed the new scroll behavior.  For those of you who haven’t yet, scroll behavior is reversed in Lion as compared to previous versions of Mac OS X, and matches the scroll behavior in iOS.  This means that when you move your fingers/wheel down, content moves down and when you move your fingers/wheel up, content moves up.

Apple calls the new behavior “natural”.  Whether you love it or hate it, you may be called upon to change it.  Luckily, this is a setting stored in a standard plist file , making it easy to manage.

The preference file involved is .GlobalPreferences.plist

The key is com.apple.swipescrolldirection

Values are true (Lion behavior) and false (previous behavior).

To change the scroll behavior for the current user (there are no line breaks in this command)…

defaults write ~/Library/Preferences/.GlobalPreferences  com.apple.swipescrolldirection -bool <value>

To change the scroll behavior for all users (there are no line breaks in this command either)…

defaults write /Library/Preferences/.GlobalPreferences  com.apple.swipescrolldirection -bool <value>

For example: the following command will make scrolling in Lion behave as it did in prior versions of Mac OS X, for the current user (again, no line breaks).

defaults write ~/Library/Preferences/.GlobalPreferences  com.apple.swipescrolldirection -bool false

Note that the behavior will not change until after a logout.  When changing the setting via the System Preferences GUI, it would seem that System Preferences is also forcing a re-read of the .GlobalPreferences.plist file.  If any readers know how to force that re-read, please share that information in the comments.

I have not yet tested it, but all indications point toward this working as an MCX setting.  This should work just as well as managing any other .GlobalPreferences item with MCX.

Scripting: Using cut to Capture Information

terminalIn the previous article we discussed using grep and awk to harvest information.  The final example in that article may have left us wanting.  In this article, we’ll discuss some additional options that the cut command can give us.

As we discussed, the following command:

diskutil info / | grep "Volume Name:" | awk '{print $3}'

would output the name of our boot volume, assuming there were no spaces in it.  However, if our target Mac had a factory standard boot volume called “Macintosh HD”, we’d need to change our command to:

diskutil info / | grep "Volume Name:" | awk '{print $3,$4}'

If there were more than one space in our volume names, well, it all becomes a bit much to manage. Unfortunately, awk doesn’t provide a method to display word X and all following words, so we will look to another command called cut.

According to its man page, cut is designed to “cut out selected portions of each line of a file”.  Cut can work with “words”, like awk, or it can work with characters.  We’ll look at working with words first.  Unless specified otherwise, cut assumes that words are delimited (separated) by tab characters.  If the delimiter is something other than a tab, the delimiter must be defined using the “-d” option.  After defining the delimiter, we must tell cut which words we would like to output.  We do this using the -f option, followed by a number indicating the word’s position.  Unlike awk, we do not need a “$” or other character to indicate our word selection, just the number.  Also unlike awk, we can specify a range, including “X-” which tells cut to return the word at position X and everything after it, which we will do below.

diskutil info / | grep "Volume Name:" | cut -d ' ' -f 19-

The “-d” option has indicated that our delimiter is a space.  The “-f” option has asked for words 19 through the end of the line.  This may seem a bit confusing because if you look at the output of the first two commands, it would seem that we would be interested in word number 3 and onward.  It would appear that diskutil’s output contains both spaces and tabs, and a bit of trial and error helped to arrive at the number 19.  This command will return our boot volume’s name regardless of the number of spaces in the name.

The other option when working with cut is to simply count characters.  This precludes a need to define a delimiter.  By counting characters, we can find the same information with the following command:

diskutil info / | grep “Volume Name:” | cut -c 30-

This line will return character number 30 and all characters that follow it.  Like the example using the -d and -f options, this will return our boot volume’s name regardless of the number of spaces in the name.

We see that cut can provide us with some capabilities that awk doesn’t.  Hopefully this examination will help you to capture data in your own scripts.

The commands in this article have been tested on Mac OS X versions 10.5.8 and 10.6.7 (build 10J869).  Thanks go to Lisa at lisacherie.com for assistance in testing the commands used in this article.

