Custom AD add-ons continue! A script to manage who can log on to a machine.
Ed. Note: It would be possible to do this with a loginwindow SACL on the local systems, but this login hook will match the local machine’s hostname with a list of acceptable machines held in AD. Thus it’s a much more Windows-like way of doing this and helps the Mac fit a bit more into the AD way of doing things.

The script below checks whether an AD user is restricted to specific workstations (the SMBUserWorkstations attribute) and logs them out when they aren’t permitted to use the one they’re trying to log in to. Make sure to customize the error dialog to your environment:
<code>
#!/bin/sh
### created on November 27th 2006
### by Joe Swenson
### when calling from a login hook, make sure to pass along the $1 variable
### example: /bin/sh /path/to/accesscontrol.sh $1

### the login hook passes the short name as $1; bail out if it is missing
### so that nothing below ever runs against /Users//
[ -z "$1" ] && exit 0

### variables
machinename=`scutil --get LocalHostName`
### the AD node path contains spaces, so it has to be quoted;
### cut -c21- strips the leading "SMBUserWorkstations:" label
workstations=`dscl localhost -read "/Active Directory/All Domains/Users/$1" SMBUserWorkstations | cut -c21- | sed 's/,/ /g'`
permitted=`echo $workstations | grep -w "$machinename" | wc -l`

### $permitted is left unquoted on purpose: wc pads its count with spaces
if [ `echo $workstations | wc -w` -eq 0 ]; then
    ### no workstation restriction is set on the account
    exit 0
elif [ $permitted -eq 1 ]; then
    ### this machine is in the account's permitted list
    exit 0
else
    ### dialog box
    ### this must be one line
    osascript -e 'tell application "SystemUIServer"' -e 'activate' -e 'display dialog "You are not permitted to log onto this system with this account. You are now being logged off." buttons {"OK"} default button "OK"' -e 'end tell'
    #### remove local home directory & logout
    rm -R "/Users/$1/"
    /usr/bin/killall -HUP loginwindow
fi
exit 0
</code>
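As an added example (not part of Joe Swenson's script or the original post), the same permitted-workstation decision written as POSIX sh functions that avoid two pitfalls of `grep -w`: a local hostname `lab` is not accepted on the strength of a list entry `lab-01`, and the comparison is case-insensitive, since Windows treats workstation names that way. The `dscl` output line is a constructed sample; the function names and the `SAMPLE` value are assumptions made for this example.

```shell
#!/bin/sh
# Added example: exact, case-insensitive SMBUserWorkstations matching.

# parse_workstations LINE: take one line of dscl output of the form
#   "SMBUserWorkstations: host1,host2,host3"
# and print the hosts separated by spaces. Any other input (attribute
# absent, dscl error text) yields an empty list, which, like the original
# script, is treated as "no restriction".
parse_workstations() {
    case $1 in
        "SMBUserWorkstations: "*)
            printf '%s\n' "${1#SMBUserWorkstations: }" | tr ',' ' ' ;;
        *)
            printf '\n' ;;
    esac
}

# is_permitted LIST HOST: return 0 if HOST may log on, 1 otherwise.
# An empty LIST means the account is unrestricted (AD semantics).
is_permitted() {
    list=$1
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    set -- $list                      # split on whitespace (unquoted on purpose)
    [ $# -eq 0 ] && return 0          # no restriction recorded
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | tr '[:upper:]' '[:lower:]')
        [ "$entry" = "$host" ] && return 0   # whole-token match only
    done
    return 1
}

# Constructed sample standing in for: dscl localhost -read "/Active
# Directory/All Domains/Users/$1" SMBUserWorkstations
SAMPLE='SMBUserWorkstations: LAB-01,LAB-02,MacBook01'
WS=$(parse_workstations "$SAMPLE")

# decide HOST: print the decision for HOST against the sample list
decide() {
    if is_permitted "$WS" "$1"; then echo "allow $1"; else echo "deny $1"; fi
}

decide lab-01      # allow: case-insensitive match on LAB-01
decide lab         # deny: "lab" is not a whole entry, unlike grep -w
decide lab-03      # deny: not in the list
```

Like the original, the check fails open when the attribute cannot be read (for example when no domain controller is reachable), so a hook built on it should decide separately whether an unreadable attribute means allow or deny.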