Hi all. For a long time we've implemented a cached login policy that would run a 'killall loginwindow' command for a particular user, this would stop a posted generic user for certain machines in another lab coming into the Mac lab to use it. However, we've been finding that they are somehow getting around it on systems, that the policy is somehow not catching all of the attempts. These are AD bound machines and it is an AD bound account. I am working on other methods that remove the AD account from the equation to really eliminate the issue, but that gets political. AD can do some limitations, but Macs don't necessarily recognize those settings. Does anyone have any other recommendations for ensuring this works 100% of the time for a particular username? This would be on 10.8 systems. Thanks!
