Mobile Account Expire & Lion Server...

Mobile Account Expire & Lion Server... Hart, Chris 02/07/12 14:52
All,

I am trying to assist a colleague on campus with a 10.7 lab situation regarding the persistence of student accounts. In other words, he would like the accounts to disappear at logout. In the past this has been done by re-mapping ldap attributes under the "Guest" account structure, but in the new lab configuration all student authentication will now be done via AD.

So we have been trying to deal with this issue via the Workgroup Manager under server 10.7.4 by managing the "Mobility" preference to delete the mobile account(s) in "0" hours, but we are not having any luck so far.

Has anyone else seen this behavior under 10.7.4 server and gotten it to behave correctly and actually delete the mobile account?

Am I interpreting "Delete mobile accounts: 0 hours after user's last login" correctly?

Thanks,

Dr. Chris Hart

_____________________________________________________
MacEnterprise, Inc
http://www.macenterprise.org

Subscription Options and Archives
http://lists.psu.edu/archives/macenterprise.html
Re: Mobile Account Expire & Lion Server... Graeme Challis 02/07/12 22:52
Hello Chris,

On 03/07/2012, at 7:52 AM, Hart, Chris wrote:
> I am trying to assist a colleague on campus with a 10.7 lab situation regarding the persistence of student accounts. In other words, he would like the accounts to disappear at logout. In the past this has been done by re-mapping ldap attributes under the "Guest" account structure, but in the new lab configuration all student authentication will now be done via AD.
>
> So we have been trying to deal with this issue via the Workgroup Manager under server 10.7.4 by managing the "Mobility" preference to delete the mobile account(s) in "0" hours, but we are not having any luck so far.
>
> Has anyone else seen this behavior under 10.7.4 server and gotten it to behave correctly and actually delete the mobile account?
>
> Am I interpreting "Delete mobile accounts: 0 hours after user's last login" correctly?
>
> Thanks,
>
> Dr. Chris Hart

Can't help you much with WGM, not using it here, sadly. I delete student AD accounts & home dir at logout with a logouthook (actually I make a "just in case" cp elsewhere on the volume, before removing). A loginhook sets up a default home directory from a template at login.

Perhaps that's the way forward for you too?

Cheers, Grae
---------------
Graeme Challis, Senior Consultant CAE   Phone (03) 5444-7599
Information & Communications Technology Fax       (03) 5444-7975
La Trobe University, Bendigo,           Mobile     042 719 0774
Victoria, Australia   3551              mailto:g.ch...@latrobe.edu.au
Re: Mobile Account Expire & Lion Server... Ben Harper 02/07/12 23:58
Hi Chris,

In 10.7.4, this should work fine. Are the accounts you're testing with newly-created AD mobile accounts? If you enter in Terminal:

dscl /Local/Default -read Users/<username>

for the AD account name in question, you should see the user record returned, including XML with lastLoginTimestamp and the correct time you last logged into the system with that account. That time is what ManagedClient uses to determine whether a specific account is to be deleted at logout according to the Managed Preferences set for the machine. In your case, if logout occurs >0 seconds since the lastLoginTimestamp time (which of course it always will), then the mobile account should be deleted.

Also, are you sure you're creating a mobile account in the AD settings in Directory Utility (or via Managed Preferences), or is "Force local home directory on startup disk" checked (which is the default setting)? If the latter is true, you'll want to uncheck the "Force local home directory" setting, and then check "Create mobile account at login", or set Managed Preferences to create a mobile account at login after unchecking the Force setting, so a mobile account will actually be created on the system so ManagedClient can delete it for you. If the above command didn't return a user record, then that's also another sign you aren't getting a mobile account created.

--Ben