  • #360426
    sketch
    Participant

    I want to restrict access to our AD-integrated Macs to specific groups. At present we are not using an OD server, nor will we for a while, so don’t bother suggesting it ;).

    If you look in the /Library/Preferences/DirectoryService/ActiveDirectory.plist file you’ll see

    dsRecTypeStandard:ComputerLists

    1.3.6.1.4.1.1466.115.121.1.15
    dsAttrTypeStandard:Computers
    1.3.6.1.4.1.63.1000.1.1.1.1.10
    dsAttrTypeStandard:MCXFlags
    1.3.6.1.4.1.63.1000.1.1.1.1.16
    dsAttrTypeStandard:MCXSettings
    1.3.6.1.4.1.63.1000.1.1.1.1.19
    dsAttrTypeStandard:Keywords
    1.3.6.1.4.1.63.1000.1.1.1.11.4
    dsAttrTypeStandard:Group
    2.5.4.3
    dsAttrTypeStandard:RecordName

    the part I’m interested in is

    1.3.6.1.4.1.63.1000.1.1.1.11.4
    dsAttrTypeStandard:Group

    as the Group object in the computer list attribute is what permits/denies access to a system.

    I feel like I’m on the edge of figuring this out but I need some fresh brain cells (it’s the end of the day and mine are fried). We thought we’d try a group policy (allow local logon), but we struck out on that one (for some reason it seemed to work at some point, but now it’s not. Probably a fluke; mistyping the password or something).

    #360457
    Anonymous
    Guest

    Tiger is supposed to respect AD group policies and I’m told it’s in the beta already. Maybe you could afford to wait a few more months.

    ::M::

    #360463
    sketch
    Participant

    Unfortunately I can’t wait for Tiger. This update should have been deployed a couple weeks ago.

    Yes, I have WGM. What procedure are you proposing?
