Is there a way so I can prevent users from changing their Mac name and also prevent them from creating their own local account? Some of these users require admin rights so I can't take those away. Currently I have a policy in place that forces the name to change to what is on file in JSS but if users change the Mac name, it screws with AD and kicks them off the domain. Any suggestions other than locking out the sharing preference pane?
Question
Prevent users from changing their PC name and creating an account?
+9
+15Not what you're looking for, but I'd tackle this by identifying what they need the admin rights for, and finding ways to grant those rights without giving them full admin. (self-service options, adding them to specific groups, etc).
Other than that, I'd set up some sort of smart group to watch for additional local accounts being set up, with email alerts, and then act on those notifications.
I don't do it for the same reasons, but I have a couple of EA's and smart groups for things such as any "non-standard" accounts with local admin rights. I've told all of our IT staff that seeing a machine flagged does NOT mean someone screwed up, most of the time there is a legitimate reason, but it simply means "this is something to check on, and make sure if it is legit, that the reason is documented". A similar approach might work for you - document which users "need" admin rights, create a group of their computers, then set an alert for any new local accounts.
As for changing the name... I'm assuming you're familiar with the standard "PEBCAK, ID10T errors, etc? I call this kind of issue "PIMP". "Problem is Management's Problem" (aka not mine). Get management to implement some sort of rules of behavior, with some teeth. User changes their computer name? User's boss deals with it, not you. Requires a supportive management team, but solves SO many things when they realize that not everything in IT is the technical staff's problem.
+9Have you thought about restricting Sharing and Users and Groups in System Preferences via a config profile?
+18I'd go with restricting the relevant system preferences as well.
It's possible for a user to hack their way around it but they'd have to be really determined!
Taking a config management approach you could also:
- Add a script to auto-delete any local accounts apart from the local admin you put on there
- Use the maintenance option in a policy to reset computer names to the ones in the JSS
+11You can try this .. It's a script to update the computer name to the binding name. You may want to create it as a policy..
Or you can do what I'm doing.. Create configuration profile for loginwindow, under the options tab there is an option to set computername to computer record name. This will grey out the computer name box in the sharing tab, stopping users from changing it.. Unless they un-enroll from casper
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.