10 Replies Latest reply on Aug 31, 2016 8:27 AM by patgmac1

    Restrict logon for specific AD groups

    philcebutv Apprentice

      Does anyone know how we can restrict logon for only specific AD groups using AM


      Basically we don't want students logging in to staff machines.


      There was a plist com.apple.loginwindow before in WGM where in you can allow or deny specific users or OD groups. I created this particular plist into a profile but it doesn't seem to work anymore. Moreover the profile is looking for Generated UIDs which I could not figure out what attribute in AD I would use. Digging deeper when an iMac is binded to AD I can use dscl command interactively and browse/read the attributes of an AD group -  there is actually a Generated UIDs on those AD groups but this does not work when use in Profiles.

      Thanks in advance.