By default, anyone with Active Directory credentials can log into a Mac that has been bound to Active Directory. Imagine a malicious insider walk up and log into a Mac that belongs to your executive, or someone in HR or finance while the computer owner is at lunch. This article will show you how to restrict who can log into a Mac through Centrify's Active Directory group policy settings. Restricting access to only specific Active Directory users or groups not only help protect against unauthorized access, but also help you comply with FISMA, SOX, HIPAA, and other regulatory standards.
1. In Group Policy Management, create a GPO and enable: Computer Settings > Policies > Centrify Settings > DirectControl Settings > Login Settings > Manage login filters
2. Select either "Allow login to the system" or "Deny login to the system" then add the users or groups that you want to allow or deny login access.
a) Click on the List button. A new window will appear.
b) Click on the Add button. Another window will appear.
c) Enter a keyword into the Name field for the Active Directory user or group that you want to add, then click on Find Now. Make sure your IT/helpdesk team can log into the Mac.
3. Apply the GPO to an OU of target devices or use Security Filtering to apply the setting to a specific computer group in Active Directory.
4. Run adgpupdate on the Mac and log out to apply the setting.
When an unauthorized user tries to log in, the login screen will shake.
This article provides instructions for restricting login access to Macs that are in Auto Zone mode. If your Macs are in Zone mode, use the login role to grant login access. Most Centrify Mac customers are in Auto Zone. To learn more about Zones: Differences between Zone and Auto Zone modes.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.