Disable desktop and documents via AD accounts

SHB
New Contributor

I am looking to disable editing desktop and documents on our network and so far I am not having much luck.

Our Macs are linked to AD and people log in with their AD accounts.

We have a suite of Macs and want to make sure people save to network drives and not the devices.

So either a script that runs on login and making it so that all accounts are set up as Guest accounts on the Macs would work I guess, but not sure how to do this.

I have used scripts like the following and they all work when logged into the device but error via Jamf.

sudo -u $USER chflags uchg ~/desktop
sudo -u $USER chflags uchg ~/documents

 

The Errors 

 

Script result: sudo: unknown user: chflags
sudo: error initializing audit plugin sudoers_audit sudo: unknown user: chflags sudo: error initializing audit plugin sudoers_audit

I was looking at ideally doing it via a login script as then I can exclude the admin account etc to make sure things can still be done if needed.


1 ACCEPTED SOLUTION

dsavageED
Contributor III

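You need to define who the logged-in user is; the recommended method at the moment looks like:

# Short name of the user at the console (empty at the login window)
ACTIVE_USER=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

# Set the user-immutable flag on that user's Desktop, running as that user
sudo -u "$ACTIVE_USER" chflags uchg "/Users/$ACTIVE_USER/Desktop"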

SHB
New Contributor

Thank you, worked first time 😀
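
The accepted solution's approach as a full Jamf login script, added here as an example that is not from either poster: it stops cleanly when no user owns the console (an empty user name is what makes sudo read `chflags` as the user, the error shown in the question), skips excluded admin accounts, and locks both folders. `EXCLUDED_USERS`, `localadmin`, the function names and the `/Users` home path are assumptions.

```shell
#!/bin/bash
# Added example: Jamf login-policy script (Jamf runs it as root).
EXCLUDED_USERS="root localadmin"   # hypothetical accounts that stay unlocked
HOME_ROOT="${HOME_ROOT:-/Users}"   # assumes home folders live under /Users
CHFLAGS="${CHFLAGS:-chflags}"      # overridable so the logic can be dry-run

# Extract the console user's short name from `scutil` output on stdin.
# Prints nothing when the login window owns the console.
parse_console_user() {
    awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Return 0 only for a non-empty user name that is not on the exclusion list.
should_lock() {
    local user="$1" skip
    [ -n "$user" ] || return 1
    for skip in $EXCLUDED_USERS; do
        [ "$user" = "$skip" ] && return 1
    done
    return 0
}

# Set the user-immutable flag on Desktop and Documents, running as that user.
lock_folders() {
    local user="$1" dir
    for dir in Desktop Documents; do
        [ -d "$HOME_ROOT/$user/$dir" ] || continue
        sudo -u "$user" "$CHFLAGS" uchg "$HOME_ROOT/$user/$dir" || return 1
    done
}

main() {
    local user
    user=$(echo "show State:/Users/ConsoleUser" | scutil | parse_console_user)
    if ! should_lock "$user"; then
        echo "No lockable console user (got '${user}'); nothing to do."
        return 0
    fi
    lock_folders "$user" && echo "Locked Desktop and Documents for $user"
}

# Only run on a Mac, where scutil exists.
if command -v scutil >/dev/null 2>&1; then
    main
fi
```

`uchg` is a user-level flag, so the folder's owner can clear it again with `chflags nouchg`.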