Posted on 05-14-2015 12:50 PM
I am building out a laptop one-to-one program and am using mobile accounts (AD). Does anyone know if it is possible to automate the setting that allows only a specific user to create a mobile account? I would love to be able to set the system to allow only the first mobile login, then lock it out.
It's a bit much to do it in the GUI for 700 MacBook Airs: System Preferences > Users & Groups > Login Options > Allow network users to log in at the login window > Options > Only these network users: define the user.
any help appreciated :-)
Posted on 05-14-2015 01:17 PM
I think that's controlled through the local group "com.apple.loginwindow.netaccounts". You will just need to run a login script in Casper to add the user to the group. I'd probably use dseditgroup as it could be done in a one-line command:
/usr/sbin/dseditgroup -o edit -a $3 -t user com.apple.loginwindow.netaccounts
Only thing I haven't checked is if this automatically enables the setting as well.
Posted on 05-15-2015 05:10 AM
thank you for the reply.
The command does add the desired user to the group. Unfortunately I do not see a way in dseditgroup to flag the setting to be "only these network users"; it adds the users but stays as the default "all network users".
Posted on 05-15-2015 05:54 AM
@Eyoung Perhaps you can report on multiple AD accounts on the Macs & act then?
Posted on 05-15-2015 06:07 AM
With a one-to-one I'd much rather just turn the option off before the kids get wise to it. Worst case in the final setup for the system, we hit the button.
It's odd. There has to be a defaults write to just flip that switch!
Posted on 05-15-2015 11:58 AM
You are halfway there!
Add the user to the com.apple.loginwindow.netaccounts group, and add that group to the com.apple.access_loginwindow group:
/usr/sbin/dseditgroup -o create com.apple.access_loginwindow
/usr/sbin/dseditgroup -o edit -a localaccounts -t group com.apple.access_loginwindow
/usr/sbin/dseditgroup -o edit -a com.apple.loginwindow.netaccounts -t group com.apple.access_loginwindow
You might want to look at the contents of a "manually" created com.apple.access_loginwindow group to get some of the additional attributes to match Apple's, but that's probably not entirely needed.
Posted on 05-15-2015 02:55 PM
@gregneagle you do realize you have to physically be at JNUC2015 to collect all the beer we all owe you for all your help. :)
Posted on 05-15-2015 03:45 PM
Lol, still trying @donmontalvo? I'll give you an A for effort, that's for sure.
I have a feeling Greg's response might be that if any of us want to buy him beer, we need to physically be at the conferences he attends.
Oh, that reminds me. I need to get back to you! I did see your email from the other day so I'm not ignoring you :)
I'll send you a response in just a bit.
Posted on 05-18-2015 05:19 AM
@gregneagle thank you very much for the dseditgroup command. Unfortunately... it seems to disable network users from logging in?!? I set it as a login policy set to run once.
Below is my script content; I assume I am missing something from what you originally posted... or is it due to being set to run at login at the first login for a network user? Thanks
/usr/sbin/dseditgroup -o create com.apple.access_loginwindow
/usr/sbin/dseditgroup -o edit -a localaccounts -t group com.apple.access_loginwindow
/usr/sbin/dseditgroup -o edit -a com.apple.loginwindow.netaccounts -t group com.apple.access_loginwindow
Posted on 05-18-2015 06:50 AM
eyoung: You forgot to do the first part, which was to add your desired user to the com.apple.loginwindow.netaccounts group as discussed earlier in the thread. Without that, your desired network user won't be in the list of allowed users -- in fact most likely that list will be empty and no network users will be able to log in at all.
Posted on 05-18-2015 06:57 AM
Can I claim that I did not read the post 5 times over the weekend and just looked at the answer before I had my coffee this morning and that's why I'm such a dumbass? :-)
Testing with the WHOLE command now. thank you again for the help.
Posted on 05-18-2015 07:43 AM
Ok. Tested with all the parts. Still just disables network accounts from logging in
I tried it as one command, and then separated into two scripts run in sequence, same results.
Posted on 05-18-2015 08:28 AM
Post your entire script. I did test this before I posted and it works as expected here.
Also:
Read the contents of both groups after your script runs:
dscl . read /Groups/com.apple.loginwindow.netaccounts
dscl . read /Groups/com.apple.access_loginwindow
Do they have the expected memberships?
Posted on 05-18-2015 12:20 PM
/usr/sbin/dseditgroup -o edit -a $3 -t user com.apple.loginwindow.netaccounts
/usr/sbin/dseditgroup -o create com.apple.access_loginwindow
/usr/sbin/dseditgroup -o edit -a localaccounts -t group com.apple.access_loginwindow
/usr/sbin/dseditgroup -o edit -a com.apple.loginwindow.netaccounts -t group com.apple.access_loginwindow
Posted on 05-18-2015 12:23 PM
The output of the reads is:
bash-3.2$ dscl . read /Groups/com.apple.loginwindow.netaccounts
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 0EAD561B-4B2F-48B9-8030-DE45EA3D740C
PrimaryGroupID: 502
RecordName: com.apple.loginwindow.netaccounts
RecordType: dsRecTypeStandard:Groups
bash-3.2$ dscl . read /Groups/com.apple.access_loginwindow
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 78BDE4D1-EF82-47B2-9CBB-404B99D672F9
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003D 0EAD561B-4B2F-48B9-8030-DE45EA3D740C
PrimaryGroupID: 501
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups
bash-3.2$
Posted on 05-18-2015 12:31 PM
@Eyoung are you running this script via the JAMF binary at either login or self service?
Those are the only two places that the username is passed to $3.
Posted on 05-18-2015 12:33 PM
@gregneagle thank you again for the help. this is unfamiliar territory for me. I'm sure I am missing something obvious causing the issues myself :-)
Posted on 05-18-2015 12:38 PM
The output of the reads is:
bash-3.2$ dscl . read /Groups/com.apple.loginwindow.netaccounts
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 0EAD561B-4B2F-48B9-8030-DE45EA3D740C
PrimaryGroupID: 502
RecordName: com.apple.loginwindow.netaccounts
RecordType: dsRecTypeStandard:Groups
And com.apple.loginwindow.netaccounts has no users/members, so clearly $3 is empty/undefined when you run that script. This causes your issue: since there are no users in com.apple.loginwindow.netaccounts, no network users may log in.
bash-3.2$ dscl . read /Groups/com.apple.access_loginwindow
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 78BDE4D1-EF82-47B2-9CBB-404B99D672F9
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003D 0EAD561B-4B2F-48B9-8030-DE45EA3D740C
PrimaryGroupID: 501
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups
bash-3.2$
Posted on 05-18-2015 12:39 PM
GAH. I was NOT testing the iterations IN the JAMF binary. If I run it as a policy @ login (as I intend to) it (of course) works!
Posted on 05-18-2015 12:39 PM
@donmontalvo and @mm2270 we should all pitch in and just have a few kegs delivered to Disney.
Posted on 05-18-2015 12:51 PM
Absolutely!!
Posted on 05-18-2015 01:45 PM
@jhbush1973 wrote:
@donmontalvo and @mm2270 we should all pitch in and just have a few kegs delivered to Disney.
As long as I don't have to deliver it to @gregneagle in a tutu. That train left the station a long time ago.
Posted on 05-18-2015 02:05 PM
@Eyoung, I have gotten in the habit of testing policy scripts from the command line with parameters. I usually use blank (empty quoted string) or meaningless parameters for each of the ones I don’t care about.
path/to/script "" "blah" "user_id"
You also have to run with appropriate privileges.
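Pulling the thread together, here is an added example (not posted by anyone in the thread) of the full login-policy script with the two things that bit eyoung built in: it refuses to run when the Jamf username parameter ($3) is empty, since an empty netaccounts group locks out every network user, and it has a DRY_RUN mode so the argument handling can be exercised from the command line the way the last post suggests. The group names and dseditgroup commands are the ones from the thread; the fail-closed check, the dry-run wrapper and the post-check with `dseditgroup -o checkmember` are my additions, and the script assumes it runs as root.

```shell
#!/bin/bash
# Added example, not from the thread. Restricts login-window access to local
# accounts plus one named network user, using the dseditgroup steps above.
# Jamf passes the logging-in username as $3 ($1 = mount point, $2 = computer
# name). Must run as root. Set DRY_RUN=1 to print the dseditgroup commands
# instead of executing them, so the logic can be checked on any machine.

NETACCOUNTS="com.apple.loginwindow.netaccounts"
ACCESS_GROUP="com.apple.access_loginwindow"
DSEDITGROUP="/usr/sbin/dseditgroup"

# Echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True if the local group already exists (dry run pretends it does not,
# so the create step is always shown).
group_exists() {
    [ "${DRY_RUN:-0}" = "1" ] && return 1
    "$DSEDITGROUP" -o read "$1" >/dev/null 2>&1
}

# Fail closed: an empty username would leave netaccounts with no members,
# which locks out every network user (the symptom seen in the thread).
restrict_loginwindow() {
    local user="$1"
    if [ -z "$user" ]; then
        echo "error: no username supplied; run via a Jamf login policy or pass it as \$3" >&2
        return 2
    fi
    # Step 1 from the thread: allow this one network user.
    run "$DSEDITGROUP" -o edit -a "$user" -t user "$NETACCOUNTS" || return 1
    # Step 2: create the access group and nest localaccounts plus netaccounts in it.
    if ! group_exists "$ACCESS_GROUP"; then
        run "$DSEDITGROUP" -o create "$ACCESS_GROUP" || return 1
    fi
    run "$DSEDITGROUP" -o edit -a localaccounts -t group "$ACCESS_GROUP" || return 1
    run "$DSEDITGROUP" -o edit -a "$NETACCOUNTS" -t group "$ACCESS_GROUP" || return 1
}

# Post-check, in the spirit of the two dscl reads suggested above: the user
# must really be a member of netaccounts, or the policy has locked everyone out.
verify_membership() {
    local user="$1"
    [ "${DRY_RUN:-0}" = "1" ] && return 0
    "$DSEDITGROUP" -o checkmember -m "$user" "$NETACCOUNTS" >/dev/null 2>&1
}

main() {
    local user="$3"
    restrict_loginwindow "$user" || exit $?
    verify_membership "$user" || { echo "error: $user is not in $NETACCOUNTS" >&2; exit 1; }
}

# Jamf always supplies the three standard parameters; with no arguments
# (sourced for testing) nothing is executed.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

To dry-run it from a terminal the way the last post describes, use `sudo DRY_RUN=1 ./restrict_loginwindow.sh "" "blah" "jdoe"` and confirm the four dseditgroup lines print with the right username; running it with an empty third argument prints the error and exits 2 instead of silently creating an empty allow-list.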