
KB-5138: How do the login script group policies work for remote users?

Mac & PC Management Service

12 April,16 at 11:14 AM

Applies to: Centrify DirectControl on Mac OS X 10.X


How do the login script GPs below work?
  • User Configuration > Centrify Settings > Mac OS X Settings > Scripts (Login/Logout) > "Specify Multiple Login Scripts"
  • Computer Configuration > Centrify Settings > Mac OS X Settings > Scripts (Login/Logout) > "Specify Multiple Login Scripts"
Will they work over VPN for a full-time remote user?


When the User Configuration GPs are configured and the machine is in a "connected" state at login, the scripts are copied from the network SYSVOL location to the local /var/centrifydc/loginscripts/user/ path on the Mac. (Where is the username of the actual logged on AD user.)

When the Computer Configuration GPs are configured and the machine is in a "connected" state at login, the scripts are copied from SYSVOL to the local /var/centrifydc/loginscripts/machine/ path on the Mac.

After this initial connected login and script delivery, the scripts stay in their respective local folders and execute at each subsequent login, even while offline.

  • Both User and Computer login script GPs are triggered during a "connected" login. If there is no active "connected" session, the scripts will not be delivered immediately at login.  
  • Script files configured under the Computer Configuration login script GP can also be delivered during a group policy refresh while the Mac is still in "connected" mode.
  • This means that although Computer Configuration login scripts can be delivered at any connected group policy refresh interval, User Configuration login scripts can only be delivered during a connected login.

Remote users on a VPN are not in a connected state until after login, when they manually connect to the VPN. This means they will only be able to receive login scripts set up under Computer Configuration after connecting to the VPN.


To have remote users also be able to receive User Configuration login scripts, follow the steps below:
  • Make sure that the VPN is set up correctly for Centrify by following:
  • Log in as the Local Admin and enable Fast User Switching:
    • System Preferences > Users & Groups > Login Options > Show fast user switching menu as: (Choose Full Name, Account Name, or Icon.)
  • Connect to the VPN interface, and verify the VPN shows as "connected."
  • Open Terminal (in /Applications/Utilities/), type adinfo and press ENTER
  • Verify that CentrifyDC mode: Connected
    • If not, the following command may need to be run to restart adclient: sudo /usr/share/centrifydc/bin/centrifydc restart
    • Run adinfo again and verify CentrifyDC mode: Connected.
  • Click on the current user's name in the upper right-hand corner of the screen and choose "Login Window..."
  • Log in to the machine as the AD user, open Terminal, type adinfo and press ENTER to verify that CentrifyDC mode is still "Connected".
  • Double-check the /var/centrifydc/loginscripts/user/ folder to make sure the script has been successfully delivered.
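
A post-login check for the last two steps above, as an added example that is not part of the original article or of Centrify's tooling. It parses `adinfo` output for the CentrifyDC mode and inspects the login-script folder; the function names are hypothetical, and the group/world-writable check is an extra added here because these cached scripts run at every login, even offline.

```shell
#!/bin/sh
# Added example (not Centrify code). Function names are hypothetical.

# Print the CentrifyDC mode, lowercased, from `adinfo` output read on stdin.
centrify_mode() {
    awk -F: 'tolower($1) == "centrifydc mode" {
        gsub(/^[ \t]+|[ \t]+$/, "", $2); print tolower($2); exit }'
}

# Print every regular file under the given login-script directory.
delivered_scripts() {
    [ -d "$1" ] || return 1
    find "$1" -type f -print
}

# Print delivered scripts that group or other users could modify.
writable_scripts() {
    [ -d "$1" ] || return 1
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print
}

# Run all checks. $1 = login-script directory; adinfo output on stdin.
# Returns 0 = OK, 1 = not connected, 2 = nothing delivered, 3 = loose perms.
check_login_scripts() {
    mode=$(centrify_mode)
    if [ "$mode" != "connected" ]; then
        echo "FAIL: CentrifyDC mode is '${mode:-unknown}'; scripts are only delivered while connected"
        return 1
    fi
    if [ -z "$(delivered_scripts "$1")" ]; then
        echo "FAIL: no scripts found in $1"
        return 2
    fi
    loose=$(writable_scripts "$1")
    if [ -n "$loose" ]; then
        echo "WARN: group/world-writable login scripts:"
        echo "$loose"
        return 3
    fi
    echo "OK: connected, scripts present in $1"
}

# Usage on the Mac, with the path from the article:
#   adinfo | check_login_scripts /var/centrifydc/loginscripts/user/
```
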
For additional info on the login script GPs, see:
