Device-bound AD accounts are able to log in to Macs

Philibb
New Contributor III

Hey,

We have device-bound Active Directory accounts for our Windows 7 PCs.
This is how it should work: the account sem87rz is only able to log in to PC87.
In the Windows environment everything works fine.

But what is really strange is that these accounts are able to log in to all Macs (Yosemite 10.10.3) in the pool.
How is that possible?
The Macs were bound to AD via Directory Bindings in the JSS (version 9.65).

1 ACCEPTED SOLUTION

Philibb
New Contributor III

I found a solution to deny the login for those accounts.

I created a Config Profile via JSS -> Login Window -> Access
There I denied the login with the GUID for each account.

It seems to work.

Thanks to all.


davidacland
Honored Contributor II

By default, an AD bound Mac will allow logins from any user account, from any domain in the forest.

How are you restricting access on the Windows side?

Philibb
New Contributor III

Hi @davidacland ,

We restrict access in Active Directory -> user properties -> Account -> Log On To -> (here we enter the device name that is allowed to log in with the account).

For example: right-click on sem87rz -> Account -> Log On To -> PC87

davidacland
Honored Contributor II

Ah ok, I've never had a site using that functionality before, so I couldn't comment on whether it is supposed to work. Although it would imply a server-side restriction, the fact that it's not working for you would indicate that there is a client-side requirement as well and that it's just not supported by OS X.

sean
Valued Contributor

It may be possible with a third party AD plugin.

Alternatively, set up a LaunchDaemon that runs a script on login, checks the username against the allowed user and, if it doesn't match, kills the login window.

Can you read the attribute from a mac client, perhaps with ldapsearch or dscl?
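Following sean's suggestion, here is an added example (not from the thread, and not Jamf's or Apple's code) of the check such a script could make. It reads the user's AD "Log On To" list (the userWorkstations attribute, which is assumed here to be exposed by dscl as dsAttrTypeNative:userWorkstations in your AD node; DOMAIN is a placeholder) and compares it with the Mac's ComputerName. The LaunchDaemon would act on the return code of enforce.

```bash
#!/bin/bash
# Added example: enforce the AD "Log On To" restriction (userWorkstations) on a Mac.
# Assumptions: dscl surfaces the native attribute as dsAttrTypeNative:userWorkstations
# (verify with "dscl ... -read" first), DOMAIN is a placeholder for your AD domain,
# and the name comparison is case-insensitive, as it is on Windows.

# is_host_allowed WORKSTATIONS HOST
# WORKSTATIONS is the comma-separated value of userWorkstations (e.g. "PC87,PC88").
# An empty value means "all workstations" in AD, so it is allowed.
# Returns 0 if HOST is in the list, 1 otherwise.
is_host_allowed() {
    workstations="$1"
    host_uc=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ -z "$workstations" ] && return 0
    old_ifs=$IFS
    IFS=','
    for w in $workstations; do
        # strip stray spaces around each entry and compare case-insensitively
        w_uc=$(printf '%s' "$w" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
        if [ "$w_uc" = "$host_uc" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# read_workstations USER
# Reads the userWorkstations value for USER from the AD node (assumption: the
# attribute is exposed as dsAttrTypeNative:userWorkstations). Prints "" if unset.
read_workstations() {
    dscl "/Active Directory/DOMAIN/All Domains" -read "/Users/$1" \
        dsAttrTypeNative:userWorkstations 2>/dev/null |
        awk -F': ' '/userWorkstations/ {print $2}'
}

# enforce USER
# Intended to be called from the LaunchDaemon with the logging-in user as $1.
# Returns 0 when the login is permitted on this Mac, 1 when it should be denied.
enforce() {
    local_name=$(scutil --get ComputerName)
    allowed=$(read_workstations "$1")
    if is_host_allowed "$allowed" "$local_name"; then
        echo "allowed: $1 on $local_name"
        return 0
    fi
    echo "denied: $1 is not permitted to log in on $local_name" >&2
    return 1
}
```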

wdpickle
Contributor

@davidacland is correct; on a Windows box the users can be restricted through a "domain wide" group policy. Macs don't handle GPOs like a Windows box.

Philibb
New Contributor III

Thanks @sean ,

Do you have a login script that checks for the forbidden users and, if it doesn't match, kills the login window?

Maybe I could write all forbidden users into that script; not nice, but it may work.
