Disable specific user login from loginwindow but allow admin authentication

luke_j_nelson

Here's the scenario: Access management wants users who need admin access to have another ID created to authenticate as admin. It is created in AD, and I have made a script that runs on login to check for the specific prefix in the ID and, if true, adds that ID to the admin group. That all works fine, but we also want to disable that user ID from logging in locally. On 10.6 I could just change the user shell to /usr/bin/false and everything would work fine: the user could still authenticate from an admin prompt, and was prevented from logging in at the login window. I just tested this on 10.8, and it prevented login from loginwindow and also prevented authentication from the admin prompt.

I see there is a group called interactusers, which I interpret as Interactive Users. However, there are no members in that group.

Does anyone have any idea how I can accomplish this? If I don't find a built-in solution, I could just adjust the script to pop up a message and force logoff.
