Articles December 2, 2006 at 9:40 am

Respecting AD account workstation restrictions

Custom AD add-ons continue! A script to manage who can log on to a machine.

Ed. Note: It would be possible to do this with a loginwindow SACL on the local systems, but this login hook matches the local machine's hostname against the list of permitted workstations held in AD (the user's workstation restriction, which the AD plug-in exposes as the SMBUserWorkstations attribute). That is a much more Windows-like way of doing it and helps the Mac fit into the AD way of doing things.

The script below checks whether an AD user is restricted to specific workstations and logs them out if they are not permitted to use the one they are logging in to. A user with no restriction set is allowed through; the same happens if the attribute cannot be read at all (for example when the domain controller is unreachable), so the check fails open rather than locking people out. Make sure to customize the error dialog to your environment, and note that the script also removes the user's local home folder before forcing the logout.

<code>
#!/bin/sh
###created on November 27th 2006
###by Joe Swenson
###when calling from a login hook, make sure to pass along the $1 variable
###example: /bin/sh /path/to/accesscontrol.sh $1

### $1 is the short name of the user logging in. Without it the rm further down
### would run against /Users// and remove every local home, so refuse to continue.
if [ -z "$1" ]; then
    exit 0
fi

###variables
machinename=`scutil --get LocalHostName`
### the AD node path contains spaces, so it must be quoted; strip the
### "SMBUserWorkstations: " label rather than counting characters
workstations=`dscl localhost -read "/Active Directory/All Domains/Users/$1" SMBUserWorkstations 2>/dev/null | sed 's/^SMBUserWorkstations: *//' | sed 's/,/ /g'`
### hostnames are case-insensitive and AD usually stores them upper-case,
### so match case-insensitively on whole words (MAC01 must not match MAC010)
permitted=`echo $workstations | grep -iwc "$machinename"`

if [ `echo $workstations | wc -w` -eq 0 ]; then
    ### no workstation restriction for this user (or attribute unreadable): allow
    exit 0

elif [ "$permitted" -ge 1 ]; then
    ### this machine is in the user's list: allow
    exit 0

else
### dialog box
### this must be one line
   osascript -e 'tell application "SystemUIServer"' -e 'activate' -e 'display dialog "You are not permitted to log onto this system with this account. You are now being logged off." buttons {"OK"} default button "OK"' -e 'end tell'
#### remove local home directory & logout
    rm -R "/Users/$1/"
    /usr/bin/killall -HUP loginwindow
fi
exit 0
</code>
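The decision the hook makes (strip the attribute label, split on commas, compare the local hostname against the list, allow when the list is empty) is easy to get subtly wrong, so here it is isolated into a function that can be exercised offline. This is an added example, not code from the original post; the function name `workstation_permitted` and the two `dscl_*` samples are hypothetical, and the samples are constructed to look like what `dscl ... -read ... SMBUserWorkstations` prints for a restricted and an unrestricted user. Like the script above it fails open when the attribute is empty or unreadable, but it additionally folds case, tolerates stray whitespace, refuses an empty hostname, and only accepts whole-name matches.

```shell
#!/bin/sh
# Added example (not from the original post): the login-hook permission check
# as a function, run against constructed dscl output. Names are hypothetical.

# Constructed sample: what dscl prints for a user restricted to two machines.
# AD normally stores NetBIOS names upper-case; a stray space after the comma
# is included to show it is tolerated.
dscl_restricted='SMBUserWorkstations: MAC01, mac02'

# Constructed sample: user with no restriction. The attribute is absent, so
# dscl prints nothing (the real command also returns an error, which the
# hook discards). This must be treated as "allow".
dscl_unrestricted=''

# workstation_permitted RAW_DSCL_OUTPUT LOCALHOSTNAME
# Exit status 0 when the user may log on to LOCALHOSTNAME, 1 otherwise.
workstation_permitted() {
    raw=$1
    host=$2

    # An empty hostname would become an empty grep pattern and match anything.
    [ -n "$host" ] || return 1

    # Drop the attribute label, one name per line, trim whitespace, fold case,
    # and delete blank lines (sed always exits 0, so this is safe under set -e).
    list=$(printf '%s\n' "$raw" \
        | sed 's/^SMBUserWorkstations: *//' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]' \
        | sed '/^$/d')

    # No names at all: AD imposes no workstation restriction, so allow.
    [ -n "$list" ] || return 0

    # Whole-line, fixed-string, case-folded match: MAC01 must not match MAC010.
    printf '%s\n' "$list" | grep -qxF "$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')"
}

# Stand-alone demonstration over a few hostnames.
for h in mac01 MAC02 mac010 mac03; do
    if workstation_permitted "$dscl_restricted" "$h"; then
        echo "$h: allow"
    else
        echo "$h: deny"
    fi
done
```

To use this in a hook, replace the constructed samples with the real `dscl` call and `scutil --get LocalHostName`, then run the `rm` and `killall -HUP loginwindow` only on the deny branch. The fail-open choice is deliberate so that an unreachable domain controller does not lock out every user; if you would rather fail closed, change the `[ -n "$list" ] || return 0` line to `return 1` and accept that offline logins then stop working.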
