We have a web development team. Looks like they are actually trying to pawn this off elsewhere but I am fighting that now that I know more what they are wanting.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yep. To do something like that would require some coding of course. It also relies on the user going to the homepage on a regular basis and that they are able to run apps.

Do you have to write this, or do you have web application dev teams?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, May 03, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Well found out some more information. Love how you get the full info when you need it. NOT

Anyways. Seems the website is just a web interface to a database with their personnel information. They want to ensure the user visits the site every 90 days to make updates if needed. They are requesting a "Runonce" type operation for IE when the user launches IE that will send them to the Database every 90 days but of course not send the entire population there at once.

So I am thinking a field within the personnel database that will be a timestamp. Now can I have our homepage run a script in the background that checks this field to see if the timestamp is greater than 90 days? And then if it is redirect them to the database website? Sounds better than dealing with login scripts and schema changes.

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 03, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yeah locking the account because they haven't read the doc yet seems a little counterproductive but if it is that important... Go for it. Just warn the help desk staff ahead of time. :o)

I agree with the staggered mechanism of alert the user and then alert their manager later if they haven't complied. If you want to get fancy you could even have a compliance reporting mechanism to put pressure on the managers. Reports go to the CEO showing compliance in percentages of the whole company at any given time (say monthly) and also percentages by division or group or whatever (depends on your size).

A quickie alternative would be to store the info in an AD/AM instead of in AD. Don't have to extend the AD Schema then but can use the AD scripting knowledge you have. Obviously it could go into SQL Server as well but that seems a bit expensive for this.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 10:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Depends how you set up the attribute (search for extending schema in AD). I wouldn't have the website do this based on authentication. You want to be sure they read it, so you would want to treat it like you do with other agreements i.e. EULA agreements and have the OK navigation button disabled unless and until they click 'I Agree'.

As for notification, use email and bug the crud out of them. Or bug their manager if they don't respond in x amount of days. I see the .mil in the addr, which tells me you likely have managers that don't like to be bothered with this kind of piddly stuff. :)

As for whether or not to update in AD, I'm not one to agree so easily that adding a custom attribute or even using an existing one is so worth it. I suppose it depends and there are many pros and cons both directions I'm sure. I'd favor some other recording method in many instances myself.

As for permissions, you would have to have permissions to modify the attribute using the credentials provided. For the sake of tamper-resistance, I would guess that you would want to make this a restricted attribute field.
You may additionally want to lock out or disable their account until they read this if it's that important. Makes me wonder how they'll get to the page if they're locked out, but....

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, May 02, 2005 7:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

I like this idea of using the custom attribute in AD. I am assuming that I need to use ADSI or similar tool to create this Custom Attribute. Once the attribute is there, I would need to configure Active X script or something that will update this attribute when the user authenticates to the website, correct? Do I need the web services account to run this script so that it has privileges to change the attribute within AD?

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, May 02, 2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

"You could even tie into the change password functionality. Take away everyone's right to change their password in the directory and make them go to a website to do it, that website forces them to read that page first."

and if they don't agree to what's listed on the HR site you can go ahead and lock their account ;-)

I'd likely vote for a custom attribute in AD where you store the last time they've checked the HR website => you can then send out eMails to the user (and their manager) that it's time to re-confirm their HR data. We use this mechanism for many things (the place where you store the "last confirmation date" naturally depends on your environment - if AD is your main central directory, there's nothing bad in using it for this).

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 2 May 2005 22:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Does it have to be displayed every 90 days or do they have to acknowledge reading it every 90 days? I expect the latter in case there are some sort of legal implications.

Have the website be authenticated and have it update a custom created field in AD for each user as they acknowledge the page. Have a logon script that reads that attribute from AD and pops the IE window based on it. You could also have something else sending emails as the time approaches as well for people who don't log off and on or otherwise don't see the logon script (such as someone who logs in via VPN or logs into their workstation instead of the domain - like me).

You could even tie into the change password functionality. Take away everyone's right to change their password in the directory and make them go to a website to do it, that website forces them to read that page first. Not that I would really recommend this strongly, but it is a mechanism that could be used.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, May 02, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] using GPO with scripts

I am looking for some help scripting or a way to have a GPO apply only at certain times. Basically I need to have users go to a website once every 90 days. Some HR requirement to keep their information up to date. Should I do this with a script somehow or is there a way thru AD to accomplish this easier or perhaps a combination?

Jeff

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
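
Added example, not part of the original thread or any poster's code: a read-only logon script for the design discussed above (a "last confirmed" attribute in AD, a 90-day check, and staggering so the whole population is not sent at once). The attribute name, URL and rollout date are assumptions made for illustration.

```powershell
# Assumed names: the thread does not name the attribute, the site URL or a rollout date.
$AttrName     = 'examplehrlastconfirmed'       # hypothetical custom attribute (GeneralizedTime syntax)
$HrUrl        = 'https://hr.example.invalid/'  # placeholder for the personnel site
$MaxAgeDays   = 90
$RolloutStart = [datetime]'2005-06-01'         # constructed date for the first rollout

function Get-RolloutOffsetDays {
    # Stable per-user offset in 0..($Days-1), so users whose attribute is still
    # empty are spread over the window instead of all being prompted on day one.
    param([string]$UserName, [int]$Days = 90)
    $sum = 0
    foreach ($c in $UserName.ToLowerInvariant().ToCharArray()) {
        $sum = ($sum * 31 + [int]$c) % 100003
    }
    return $sum % $Days
}

function Test-ConfirmationDue {
    param($LastConfirmed, [string]$UserName, [datetime]$Now = (Get-Date).ToUniversalTime())
    if ($null -eq $LastConfirmed) {
        # Never confirmed: first prompt falls on the user's staggered rollout day.
        $firstDue = $RolloutStart.AddDays((Get-RolloutOffsetDays $UserName $MaxAgeDays))
        return $Now -ge $firstDue
    }
    # Confirmed before: due again once the stored timestamp is 90 or more days old.
    return ($Now - [datetime]$LastConfirmed).TotalDays -ge $MaxAgeDays
}

# Read-only lookup of the logged-on user's own object; this script never writes the attribute.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
[void]$searcher.PropertiesToLoad.Add($AttrName)
$entry = $searcher.FindOne()

$last = $null
if ($entry -and $entry.Properties.Contains($AttrName)) {
    $last = $entry.Properties[$AttrName][0]
}

if (Test-ConfirmationDue -LastConfirmed $last -UserName $env:USERNAME) {
    Start-Process $HrUrl   # opens the default browser at the HR site
}
```

The script only reads the timestamp; in the design above the write happens on the authenticated website when the user acknowledges the page, using credentials that hold write permission on the attribute. Keeping ordinary users without write access to that attribute is what makes the stored date tamper-resistant.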