Inside the MacOS is an option to apply a Service Access Control List (SACL) when bound to Active Directory. This option gives us as admins the ability to limit which users can authenticate to a Mac using AD credentials. This does NOT affect local Admin users.

Customisation
This rendition of the script is designed for use with Self Service, it will challenge the user to enter their username. This could be automated via a login policy through Jamf( Change line 28 to secureUser="$3" and use a policy trigger of login), however this design was for use by IT to assist with the Mac setup.

Please be aware that the current Transparency Consent and Control (TCC) will prevent a user being challenged unless the jamf binary has been approved via MDM. Please read the following article

Preparing your organization for User data protections on macos 10.14