Ackles
asked on
Disable login for Network Accounts
Hello,
I have computers (10.8.5) enabled with option "Allow network users to login" as per the attached. (Last Option)
I have to disable this option on many computers, I am looking for a Terminal Command to disable this option.
Regards,
A
Bildschirmfoto-2014-03-04-um-14..png
ASKER
Hi,
As mentioned in the question OS=10.8.5
When I run the first command following is the output:
admin$ sudo defaults read /Library/Preferences/com.apple.loginwindow.plist
{
MCXLaunchAfterUserLogin = 1;
MCXLaunchOnUserLogout = {
a = 1;
};
OptimizerLastRunForBuild = 25494688;
OptimizerLastRunForSystem = 168297728;
RetriesUntilHint = 0;
SHOWFULLNAME = 1;
lastUser = loggedIn;
lastUserName = a;
}
Please tell me what has to be next...
A
Sorry, I did see the 10.8.5, but blanked out when I was typing.
I don't see an entry there in your plist. I guess it's somewhere else. I'll have to get to a lion machine to see where it might be.
A work around would be to leave the Active Directory domain then rejoin it when needed. I don't have access to Open Directory now, so I don't remember how I'd do that on the command line.
dsconfigad -leave [-localuser username] [-localpassword password]
# Bind the AD
dsconfigad -f -a (computer name) -domain (domain) -u (user name) -p (password) -mobile enable
# Create the AD search paths
/usr/bin/dscl /Search -create / SearchPolicy CSPSearchPath
/usr/bin/dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
/usr/bin/dscl /Search -append / CSPSearchPath "$csp"
/usr/bin/dscl /Search/Contacts -append / CSPSearchPath "$csp"
ASKER
Sorry, but this is Production & I can't go with the suggested workaround....
Please take your time when you get your hands on Mountain Lion.
After some digging, I found something about the com.apple.access_loginwindow group, except I'm not sure exactly what to do with it yet.
dseditgroup -o read group com.apple.access_loginwindow
http://www.jaharmi.com/2010/02/27/local_logins_succeed_but_network_logins_fail_on_active_directory_bound_mac_os_x_leopard
You mainly have to create the group to deny access. You can delete the group when you want to enable access again.
The group gets created when you click on the option button. Once created, there are 2 nested groups in there when you allow network access and only one when you don't. From the command line, you should be able to just create & delete the group.
See if the group exists / view the group
dscl . -read /Groups/com.apple.access_loginwindow
Add the group
dseditgroup -o create -n . com.apple.access_loginwindow
Delete
dseditgroup -o delete -n . com.apple.access_loginwindow
ASKER
It shows how to enable the user, I am looking for a command to disable the setting.
ASKER
Sorry, I saw your post later, I will try & let you know
ASKER
Hello,
When I run the command to see the groups, I get the following result:
dscl . -read /Groups/com.apple.access_loginwindow
AppleMetaNodeLocation: /Local/Default
GeneratedUID: E62C0966-77C1-4271-8B0B-292E9FE7204A
GroupMembers:
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003D ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E
Password: *
PrimaryGroupID: 206
RealName:
Login Window ACL
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups
Can you advise what next?
ASKER
Any suggestions?
Sorry, I've been busy, and didn't have any free time to check experts-exchange earlier.
Delete the group then add it back with the commands I've given. To find out more about the command, run man dseditgroup. If the group exists, the checkbox goes off, unless the netaccounts group is a member of this group.
You could also remove ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E, or group 62 (netaccounts), from that group. The other one 3D, or 61, is localaccounts. Keep the localaccounts, but you can delete netaccounts from the group. This isn't exactly needed, unless you have other group members that you wish to remain. You only have localaccounts and netaccounts, which means you didn't click the options box to restrict members to specific groups.
When you first uncheck the check box, the group is created without the netaccounts group as a member. The next time it's checked, it adds the netaccounts group to it. When you click on the options box, group members are added to this group to restrict access to just those members. If you just want to allow the default of everyone, you just need to add netaccounts to this group.
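The membership logic described in the reply above, as an added audit example that is not part of the original thread: it classifies `dscl . -read` output for the login-window ACL group by whether the netaccounts UUID is nested in it. The function names and state labels are hypothetical, and the sample records are constructed from the output shown in the thread.

```shell
#!/bin/sh
# Added example: classify the login-window ACL from dscl output.
# UUID below is the one the thread identifies as netaccounts (group 62).
NETACCOUNTS_UUID="ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E"
ACL_GROUP="com.apple.access_loginwindow"

# Reads `dscl . -read /Groups/$ACL_GROUP` output on stdin and prints:
#   no-acl-group     group record absent (thread: deleting it re-enables access)
#   network-allowed  group exists and netaccounts is nested in it
#   network-blocked  group exists without netaccounts
classify_login_acl() {
    awk -v want="$NETACCOUNTS_UUID" -v grp="$ACL_GROUP" '
    {
        first = 1
        # "Key: value ..." starts an attribute; any other line continues it
        if ($0 ~ /^[A-Za-z]+:/) { key = $1; sub(/:$/, "", key); first = 2 }
        for (i = first; i <= NF; i++) {
            if (key == "RecordName" && $i == grp) found = 1
            if (key == "NestedGroups" && toupper($i) == want) net = 1
        }
    }
    END {
        if (!found)   print "no-acl-group"
        else if (net) print "network-allowed"
        else          print "network-blocked"
    }'
}

# Constructed sample: the record shape shown in the thread, netaccounts nested.
sample_allowed() {
    cat <<'EOF'
AppleMetaNodeLocation: /Local/Default
GroupMembers:
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003D ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E
PrimaryGroupID: 206
RealName:
 Login Window ACL
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups
EOF
}

# Same record after netaccounts (...3E) is removed; localaccounts (...3D) stays.
sample_blocked() { sample_allowed | sed "s/ $NETACCOUNTS_UUID//"; }

# On a Mac, audit the live record; elsewhere, classify the samples.
if command -v dscl >/dev/null 2>&1; then
    dscl . -read "/Groups/$ACL_GROUP" 2>/dev/null | classify_login_acl
else
    sample_allowed | classify_login_acl
    sample_blocked | classify_login_acl
fi
```

A `network-blocked` result only means netaccounts is not nested; any other groups nested in the record still pass the ACL, as the reply notes for the options box.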
ASKER
Hi,
It's ok, I understand.
I wrote the following command & it gives this error:
dseditgroup -o delete -n ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E . com.apple.acces_loginwindow
Error locating specified node.
I am not sure of the syntax, could you please have a look?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Thanks a Lot!!!
to see if you have that entry listed there. If it's there, you should be able to
Which version of OSX is that? That's no longer available as an option on my current Mavericks system that's joined to the domain. I'm not sure where it might be, otherwise. I do have a lion system I can check later on, but don't have access to it now.