[UniMacTech] AD authentication and restricting logins
David Colville
david at keyoptions.com.au
Fri Apr 3 14:12:28 EST 2009
You may need to manage this in Open Directory if you're using a golden
triangle or local MCX management if not.
loginwindow's "Access Controls" are defined using Allow-List-Raw and
Deny-List-Raw properties, which can define a group (referenced by its
GUID) that is or isn't able to login to a particular workstation.
Don't forget to allow LocalUserLoginEnabled as well or you could lock
your local users out of their workstations.
As an example, in the more complex "local" OD configuration:
1. Create a local group on the workstations.
2. Add the appropriate AD groups as members of that group. This can
of course be changed later using ARD/SSH and dseditgroup if you decide
there are more groups in AD you want to use.
For example:
sudo dseditgroup -o edit -a "DOMAIN\allowedadusers" -t group allowedusers
(DOMAIN\allowedadusers is the AD group given access.
allowedusers is a local group created on the workstations.)
After the group is in place, with the AD groups in it... use the
loginwindow configuration to lock your computers down so that only the
"allowedusers" group can log in; you can use Workgroup Manager to do
this, then apply the same setting to all the other computers.
This only started working after about 10.5.5, before that you
sometimes found yourself getting all users locked out, despite
everything seeming to work.
It's pretty straightforward using Golden Triangle, or learning from
what Apple do via Workgroup Manager and applying it en masse.
Let me know if I can help further.
Cheers
David
On 03/04/2009, at 10:42 AM, Darryl Rosin wrote:
>
> I can't go buy anything for the Macs, so GP is not an option, AFAIK.
>
> thanks!
>
> d
>
>
> Darryl Rosin
>
> Server Administrator, Digital Arts Project
> Griffith University AUC Developer Fund Coordinator
>
> Research Computing Services
> Division of Information Services
> South Bank Campus
> Griffith University 4111 Australia
>
> d.rosin at griffith.edu.au
> t: 04 1876 0956
>
> PRIVILEGED – PRIVATE AND CONFIDENTIAL
> This email and any files transmitted with it are intended solely for
> the use of the addressee(s) and may contain information which is
> confidential or privileged. If you receive this email and you are
> not the addressee(s) [or responsible for delivery of the email to
> the addressee(s)], please disregard the contents of the email,
> delete the email and notify the author immediately
>
>
> From: Matiu Carr <m.carr at auckland.ac.nz>
> To: University Macintosh Technical Mailing List
> <unimactech at auc.edu.au>
> Date: 03/04/09 05:53 AM
> Subject: Re: [UniMacTech] AD authentication and restricting logins
>
>
>
>
>
> On 2/04/2009, at 4:19 PM, Darryl Rosin wrote:
>
> So, I've got AD authentication happily working in my 10.5 labs, but
> I have a need to restrict access to some of the labs so that only
> certain users can logon. Can I do this with AD? I can move the users
> into a new group or directory OU if that's of any use.
>
>
> If group policy can be applied, you can do something like what I
> describe here:
>
> http://itadmin.creative.auckland.ac.nz/FAQ/Network/ActiveDirectory/noAccessGroupPolicy/
> http://itadmin.creative.auckland.ac.nz/FAQ/Network/ActiveDirectory/restrictAccessPolicy/
>
>
> Has anyone on this list used Centrify's products to integrate macs
> into active directory?
>
> http://www.centrify.com/
>
> It came up obliquely in a posting on this list earlier in the year.
>
>
>
> Mat
> --
> Matiu Carr <m.carr at auckland.ac.nz>
>
> IT Manager
> National Institute of Creative Arts and Industries
>
> +64 9 3737 599 x86511
> http://www.people.auckland.ac.nz/Mat/
>
>
> _______________________________________________
> unimactech mailing list
> unimactech at auc.edu.au
> http://www.auc.edu.au/mailman/listinfo/unimactech
>
>
-----------------------------------------------
David Colville
Technical Director
Key Options Technology Pty Ltd
Suite 108/250 Pitt St, Sydney NSW 2000
E: david at keyoptions.com.au T: 1300 721 769 - F: +61 2 9475 0837 - M:
+61 412 200 855
iChat: davidcolville at mac.com
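The local-group half of the procedure David describes, as an added example (this is not code from the original post): it creates the local group, nests the AD group with the same dseditgroup call as above, and then checks that the AD group actually resolved to a GUID that now appears in the local group's NestedGroups before you point the loginwindow allow list at it. The loginwindow side (Allow-List-Raw plus LocalUserLoginEnabled) is still applied via Workgroup Manager as the post says. Assumptions: the workstation is already bound, the AD plugin exposes the group through the /Search node as /Groups/DOMAIN\allowedadusers, and the script name restrict-lab.sh is made up.

```shell
#!/bin/sh
# Added example, not code from the original post: scripts the local-group part
# of the procedure so it can be pushed to each lab Mac over ARD/SSH and, more
# importantly, verified before the loginwindow allow list is applied.
# Assumptions: the AD plugin is bound and exposes the group through the /Search
# node as /Groups/DOMAIN\allowedadusers; the script name is a placeholder.
set -eu

LOCAL_GROUP="${LOCAL_GROUP:-allowedusers}"          # local group the allow list names
AD_GROUP="${AD_GROUP:-DOMAIN\\allowedadusers}"      # AD group nested inside it

# Print the GeneratedUID of a directory record, or nothing if it cannot be read.
# $1 = directory node ("." for local, "/Search" for the search path)
# $2 = record path (e.g. /Groups/allowedusers)
record_guid() {
    dscl "$1" -read "$2" GeneratedUID 2>/dev/null |
        awk '/^GeneratedUID:/ { print $2 }'
}

# Create the local group only if it is not already there (safe to re-run).
ensure_local_group() {
    if ! dscl . -read "/Groups/$LOCAL_GROUP" >/dev/null 2>&1; then
        dseditgroup -o create -n . "$LOCAL_GROUP"
    fi
}

# Nest the AD group in the local group (the dseditgroup line from the post).
nest_ad_group() {
    dseditgroup -o edit -a "$AD_GROUP" -t group "$LOCAL_GROUP"
}

# Return 0 only if the AD group resolved to a GUID and that GUID is listed in
# the local group's NestedGroups. If this fails, an allow list naming the
# local group would admit nobody from AD: the lockout the post warns about.
verify_nested() {
    ad_guid=$(record_guid /Search "/Groups/$AD_GROUP")
    [ -n "$ad_guid" ] || return 1
    dscl . -read "/Groups/$LOCAL_GROUP" NestedGroups 2>/dev/null |
        grep -qF "$ad_guid"
}

# Spot-check one account the lab should admit; exit status says yes/no.
check_user() {   # $1 = "DOMAIN\user"
    dseditgroup -o checkmember -m "$1" "$LOCAL_GROUP"
}

# Usage on a workstation:  sudo sh restrict-lab.sh apply [DOMAIN\\someuser]
if [ "${1:-}" = "apply" ]; then
    ensure_local_group
    nest_ad_group
    if ! verify_nested; then
        echo "AD group not nested in $LOCAL_GROUP; do not apply the allow list yet" >&2
        exit 1
    fi
    echo "$LOCAL_GROUP GUID for Allow-List-Raw: $(record_guid . "/Groups/$LOCAL_GROUP")"
    if [ $# -ge 2 ]; then
        check_user "$2"
    fi
fi
```

The GUID it prints at the end is the one to put in Allow-List-Raw; run the script with a test account as the second argument on one machine and confirm a real login works before pushing the loginwindow setting to the rest of the lab.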