I do this by having a scheduled task running under sufficient admin
rights read a file containing the calnet ID, full name, and optionally
special groups.

The file has access restricted to those people I need to have add rights
(I retain removal rights to full Admins). The job checks for accounts
not already in the group, and adds new ones. In my case I also add the
CalNet ID and full name to a text file I use for lookups when running
various server commands that normally return just IDs.

It is all Windows CMD stuff with a bit of AWK thrown in. I'm sure it
could be moved to PowerShell if needed.

The job is scheduled every 10 minutes, which does the job. Decouples the
request from the authority nicely.

Graham


On 11/20/14 9:00 AM, Richard DESHONG wrote:
> Thanks Guy and Keenan, it sounds like what I was expecting.  I'm sure
> that CSS can set up the computer group and the security group.
> 
> What's missing is a way to allow a staff member to add and remove users
> from the security group.  I have admin rights to our OU, but not to the
> CSS OU that contains the computers.  And it would be really nice to be
> able to give this function to several staff so issues can be mitigated. 
> Hopefully without training staff on using A/D tools.
> 
> On Thu, Nov 20, 2014 at 8:55 AM, Keenan Parmelee
> <[email protected]> wrote:
> 
>     We do this in the labs we have in the Residence Halls.  Just create
>     a user group in AD with the users you want to restrict access to,
>     then apply a User Restriction Rights GPO to those machines.
> 
>     ---
>     Keenan Parmelee
>     Technical Services Manager
>     Student Affairs Information Technologies
>     (510) 643-9937
>     http://rescomp.berkeley.edu
> 
>     On Thu, Nov 20, 2014 at 8:41 AM, Richard DESHONG
>     <[email protected]> wrote:
> 
>         We have a small number of computers that we'd like to restrict
>         to a given set of students.  I am looking for a low maintenance,
>         low cost solution.
> 
>         Some details:
>         There are about 900 students.  The list doesn't change much
>         during the semester.  The computers are joined to the campus
>         domain and are being maintained by CSS.  Students currently use
>         their Calnet ID's to log in.
> 
>         -- 
>         Richard DeShong, Systems Analyst, Athletic Study Center,
>         U.C.Berkeley
>         164 Chavez Student Center, Berkeley, CA, 94720-4220
>         510-642-5123     asc.berkeley.edu
>         <http://asc.berkeley.edu>
> 
> 
>         
> -------------------------------------------------------------------------
>         The following was automatically added to this message by the
>         list server:
> 
>         To learn more about Micronet, including how to subscribe to or
>         unsubscribe from its mailing list and how to find out about
>         upcoming meetings, please visit the Micronet Web site:
> 
>         http://micronet.berkeley.edu
> 
>         Messages you send to this mailing list are public and
>         world-viewable, and the list's archives can be browsed and
>         searched on the Internet.  This means these messages can be
>         viewed by (among others) your bosses, prospective employers, and
>         people who have known you in the past.
> 
> 
> 
> 
> 
> -- 
> Richard DeShong, Systems Analyst, Athletic Study Center, U.C.Berkeley
> 164 Chavez Student Center, Berkeley, CA, 94720-4220
> 510-642-5123     asc.berkeley.edu <http://asc.berkeley.edu>
> 
> 
>  
> 


-- 
Graham Patterson, Systems Administrator
Lawrence Hall of Science, UC Berkeley   510-643-2222
"...past the iguana, the tyrannosaurus, the mastodon, the mathematical
puzzles, and the meteorite..." - directions to my office.
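
A PowerShell sketch of the add-only job described in the message above, as an added example that is not Graham's CMD/AWK script. The line format `id,Full Name[,group]`, the group names, the ID pattern, the function names and the sample rows are all assumptions; because the request file is writable by less-privileged staff while the job runs with admin rights, every field is validated and the optional group is checked against a fixed allowlist.

```powershell
# Added example; group names, file format, ID pattern and sample rows are assumptions.
$DefaultGroup  = 'Lab-Users'                    # hypothetical default group
$AllowedGroups = @('Lab-Users', 'Lab-Tutors')   # the only groups this job may touch

function Get-PendingAddition {
    param([string[]]$Lines, [hashtable]$CurrentMembers)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }              # skip comments and blanks
        $id, $name, $group = ($line -split ',', 3).Trim()
        if (-not $group) { $group = $DefaultGroup }
        # The file is written by delegated staff: treat every field as untrusted.
        if ($id -notmatch '^[A-Za-z0-9._-]{1,20}$') { Write-Warning "Rejected ID: $line"; continue }
        if ($group -notin $AllowedGroups) { Write-Warning "Rejected group: $line"; continue }
        if ($CurrentMembers[$group] -contains $id) { continue } # already a member
        [pscustomobject]@{ Id = $id; FullName = $name; Group = $group }
    }
}

function Invoke-GroupSync {
    # Run this from the scheduled task; -WhatIf shows what would be added.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$RequestFile, [string]$LookupFile)
    Import-Module ActiveDirectory
    $members = @{}
    foreach ($g in $AllowedGroups) {
        $members[$g] = @(Get-ADGroupMember -Identity $g | ForEach-Object SamAccountName)
    }
    $pending = Get-PendingAddition -Lines (Get-Content $RequestFile) -CurrentMembers $members
    foreach ($add in $pending) {
        if ($PSCmdlet.ShouldProcess($add.Group, "Add $($add.Id)")) {
            Add-ADGroupMember -Identity $add.Group -Members $add.Id   # add only, never remove
            Add-Content -Path $LookupFile -Value "$($add.Id)`t$($add.FullName)"
        }
    }
}

# Constructed sample input, evaluated without touching AD:
$sample  = @('# id,name,group', 'jdoe,Jane Doe', 'asmith,Al Smith,Lab-Tutors',
             'mallory,M. Allory,Domain Admins', 'bob,Bob Existing')
$current = @{ 'Lab-Users' = @('bob'); 'Lab-Tutors' = @() }
Get-PendingAddition -Lines $sample -CurrentMembers $current | Format-Table
```

With the sample rows, `jdoe` and `asmith` are returned as pending additions, `bob` is skipped as an existing member, and the `Domain Admins` request is rejected with a warning.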

 