[MacTUG] Profile Manager: Limit logon to certain AD groups

Donald Duff-McCracken dsmccrac at uwaterloo.ca
Wed Oct 9 16:01:31 EDT 2013


Hi Stephen

Some background info:
We have been limiting access to the DV Lab Macs using AD groups. It was working fine with Workgroup Manager in 10.6 but I have not been able to replicate it in 10.8, despite the fact that (as the link to the image shows) I can see where I can add AD groups, and it does 'intelligently' see them. I say 'intelligently' because when I start typing the name of the AD group (such as the one that I am using, Env-Labs-Digital-Video) and click find, it will show me the list of AD groups that start with what I typed (i.e. typing Env-Labs and then hitting return will list all the AD groups starting with Env-Labs). When it displays the list of groups it can even see how many users are in the group. So all that is working quite well.

According to the documentation that I have read, if there are no groups or users in the "Allow" or "Deny" sections of the Login Window > Access screen (the one in the link in my original posting), Apple assumes that these empty fields mean there are no access control settings.

If either of these has entries, this automatically turns on access control. All this makes sense. Except it is not working, haha.

Currently I have only one user in this group yet anyone can log in. I have tried putting users in the Deny section and tried different groups, and a few other things, and I cannot get it to kick in! It is a bit frustrating to say the least. I have a bit of a 'plan b' if I can't get this to work, but I would like this bloody thing to work.


------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
https://uwaterloo.ca/environment-computing/about/people/donald-duff-mccracken


From: Stephen Markan <smarkan at uwaterloo.ca>
Date: Wednesday, 9 October, 2013 1:43 PM
To: Donald Duff-McCracken <dsmccrac at uwaterloo.ca>, MacTUG <mactug at mailman.uwaterloo.ca>
Subject: Re: [MacTUG] Profile Manager: Limit logon to certain AD groups

Does not work in what way? What is the Group you are adding to the allowed list?

From: Donald Duff-McCracken <dsmccrac at uwaterloo.ca>
Date: Wednesday, October 9, 2013 12:13 PM
To: MacTUG <mactug at mailman.uwaterloo.ca>
Subject: [MacTUG] Profile Manager: Limit logon to certain AD groups



Hi all…

I knew how to do this with Workgroup Manager (WGM) and I can see how I "should" be able to do it in Profile Manager (PM) but it does not seem to work.

The issue with PM is that I do feel it is "half baked" and while it does some things better than WGM I feel that a) it does not have all the functionality built out in it that WGM had/has and b) that some of that functionality is flaky. I am not sure if this is the case for this feature.

You would think this would work:
http://i1297.photobucket.com/albums/ag28/Don_Duff_McC/Work%20Pics/ScreenShot2013-10-09at120733PM_zps8f1e956e.png

It does not.

Anyone out there playing with this?