Restrict Logins to specific AD group

rstasel
Valued Contributor

Hi All,

I'm going to be rolling out new lab environments in the next few weeks, and part of that is integrating with AD, which is Campus Wide, rather than our OD environment that is only our school. Our labs are restricted to our students, however.

Apparently, Apple has had a bug since at least 10.9 that prevents Configuration Profiles from restricting logins to specific users in AD. And while I can set it manually on my test computer (System Prefs, Users, Login Options, Network Users), I obviously can't do that manually on 150 computers. Has anyone figured out how to script setting those restrictions so they can be set during imaging, or on startup via Casper? This is quite literally my last hurdle in this whole endeavor (well, until I round the corner and find others).

Thank you!


rstasel
Valued Contributor

Think I figured it out. This seems to work.

https://www.jamf.com/jamf-nation/discussions/4591/restrict-logon-to-specific-active-directory-groups#responseChild22732

Script is:

#!/bin/bash
# Run as root. Replace ADGroup below with the name of the AD group whose members may log in.

# Local group that will hold the allowed network (AD) group as a nested member.
dscl . -create /Groups/com.apple.loginwindow.netaccounts
dscl . -create /Groups/com.apple.loginwindow.netaccounts PrimaryGroupID 206
dscl . -create /Groups/com.apple.loginwindow.netaccounts Password '*'   # quoted so the shell does not glob-expand *
dscl . -create /Groups/com.apple.loginwindow.netaccounts RealName "Login Window's custom net accounts"

# ACL group consulted by the login window; only its members (direct or nested) may log in.
dscl . -create /Groups/com.apple.access_loginwindow
dscl . -create /Groups/com.apple.access_loginwindow PrimaryGroupID 223
dscl . -create /Groups/com.apple.access_loginwindow Password '*'
dscl . -create /Groups/com.apple.access_loginwindow RealName "Login Window ACL"

# Nest the AD group into the net accounts group, then nest that group into the login window ACL.
dseditgroup -o edit -n /Local/Default -a ADGroup -t group com.apple.loginwindow.netaccounts
dseditgroup -o edit -n /Local/Default -a com.apple.loginwindow.netaccounts -t group com.apple.access_loginwindow
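A post-deployment check for the ACL the script above builds, added here as an example and not part of the thread or of Jamf's own tooling. It assumes the two local groups from the script exist, and that `dseditgroup -o checkmember` exits 0 when the named user resolves as a member (directly or through nested groups) and non-zero otherwise; the user names are whatever accounts you pass on the command line.

```shell
#!/bin/bash
# Audit the login window ACL: confirm the local groups exist and report, per user,
# whether the login window would allow that account. Run on a lab Mac after the script.

ACL_GROUP="com.apple.access_loginwindow"
NET_GROUP="com.apple.loginwindow.netaccounts"

# Returns 0 if the named group exists in the local directory node, 1 otherwise.
group_exists() {
    dscl . -read "/Groups/$1" RecordName >/dev/null 2>&1
}

# Returns 0 if the user is a member of the ACL group (directly or via the nested
# AD group), 1 if the login window would deny them. Assumption: checkmember's exit
# status follows its yes/no answer.
login_allowed() {
    dseditgroup -o checkmember -m "$1" "$ACL_GROUP" >/dev/null 2>&1
}

# Prints one ALLOW/DENY line per user given as an argument.
# Returns 0 only if both groups exist and every listed user would be allowed.
audit_login_acl() {
    local denied=0 g u
    for g in "$ACL_GROUP" "$NET_GROUP"; do
        if ! group_exists "$g"; then
            echo "missing local group: $g"
            return 1
        fi
    done
    for u in "$@"; do
        if login_allowed "$u"; then
            echo "ALLOW $u"
        else
            echo "DENY  $u"
            denied=$((denied + 1))
        fi
    done
    [ "$denied" -eq 0 ]
}

# Usage: ./audit_login_acl.sh student1 staffmember ...
if [ $# -gt 0 ]; then
    audit_login_acl "$@"
fi
```

Pass one account that should be allowed and one that should not; a DENY for the first, or an ALLOW for the second, means the nesting or the AD group name is wrong.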