Mac Thread: Restrict logins to certain groups (Technical)
  1. #1 (member since Mar 2007, 427 posts)

    Restrict logins to certain groups

    Quick question - is there a way I can restrict logins on our Macs (which use AD authentication) to certain AD groups?

    I use this quite a lot in Windows, but haven't seen a way in Macs yet. I thought Access Control would be it, but it doesn't seem to do what I'm after.

  2. #2 (member since Mar 2007, 427 posts)
    I'm guessing the answer is no - what do the Access Control settings actually do then?

  3. #3 (member since May 2006, West Bromwich, 2,192 posts)
    There is a setting that allows you to select the groups/individual users you want to allow access to the machines. Give me a few minutes and I will upload a screen dump of the location.

  4. #4 (member since May 2006, West Bromwich, 2,192 posts)
    If you wish to lock down a single machine you can do it using the local System Preferences. Click on System Prefs, then User Accounts and then Login Options. You will see a tick box that allows network users. If you then click on Options it should list all the users and groups from both the AD and OD.
    [Attachment: Local machine lock down.png]

    You can also do it via the WGM. I think this is what you are looking at now since you mentioned access control lists. I've not done it using WGM so not entirely sure if there are problems or not.

    But from the looks of it the process should be something like this:

    Create a Computer group and then add the computers you want to restrict to the group. Once done, go to the Preferences section, then Login and then Access. Click on the + icon to the left of the box. You should then see a screen like the one below.
    [Attachment: Networked Machine lockdown.png]

    When the drawer of users pops open to the left (or right depending on how much screen is available) look at the top of this drawer. You can see a small blue globe. Click on this and choose your AD from the list. You should then see all of your AD users/groups. Once these are available you should be able to drag them into the box, allowing them access to the machines in the group.

    I hope this helps. As I say, I've never needed to do this through WGM so I'm not sure how well it works.

  5. #5 (member since Mar 2007, 427 posts)
    Cheers for that, that's exactly what I've done - added some AD groups into that list in the WGM, but it seems to let anyone log in regardless. I might try it on the local computer just to see if that works.

  6. #6 (member since Nov 2009, 64 posts)
    Try using OD groups and see if that makes any difference. I've experienced issues where WGM does not apply settings to AD groups for some reason. I've gotten around this by nesting an AD group in an OD group, then using the OD group for preference management.

  7. #7 (member since Mar 2007, 427 posts)
    Hmm, tried OD and AD groups in the WGM and it lets any user log in. I'll try the local setting and see what it does.


    EDIT: It seems our Macs just can't understand AD groups. If I set the preferences in the WGM (using either AD or OD groups) it lets anyone log in. If I set the preferences on the individual Macs (again using either AD or OD groups) it then doesn't let anyone log in!

    If I specify individual AD users on the individual Macs then it works, but that's not a useful option for me.
    Last edited by GoldenWonder; 27th September 2010 at 03:53 PM.

  8. #8 (member since Nov 2009, 64 posts)
    Is your OD server running the same OS as the clients? (i.e. 10.5 server and 10.5 clients)

  9. #9 (member since May 2006, West Bromwich, 2,192 posts)
    I will have a test tomorrow to see if mine do the same. We can find out then if it's a general issue rather than just yours.

  10. #10 (member since Mar 2007, 427 posts)
    Quote (originally posted by MarsRed): "Is your OD server running the same OS as the clients? (i.e. 10.5 server and 10.5 clients)"

    Yes, it's all Snow Leopard, all bought at the same time.

  11. #11 (member since May 2006, West Bromwich, 2,192 posts)
    I have just tested this out with my own machine and user account.

    I added my machine to a Computer list in the OD and configured this computer list for restricted access. I have 2 AD groups in the list. One is a group for all pupils and the other a group for all staff. The only user not in these groups is mine. Upon restarting the client machine (to pick up the new managed preferences) I tried my son's account (he's in reception); the login window shook. I then proceeded to try my login and logged in fine. I tried another staff user's login whose details I can remember, and they could not log in. So the restrictions are working fine.

    However, if I added my user to the all staff group, I could no longer login. But if I removed my account from the group again, I still could NOT log in. Only when I restart the client does the removal from an account take effect.

    The settings I used are Deny on the access for both groups.

    There may be a conflict of group membership causing the issue. I don't know. What I do know though is that the restricted network access does seem to work.

    Sorry if that's no help to you.

  12. #12 (member since Mar 2007, 427 posts)
    Hmm, sounds like I have to Deny access, and then Allow selected users. However, I don't think this will work as I want to deny access to students in general, but allow access to a specific set of students. But as they are members of student groups in general this might not work, as the Deny for 'all students' would include them!

  13. #13 (member since May 2006, West Bromwich, 2,192 posts)
    The first thing I would do is get a restriction working. Once you can confirm there are no issues with regards to the restrictions taking place, you can then start to plan the process. If it were me I would perhaps look at creating a dedicated group in the OD or AD and join the users that are to be allowed access to these machines to it. Then add this group to the list.

    I never tried using the Allow option. I can give it a go if you want to see what happens.

    Deny takes precedence over Allow according to WGM.

  14. #14 (member since Mar 2007, 427 posts)
    That's sort of what I'm trying to do. According to the documentation, if you add groups to the Access control list, only those groups that are explicitly allowed can log in. So I created 3 groups in OD, which contain AD groups of Staff, Students and Admins who are allowed to log in. Result is still anyone can log in! I'll try some Deny settings but that's not how it's supposed to work when reading Apple's documentation.

    The AD group for students only contains a dozen users (which is linked to the OD group) and the Staff/Admins contain the single overall group for each. Because, as you say, Deny takes precedence, I wanted to create an Allow-only, whitelist type of restriction.
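
    The exchange in #13 and #14 turns on one rule: in the WGM login-window access list a Deny entry wins over any Allow entry, so an "all students" Deny locks out the very students you put in an allowed lab group, and the only whitelist that works is Allow-only with a dedicated group and no Deny entries. The script below is an added illustration, not code from the thread or from Apple: it models that precedence rule against a constructed set of group memberships (the users alice, bob, carol and dave and their groups are made up) so it runs anywhere. On a real 10.6 client the membership question it answers from its own table would be asked with `dsmemberutil checkmembership -U user -G group`; the unrestricted result for an empty policy is an assumption that mirrors the "anyone can log in" behaviour reported when no access setting reaches the client.

```shell
#!/bin/sh
# Added example: models the WGM login-window access rule
# "Deny takes precedence over Allow" on constructed directory data.
# Not Apple code and not a script from the thread. On a real client the
# lookup in groups_of would be replaced by
#   dsmemberutil checkmembership -U "$user" -G "$group"

# Constructed directory data: user -> space-separated groups.
groups_of() {
  case "$1" in
    alice) echo "staff" ;;
    bob)   echo "students" ;;
    carol) echo "students mac-lab" ;;  # a student who is also in the lab group
    dave)  echo "visitors" ;;
    *)     echo "" ;;
  esac
}

# in_list ITEM "LIST": succeed if ITEM is one of the words in LIST.
in_list() {
  for word in $2; do
    [ "$word" = "$1" ] && return 0
  done
  return 1
}

# login_decision USER "ALLOWED GROUPS" "DENIED GROUPS": prints allow or deny.
# 1. Any membership in a denied group wins, whatever the Allow list says.
# 2. An empty policy (no Allow and no Deny entries) is treated as
#    unrestricted (assumption mirroring the thread's "anyone can log in").
# 3. Otherwise the user must be in at least one allowed group.
login_decision() {
  user=$1; allowed=$2; denied=$3
  for g in $(groups_of "$user"); do
    in_list "$g" "$denied" && { echo deny; return 0; }
  done
  if [ -z "$allowed" ] && [ -z "$denied" ]; then
    echo allow; return 0
  fi
  for g in $(groups_of "$user"); do
    in_list "$g" "$allowed" && { echo allow; return 0; }
  done
  echo deny
}

# Policy A: deny all students, allow staff and the lab group. carol is a
# student, so the Deny wins and she is locked out despite being in mac-lab.
# Policy B: no Deny entries, Allow-only with a dedicated lab group. carol gets
# in, bob (not in any allowed group) stays out.
main() {
  for u in alice bob carol dave; do
    printf '%-6s policy A: %-5s  policy B: %s\n' "$u" \
      "$(login_decision "$u" "staff mac-lab" "students")" \
      "$(login_decision "$u" "staff mac-lab" "")"
  done
}
main
```

    Run it as `sh restrict.sh` (any file name): policy A denies carol, policy B allows her, which is the difference between the Deny-all-students plan and the dedicated-group plan suggested in #13.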

  15. #15 (member since Mar 2007, 427 posts)
    One step forward, two steps back! I bound the Macs to OD and they then immediately started to pick up the access control policy, but it also meant the allowed users got no preferences (empty Dock apart from Finder etc.) so I don't know what happened there!


