Applies to: All versions of Centrify DirectControl on Mac OS X
Question:
Some Mac systems restrict network logins through the option at:
System Preferences > Users & Groups > Login Options > "Allow network users to log in at login window"
According to the KB at:
It is advised to leave this option enabled and set to allow "All network users"; however, there does not seem to be a group policy to configure this setting.
Is it possible to set this System Preference option via GP?
Answer:
The "Allow network users to log in at login window" setting is actually dictated by the presence of a local group on the Mac called "com.apple.access_loginwindow", under the following conditions:
- If the group exists and there are users or groups in its membership list, then those are the only network accounts which can log in to this Mac.
- If the group exists but contains no members (an empty group), then the "Allow network users to log in at login window" checkbox will be disabled and no network users can log in.
- If the group does not exist, then the "Allow network users to log in at login window" checkbox will be enabled, and all (authorised) network users can log in.
Therefore, to make sure that the setting is enabled and "All network users" is selected, the local Mac group "com.apple.access_loginwindow" must be removed from the system.
This can be done with the following command:
sudo dseditgroup -o delete -T group com.apple.access_loginwindow
This command can be pushed out using the "Specify commands to run" GP:
- Make sure the centrify_unix_settings.xml template has been added into the Centrify Settings group policy node.
- Enable and configure GP at:
Computer Configuration / Centrify Settings / Common UNIX settings / "Specify commands to run"
- Add the command:
- sudo dseditgroup -o delete -T group com.apple.access_loginwindow
- Go to the Mac receiving this GP and run: adgpupdate
- Check in the System Preferences > Users & Groups > Login Options and the setting should now be fully enabled.
Note: This method uses native commands built into OS X.
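As an added example (not Centrify's code and not part of the original KB), a POSIX shell helper that reads the local group record with dscl and reports which of the three states above a Mac is in, so the result of the pushed dseditgroup command can be verified after adgpupdate. It assumes that dscl exits non-zero when the group record is missing and, when it exists, prints membership as space-separated values on "GroupMembership:" and/or "NestedGroups:" lines; the sample records in the block are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not Centrify's or Apple's code.
# Classify the login-window access state of a Mac from the
# com.apple.access_loginwindow group record, as described in the KB answer.
#
# Assumption: `dscl . -read /Groups/com.apple.access_loginwindow` exits
# non-zero when the group is absent and, when present, prints a
# "GroupMembership: a b c" and/or "NestedGroups: ..." line for a
# non-empty membership list.

# Arguments: dscl exit status, dscl stdout. Prints one of:
#   absent     - group missing: checkbox enabled, all network users may log in
#   restricted - group has members: only those network accounts may log in
#   locked     - group exists but is empty: checkbox disabled, no network logins
classify_loginwindow() {
    dscl_status="$1"
    dscl_output="$2"
    if [ "$dscl_status" -ne 0 ]; then
        echo absent
        return 0
    fi
    # Collect member values from both membership attributes, one per line.
    members=$(printf '%s\n' "$dscl_output" \
        | sed -n -e 's/^GroupMembership: *//p' -e 's/^NestedGroups: *//p' \
        | tr ' ' '\n' | sed '/^$/d')
    if [ -z "$members" ]; then
        echo locked
    else
        echo restricted
    fi
}

# Run on the Mac itself: read the live group record and classify it.
check_mac() {
    dscl_out=$(dscl . -read /Groups/com.apple.access_loginwindow 2>/dev/null)
    classify_loginwindow "$?" "$dscl_out"
}

# Constructed sample records (not from a real system) for offline use.
SAMPLE_RESTRICTED='RecordName: com.apple.access_loginwindow
GroupMembership: alice bob'
SAMPLE_LOCKED='RecordName: com.apple.access_loginwindow
PrimaryGroupID: 398'

classify_loginwindow 0 "$SAMPLE_RESTRICTED"   # restricted
classify_loginwindow 0 "$SAMPLE_LOCKED"       # locked
classify_loginwindow 56 ''                    # absent
```

Only the "absent" state corresponds to the checkbox being enabled with "All network users" selected; if check_mac reports "restricted" or "locked" after adgpupdate, the GP-pushed dseditgroup delete did not take effect on that Mac.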
On OS X 10.6 systems, the adclient.autoedit.mac.netlogin configuration parameter could be used instead. Please see the following KB: