By default, an AD bound Mac will allow logins from any user account, from any domain in the forest.
How are you restricting access on the Windows side?
Hi @davidacland ,
We restrict the access at the active directory -> user properties -> accounts -> logon to -> (Here we write the device name which is allowed to get a login with the account)
For example: right click on sem87rz -> accounts -> logon to -> PC87
Ah ok, I've never had a site using that functionality before so couldn't comment on whether it is supposed to work. Although it would imply a server side restriction, the fact that it's not working for you would indicate that there is a client side requirement as well and that it's just not supported by OS X.
It may be possible with a third party AD plugin.
Alternatively, set up a LaunchDaemon that runs a script on login, checks the username against the allowed user and if it doesn't match kill the login window.
Can you read the attribute from a mac client, perhaps with ldapsearch or dscl?
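As an added example (not code posted by anyone in this thread), here is a POSIX shell script that combines the two ideas above: read the AD "Log On To" list for a user and compare it against the local host name, the way a login-time script would. It assumes the Mac is bound with Apple's AD plugin, that the "Log On To" list is the AD `userWorkstations` attribute (comma-separated NetBIOS names, empty when unrestricted), and that `dscl` exposes it on the AD node as `dsAttrTypeNative:userWorkstations`; the domain name `EXAMPLE`, the user `sem87rz` and the host `PC87` are placeholders. What happens on a deny is left to the caller, since the LaunchDaemon approach above is what would end the session.

```shell
#!/bin/sh
# Added example: enforce the AD "Log On To" (userWorkstations) restriction
# on a Mac bound with Apple's AD plugin. Assumptions: the attribute is a
# comma-separated list of NetBIOS host names, an empty value means "no
# restriction", and dscl reads it as dsAttrTypeNative:userWorkstations.

# Pure decision: $1 = userWorkstations value, $2 = local host name.
# Returns 0 when the login is allowed, 1 when it must be denied.
# Matching is case-insensitive because AD/NetBIOS names are.
workstation_allowed() {
    list=$1
    host=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    # No "Log On To" list set in AD: AD would allow any workstation.
    [ -z "$list" ] && return 0
    old_ifs=$IFS
    IFS=,
    for entry in $list; do
        entry=$(printf '%s' "$entry" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
        if [ "$entry" = "$host" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Local NetBIOS-style host name: the first label of the host name, upper-cased,
# which is what the AD "Log On To" dialog stores for a computer.
local_netbios_name() {
    scutil --get ComputerName 2>/dev/null | cut -d. -f1 | tr '[:lower:]' '[:upper:]'
}

# Read userWorkstations for $2 from the AD node of domain $1 (assumed dscl
# output: "dsAttrTypeNative:userWorkstations: PC87,PC88"); prints the value.
read_user_workstations() {
    dscl "/Active Directory/$1/All Domains" -read "/Users/$2" \
        dsAttrTypeNative:userWorkstations 2>/dev/null \
        | sed -n 's/^dsAttrTypeNative:userWorkstations: *//p'
}

# Glue for a login-time script: $1 = domain, $2 = user. Logs the decision
# and returns it; the caller decides how to end a denied session.
enforce_logon_to() {
    allowed=$(read_user_workstations "$1" "$2")
    host=$(local_netbios_name)
    if workstation_allowed "$allowed" "$host"; then
        logger -t logon-to "allow $2 on $host (list: '${allowed:-<none>}')"
        return 0
    fi
    logger -t logon-to "deny $2 on $host (list: '$allowed')"
    return 1
}

# Usage: ./logon_to_check.sh EXAMPLE sem87rz  (placeholder domain and user)
if [ "$#" -eq 2 ]; then
    enforce_logon_to "$1" "$2"
fi
```

Only `workstation_allowed` is exercised offline; `read_user_workstations` and `local_netbios_name` need a bound Mac. Note that an unbound or unreachable AD gives an empty value and therefore an allow, so a deployment should fail closed (treat a failed `dscl` read as a deny) if that matters in your environment.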
@davidacland is correct. On a Windows box the users can be restricted through a "domain wide" group policy. Macs don't handle GPOs like a Windows box.
Thanks @sean ,
Do you have a login script that checks for the forbidden users and, if it doesn't match, kills the login window?
Maybe I could write all forbidden users in that script; not nice, but it may work.
I found a solution to deny the login for those Accounts.
I created a Config Profile with JSS -> Login Windows -> Access
There I denied the login with the GUID for each account.
It seems to work.
Thanks to all.