Depends how you set up the attribute (search for extending schema in AD).

I wouldn't have the website do this based on authentication.  You want
to be sure they read it, so you would want to treat it like you do with
other agreements i.e. EULA agreements and have the OK navigation button
disabled unless and until they click 'I Agree' 


As for notification, use email and bug the crud out of them.  Or bug
their manager if they don't respond in x amount of days. I see the .mil
in the addr, which tells me you likely have managers that don't like to
be bothered with this kind of piddly stuff.  :)

As for whether or not to update in AD, I'm not one to agree so easily
that adding a custom attribute or even using an existing one is so worth
it. I suppose it depends and there are many pros and cons both
directions I'm sure.  I'd favor some other recording method in many
instances myself. 

As for permissions, you would have to have permissions to modify the
attribute using the credentials provided.  For the sake of
tamper-resistance, I would guess that you would want to make this a
restricted attribute field.  You may additionally want to lock out or
disable their account until they read this if it's that important.
Makes me wonder how they'll get to the page if they're locked out,
but....


Al 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, May 02, 2005 7:03 PM
To: [email protected]
Subject: RE: [ActiveDir] using GPO with scripts

I like this idea of using the custom attribute in AD.  I am assuming
that I need to use ADSI or similar tool to create this Custom Attribute.


Once the attribute is there, I would need to configure an ActiveX script
or something that will update this attribute when the user authenticates
to the website, correct?  Do I need the web services account to run this
script so that it has privileges to change the attribute within AD?

Jeff

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Monday, May 02, 2005 4:43 PM
To: [email protected]
Subject: RE: [ActiveDir] using GPO with scripts

"You could even tie into the change password functionality. Take away
everyone's right to change their password in the directory and make them
go to a website to do it, that website forces them to read that page
first." 

and if they don't agree to what's listed on the HR site you can go ahead
and lock their account ;-)

I'd likely vote for a custom attribute in AD where you store the last
time they've checked the HR website => you can then send out eMails to
the user (and their manager) that it's time to re-confirm their HR data.
We use this mechanism for many things (the place where you store the
"last confirmation date" naturally depends on your environment - if AD
is your main central directory, there's nothing bad in using it for
this).

/Guido

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 2 May 2005 22:23
To: [email protected]
Subject: RE: [ActiveDir] using GPO with scripts

Does it have to be displayed every 90 days or do they have to
acknowledge reading it every 90 days?

I expect the latter in case there are some sort of legal implications.  

Have the website be authenticated and have it update a custom created
field in AD for each user as they acknowledge the page. 

Have a logon script that reads that attribute from AD and pops the IE
window based on it. You could also have something else sending emails as
the time approaches as well for people who don't log off and on or
otherwise don't see the logon script (such as someone who logs in via
VPN or logs into their workstation instead of the domain - like me). 

You could even tie into the change password functionality. Take away
everyone's right to change their password in the directory and make them
go to a website to do it, that website forces them to read that page
first. Not that I would really recommend this strongly, but it is a
mechanism that could be used.
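
Added example, not part of any message in this thread: the reminder logic described in the replies above (remind the user as the 90 days approach, then involve the manager after x days), run over constructed directory entries. The attribute name hrLastConfirmed, its GeneralizedTime format, the 14-day and 7-day windows and the managerMail field are assumptions.

```python
from datetime import datetime, timedelta, timezone

ATTR = "hrLastConfirmed"             # hypothetical custom attribute name
PERIOD = timedelta(days=90)          # 90-day requirement from the thread
REMIND_BEFORE = timedelta(days=14)   # assumed lead time for early reminders
ESCALATE_AFTER = timedelta(days=7)   # assumed value for "x amount of days"
NOW = datetime(2005, 8, 15, tzinfo=timezone.utc)  # constructed "current" time

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string such as 20050502190300.0Z (UTC only)."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC GeneralizedTime ending in Z")
    stamp = value[:-1].split(".")[0]  # drop fractional seconds
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def classify(entry, now):
    """Return (action, recipients) for one directory entry."""
    raw = entry.get(ATTR)
    if not raw:
        return "overdue", [entry["mail"]]  # never acknowledged
    try:
        confirmed = parse_generalized_time(raw)
    except ValueError:
        confirmed = None
    if confirmed is None or confirmed > now:
        # Malformed or future-dated: do not trust the value, which is why
        # write access to the attribute should be restricted.
        return "invalid", [entry["mail"]]
    due = confirmed + PERIOD
    if now >= due + ESCALATE_AFTER:
        return "escalate", [entry["mail"], entry["managerMail"]]
    if now >= due:
        return "overdue", [entry["mail"]]
    if now >= due - REMIND_BEFORE:
        return "remind", [entry["mail"]]
    return "ok", []

# Constructed sample entries; managerMail stands in for a resolved manager address.
SAMPLE = [
    dict(sAMAccountName=n, mail=n + "@example.test",
         managerMail="mgr@example.test", **({ATTR: v} if v else {}))
    for n, v in [("alice", "20050801120000.0Z"), ("bob", "20050525080000.0Z"),
                 ("carol", "20050512000000.0Z"), ("dave", "20050401000000.0Z"),
                 ("erin", None), ("frank", "20060101000000.0Z")]
]

def report(entries, now):
    return {e["sAMAccountName"]: classify(e, now) for e in entries}

if __name__ == "__main__":
    for user, result in report(SAMPLE, NOW).items():
        print(user, *result)
```
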





-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, May 02, 2005 3:47 PM
To: [email protected]
Subject: [ActiveDir] using GPO with scripts

I am looking for some help scripting or a way to have a GPO apply only
at certain times.  Basically I need to have users go to a website once
every 90 days.  Some HR requirement to keep their information up to
date.  Should I do this with a script somehow or is there a way thru AD
to accomplish this easier or perhaps a combination. 

Jeff


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
