If you administer Macs that are joined to Active Directory, you either need to buy expensive Mac client-side extensions to apply Windows Group Policy, or you can extend your AD schema to include Mac attributes. Neither of these options is to be taken lightly, so when I needed to deny login for a particular group in our Active Directory (in this case alumni who no longer have access to on-campus computers), I wanted a simpler, scriptable solution. Thanks to our helpful software engineer at Apple, I was pointed in the direction of dsmemberutil, a command-line utility provided in OS X to determine group membership. Using that, I created the following script:
#!/bin/bash
# Ask dsmemberutil whether the user logging in ($1, supplied by loginwindow) is in the AD group.
result=$(dsmemberutil checkmembership -U "$1" -G alumni_only)
compare="user is a member of the group"
if [ "$result" = "$compare" ]; then
    # Terminate loginwindow so the session is torn down and the login screen comes back.
    kill $(ps -ef | fgrep loginwindow | grep -v grep | awk '{print $2}')
fi
To make this work for any Active Directory group, just replace “alumni_only” with the name of your AD group. The kill line terminates the loginwindow process, which returns the user to the login screen. I haven’t found a way to pop up a warning to the user when this happens, so I added a message that is displayed at the login prompt.
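A hardened variant of the same login hook, written here as an added example rather than the author's script: it matches the dsmemberutil output line exactly (so "user is not a member of the group" can never be mistaken for a match), validates the username before handing it to a command, logs the denial, and uses pkill -x in place of the ps/grep pipeline. The group name alumni_only, the logindeny logger tag, and the allowed-character set for usernames are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumes it runs as root
# from loginwindow with the short username as $1, on macOS.
BLOCKED_GROUP="${BLOCKED_GROUP:-alumni_only}"   # assumed group name

# Return 0 only for the exact positive line dsmemberutil prints.
# "$1" is the captured dsmemberutil output.
membership_denied() {
    case "$1" in
        "user is a member of the group") return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only a conservative short-name alphabet (an assumption) so a
# malformed argument is never passed on to another command.
valid_username() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Record the denial and return to the login screen, as in the original
# post, but with pkill -x instead of the ps/grep pipeline.
deny_login() {
    logger -t logindeny "login denied for $1 (member of $BLOCKED_GROUP)"
    pkill -x loginwindow
}

main() {
    user="$1"
    if ! valid_username "$user"; then
        logger -t logindeny "rejected malformed username argument"
        exit 1
    fi
    out=$(dsmemberutil checkmembership -U "$user" -G "$BLOCKED_GROUP")
    if membership_denied "$out"; then
        deny_login "$user"
    fi
}

# Run the hook body only when invoked with a username argument.
if [ $# -gt 0 ]; then
    main "$1"
fi
```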