I know that I can manually create a configuration and enter the groups / users that can log into a machine, but how would I go about this via script?
I have a first run script that is getting all of the relevant AD information, including groups that can log into the machine, but I don't know how to turn around and apply it to the machine.
I imagine this could be done through AuthorizationDB or something. Sadly, I've no idea how. I suppose I'd take the easy way (at least in the short term) and write a LaunchAgent that would kill the 'loginwindow' process for any user that is not in some list... That wouldn't prevent SSH connection, but can deal with that through the com.apple.access_ssh group.
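For the SSH half of this, a sketch of how a first-run script could nest the collected AD groups into the com.apple.access_ssh group with macOS's `dseditgroup` (an added example, not part of the original posts). The group names, the `DRY_RUN` switch and the function names are assumptions made for illustration; with `DRY_RUN=1` the commands are only printed.

```shell
#!/bin/sh
# Added example: nest directory groups into the SSH access group.
# Group names below are constructed; pass the ones your first-run script collected.

SACL_GROUP="com.apple.access_ssh"   # group named in the post above
DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands, 0 = execute them

# Reject empty names and names starting with '-', which dseditgroup
# would otherwise parse as an option.
valid_group_name() {
    case "$1" in
        ""|-*) return 1 ;;
    esac
    return 0
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: apply_ssh_groups GROUP [GROUP ...]
# Returns non-zero if any name was rejected or any command failed.
apply_ssh_groups() {
    rc=0
    # Create the access group if it does not exist yet (always shown in dry-run).
    if [ "$DRY_RUN" = "1" ] || ! dseditgroup -o read "$SACL_GROUP" >/dev/null 2>&1; then
        run dseditgroup -o create -q "$SACL_GROUP" || rc=1
    fi
    for g in "$@"; do
        if valid_group_name "$g"; then
            # -t group adds the name as a nested group rather than a user.
            run dseditgroup -o edit -a "$g" -t group "$SACL_GROUP" || rc=1
        else
            printf 'skipping invalid group name: %s\n' "$g" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample call; prints three dseditgroup commands in dry-run mode.
apply_ssh_groups mac-admins helpdesk
```

Run it as root with `DRY_RUN=0` once the printed commands look right. This only governs SSH; the login window is not affected.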