BTW, I didn’t see any mention of the use of Directory Utility, which I find useful for visualization. You can use this tool to view/add/edit/delete the local groups, although it’s not useful for that on a mass scale. I add it to my Dock.
It’s /System/Library/CoreServices/Directory Utility.app. Or, you can open it from the Users & Groups System Preferences (Login Options, method to access it varies depending on whether the system is bound to a network directory or not). Once you launch it, you can choose to Keep in Dock.
In Directory Utility, go to Directory Editor, view your Groups in the Local/Default node.
Did anyone get this working under 10.10.x (or 10.11)?
I can set the login to only a specific Domain group (AD) but when I restart I cannot log on. Not even with the local admin...
Will investigate further but maybe someone else has found the issue?
Hi,
Sorry to resurrect this thread again. I am as well looking to restrict logon for specific groups in AD on all of our iMacs. We don't have >1000 users but will be getting there in time.
Does com.apple.loginwindow work for this? And what attribute in AD should I be using, objectSid?
Really appreciate any feedback on this.
Phil.
I'm trying to figure this out as well. I can't find a setting in JSS that reflects System Preferences -> Users & Groups -> Login Options -> Options -> Only these network users -> add in some groups from the AD
The closest thing I find in JSS is Profile -> Login Window -> Access -> Allow. However, this seems to reference groups in JSS not AD, the purpose of which I can't quite figure out, but regardless is not what we need.
Anyone know what I'm missing? Please tell me this is a setting that can in fact be managed without more silly custom scripting...
Nevermind, I just discovered the central folks bound the JAMF server to an LDAP system not Active Directory, so we have user query but not groups.... le sigh....
I don't suppose anyone knows a way to address this outside of me convincing them to move the server....
@ebonweaver the setting to restrict logins to AD groups is a configuration profile - restrictions. You can add AD groups there in the access tab and it doesn't matter if your JAMF server isn't bound to AD/LDAP as long as the client Macs are.
Unfortunately, the configuration profile still doesn't actually work and just lets everyone log in. I haven't tested in a while but that was my experience with Sierra.
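A quick way to tell whether the restriction described in this thread has actually landed on a client, added here as an example script (not code from Jamf, Apple or any poster): on macOS the "Only these network users" list from Login Options is kept in the local group com.apple.access_loginwindow, the same record you can browse in Directory Utility's Directory Editor, and `dscl` can read it. The SAMPLE_RECORD below is constructed to resemble `dscl` output so the summary logic can be exercised off a Mac; an ACL group that is missing or has no members is the "everyone can log in" state reported above.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a Mac's login window ACL group
# actually carries the intended membership. Assumptions: the login window restriction
# is stored in the local group com.apple.access_loginwindow (stock macOS behaviour),
# read with the stock dscl tool; SAMPLE_RECORD below is constructed, not real output.

ACL_GROUP="com.apple.access_loginwindow"

# Constructed sample of what `dscl . -read /Groups/com.apple.access_loginwindow`
# prints when one local user and one nested network group are allowed.
SAMPLE_RECORD='AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEF00-0000-0000-0000-000000000001
GroupMembership: localadmin
NestedGroups: 12345678-1234-1234-1234-123456789ABC
PrimaryGroupID: 404
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups'

# Read the live record; only works on macOS, where dscl exists.
read_acl_record() {
    dscl . -read "/Groups/$ACL_GROUP" 2>/dev/null
}

# Summarise a dscl group record read from stdin.
# Prints "users <names>" and/or "nested <guids>", or "empty" if neither is set.
summarize_acl_record() {
    awk '
        /^GroupMembership:/ { sub(/^GroupMembership: */, ""); if ($0 != "") { print "users " $0; found = 1 } }
        /^NestedGroups:/    { sub(/^NestedGroups: */, "");    if ($0 != "") { print "nested " $0; found = 1 } }
        END { if (!found) print "empty" }
    '
}

# Decide whether the login window is restricted. An ACL group with no direct
# members and no nested groups means any authenticated network user may log in,
# which is the symptom reported in the thread. Prints "restricted" or "open".
acl_state() {
    if printf '%s\n' "$1" | summarize_acl_record | grep -qv '^empty$'; then
        echo restricted
    else
        echo open
    fi
}

# Live check on a Mac:  sh check_loginwindow_acl.sh --live
if [ "${1:-}" = "--live" ]; then
    record=$(read_acl_record) || record=""
    if [ -z "$record" ]; then
        echo "No $ACL_GROUP group found: login window is open to all network users"
    else
        printf '%s\n' "$record" | summarize_acl_record
        acl_state "$record"
    fi
fi
```

Nested groups show up as GUIDs rather than names, so to confirm that a GUID is the AD group you intended, compare it against what `dscl` reports for that group in the bound directory node; if the profile from the JSS never populated this record, the list stays empty no matter what the profile says.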
@nigelg from what I can see it's as I said, it only works if your JSS is bound to the same domain as the clients, because it's resolving and sending down SID information, not some generic group name that the client resolves on its own. At some unknown time when our organization gets things aligned I'll be able to confirm or deny that. I wish it was more generic and would allow just setting a group name that the client did a dynamic lookup on, but JSS has proven not so flexible.
@ebonweaver
I was referring to this third party bug, listed in the release notes as recently as 10.5.0
[D-005532] macOS configuration profiles with a Login Window payload that is configured to deny users and groups the ability to log in fail to do so.
It's not listed for 10.5.0 either as a bug that was fixed or as a third party bug. Maybe it's fixed.