We have multiple dual-boot classrooms where students wanting to restart into Windows are prevented by the OSX admin prompt because other accounts are logged in.
Has anyone come up with a way to get around this, so that standard users (students with AD accounts) can restart a Mac without having to force shut-down?
Given that this would only happen when Fast User Switching is enabled, I have to assume that function is on on your Macs. Is there a requirement to leave that on? Do your students need to be able to fast user switch? If not, I would say the easiest way to stop this would be to turn that off and keep it disabled with something like an MCX setting or Config Profile.
If that isn't an option for you, you should be able to create a Self Service item that would run a script with admin rights to reboot the Mac.
Thanks for the response. Yes, fast user switching is enabled, but even if it was turned off, with users leaving themselves logged in and then walking off, the next user that comes along still has the same problem. This does however make it easier for us to restart the machine if 'user x' has been inactive for 'y minutes', which is probably a better line of thinking in trying to overcome this problem.
I'd still be keen to hear of anyone else's experiences in this situation.
@mdonovan, I think @mm2270 is right on the money - craft a script that you can put in Self Service that will force reboot the Mac to the Windows partition. I'm not sure entirely how you would script that (my scripting skills are pretty limited in this regard), but it's doable. I'll play around with something and see if I can come up with something.
Thanks Andrew. However, I think I should clarify the earlier premise. I am talking about when a user walks up to a Mac, sees the login window, but when clicking Restart at the bottom of the screen, an OSX window appears in the middle of the screen asking for an admin username & password to be entered to allow the restart of the Mac to occur despite other users being logged in.
A Self-Service item in this situation would not be of any help as a user would need to be logged in first.
* Apologies, yes, they could log in and then open Self-Service, but this is outside the scope of what we are trying to achieve, in that the process has to be as transparent and hassle-free as possible for students.
The first step is to disable Fast User Switching as @mm2270 mentioned. A Standard OS X user cannot log out someone else.
A Standard OS X user also cannot unlock someone else's locked session and he can't access any tools to let him do this while the screen is locked under someone else's credentials.
Therefore, the user must push the power button and crash the computer. Not desirable. You must think of an incentive to get the previous user to log out or set a very short time to automatically log out someone when the computer is idle.
A long time ago, the management for one of my groups had me modify the authorization database to allow a Standard user to unlock other Standard user accounts. It was a stupid idea and not one I'd recommend ever doing for security and HR reasons. But it worked.
@tijones's note works great for me in Mojave - very helpful in a lab setting. This causes the computer to restart whenever you click restart without prompting for authentication (or notifying you that someone else is logged in, for that matter).
sudo security authorizationdb write system.restart allow
Also, you can allow the ability to shutdown by writing the same 'allow' preference to the system.shutdown domain.
sudo security authorizationdb write system.shutdown allow
I'm not sure of the significance, but when you do this, you are changing the entry in the authorizationdb from an 'evaluate-mechanisms' class to a 'rule' class (https://scriptingosx.com/2018/05/demystifying-root-on-macos-part-4-the-authorization-database/). Is there a way to maintain the evaluate-mechanisms class and do this?
I know this is an old thread, but I have a need for this. @slemp's script works if I send it out via ARD. I have the script saved as a "Script" in Jamf, have a policy set to run it on every computer, yet it fails. Any idea as to why?
#!/bin/bash
sudo security authorizationdb write system.restart allow
sudo security authorizationdb write system.shutdown allow
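The class change discussed above (an 'evaluate-mechanisms' entry becoming a 'rule' entry after `write ... allow`) can be checked for across a lab by parsing saved `security authorizationdb read <right>` output. This is an added example, not code from the thread; the two plist samples are constructed, and the mechanism names in them are placeholders rather than real plugin identifiers.

```python
import plistlib

# Constructed samples of `security authorizationdb read <right>` output.
# The mechanism names are placeholders, not real plugin identifiers.
DEFAULT_STYLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key><array>
    <string>ExamplePlugin:check</string>
    <string>ExamplePlugin:authenticate</string>
  </array>
</dict></plist>"""

AFTER_WRITE_ALLOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>class</key><string>rule</string>
  <key>rule</key><array><string>allow</string></array>
</dict></plist>"""


def summarize_right(plist_bytes):
    """Return (class, detail, unconditional) for one authorization right."""
    entry = plistlib.loads(plist_bytes)
    cls = entry.get("class", "unknown")
    if cls == "rule":
        rules = entry.get("rule", [])  # may be a single string or an array
        detail = [rules] if isinstance(rules, str) else list(rules)
    elif cls == "evaluate-mechanisms":
        detail = list(entry.get("mechanisms", []))
    else:
        detail = []
    # Flag rights that grant the action to anyone without authentication.
    unconditional = cls == "allow" or (cls == "rule" and detail == ["allow"])
    return cls, detail, unconditional


def audit(rights):
    """Map right name -> finding string for a dict of name -> plist bytes."""
    findings = {}
    for name, raw in rights.items():
        cls, detail, unconditional = summarize_right(raw)
        status = "NO AUTH REQUIRED" if unconditional else "authorization still evaluated"
        findings[name] = f"{status} (class={cls}, detail={detail})"
    return findings


if __name__ == "__main__":
    sample = {"system.restart": AFTER_WRITE_ALLOW, "system.shutdown": DEFAULT_STYLE}
    for right, finding in audit(sample).items():
        print(f"{right}: {finding}")
```

Saving the `read` output for each right before running the `write` commands also gives you a baseline to compare against later.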