System Preferences > Users & Groups (Accounts) has a login option: Allow network users to log in at login window.

If this option is deselected, Active Directory users will not be able to log in to the computer. The configuration parameter adclient.autoedit.mac.netlogin controls whether this option can be deselected by users. By default, the parameter is true in the /etc/centrifydc/centrifydc.conf file:

adclient.autoedit.mac.netlogin: true

In this case, even if a user deselects the box, the box is selected again when adclient is restarted, effectively preventing a user from deactivating network login.

If you want to allow a user to deactivate network login, set the parameter to false. If a user deselects network login in System Preferences > Accounts, the next time adclient starts, network users will be unable to log in to the computer.
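
To audit which behavior a given Mac will have, the following added example (not part of the original documentation or the product) reads the parameter from a centrifydc.conf file. The function names are hypothetical, and it assumes that lines starting with # are comments, that the last uncommented assignment wins, and that an absent key means the default of true.

```sh
#!/bin/sh
# Added example: report the effective adclient.autoedit.mac.netlogin value.
# Assumptions (not from the page): '#' starts a comment line, the last
# uncommented assignment wins, and a missing key means the default (true).

netlogin_setting() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "unreadable"
        return 0
    fi
    awk '
        /^[ \t]*#/ { next }                        # ignore comment lines
        /^[ \t]*adclient\.autoedit\.mac\.netlogin[ \t]*:/ {
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)          # strip "key:" and padding
            sub(/[ \t\r]+$/, "", val)              # strip trailing space or CR
            found = tolower(val)
            seen = 1
        }
        END { if (seen) print found; else print "true" }
    ' "$conf"
}

# Exit status: 0 = network login is re-enabled whenever adclient restarts,
#              1 = a deselected box stays deselected (AD users locked out),
#              2 = file unreadable or value is neither true nor false.
netlogin_enforced() {
    case "$(netlogin_setting "$1")" in
        true)  return 0 ;;
        false) return 1 ;;
        *)     return 2 ;;
    esac
}

# Usage on a managed Mac:
#   netlogin_enforced /etc/centrifydc/centrifydc.conf \
#       || echo "network login can be left disabled (or config unreadable)"
```
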