Centrify DirectControl on Mac OS X 10.X

Question:
How do the login script GPs below work?
- User Configuration > Centrify Settings > Mac OS X Settings > Scripts (Login/Logout) > "Specify Multiple Login Scripts"
- Computer Configuration > Centrify Settings > Mac OS X Settings > Scripts (Login/Logout) > "Specify Multiple Login Scripts"
Will they work over VPN for a full-time remote user?

Answer:
When the User Configuration GPs are configured and the machine is in a "connected" state at login, the scripts are copied from the network SYSVOL location to the local /var/centrifydc/loginscripts/user/ADuser.name/ path on the Mac (where ADuser.name is the username of the actual logged-on AD user).
When the Computer Configuration GPs are configured and the machine is in a "connected" state at login, the scripts are copied from SYSVOL to the local /var/centrifydc/loginscripts/machine/ path on the Mac.
After this initial connected login and script delivery, the scripts stay in their respective local folders and execute at each subsequent login, even while offline.

Notes:
- Both User and Computer login script GPs are triggered during a "connected" login. If there is no active "connected" session, the scripts will not be delivered immediately at login.
- Script files configured under the Computer Configuration login script GP can also be delivered during a group policy refresh while the Mac is still in "connected" mode.
- This means that although Computer Configuration login scripts can be delivered at any connected group policy refresh interval, User Configuration login scripts can only be delivered during a connected login.
Since remote users using a VPN are not in a connected state until after login occurs and they manually connect to the VPN, they will only be able to receive login scripts set up under Computer Configuration after connecting to the VPN.

Workaround:
To have remote users also be able to receive User Configuration login scripts, follow the steps below:
- Make sure that the VPN is set up correctly for Centrify by following:
- Log in as the Local Admin and enable Fast User Switching:
  - System Preferences > Users & Groups > Login Options > Show fast user switching menu as: (choose either Full Name, Account Name, or Icon)
- Connect to the VPN interface, and verify the VPN shows as "connected."
- Open Terminal.app (/Applications/Utilities/Terminal.app), type adinfo and press ENTER.
  - Verify that CentrifyDC mode: Connected
  - If not, the following command may need to be run to restart adclient: sudo /usr/share/centrifydc/bin/centrifydc restart
  - Run adinfo again and verify CentrifyDC mode: Connected.
- Click on the current user's name in the upper right hand corner of the screen and choose "Login Window..."
- Log into the machine as the AD user, open Terminal, type adinfo and press ENTER to verify that CentrifyDC mode is still "Connected".
- Double check the /var/centrifydc/loginscripts/user/ADuser.name/ folder to make sure the script has been successfully delivered.
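The last two verification steps can be scripted. The following is an added example, not Centrify's own tooling: it reads the "CentrifyDC mode" line from adinfo output and checks the local login script folders named above. The function names, the SCRIPT_ROOT variable, the use of `id -un` for ADuser.name and the extra check for group- or world-writable files (useful because the cached copies run at every login, even offline) are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-login check for the workaround steps above.
# Paths and the "CentrifyDC mode" line come from the article; function
# names and SCRIPT_ROOT are hypothetical.
SCRIPT_ROOT="${SCRIPT_ROOT:-/var/centrifydc/loginscripts}"

# Read adinfo output on stdin and print the mode in lower case.
centrify_mode() {
    awk -F: 'tolower($1) == "centrifydc mode" {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print tolower(v); exit }'
}

# Audit one scope: "machine" or "user/<ADuser.name>".
# Return codes: 0 delivered and not loosely writable, 1 folder empty,
# 2 folder missing, 3 a script is writable by group or other.
audit_scripts() {
    dir="$SCRIPT_ROOT/$1"
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    total=$(find "$dir" -type f | wc -l | tr -d ' ')
    if [ "$total" -eq 0 ]; then
        echo "EMPTY $dir (no script delivered yet)"
        return 1
    fi
    # Cached scripts run at each login, so flag copies others could modify.
    loose=$(find "$dir" -type f \( -perm -020 -o -perm -002 \))
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/WRITABLE /'
        return 3
    fi
    echo "OK $total script(s) in $dir"
}

# Runs only where adinfo is installed, i.e. on a Centrify-joined Mac.
if command -v adinfo >/dev/null 2>&1; then
    mode=$(adinfo | centrify_mode)
    echo "CentrifyDC mode: ${mode:-unknown}"
    if [ "$mode" != "connected" ]; then
        echo "Not connected: User Configuration scripts are not delivered at this login"
    fi
    audit_scripts machine || true
    # Assumption: the local short name equals ADuser.name.
    audit_scripts "user/$(id -un)" || true
fi
```

Run it in Terminal as the AD user after the Fast User Switching login; reading the folders may require sudo depending on their permissions.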
For additional info on the login script GPs, see: