<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">You may need to manage this in Open Directory if you're using a golden triangle or local MCX management if not.<div><br></div><div>loginwindow's "Access Controls" are defined using Allow-List-Raw and Deny-List-Raw properties, which can define a group (referenced by its GUID) that is or isn't able to log in to a particular workstation. Don't forget to allow LocalUserLoginEnabled as well or you could lock your local users out of their workstations.</div><div><div><div><br></div><div>As an example, in the more complex "local" OD configuration:</div><div><br></div><div>1. Create a local group on the workstations.</div><div><br></div><div>2. Add the appropriate AD groups as members of that group. This can of course be changed later using ARD/SSH and dseditgroup if you decide there are more groups in AD you want to use.</div><div><br></div><div>For example:</div><div><br></div><div><span class="Apple-style-span" style="color: rgb(73, 73, 73); line-height: 20px; "><p style="margin-top: 0.6em; margin-right: 0px; margin-bottom: 1.2em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "><font class="Apple-style-span" color="#000000">sudo dseditgroup -o edit -a "DOMAIN\allowedadusers" -t group allowedusers</font></p></span></div><div><br></div><div><div>(DOMAIN\allowedadusers is the AD group given access.</div><div><br></div><div>allowedusers is a local group created on the workstations.)</div><div><br></div></div><div>After the group is in place, with the AD groups in it... use the loginwindow configuration to lock your computers down so that only the "allowedusers" group can log in. You can use Workgroup Manager to do this, then apply the same setting to all the other computers. 
</div><div><br></div><div>This only started working after about 10.5.5; before that you sometimes found yourself getting all users locked out, despite everything seeming to work.</div><div><br></div><div>It's pretty straightforward using Golden Triangle, or learning from what Apple do via Workgroup Manager and applying it en masse.</div><div><br></div><div>Let me know if I can help further.</div><div><br></div><div>Cheers</div><div>David</div><div><br></div><div><br></div><div><br></div><div><br></div><div>On 03/04/2009, at 10:42 AM, Darryl Rosin wrote:</div><div><div><div><div><br class="Apple-interchange-newline"><blockquote type="cite"><br><font size="2" face="sans-serif"> I can't go buy anything for the Macs, so GP is not an option, AFAIK.</font> <br> <br><font size="2" face="sans-serif">thanks!</font> <br> <br><font size="2" face="sans-serif">d<br> <br> <br> Darryl Rosin<br> <br> Server Administrator, Digital Arts Project<br> Griffith University AUC Developer Fund Coordinator<br> <br> Research Computing Services<br> Division of Information Services<br> South Bank Campus<br> Griffith University 4111 Australia<br> <br> <a href="mailto:d.rosin@griffith.edu.au">d.rosin@griffith.edu.au</a><br> t: 04 1876 0956</font> <br> <br> <br> <table width="100%"> <tbody><tr valign="top"> <td><font size="1" color="#5f5f5f" face="sans-serif">From:</font> </td><td><font size="1" face="sans-serif">Matiu Carr <<a href="mailto:m.carr@auckland.ac.nz">m.carr@auckland.ac.nz</a>></font> </td></tr><tr valign="top"> <td><font size="1" color="#5f5f5f" face="sans-serif">To:</font> </td><td><font size="1" face="sans-serif">University Macintosh Technical Mailing List <<a href="mailto:unimactech@auc.edu.au">unimactech@auc.edu.au</a>></font> </td></tr><tr valign="top"> <td><font size="1" color="#5f5f5f" face="sans-serif">Date:</font> </td><td><font size="1" face="sans-serif">03/04/09 05:53 AM</font> </td></tr><tr valign="top"> <td><font size="1" color="#5f5f5f" face="sans-serif">Subject:</font> </td><td><font size="1" face="sans-serif">Re: [UniMacTech] AD authentication and restricting logins</font></td></tr></tbody></table> <br> <hr noshade=""> <br> <br> <br> <br><font size="3">On 2/04/2009, at 4:19 PM, Darryl Rosin wrote:</font> <br> <br><font size="2" face="sans-serif">So, I've got AD authentication happily working in my 10.5 labs, but I have a need to restrict access to some of the labs so that only certain users can log on. Can I do this with AD? 
I can move the users into a new group or directory OU if that's of any use.</font><font size="1" face="Monaco"> </font> <br> <br> <br><font size="3">If group policy can be applied, you can do something like what I describe here:</font> <br> <br><a href="http://itadmin.creative.auckland.ac.nz/FAQ/Network/ActiveDirectory/noAccessGroupPolicy/"><font size="3" color="blue"><u>http://itadmin.creative.auckland.ac.nz/FAQ/Network/ActiveDirectory/noAccessGroupPolicy/</u></font></a> <br><a href="http://itadmin.creative.auckland.ac.nz/FAQ/Network/ActiveDirectory/restrictAccessPolicy/"><font size="3" color="blue"><u>http://itadmin.creative.auckland.ac.nz/FAQ/Network/ActiveDirectory/restrictAccessPolicy/</u></font></a> <br> <br> <br><font size="3">Has anyone on this list used Centrify's products to integrate macs into active directory?</font> <br> <br><a href="http://www.centrify.com/"><font size="3" color="blue"><u>http://www.centrify.com/</u></font></a> <br> <br><font size="3">It came up obliquely in a posting on this list earlier in the year.</font> <br> <br><font size="3"><br> </font> <br><font size="1" face="Monaco">Mat</font> <br><font size="1" face="Monaco">--</font> <br><font size="1" face="Monaco">Matiu Carr <</font><a href="mailto:m.carr@auckland.ac.nz"><font size="1" color="blue" face="Monaco"><u>m.carr@auckland.ac.nz</u></font></a><font size="1" face="Monaco">></font> <br> <br><font size="1" face="Monaco">IT Manager</font> <br><font size="1" face="Monaco">National Institute of Creative Arts and Industries</font> <br> <br><font size="1" face="Monaco">+64 9 3737 599 x86511</font> <br><a href="http://www.people.auckland.ac.nz/Mat/"><font size="1" color="blue" face="Monaco"><u>http://www.people.auckland.ac.nz/Mat/</u></font></a> <br> <br> <br><tt><font size="2">_______________________________________________<br> unimactech mailing list<br> <a href="mailto:unimactech@auc.edu.au">unimactech@auc.edu.au</a><br> </font></tt><a 
href="http://www.auc.edu.au/mailman/listinfo/unimactech"><tt><font size="2">http://www.auc.edu.au/mailman/listinfo/unimactech</font></tt></a><tt><font size="2"><br> </font></tt> <br> <br></blockquote></div><br><div> <span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>-----------------------------------------------</div><div>David Colville</div><div>Technical Director</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font class="Apple-style-span" color="#84AE54">Key Options Technology Pty Ltd</font></div><div 
style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><span class="Apple-style-span" style="color: rgb(119, 125, 143); ">Suite 108/250 Pitt St, Sydney NSW 2000</span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><span class="Apple-style-span" style="color: rgb(119, 125, 143); ">E: <font class="Apple-style-span" color="#0000EE"><span class="Apple-style-span" style="text-decoration: underline; -webkit-text-decorations-in-effect: underline; "><a href="mailto:david@keyoptions.com.au">david@keyoptions.com.au</a></span></font><font class="Apple-style-span" color="#000000"> </font>T: 1300 721 769 - F: +61 2 9475 0837 - M: +61 412 200 855</span></div><div>iChat: <a href="mailto:davidcolville@mac.com">davidcolville@mac.com</a></div></div></div></span></div></span> </div><br></div></div></div></div></div></body></html>