| Mobile Account Expire & Lion Server... | Hart, Chris | 02/07/12 14:52 | All,
I am trying to assist a colleague on campus with a 10.7 lab situation regarding the persistence of student accounts. In other words, he would like the accounts to disappear at logout. In the past this has been done by re-mapping ldap attributes under the "Guest" account structure, but in the new lab configuration all student authentication will now be done via AD. So we have been trying to deal with this issue via the Workgroup Manager under server 10.7.4 by managing the "Mobility" preference to delete the mobile account(s) in "0" hours, but we are not having any luck so far. Has anyone else seen this behavior under 10.7.4 server and gotten it to behave correctly and actually delete the mobile account? Am I interpreting "Delete mobile accounts: 0 hours after user's last login" correctly? Thanks, Dr. Chris Hart |
| Re: Mobile Account Expire & Lion Server... | Graeme Challis | 02/07/12 22:52 | Hello Chris,
Can't help you much with WGM, not using it here, sadly. I delete student AD accounts & home dir at logout with a logouthook (actually I make a "just in case" cp elsewhere on the volume, before removing). A loginhook sets up a default home directory from a template at login. Perhaps that's the way forward for you too? Cheers, Grae --------------- Graeme Challis, Senior Consultant CAE Phone (03) 5444-7599 Information & Communications Technology Fax (03) 5444-7975 La Trobe University, Bendigo, Mobile 042 719 0774 Victoria, Australia 3551 mailto:g.ch...@latrobe.edu.au |
| Re: Mobile Account Expire & Lion Server... | Ben Harper | 02/07/12 23:58 | Hi Chris,
In 10.7.4, this should work fine. Are the accounts you're testing with newly-created AD mobile accounts? If you enter in Terminal: dscl /Local/Default -read Users/<username> for the AD account name in question, you should see the user record returned, including XML with lastLoginTimestamp and the correct time you last logged into the system with that account. That time is what ManagedClient uses to determine whether a specific account is to be deleted at logout according to the Managed Preferences set for the machine. In your case, if logout occurs >0 seconds since the lastLoginTimestamp time (which of course it always will), then the mobile account should be deleted. Also, are you sure you're creating a mobile account in the AD settings in Directory Utility (or via Managed Preferences), or is "Force local home directory on startup disk" checked (which is the default setting)? If the latter is true, you'll want to uncheck the Force local home directory setting, and then check Create mobile account at login, or set Managed Preferences to create a mobile account at login after unchecking the Force setting, so a mobile account will actually be created on the system so ManagedClient can delete it for you. If the above command didn't return a user record, then that's also another sign you aren't getting a mobile account created. --Ben |
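
The check described in the last reply, written out as an added example that is not part of the original thread: it runs the same dscl query and reports whether a mobile account record with a lastLoginTimestamp exists for ManagedClient to act on. The function name, the sample records, and the use of a LocalCachedUser entry to recognise a mobile account are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the local directory record for a lab login account.
# Run on the lab Mac as: sh check_mobile.sh <username>

# classify_record TEXT prints one of:
#   no-record            nothing returned, so no mobile account was created
#   local-only           a record exists but it is not a cached AD account
#   mobile-no-timestamp  mobile account without a lastLoginTimestamp
#   mobile-ok            mobile account with lastLoginTimestamp present
classify_record() {
    record=$1
    if [ -z "$record" ]; then
        echo no-record
        return 0
    fi
    # Assumption: a mobile (cached) account carries a LocalCachedUser
    # entry in AuthenticationAuthority.
    if ! printf '%s\n' "$record" | grep -q 'LocalCachedUser'; then
        echo local-only
        return 0
    fi
    if printf '%s\n' "$record" | grep -q 'lastLoginTimestamp'; then
        echo mobile-ok
    else
        echo mobile-no-timestamp
    fi
}

# Constructed samples shaped like dscl output (not captured from a real host).
SAMPLE_MOBILE='AuthenticationAuthority: ;LocalCachedUser;/Active Directory/EXAMPLE/All Domains:student1:00000000-0000-0000-0000-000000000000
RecordName: student1
<key>lastLoginTimestamp</key> <date>2012-07-02T04:52:00Z</date>'
SAMPLE_STALE='AuthenticationAuthority: ;LocalCachedUser;/Active Directory/EXAMPLE/All Domains:student2:00000000-0000-0000-0000-000000000000
RecordName: student2'
SAMPLE_LOCAL='AuthenticationAuthority: ;ShadowHash;
RecordName: labadmin'

if [ -n "${1:-}" ]; then
    # Same query as in the thread; errors are dropped so that a missing
    # record shows up as empty output.
    out=$(dscl /Local/Default -read "Users/$1" 2>/dev/null || true)
    echo "$1: $(classify_record "$out")"
fi
```

A result of no-record after an AD user has logged in points at the "Force local home directory" case from the thread, where there is no mobile account for the Mobility preference to delete.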