Scripting: Getting Volume Details Using grep and awk

terminalAs sysadmins, we often need to write scripts that will interact with hard disks or other volumes on a client computer.  These scripts usually need some information about the volume(s) being worked with, such as a device identifer, UUID, etc..

I often see my fellow sysadmins making assumptions such as a Mac’s boot volume will be known by the device identifier “disk0s2”.  While this is often the case, it is by no means guaranteed.  For my money, often being correct isn’t acceptable, especially when always being correct can be achieved with a relatively short command. In this vein, I will outline some commands to harvest various volume information below.

Device Identifier

Some disk management commands require a device identifier.  The device identifier is in the format diskXsY.  diskX refers to a physical device.  sY refers to a volume or “slice” of diskX.

diskutil info / | grep "Device Identifier" | awk '{print $3}'

Volume UUID

The Volume UUID, or Universally Unique IDentifier, is a unique ID code generated for every volume.  The UUID is required for some disk operations.  Volume UUIDs are persistent regardless of your currently booted system.

diskutil info / | grep "Volume UUID" | awk '{print $3}'

Volume Name

Sometimes we’ll need to know the name, also referred to as the “label”, of a volume.  This is the name we see displayed in Finder.

diskutil info / | grep "Volume Name:" | awk '{print $3}'

Breaking It Down

You may have noticed a pattern in the commands above.    All of the sample commands begin with “diskutil info.”  Simply executing “diskutil info” followed by a volume, will output a list of information about that volume.  In the example commands above, we use “/”, which refers to the current boot volume.  By replacing “/” with “/Volumes/<otherVolumeName>” we can retrieve information from other volumes mounted on the Mac.  The pipe or “|” character passes the output from this command to the next one.

The next command is “grep”, followed by a quoted term.  Grep is a very powerful UNIX tool, but here, we’re using one of its most basic functions.  Grep will look within the text that it receives as input, in this case the output of “diskutil info /”, for the search term we’ve provided.  If the term is found, grep returns the entire line (s) on which our search term appears.  The grep output is then piped to the next command.

awk is another powerful tool;  books with page counts in the hundreds have been written about it.  Like grep, we are using one of awk’s more simple functions here.”awk ‘{print $X}'” takes the input it is given, the output of the grep statements in these examples, and returns the “word” at position X.  I’ve put “word” in quotes because awk doesn’t define word the same way as the English language does.  To awk, a word is a string.  Words are separated by spaces.  If we run our last example command (diskutil info / | grep “Volume Name:”) on a system booted to a volume called “BootDrive”, the output from the first two parts of the command  is ”   Volume Name:      BootDrive”.  In this case, “Volume” is word 1, “Name:” is word 2, and finally “BootDrive” is word 3.  This is why we ask awk to return word 3.

Note that if your volume name has a space in it, such as the factory default “Macintosh HD”, the command listed above would only return the first word of your volume name, for example, “Macintosh”.  To get awk to return multiple words, multiple words can be referenced inside the brackets, separated by commas.  For example “awk ‘{print $3,$4}'” would return the words at positions 3 and 4, with a space between.  We could repeat this for as many words as you need.  such as “awk ‘{print $X,$Y,$Z…..<and so on>}'”.  It is not necessary to choose consecutive words either.  “awk ‘{print $1,$5}'” would work just as well.  Referencing empty word positions will not generate any output, meaning that if we executed “diskutil info / | grep “Device / Media Name” | awk ‘{print $3,4}'” on a system with a boot volume called “BootDrive”, our output would be simply “BootDrive”.

Well, I hope some of you have found this exploration useful.  Future articles will build on what we’ve discussed here.

Casper Suite: Firmware Updates Extension Attribute

casperSuiteAs promised, here is the follow up to my previous post.

People who have followed this blog will know that I like zero touch. Unfortunately, firmware updates usually require physically touching a computer. In the absence of a scriptable robot that can go around to users’ desks pressing buttons, this process is hard to automate. Thankfully, firmware updates are relatively infrequent compared to other Apple Software Updates.

Using an Extension Attribute in the Casper Suite, I have been able to achieve the following goals…

  • Automate Apple Software Updates without continually running Software Update on computers that only have firmware updates available.
  • Generate a list of computers that require firmware updates.  This list is given to technicians as a work list of computers to visit and run the firmware updates on.

