Posted on 04-29-2016 12:54 PM
Is there a way so I can prevent users from changing their Mac name and also prevent them from creating their own local account? Some of these users require admin rights so I can't take those away. Currently I have a policy in place that forces the name to change to what is on file in JSS but if users change the Mac name, it screws with AD and kicks them off the domain. Any suggestions other than locking out the sharing preference pane?
Posted on 04-29-2016 01:25 PM
Not what you're looking for, but I'd tackle this by identifying what they need the admin rights for, and finding ways to grant those rights without giving them full admin (self-service options, adding them to specific groups, etc.).
Other than that, I'd set up some sort of smart group to watch for additional local accounts being set up, with email alerts, and then act on those notifications.
I don't do it for the same reasons, but I have a couple of EAs and smart groups for things such as any "non-standard" accounts with local admin rights. I've told all of our IT staff that seeing a machine flagged does NOT mean someone screwed up, most of the time there is a legitimate reason, but it simply means "this is something to check on, and make sure if it is legit, that the reason is documented". A similar approach might work for you - document which users "need" admin rights, create a group of their computers, then set an alert for any new local accounts.
As for changing the name... I'm assuming you're familiar with the standard "PEBCAK", "ID10T errors", etc.? I call this kind of issue "PIMP": "Problem is Management's Problem" (aka not mine). Get management to implement some sort of rules of behavior, with some teeth. User changes their computer name? User's boss deals with it, not you. Requires a supportive management team, but solves SO many things when they realize that not everything in IT is the technical staff's problem.
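An added example (not code from this thread) of the kind of extension attribute the post above describes: it reports local accounts that are not on an approved list, marking those with admin rights, so a smart group can alert on the result. The allowlist names and the UID 501 cutoff for human accounts are assumptions.

```shell
#!/bin/bash
# Jamf extension attribute (added example): report local accounts that are
# not on an approved list, so a smart group can alert on them.

# Hypothetical allowlist: short names of accounts IT expects on every Mac.
APPROVED="ladmin jamfmgmt"

# Reads "shortname uid" lines (the format of `dscl . -list /Users UniqueID`)
# on stdin and prints unapproved human accounts (UID >= 501), space separated.
unexpected_accounts() {
    local approved=" $1 " name uid out=""
    while read -r name uid || [ -n "$name" ]; do
        # Skip blank or malformed lines and negative/system UIDs.
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -ge 501 ] || continue
        # Skip accounts that appear on the allowlist.
        case "$approved" in *" $name "*) continue ;; esac
        out="${out:+$out }$name"
    done
    printf '%s' "$out"
}

# True if the account is a member of the local admin group (macOS only).
is_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Constructed sample input for trying the filter off-device.
SAMPLE='_www 70
root 0
ladmin 501
jsmith 502
tempuser 503'

# The live report only runs where dscl exists, i.e. on a Mac.
if command -v dscl >/dev/null 2>&1; then
    found=$(dscl . -list /Users UniqueID | unexpected_accounts "$APPROVED")
    report=""
    for u in $found; do
        if is_admin "$u"; then report="${report:+$report }$u(admin)"
        else report="${report:+$report }$u"; fi
    done
    echo "<result>${report:-None}</result>"
fi
```

A smart group with the criterion "is not None" on this attribute then flags machines to check on.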
Posted on 04-29-2016 05:05 PM
Have you thought about restricting Sharing and Users and Groups in System Preferences via a config profile?
Posted on 04-30-2016 10:44 AM
I'd go with restricting the relevant system preferences as well.
It's possible for a user to hack their way around it but they'd have to be really determined!
Taking a config management approach you could also:
Posted on 05-04-2016 09:00 AM
You can try this. It's a script to update the computer name to the binding name. You may want to create it as a policy.
Or you can do what I'm doing: create a configuration profile for loginwindow; under the options tab there is an option to set computername to computer record name. This will grey out the computer name box in the sharing tab, stopping users from changing it... unless they un-enroll from Casper.