NoMAD Login Question - Account Creation Issue

ukdboyd
New Contributor

Working on getting NoMAD and NoMAD Login to work correctly, and had a question. Users are able to log in with NoMAD Login, and the local account is being created. However, I've noticed that when I look at the local accounts on the Mac, the actual User Name is not being displayed. In other words, under Current User, I see a blank space where I would normally see the account name. Looking at Advanced Options for that account, the "Full Name" field is blank. Any ideas on how I can get that populated when the account is created by NoMAD Login?

Thanks!

6 REPLIES

nstrauss
Contributor II

@ukdboyd Are you using AD and do your AD accounts have givenName and sn attributes populated? NoMAD Login by default will use those two attributes, set them as firstName/lastName variables, and then set the local account full name by adding firstName + lastName.

If you aren't using those attributes, try creating or filling them out for a test user, and then create a local account with NoMAD Login. Full name should then be created as expected.

If you don't populate those today and don't plan to in the future, you could try using cn as full name instead. When poking around the code I found a new preference named UseCNForFullName. Could set that to true and then try again. Since every account has to have a cn that might work for you. Not sure what version that preference made it into, but definitely make sure you're using the latest. As of writing this believe that's 1.3.0.

achristoforatos
Contributor II

Every user that logs in is an admin... any advice on how to stop this?

tdclark
Contributor

@achristoforatos

Here are the NoMAD Login Preferences - you can play around with them, but you can see that there is a CreateAdminUser boolean. Change that.

achristoforatos
Contributor II

@tdclark I've been through that so many times. I am not sure what I am doing wrong though. Below are my prefs:

```bash
#!/bin/bash

domain=""
background_image="/private/var/tmp/DarkGrey.jpg"
background_image_alpha="0"
keychain_add="YES"
logo="/private/var/tmp/logo-white-trans.png"
login_screen="YES"
admin="False"
userplaceholder="Collegiate username"

# Set default AD domain
defaults write /Library/Preferences/menu.nomad.login.ad.plist ADDomain "$domain"

# Set background image
defaults write /Library/Preferences/menu.nomad.login.ad.plist BackgroundImage "$background_image"

# Set background image transparency
defaults write /Library/Preferences/menu.nomad.login.ad.plist BackgroundImageAlpha -int "$background_image_alpha"

# Set login window logo
defaults write /Library/Preferences/menu.nomad.login.ad.plist LoginLogo "$logo"

# Username placeholder
defaults write /Library/Preferences/menu.nomad.login.ad.plist UsernameFieldPlaceholder -string "$userplaceholder"

# Enable user as admin
defaults write /Library/Preferences/menu.nomad.login.ad.plist CreateAdminUser -bool "$admin"

# Enable or disable login screen
defaults write /Library/Preferences/menu.nomad.login.ad.plist LoginScreen -bool "$login_screen"

# Adds a NoMAD entry into the keychain
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainAddNoMAD -bool "$keychain_add"

# Should NoLo create a Keychain if none exists
defaults write /Library/Preferences/menu.nomad.login.ad.plist KeychainCreate -bool "$keychain_add"

# Set security authorization database mechanisms with authchanger
/usr/local/bin/authchanger -reset -AD

# Kill loginwindow process to force NoMAD Login to launch
/usr/bin/killall -HUP loginwindow

exit 0
```

tdclark
Contributor

@achristoforatos

CreateAdminUser
This key is set in the NoLoAD defaults domain. If set to YES then any local user created at login will be placed into the local admin group and therefore be a local administrator on the Mac. If set to NO, or if the key is omitted, then local user creation will default to non-administrative accounts.

I haven't really played with that key, my users are admins until they lose that privilege, so I'm just repeating what I found. Maybe at the end of your script echo the created username and use dscl to lower their rights... not sure if that would work or not... or run a script after log in which does that... hmm... there's probably a way my brain is just fried today.

achristoforatos
Contributor II

@tdclark I was going to go with a script to run after to change that item since I've tried this many different ways and it just keeps creating admins. I just wanted to try and avoid anything extra. Thanks!
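
Added example, not part of any post in this thread: the post-login cleanup discussed above (inspect the local admin group with dscl, then lower rights) as a script that also reports what CreateAdminUser is currently set to on disk. `ALLOWED_ADMINS` and its account names are assumptions; `defaults`, `dscl` and `dseditgroup` are the standard macOS tools.

```shell
#!/bin/bash
# Added example: audit the local admin group after NoMAD Login creates accounts.
# Assumption: accounts that are allowed to stay in the admin group.
ALLOWED_ADMINS="root localadmin"

# Given a "GroupMembership: a b c" line (dscl output format) and an allowlist,
# print every member that is not on the allowlist, one per line.
unexpected_admins() {
    local membership_line="$1" allowed="$2" user
    for user in ${membership_line#GroupMembership:}; do
        case " $allowed " in
            *" $user "*) ;;                    # allowed, keep
            *) printf '%s\n' "$user" ;;        # not allowed, report
        esac
    done
}

# Normalise what "defaults read" returns for a boolean key to yes/no/unset.
pref_state() {
    case "$1" in
        1|[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) echo "yes" ;;
        0|[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]) echo "no" ;;
        *) echo "unset" ;;
    esac
}

main() {
    local pref members user
    # Reads the on-disk plist only (the same file the script above writes to).
    pref=$(defaults read /Library/Preferences/menu.nomad.login.ad CreateAdminUser 2>/dev/null)
    echo "CreateAdminUser on disk: $(pref_state "$pref")"

    members=$(dscl . -read /Groups/admin GroupMembership)
    unexpected_admins "$members" "$ALLOWED_ADMINS" | while read -r user; do
        echo "Removing $user from the local admin group"
        dseditgroup -o edit -d "$user" -t user admin
    done
}

# Only change anything when run on macOS with --enforce.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--enforce" ]; then
    main
fi
```

Run it as root with `--enforce` from a login policy or similar; without that flag it makes no changes.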