Restrict Particular Username Logins

ernstcs
Contributor III

Hi all. For a long time we've implemented a cached login policy that would run a 'killall loginwindow' command for a particular user; this would stop a posted generic user for certain machines in another lab from coming into the Mac lab to use it. However, we've been finding that they are somehow getting around it on systems, that the policy is somehow not catching all of the attempts. These are AD bound machines and it is an AD bound account. I am working on other methods that remove the AD account from the equation to really eliminate the issue, but that gets political. AD can do some limitations, but Macs don't necessarily recognize those settings. Does anyone have any other recommendations for ensuring this works 100% of the time for a particular username? This would be on 10.8 systems. Thanks!


jagress
New Contributor III

Two ideas...

1 - If the policy at login isn't working consistently, how about a LaunchDaemon that does the same thing?

2 - I believe there was a way to do this in Workgroup Manager (or at least do some sort of restrictions on who can/cannot log in), so that could probably be done with MCX in Casper.
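
A sketch of the LaunchDaemon idea from the reply, as an added example that is not from either poster: a root watchdog script that polls the console owner and ends the session when it matches a blocked short name. The username `labgeneric`, the 5-second interval, the `login-restrict` log tag and the `--run` argument are assumptions; the daemon's plist would call the script with `--run` in `ProgramArguments` and set `RunAtLoad` and `KeepAlive`.

```shell
#!/bin/sh
# Added example: watchdog intended to be started by a LaunchDaemon (as root).
# BLOCKED_USERS and POLL_SECONDS are placeholders, not values from the thread.
BLOCKED_USERS="labgeneric"   # space-separated short names to refuse
POLL_SECONDS=5

# Return 0 if the short name in $1 is on the block list.
# The comparison is case-insensitive as a conservative choice.
is_blocked() {
    candidate=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ -n "$candidate" ] || return 1
    for blocked in $BLOCKED_USERS; do
        blocked=$(printf '%s' "$blocked" | tr '[:upper:]' '[:lower:]')
        [ "$candidate" = "$blocked" ] && return 0
    done
    return 1
}

# The owner of /dev/console is the user of the active console session
# (BSD stat syntax, as shipped with OS X).
console_user() {
    stat -f%Su /dev/console 2>/dev/null
}

# One pass: log the event and end the session if a blocked user owns the console.
check_once() {
    user=$(console_user)
    if is_blocked "$user"; then
        logger -t login-restrict "blocked user '$user' at console; ending session"
        killall -u "$user" loginwindow
        return 0
    fi
    return 1
}

# Loop only when started with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    while true; do
        check_once
        sleep "$POLL_SECONDS"
    done
fi
```

Because the daemon polls continuously instead of firing once at login, a missed login hook is caught on the next pass, and the `logger` lines in the system log record each blocked attempt.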