The Window tab settings of the Login Properties control the appearance of the login window such as the heading, message, which users are listed if the "List of users" is specified, and the ability to restart or shut down. Window tab settings supports the following management modes: Never, Once, Always.
The following options are supported:
Heading
Selecting this box allows the user to click the time area of the menu bar to toggle through various computer information values such as hostname, IP address, and system version.
Apparently this changed around 10.10, but I don't think anyone realized it.
Message
Enter a message to display in the login Window.
Style
Set the following options to modify the login window style:
Name and password text fields
To only display the user name and password text boxes.
List of users able to use these computers
To display a graphical list of users that are allowed to log in.
Note: Users can click the account to use for log in and will be prompted for a password. You can set additional options to control which users are displayed in the list.
Show Other
To allow users to log in using the name and password text fields.
Show Restart
To display the restart button in the login window.
Show Shut Down
To display the shut down button in the login window.
The Options tab of the Login Properties controls miscellaneous login-related options and support the following Manage Modes: Never, Always.
The following options are supported:
Show password hint when needed and available
All Safeguard Authentication Services users always have a password hint of "Active Directory Domain Password" by default. This hint is configurable in the Safeguard Authentication Services configuration policy. Users are never allowed to set a password hint on a Safeguard Authentication Services account. Local or non- Safeguard Authentication Services accounts may have a password hint which was intentionally set by the user to remind them of their password.
Enable automatic login
Select to configure the operating system to boot directly to the desktop without presenting the user with a login screen. The operating system boots using the automatic login account configured locally under System Preferences, Accounts.
Enable console login
By default users can type >console at the login window to drop to a terminal login. This setting allows you to disable the ability to drop to a terminal login.
Enable Fast User Switching
Select to display the logged in user's name in the right-hand corner of the desktop. Selecting on the user name allows the user to switch to another account without logging out of their current desktop session.
Log out users after X minutes of inactivity
Select to automatically log out a user if he has been inactive for the specified number of minutes.
Local administrators may refresh or disable management
Select to allow administrators to disable or refresh login window management settings.
Set computer name to computer record name
This setting affects the computer’s Bonjour name. The new Bonjour name is name-#.local where name is the computer record name you specify and # uniquely identifies the computer if there are several computers with the same Bonjour name.
Enable external accounts
Select to store external accounts on removable storage devices such as a thumb-drive. You must insert the removable device before an external account can log in.
Enable guest account
Select to enable a guest account to log in without a password. When the guest user logs out, the home directory, documents and settings are removed from the system.
Start screen saver after X minutes
Select to modify your screen saver setting.
The Access tab settings of the Login Properties control which users are allowed to log in and support the following management modes: Never, Always.
Safeguard Authentication Services provides unified access control across all supported Unix platforms including macOS. Because of this, you should use the Safeguard Authentication Services access control policies to manage access control. The access control policies are found in the Access Control node in the Quest Software folder under Unix Settings.
The following option is supported:
Local-only users may login
Select to allow local users to log in; leave this option deselected to only allow Active Directory users to log in.
The Scripts tab settings of the Login Properties control scripts that run at login and logout; and, support the following management modes: Never, Always.
You can specify shell scripts that you want to execute when a user logs in or out on macOS. Scripts are stored in the policy settings so you can browse to local files or remote hosts to select the script to use. Scripts configured through Group Policy run as root with the trust value of FullTrust.
Note: Test scripts thoroughly before deploying them with Group Policy.
The following options are supported:
Login script
Specify the script to execute when the user logs in.
Also execute the client computer's LoginHook script
Select to allow the LoginHook script to execute. The LoginHook script is a locally configured script that runs at login.
Log-Out script
Specify the script to execute when the user logs out.
Also execute the client computer's LogoutHook script
Select to allow the LogoutHook script to execute. The LogoutHook script is a locally configured script that runs at log-out.
© 2025 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center