This section details special macOS features:
This section details special macOS features:
Safeguard Authentication Services allows you to give local administrator rights to Safeguard Authentication Services users on individual macOS systems. This gives a user the ability to administer his own system while still using Active Directory for authentication. It also allows macOS system administrators "admin" access on macOS systems without a shared local account.
To grant Safeguard Authentication Services accounts administrator rights
Modify the /etc/opt/quest/vas/vas.conf file and add the following section to the Safeguard Authentication Services configuration using a text editor:
[vas_macos] admin-users = pats@example.com
For example, with the pico text editor, enter:
$ sudo pico /etc/opt/quest/vas/vas.conf
Note: If there is already a [vas_macos] section in the vas.conf file, just add or modify the admin-users key following the existing section. You can also manage this option through Group Policy.
For the value of the admin-users key, use a comma-separated list of Active Directory User Principal Names (UPN) for Safeguard Authentication Services users with administrator rights. The Domain Users option also supports groups of users.
Specify the group in the Domain\groupname format.
Either step ensures that Safeguard Authentication Services processes the new configuration.
Verify that the configured users have administrator rights by checking their group memberships using the following command line (the example is for a user called pspencer):
$ groups pspencer
If pspencer was correctly configured to have local administrator rights, you see the local admin, appserveradm, and appserverusr groups listed in the output. The pspencer user is then able to use his user credentials for authorizing administrative tasks started from the System Preferences application.
The password hint is displayed for all Active Directory users when you have macOS configured to provide password hints. The password hint is used to notify a user of a website where they can reset their password, or to remind a user that the account they are using requires a domain password. The default value for the authentication-hint is Windows Domain Password.
Before macOS will display authentication hints, you must enable the Show password hints option through the log in options.
After enabling password hints, after several incorrect login attempts, the password hint displays.
You can manage this hint centrally on the domain controller through Group Policy.
NOTE: For security reasons, if mapped users change their password hint, it is intentionally reset to the generic Windows domain password hint the next time they log in.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center