Skip to main content
Solved

Device-bound AD Accounts are able to login into Macs

  • June 10, 2015
  • 7 replies
  • 23 views
P
Forum|alt.badge.img+6

Hey,

we have device bound Active Directory - Accounts for our Windows 7 PCs.
This is how it should work, the account sem87rz is only able to login into PC87.
In the Windows environment everything works fine.

But really strange is that this accounts are able to login into all Macs (Yosemite 10.10.3) in the pool.
How is that possible?
The Macs where bound to AD via Directory Bindings on JSS (Version 9.65).

Best answer by Philibb

I found a solution to deny the login for those Accounts.

I created a Config Profile with JSS -> Login Windows -> Access
There i denied the Login with the GUID for each Account.

It seems to work.

Thanks to all.

    7 replies

    davidacland
    Forum|alt.badge.img+18
    • davidacland
    • Valued Contributor
    • June 10, 2015

    By default, an AD bound Mac will allow logins from any user account, from any domain in the forest.

    How are you restricting access on the Windows side?

    P
    Forum|alt.badge.img+6
    • Philibb
    • Author
    • Contributor
    • June 10, 2015

    Hi @davidacland ,

    We restrict the access at the active directory -> user properties -> accounts -> logon to -> (Here we write the device name which is allowed to get a login with the account)

    For Example: right klick on sem87rz -> accounts -> logon to -> PC87

    davidacland
    Forum|alt.badge.img+18
    • davidacland
    • Valued Contributor
    • June 10, 2015

    Ah ok, I've never had a site using that functionality before so couldn't comment on whether it is supposed to work. Although it would imply a server side restriction, the fact that its not working for you would indicate that there is a client side requirement as well and that its just not supported by OS X.

    S
    Forum|alt.badge.img+12
    • sean
    • Contributor
    • June 10, 2015

    It may be possible with a third party AD plugin.

    Alternatively, set up a LaunchDaemon that runs a script on login, checks the username against the allowed user and if it doesn't match kill the login window.

    Can you read the attribute from a mac client, perhaps with ldapsearch or dscl?

    W
    Forum|alt.badge.img+10
    • wdpickle
    • Contributor
    • June 10, 2015

    @davidacland is correct on a windows box the users can be restricted through a "domain wide" group policy. Macs don't handle GPOs like a windows box

    P
    Forum|alt.badge.img+6
    • Philibb
    • Author
    • Contributor
    • June 11, 2015

    Thanks @sean ,

    Do you have a login script that checks for the forbidden users and if it does´t match to kill the login window?

    Maybe i could write all forbidden users in that script, not nice but it may work.

    P
    Forum|alt.badge.img+6
    • Philibb
    • Author
    • Contributor
    • Answer
    • June 11, 2015

    I found a solution to deny the login for those Accounts.

    I created a Config Profile with JSS -> Login Windows -> Access
    There i denied the Login with the GUID for each Account.

    It seems to work.

    Thanks to all.

    Terms & ConditionsCookie settingsAccessibility statement