Jamf Nation Community

spowell01 · ‎05-01-2013

This isn't really a jamf related question, but figured I would throw it out there anyway. We occasionally get a request from someone in one of the school offices to disable computer access for a particular student for a specific amount of time( a day or a week usually). Now in a windows environment we can simply disable the users active directory account and they cannot login. The way we have things configured on our macs( cached mobile accounts so the users can login off network) disabling the active directory account has no effect on the students ability to login. Is this just the nature of mobile accounts, or am I missing something?

mscheffler · ‎05-01-2013

You could change their login password on the server and have Casper push a policy to restart their computer. Then they can't login until you change the password back to what they know.

kraigschroth · ‎05-01-2013

If you're using Portable Home Folders, the mac will use the local ds db to authenticate if it can't reach the DC or if it gets a "fail" response -- and failover to the local ds db. Alternately, you could write a policy to the computer that has a local home directory with a script to execute logout on the "login" hook. Dirty, but would do the trick. And save you from whatever LDAP problems you might bump your head into.

edit -- *scoped to the computer. Haven't had enough coffee yet.

bentoms · ‎05-01-2013

I thought disabling the account would stop them from logging in when on the domain... Hmmm I'll check tomorrow.

spowell01 · ‎05-10-2013

did you have a chance to test in your environment bentoms?

Jamf Nation Community

prevent student login on mac - Active Directory and mobile accounts