Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-3500: How to enable the "Allow network users to log in at login window" option on Mac systems via GP

Mac & PC Management Service ,  

12 April,16 at 11:11 AM

Applies to: All versions of Centrify DirectControl on Mac OS X

 
Question:
 
There are some Mac systems which are restricting network logins by the option at:
 
  System Preferences > Users & Groups > Login Options > "Allow network users to log in at login window"
 










 
 
 
According to the KB at:
It is advised to leave this option enabled and set to allow "All network users", however, there does not seem to be a group policy to configure this setting.











 
 
Is it possible to set this System Preference option via GP?

 
Answer:
 
The "Allow network users to log in at login window" is actually dictated by the presence of a local group on the Mac called "com.apple.access_loginwindow" under the following conditions:
  • If the group exists and there are users or groups in its membership list, then those are the only network accounts which can log into this Mac.
     
  • If the group exists, but it contains no members (an empty group), then the "Allow network users to log in at login window" checkbox will be disabled and no network users can login.
     
  • If the group does not exist, then the "Allow network users to log in at login window" checkbox will be enabled, and all (authorised) network users can log in
 
Therefore to make sure that the setting is enabled and "All network users" is selected, the local Mac group "com.apple.access_loginwindow" must be removed from the system.
 
This can be done with the following command:
 
  sudo dseditgroup -o delete -T group com.apple.access_loginwindow
 
 
This command can be pushed out using the "Specify commands to run" GP: 
  1. Make sure the centrify_unix_settings.xml template has been added into the Centrify Settings group policy node.
     
  2. Enable and configure GP at:

    Computer Configuration / Centrify Settings / Common UNIX settings / "Specify commands to run"
     
  3. Add the command: 
    • sudo dseditgroup -o delete -T group com.apple.access_loginwindow
       
  4. Go to the Mac receiving this GP and run: adgpupdate
     
  5. Check in the System Preferences > Users & Groups > Login Options and the setting should now be fully enabled.
 
 
 
Note: This method uses native commands built into OS X.
On OS X 10.6 systems, the adclient.autoedit.mac.netlogin configuration parameter could be used instead. Please see the following KB:

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-3000: Troubleshooting login issues on Mac systems. articleKB-2159: No domain users are able to login to Mac systems after a reboot. articleKB-6041: How to show current license type in use by adclient articleKB-4911: How to enable extended debug logging for capturing group policy issues articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6642: Getting started with 802.1X for Mac - Configuration Overview articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-5765: How to block OS X updates via Group Policy articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin?