Depends how you setup the attribute (search for extending schema in AD).
I wouldn't have the website do this based on authentication. You want to be sure they read it, so you would want to treat it like you do with other agreements i.e. EULA agreements and have the OK navigation button disabled unless and until they click 'I Agree' As for notification, use email and bug the crud out of them. Or bug their manager if they don't respond in x amount of days. I see the .mil in the addr, which tells me you likely have managers that don't like to be bothered with this kind of piddly stuff. :) As for whether or not to update in AD, I'm not one to agree so easily that adding a custom attribute or even using an existing one is so worth it. I suppose it depends and there are many pros and cons both directions I'm sure. I'd favor some other recording method in many instances myself. As for permissions, you would have to permissions to modify the attribute using the credentials provided. For the sake of tamper-resistance, I would guess that you would want to make this a restricted attribute field. You may additionally want to lock out or disable their account until they read this if it's that important. Makes me wonder how they'll get to the page if they're locked out, but.... Al -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Monday, May 02, 2005 7:03 PM To: [email protected] Subject: RE: [ActiveDir] using GPO with scripts I like this idea of using the custom attribute in AD. I am assuming that I need to use ADSI or similar tool to create this Custom Attribute. Once the attribute is there. I would need to configure Active X script or something that will update this attribute when the user authenticates to the website correct? Do I need the web services account to run this script so that it has privileges to change the attribute within AD? Jeff -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, May 02, 2005 4:43 PM To: [email protected] Subject: RE: [ActiveDir] using GPO with scripts "You could even tie into the change password functionality. Take away everyone's right to change their password in the directory and make them go to a website to do it, that website forces them to read that page first." and if they don't agree to what's listed on the HR site you can go ahead and lock their account ;-) I'd likely vote for a custom attribute in AD where you store the last time they've checked the HR website => you can then send out eMails to the user (and their manager) that it's time to re-confirm their HR data. We use this mechanism for many things (the place where you store the "last confirmation date" naturally depends on your environment - if AD is your main central directory, there's nothing bad in using it for this. /Guido -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Montag, 2. Mai 2005 22:23 To: [email protected] Subject: RE: [ActiveDir] using GPO with scripts Does it have to be displayed every 90 days or do they have to acknowledge reading it every 90 days? I expect the latter in case there are some sort of legal implications. Have the website be authenticated and have it update a custom created field in AD for each user as they acknowledge the page. Have a logon script that reads that attribute from AD and pops the IE window based on it. You could also have something else sending emails as the time approaches as well for people who don't log off and on or otherwise don't see the logon script (such as someone who logs in via VPN or logs into their workstation instead of the domain - like me). You could even tie into the change password functionality. Take away everyone's right to change their password in the directory and make them go to a website to do it, that website forces them to read that page first. Not that I would really recommend this strongly, but it is a mechanism that could be used. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Monday, May 02, 2005 3:47 PM To: [email protected] Subject: [ActiveDir] using GPO with scripts I am looking for some help scripting or a way to have a GPO apply only at certain times. Basically I need to have users go to a website once every 90 days. Some HR requirement to keep their information up to date. Should I do this with a script some how or is there a way thru AD to accomplish this easier or perhaps a combination. Jeff List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
