Chat now with support
Chat with Support

Safeguard Authentication Services 5.0.1 - macOS Administration Guide

Privileged Access Suite for Unix Installation Safeguard Authentication Services macOS components Safeguard Authentication Services client configuration Special macOS features Limitations on macOS Group Policy for macOS Certificate Autoenrollment Glossary

Special macOS features

This section details special macOS features:

Local administrator rights for users

Safeguard Authentication Services allows you to give local administrator rights to Safeguard Authentication Services users on individual macOS systems. This gives a user the ability to administer his own system while still using Active Directory for authentication. It also allows macOS system administrators "admin" access on macOS systems without a shared local account.

Granting accounts administrator rights

To grant Safeguard Authentication Services accounts administrator rights

  1. Modify the /etc/opt/quest/vas/vas.conf file and add the following section to the Safeguard Authentication Services configuration using a text editor:
    admin-users =

    For example, with the pico text editor, enter:

    $ sudo pico /etc/opt/quest/vas/vas.conf

    Note: If there is already a [vas_macos] section in the vas.conf file, just add or modify the admin-users key following the existing section. You can also manage this option through Group Policy.

    For the value of the admin-users key, use a comma-separated list of Active Directory User Principal Names (UPN) for Safeguard Authentication Services users with administrator rights. The Domain Users option also supports groups of users.

  2. Specify the group in the form, Domain\groupname.

    Either step ensures that Safeguard Authentication Services processes the new configuration.

  3. Verify that the configured users have administrator rights by checking their group memberships using the following command line (the example is for a user called pspencer):
    $ groups pspencer

    If pspencer was correctly configured to have local administrator rights, you see the local admin, appserveradm, and appserverusr groups listed in the output. The pspencer user is then able to use his user credentials for authorizing administrative tasks started from the System Preferences application.

Active Directory user password hint

The password hint is displayed for all Active Directory users when you have macOS configured to provide password hints. The password hint is used to notify a user of a website where they can reset their password, or to remind a user that the account they are using requires a domain password. The default value for the authentication-hint is "Windows Domain Password".

Before macOS will display authentication hints, you must enable the Show password hints option through the log in options.

After enabling password hints, after several incorrect login attempts, the password hint displays.

You can manage this hint centrally on the domain controller through Group Policy.

Note: For security reasons, if a mapped user changes his password hint, it is intentionally reset to the generic Windows domain password hint the next time he logs in.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating