Solved

Disable login for Network Accounts

Posted on 2014-03-04
Last Modified: 2014-03-10
Hello,
I have computers (10.8.5) enabled with option "Allow network users to login" as per the attached. (Last Option)

I have to disable this option on many computers, I am looking for a Terminal Command to disable this option.

Regards,
A
Bildschirmfoto-2014-03-04-um-14..png
Question by:Ackles
14 Comments
 
LVL 30

Expert Comment

by:serialband
ID: 39903436
Try
sudo defaults read /Library/Preferences/com.apple.loginwindow.plist

to see if you have that entry listed there.

If it's there, you should be able to
sudo defaults delete /Library/Preferences/com.apple.loginwindow.plist  NAME_OF_ENTRY


Which version of OSX is that?  That's no longer available as an option on my current Mavericks system that's joined to the domain.  I'm not sure where it might be, otherwise.  I do have a Lion system I can check later on, but don't have access to it now.
0
 
LVL 11

Author Comment

by:Ackles
ID: 39903478
Hi,
As mentioned in the question OS=10.8.5

When I run the first command, the following is the output:


admin$ sudo defaults read /Library/Preferences/com.apple.loginwindow.plist
{
    MCXLaunchAfterUserLogin = 1;
    MCXLaunchOnUserLogout =     {
        a = 1;
    };
    OptimizerLastRunForBuild = 25494688;
    OptimizerLastRunForSystem = 168297728;
    RetriesUntilHint = 0;
    SHOWFULLNAME = 1;
    lastUser = loggedIn;
    lastUserName = a;
}


Please tell me what has to be next...

A
0
 
LVL 30

Expert Comment

by:serialband
ID: 39903529
Sorry, I did see the 10.8.5, but blanked out when I was typing.

I don't see an entry there in your plist.  I guess it's somewhere else.  I'll have to get to a Lion machine to see where it might be.

A workaround would be to leave the Active Directory domain then rejoin it when needed.  I don't have access to Open Directory now, so I don't remember how I'd do that on the command line.
dsconfigad -leave [-localuser username] [-localpassword password]

# Bind the AD
dsconfigad -f -a (computer name) -domain (domain) -u (user name) -p (password) -mobile enable


# Create the AD search paths
/usr/bin/dscl /Search -create / SearchPolicy CSPSearchPath
/usr/bin/dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
/usr/bin/dscl /Search -append / CSPSearchPath "$csp"
/usr/bin/dscl /Search/Contacts -append / CSPSearchPath "$csp"

0
 
LVL 11

Author Comment

by:Ackles
ID: 39903540
Sorry, but this is Production & I can't go with the suggested workaround....

Please take your time when you get your hands on Mountain Lion.
0
 
LVL 30

Expert Comment

by:serialband
ID: 39904031
After some digging, I found something about the com.apple.access_loginwindow group, except I'm not sure exactly what to do with it yet.

dseditgroup -o read group com.apple.access_loginwindow

http://www.jaharmi.com/2010/02/27/local_logins_succeed_but_network_logins_fail_on_active_directory_bound_mac_os_x_leopard
0
 
LVL 30

Expert Comment

by:serialband
ID: 39904137
You mainly have to create the group to deny access.  You can delete the group when you want to enable access again.

The group gets created when you click on the option button.  Once created, there are 2 nested groups in there when you allow network access and only one when you don't.  From the command line, you should be able to just create & delete the group.

See if the group exists / view the group
dscl . -read /Groups/com.apple.access_loginwindow

Add the group
dseditgroup -o create -n . com.apple.access_loginwindow

Delete
dseditgroup -o delete -n . com.apple.access_loginwindow
0
 
LVL 11

Author Comment

by:Ackles
ID: 39904209
It shows how to enable the user, I am looking for a command to disable the setting.
0
 
LVL 11

Author Comment

by:Ackles
ID: 39904214
Sorry, I saw your post later, I will try & let you know
0
 
LVL 11

Author Comment

by:Ackles
ID: 39905631
Hello,
When I run the command to see the groups, I get the following result:

dscl . -read /Groups/com.apple.access_loginwindow
AppleMetaNodeLocation: /Local/Default
GeneratedUID: E62C0966-77C1-4271-8B0B-292E9FE7204A
GroupMembers:
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003D ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E
Password: *
PrimaryGroupID: 206
RealName:
 Login Window ACL
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups

Can you advise what next?
0
 
LVL 11

Author Comment

by:Ackles
ID: 39908620
Any suggestions?
0
 
LVL 30

Expert Comment

by:serialband
ID: 39909321
Sorry, I've been busy, and didn't have any free time to check experts-exchange earlier.

Delete the group then add it back with the commands I've given.  To find out more about the command, run man dseditgroup.  If the group exists, the checkbox goes off, unless the netaccounts group is a member of this group.

You could also remove ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E, or group 62 (netaccounts), from that group.  The other one 3D, or 61, is localaccounts.  Keep the localaccounts, but you can delete netaccounts from the group.  This isn't exactly needed, unless you have other group members that you wish to remain.  You only have localaccounts and netaccounts, which means you didn't click the options box to restrict members to specific groups.

When you first uncheck the check box, the group is created without the netaccounts group as a member.  The next time it's checked, it adds the netaccounts group to it.  When you click on the options box, group members are added to this group to restrict access to just those members.  If you just want to allow the default of everyone, you just need to add netaccounts to this group.
0
 
LVL 11

Author Comment

by:Ackles
ID: 39909467
Hi,
It's ok, I understand.

I wrote the following command & it gives this error:

dseditgroup -o delete -n ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E . com.apple.acces_loginwindow
Error locating specified node.

I am not sure of the syntax, could you please have a look?
0
 
LVL 30

Accepted Solution

by:
serialband earned 2000 total points
ID: 39913590
That's for deleting an entire group, not for editing group membership.  It's necessary for operating on the directory services.  If you're just changing membership in the local group, you just need to use dscl.  You should be sure that the group exists.  You can also restrict it to specific group members as well.

Here's the delete command to remove the group from the NestedGroups to disable Network user access.
dscl . -delete /Groups/com.apple.access_loginwindow NestedGroups ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E

Here's the append command to put it back and allow network user access.
dscl . -append /Groups/com.apple.access_loginwindow NestedGroups ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E

0
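
An added example, not part of the accepted answer or the thread: a shell script that reads the com.apple.access_loginwindow record before changing it, so the dscl delete above can be pushed to many Macs and only touches machines where netaccounts is still nested. The function names and the state labels (allowed, denied, no-acl) are assumptions made for this example; the sample record is the dscl output posted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. dscl exists only on macOS; the parsing
# function is plain awk, so the classification logic runs anywhere.
ACL_GROUP="/Groups/com.apple.access_loginwindow"
# GUID of netaccounts (group 62) as quoted in the thread.
NETACCOUNTS_GUID="ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E"

# Record as posted in the thread (output of `dscl . -read` on the ACL group).
sample_record() {
cat <<'EOF'
AppleMetaNodeLocation: /Local/Default
GeneratedUID: E62C0966-77C1-4271-8B0B-292E9FE7204A
GroupMembers:
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003D ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003E
Password: *
PrimaryGroupID: 206
RealName:
 Login Window ACL
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups
EOF
}

# Read a dscl record on stdin; print allowed, denied or no-acl.
netlogin_state() {
    awk -v guid="$NETACCOUNTS_GUID" '
        /^[A-Za-z]/ { attr = $1; first = 2 }   # "Name: value ..." line
        /^ /        { first = 1 }              # continuation of previous attribute
        attr == "RecordName:"   { seen = 1 }
        attr == "NestedGroups:" { for (i = first; i <= NF; i++) if ($i == guid) found = 1 }
        END { print (!seen ? "no-acl" : (found ? "allowed" : "denied")) }
    '
}

# Hypothetical wrapper: remove netaccounts only when it is actually nested.
disable_netlogin() {
    state=$(dscl . -read "$ACL_GROUP" 2>/dev/null | netlogin_state)
    case "$state" in
        allowed) dscl . -delete "$ACL_GROUP" NestedGroups "$NETACCOUNTS_GUID" ;;
        denied)  echo "network logins already denied" ;;
        *)       echo "ACL group missing, nothing changed" >&2; return 1 ;;
    esac
}

echo "thread sample: $(sample_record | netlogin_state)"
```

On a Mac, call disable_netlogin as root; a non-zero return marks machines where the group record does not exist and needs a separate look.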
 
LVL 11

Author Closing Comment

by:Ackles
ID: 39918139
Thanks a Lot!!!
0
