Disabled Active Directory users

[scastle]

Hi, I work for a University computing lab. We currently have a small (16 machine) Mac Lab that logs on to Active Directory, using Apple’s Active Directory plug in.

My problem is that if a student causes trouble, we have a system that disables his or her account.

The thing is, I tried it out on the Macs today. I disabled my own (non admin) account and tried to log in. I was able to log in.

I have a few questions:

Does the Active Directory plug in on the Mac handle disabled users correctly by default (apparantly not, judging by my experience)?
If it doesn’t, is there any way I can configure it to do this?
Is there any other way I can do this? Such as writing a log in script that checks if the user is disabled and logs him or her out?
Sadly, I don’t think I’ll be able to get my boss to commit to spending money on third-party authentication products, such as “AdmitMac”.

[scastle]

It’s working now.

For security and audit reasons, we use a custom written tool to enable/disable accounts. It seems something went wrong, and although the tool logged me as disabling my account, it didn’t, then disabled it when I tried to re-enable the account.

[Author]

Posts