
KB-5138: How do the login script group policies work for remote users?

Centrify Identity Service, Mac Edition

12 April,16 at 11:14 AM

Applies to: Centrify DirectControl on Mac OS X 10.X

Question:

How do the login script GPs below work?
  • User Configuration > Centrify Settings > Mac OS X Settings > Scripts (Login/Logout) > "Specify Multiple Login Scripts"
  • Computer Configuration > Centrify Settings > Mac OS X Settings > Scripts (Login/Logout) > "Specify Multiple Login Scripts"
Will they work over VPN for a full-time remote user?


Answer:

When the User Configuration GPs are configured and the machine is in a "connected" state at login, the scripts are copied from the network SYSVOL location to the local /var/centrifydc/loginscripts/user/ADuser.name/ path on the Mac. (Where ADuser.name is the username of the actual logged on AD user.)

When the Computer Configuration GPs are configured and the machine is in a "connected" state at login, the scripts are copied from SYSVOL to the local /var/centrifydc/loginscripts/machine/ path on the Mac.


After this initial connected login and script delivery, the scripts stay in their respective local folders and execute at each subsequent login, even while offline.


Notes
  • Both User and Computer login script GPs are triggered during a "connected" login. If there is no active "connected" session, the scripts will not be delivered immediately at login.  
  • Script files configured under the Computer Configuration login script GP can also be delivered during a group policy refresh while the Mac is still in "connected" mode.
  • This means that although Computer Configuration login scripts can be delivered at any connected group policy refresh interval, User Configuration login scripts can only be delivered during a connected login.

Remote users on a VPN are not in a connected state until after login, when they manually connect to the VPN. This means they can only receive login scripts set up under Computer Configuration, and only after connecting to the VPN.


Workaround:

To have remote users also be able to receive User Configuration login scripts, follow the steps below:
  • Make sure that the VPN is set up correctly for Centrify by following:
  • Log in as the Local Admin and enable Fast User Switching:
    • System Preferences > Users & Groups > Login Options > Show fast user switching menu as: (choose either Full Name, Account Name, or Icon)
  • Connect to the VPN interface, and verify the VPN shows as "connected."
  • Open Terminal.app (/Applications/Utilities/Terminal.app), type adinfo and press ENTER
  • Verify that the output shows CentrifyDC mode: Connected
    • If not, the following command may need to be run to restart adclient:  sudo /usr/share/centrifydc/bin/centrifydc restart
    • Run adinfo again and verify CentrifyDC mode: Connected.
  • Click on the current user's name in the upper right hand corner of the screen and choose "Login Window..."
  • Log into the machine as the AD user, open Terminal, type adinfo and press ENTER to verify that CentrifyDC mode is still "Connected".
  • Double check the /var/centrifydc/loginscripts/user/ADuser.name/ folder to make sure the script has been successfully delivered.
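
The two manual checks at the end of the workaround (adinfo reports Connected, and the user's script folder is populated) can be scripted. The following is an added example, not Centrify's own tooling; the function names and the LOGINSCRIPT_BASE override are assumptions made here, and the default path is the one given in this article.

```shell
#!/bin/sh
# Added example: automate the workaround's last two verification steps.
# LOGINSCRIPT_BASE defaults to the path from the article; the override is
# an assumption of this example so the check can be pointed at a test folder.
LOGINSCRIPT_BASE="${LOGINSCRIPT_BASE:-/var/centrifydc/loginscripts}"

# Read adinfo output on stdin and print the value of the
# "CentrifyDC mode:" line, lower-cased and trimmed (e.g. "connected").
centrify_mode() {
    awk -F: 'tolower($1) == "centrifydc mode" {
        v = tolower($2); gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v; exit
    }'
}

# Print the regular files cached for an AD user ($1), one per line.
# Returns 1 if the folder is missing or empty (nothing delivered yet).
delivered_user_scripts() {
    dir="$LOGINSCRIPT_BASE/user/$1"
    [ -d "$dir" ] || return 1
    found=$(find "$dir" -type f -print | sort)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Combined check: adinfo output on stdin, AD user name as $1.
# Exit status: 0 = connected and scripts cached,
#              1 = not connected, 2 = connected but no scripts cached.
verify_delivery() {
    mode=$(centrify_mode)
    if [ "$mode" != "connected" ]; then
        echo "CentrifyDC mode is '${mode:-unknown}', not connected" >&2
        return 1
    fi
    delivered_user_scripts "$1" || {
        echo "no scripts cached for $1 under $LOGINSCRIPT_BASE/user" >&2
        return 2
    }
}

# Usage on the Mac, logged in as the AD user with the VPN connected:
#   adinfo | verify_delivery "ADuser.name"
```

A status of 1 corresponds to the step where adclient may need to be restarted; a status of 2 means the connected login completed but the User Configuration script was not copied from SYSVOL.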
 
For additional info on the login script GPs, see:
