How are you doing auth? Do your wireless controllers or RADIUS servers have the 
ability to restrict by groups? If so, you could create a little PoSH code that 
updated the wireless access groups each night (or at whatever interval makes 
sense based on the user churn) and then use the groups for access.

I work at a university... everyone here has one or more affiliations (example: 
students, staff, faculty, gta, gra, student staff, etc.) that are used to 
populate groups. Many of our services then use those affiliations for 
provisioning access. The hardest thing about that model is deciding which group 
'wins' if the person has multiple affiliations (which is common).

For wireless we use Cisco (for now) controllers and Microsoft NPS for RADIUS. 
It has been bullet-proof for 10 years now. We are doing several million RADIUS 
transactions per day against two physical DCs.

/jim

-----
James Rupprecht
IT Architect, Microsoft Enterprise Systems
The University of Kansas Information Technology
Office: +1 785 864-0116
E-mail: [email protected]
Skype: [email protected]
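The nightly group-sync approach suggested above, as an added PowerShell example that is not code from the thread or from the University of Kansas; it assumes hypothetical names (a domain DN of DC=elyriaschools,DC=local, Staff and Faculty OUs under OU=Elyriaschools, and a target group Wireless-Staff) and the ActiveDirectory module, and it builds the group from OU membership so the NPS policy can match on the group instead of a single OU lookup.

```powershell
# Added example (not from the thread): nightly sync of a wireless-access group from OU
# membership. Names below are placeholders; adjust to the real domain and OU layout.
Import-Module ActiveDirectory

$DomainDn    = 'DC=elyriaschools,DC=local'   # placeholder domain DN
$TargetGroup = 'Wireless-Staff'              # group the NPS network policy matches on
# OUs whose enabled users get wireless access. Students is deliberately not listed, so
# new per-year sub-OUs under Students never grant access by accident.
$SourceOus = @(
    "OU=Staff,OU=Elyriaschools,$DomainDn",
    "OU=Faculty,OU=Elyriaschools,$DomainDn"
)

function Get-DesiredMembers {
    # Subtree scope: sub-OUs created later under a source OU are picked up automatically.
    $users = foreach ($ou in $SourceOus) {
        Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou -SearchScope Subtree
    }
    # One account can match several OUs (multiple affiliations); dedupe by DN.
    $users | Sort-Object -Property DistinguishedName -Unique
}

function Sync-WirelessGroup {
    param([switch]$WhatIf)   # -WhatIf previews the delta without changing the group
    $desired = @(Get-DesiredMembers)
    $current = @(Get-ADGroupMember -Identity $TargetGroup | Where-Object { $_.objectClass -eq 'user' })

    # Safety rail: an empty source result (typo in a DN, DC unreachable) must not empty the group.
    if ($desired.Count -eq 0) { throw "No source users found; aborting sync of $TargetGroup" }

    $desiredSids = $desired | ForEach-Object { $_.SID.Value }
    $currentSids = $current | ForEach-Object { $_.SID.Value }

    $toAdd    = $desired | Where-Object { $currentSids -notcontains $_.SID.Value }
    $toRemove = $current | Where-Object { $desiredSids -notcontains $_.SID.Value }

    if ($toAdd)    { Add-ADGroupMember    -Identity $TargetGroup -Members $toAdd    -WhatIf:$WhatIf }
    if ($toRemove) { Remove-ADGroupMember -Identity $TargetGroup -Members $toRemove -Confirm:$false -WhatIf:$WhatIf }

    # Log the delta so each scheduled run leaves an audit trail of access changes.
    Write-Output ("{0}: +{1} -{2}" -f (Get-Date -Format s), @($toAdd).Count, @($toRemove).Count)
}

Sync-WirelessGroup
```

Run it from a scheduled task under an account that can modify the target group only; disabled accounts drop out of the group on the next run because the source filter excludes them.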
From: [email protected] [mailto:[email protected]] On 
Behalf Of Brian Desmond
Sent: Thursday, January 19, 2017 2:06 PM
To: [email protected]
Subject: [NTSysADM] RE: Deny read on an OU Tree

Unless your AD is in List Object Mode (unlikely and not really recommended 
usually), the ACL on every single object isn't evaluated before returning 
search results.

Denies also work a little differently in AD than on the file system, so this 
probably isn't something you want.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132

From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Thursday, January 19, 2017 1:17 PM
To: '[email protected]' <[email protected]>
Subject: [NTSysADM] Deny read on an OU Tree


Putting up a wireless SSID for staff using a Cisco WCL. Best way to do this is 
a straight OU lookup, but I can only point it at one OU. There are multiple 
OUs I need to target that are all under 'Elyriaschools'.

[inline image: screenshot of the OU tree, not included]

As you can see, Students has sub-OUs for the year they are allegedly going to 
graduate. I want to deny read to all those years, the entirety of the Students 
OU. You would think a deny on the account that does the LDAP lookups on 
'Students' would deny on all the sub-OUs.

But it doesn't, I have to put a deny on each Year.

Am I missing something? Can I do a single deny somehow on Students? Each 
school year a new folder is created in Students for the incoming Kindergarten 
folks... you know we will forget to do this next fall.