Here’s the script to use in the Extension Attribute (I call it “Available FWUs”)…

#!/bin/bash
# Populate "Firmware Updates Available" extension attribute
# Get firmware update count
fwupdcount=`softwareupdate -l | grep -c -e Firmware -e firmware -e EFI -e SMC`
echo "<result>$fwupdcount</result>"

The fourth line is looking for available software updates with names that contain the terms “Firmware”, “firmware”, “EFI”, and “SMC”.  This covers all of the firmware updates I can find on apple.com/support.  If additional terms become needed in the future, one can add ” -e <desiredTerm>” to the command between “SMC” and the final backtick.

The result will be an integer.  An Advanced Search for computers with Available FWUs more than 0 will give you the firmware update work list.  I use a Smart Computer Group containing computers with Available SWUs more than 0 and Available FWUs less than 1 as the scope for an automated Software Update policy.

I hope this is helpful!

Note: Recent Apple firmware updates haven’t been requiring manual interaction.  This process may not be needed if your environment consists solely of new hardware.

Reprint: Extending the Casper Suite with Dummy Packages

mt-cover-0909Questions about this article have come up in conversations with other Mac sysadmins.  As the reprint rights have since reverted back to me, I’m glad to share the content.

This content is copyright © 2009 by Miles A. Leacy IV.  Permission is granted to redistribute the article in it’s unaltered form.

Download the article at the link below (opens in a new window):

https://drive.google.com/open?id=1Qax-mKcTWgBnu9IANZGORyaiLDG65VV1

A few notes:

  • The Dummy Package/Dummy Receipt workflow is no longer necessary as of Casper Suite version 7.  Extension Attributes provide the same functionality in a much more usable (not to mention supported) fashion.
  • The script contained in the article can be altered to be used in an Extension Attribute. This will be covered in a follow up post on this site.
  • You may want to add terms other than “Firmware” to the script, such as “SMC”, “EFI”, etc., to cover all known firmware updates.

I hope some of you will find this article useful.

Lion Server

lionSo, the rumors were true.  Or they weren’t.  Or  both.

According to Apple’s website, there will, in fact, be a Lion Server.  However, it seems that it will not be sold in its own box, but rather Lion server is going to be a component of Mac OS X Lion.

Currently, there are only four paragraphs and three low-resolution screenshots available to the general public, but here’s what I’ve been able to glean.

  • There will be no separate Server OS.  Lion Server is a set of tools in Mac OS X Lion.
  • Profile Manager – A system for “profile-based setup and management for Mac OS X Lion” and iOS.  From the screenshot, it looks like Lion Server will provide iPhone Configuration Utility functionality for both iOS and Mac OS X Lion.
  • Wiki – Apple devotes one of the four paragraphs to this item.  They mention Podcasts, so this admin assumes that Podcast Producer or its replacement will be present.
  • Wireless File Sharing for iPad (via WebDAV- another paragraph is devoted to this item.  Only the iPad is specifically referenced.
  • Other services mentioned: Users and groups, Push notifications, File sharing, Calendaring, Mail, Contacts, Chat, Time Machine, VPN, Web

My questions…

  • What is a “profile” as defined by Profile Manager and what is configured and contained in/by it?
  • Is wireless file sharing for iPad truly for iPad only?  Is this an oversight in the Lion preview info, or are iPhones and iPod Touch devices left out in the cold by this feature?
  • Does “users and groups” refer to the next iteration of Open Directory?  I’d assume so, but Apple often surprises us.
  • Since Lion Server is a component of the client OS, are there any charges for it?  This seems unlikely unless Apple is changing its model.  One possibility (and pure speculation on this Admin’s part) is that the server components could be a paid download from the Mac App Store.  I doubt that Apple would introduce CALs.

To me, it makes sense that Lion Server is part of, or an add-on to, the client OS.  Mac OS X Server has always been a superset of Mac OS X.

Apple’s Mac OS X Lion page:
http://www.apple.com/macosx/lion/