Title: Message
This is what I run - it assumes a SQL database containing tables staff (basic personal details) and tel_staff (phone numbers).
Our user IDs are the same as the payroll numbers (which makes this easy!) and the function GetAdsPath returns the path if the user exists or "not found" if they don't exist (some members of staff don't have network accounts). Some staff have more than one phone number, hence the check to see if it's the second time a user has been found. Clearnull is a function which checks for NULL and replaces it with N/A (because things fall over in AD if you try and set values to NULL!)
 
Steve
 
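    ' ORDER BY keeps all rows for one staff_no together, which the oldid check below relies on
    sql = "select department, section, jobtitle, staff.staff_no, ext, surname " & _
          "from staff left join tel_staff on tel_staff.staff_no = staff.staff_no " & _
          "order by staff.staff_no"
    Set usr = Nothing
    RS2.Open sql, db2
    Do While Not RS2.EOF
      id = Trim(RS2("staff_no"))
      ext = ClearNull(Trim(RS2("ext")))
      If id <> oldid Then
        ' First row for this member of staff: look up their AD account
        Set usr = Nothing
        strUserPath = GetAdsPath(RS2("staff_no"))
        ' GetAdsPath signals a missing network account with "Not Found" (compared case-insensitively)
        If LCase(strUserPath) <> "not found" Then
          Set usr = GetObject(strUserPath)
          usr.telephoneNumber = ext
          usr.title = ClearNull(RS2("jobtitle"))
          usr.company = ClearNull(RS2("department"))
          usr.department = ClearNull(RS2("section"))
          usr.SetInfo
        End If
      ElseIf Not usr Is Nothing Then
        ' Same user again: append the additional phone number.
        ' Skipped when the user was not found, so the number is never
        ' written to the previously processed account.
        usr.telephoneNumber = usr.telephoneNumber & "/" & ext
        usr.SetInfo
      End If
      oldid = id
      RS2.MoveNext
    Loop
    RS2.Close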
-----Original Message-----
From: Duncan, Larry [mailto:[EMAIL PROTECTED]
Sent: 18 July 2003 20:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

Any chance of you sharing the skeleton of the script?

 

-----Original Message-----
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 12:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

 

I solved this problem the easy way by writing a perl program to read user information (phone number, address, etc) out of our master HR database and compare it to what's in AD. If it's different, AD gets updated. This runs every few hours.

 

Users can change their AD info all they want, but in a couple of hours, it goes back to what we want.
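
[Added example, not part of the original thread and not Ken's Perl program: a Python sketch of the compare-then-update pass described above, which writes only attributes that drifted from the HR record and so doubles as a log of what users changed. The function names, the sample rows and the in-memory dict standing in for AD are assumptions; the column-to-attribute mapping, the "/" joining of multiple numbers and the N/A substitution follow the VBScript posted earlier in this thread.]

```python
# HR column -> AD attribute, as used in the VBScript posted in this thread
ATTR_MAP = {"jobtitle": "title", "department": "company", "section": "department"}

def clear_null(value):
    """Replace NULL/blank with N/A, like the thread's ClearNull helper."""
    text = "" if value is None else str(value).strip()
    return text or "N/A"

def desired_state(hr_rows):
    """Collapse HR rows (one row per phone number) into one record per staff_no."""
    desired = {}
    for row in hr_rows:
        rec = desired.setdefault(row["staff_no"], {"phones": []})
        for col, attr in ATTR_MAP.items():
            rec[attr] = clear_null(row.get(col))
        if row.get("ext"):
            rec["phones"].append(row["ext"].strip())
    for rec in desired.values():
        rec["telephoneNumber"] = "/".join(rec.pop("phones")) or "N/A"
    return desired

def plan_updates(hr_rows, directory):
    """Return {staff_no: {attr: (current, wanted)}} for drifted attributes only."""
    plan = {}
    for staff_no, wanted in desired_state(hr_rows).items():
        current = directory.get(staff_no)
        if current is None:  # member of staff without a network account
            continue
        diff = {a: (current.get(a), v) for a, v in wanted.items()
                if current.get(a) != v}
        if diff:
            plan[staff_no] = diff
    return plan

# Constructed sample data: HR is authoritative, DIRECTORY is a snapshot of AD.
HR_ROWS = [
    {"staff_no": "1001", "department": "Finance", "section": "Payroll",
     "jobtitle": "Clerk", "ext": "4410"},
    {"staff_no": "1001", "department": "Finance", "section": "Payroll",
     "jobtitle": "Clerk", "ext": "4411"},
    {"staff_no": "1002", "department": "IT", "section": None,
     "jobtitle": "Analyst", "ext": None},
    {"staff_no": "1003", "department": "Estates", "section": "Grounds",
     "jobtitle": "Gardener", "ext": "4500"},  # no AD account
]
DIRECTORY = {
    "1001": {"title": "Clerk", "company": "Finance", "department": "Payroll",
             "telephoneNumber": "ask reception"},  # edited by the user
    "1002": {"title": "Analyst", "company": "IT", "department": "N/A",
             "telephoneNumber": "N/A"},
}
```

[With the sample data, plan_updates(HR_ROWS, DIRECTORY) reports a single change: user 1001's self-edited telephoneNumber is scheduled to go back to "4410/4411".]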

-----Original Message-----
From: Rogers, Brian [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 12:08 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

Yea...they exist..but for the 50 thousand dollar pricetag on them (for even our small environment)...we couldn't justify the cost.

 

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

 

True to your overall statement, if you lock things down and only allow updates through interfaces with business rules you can completely control what goes out there.

 

I am curious about your initial statement, are you saying you have something that injects into the AD internal processes and will inflict business rules on updates irregardless of source? I wasn't aware anyone had something like that but fully figured someone would do it if MS didn't. OR are you simply saying what I said above, you lock things down and only allow updates through interfaces with business rules?

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hazelman, Doug
Sent: Friday, July 18, 2003 4:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

Joe,

 

There are <plug> third party tools that do allow you to define "rules" for property validation that are enforced on the server side and not the client side so that they can't be bypassed.  You can define that the phone number must be in the format (xxx) xxx-xxxx and it will not allow x to be anything but numeric.  This format is OK if you're a North America only company, it gets more complex if you need to support multiple country phone number formats.  These tools also allow for a simplified and customizable web interface for users to go to for making the change themselves </plug>. 

 

-doug

 

Director of Product Management

Aelita Software

 


From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 8:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

Oops, I missed that piece. TelephoneNumber is type 2.5.5.12, which is a case-insensitive Unicode string. You need that because people want to put in () and -. Unfortunately they can also add other letters/characters.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, July 17, 2003 1:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

Maybe someone can indicate how to restrict the field to numeric only (it's not already???  Huh - never tried, I guess.....), I suspect it's a schema mod -  but I thought that I answered the rest of the question, did I not?

 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Wednesday, July 16, 2003 9:27 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Locking Down User Information Fields in AD

Just curious how I would go about stopping a user from being able to update their address, website, etc under their own account. AD...

Basically I want them only to be able to update their own phone # and nothing else and I would also like to force it to be strictly a numeric only field (which it isn't by default.)

Any ideas??

 

 

Thanks,

 

-Tim