We are just piloting EEPC which for now we have decided to stay at version 5. My hope was to have administrators set up and manage the properties of the Users and Machines to keep sticky fingers from changing settings on the fly. For user assignments to machines, we do not want to assign groups as we want this to be user level.
I was hoping to have a Service Desk level admin role that could do user assignments to machines as well as the typical recovery and password resets and little else. What I'm discovering, however, is it seems to be an all or nothing scenario when testing an account being able to assign users to machines. Either I allow the "Update Properties" option on Machines (under Admin Rights) to enable the ability to assign users to machines, which then provides complete access to all properties, or I uncheck this option and they can't do the assignment.
Am I missing something or is it really that black and white? I don't want the Service Desk changing machine properties other than the user assignments. Please tell me there is a way around this.
Message was edited by: turnercl on 10/12/10 1:59:01 PM CDT
Recovery can be done with "minimal" rights, but assigning users to machines cannot.
It is also an interface difference, as for recovery they use WebHelpDesk, but for assignments the EEM console.
I would review your strategy and question why you need to manage user-machine assignments in "manual" mode.
Any administrative assignments can be managed via scripts automatically, if there is a pattern to it.
Unfortunately there is no pattern to assigning users to machines so it has to be manual and the interface we intended to use for recovery would be the same EEM. I realize you can use the WebHelpdesk but we will not be using this. Sadly, this is not a strategy choice, it is the nature of how our systems are assigned. Any random laptop can be assigned to any random person in our organization of 10,000 users, and we do not want to have groups of users assigned to the systems as this takes away the control of who can access what system and we would have difficulty even identifying what the groupings would be.
We obviously have to alter some aspect of how we manage this but I don't see any way for us to auto assign basic user access to a machine via predetermined groups.
Unless you create your own app doing this kind of administration (with some scripting behind), I do not see a solution to your problem.
EEPC is great for organizations where each PC is used almost exclusively by one person. That person's account can be easily assigned during product installation with minimal custom scripting. Some people use Simon's AutoDomain script. You should look at that one, to get some ideas of what is possible and what is not.
Reread some of what was said here. I thought you could only assign user access to the device via the console? How can you do it locally at the machine?
Again ... am I missing something? Or is it only via scripting that this can be done?
Message was edited by: turnercl on 10/14/10 7:47:43 AM CDT
Scripting is necessary. And scripts can be run locally (from user or admin PC) or remotely on database or other server (that talks to database).
What you do is to have EEPC admin account credentials buried into a script. The whole script must be protected from disassembly to obtain those admin credentials in clear text.
I think what Peter means is to create your own application, maybe web based with php or asp, to run a script behind it to do what you want.
For example, to query who last checked in to a particular machine
you can set a page to read $machine then run script command
sbadmcl -command:GetLastCheckinDate -Machine:$machine -adminuser:adminact -adminpwd:****
So you don't have to actually give them permission & password and you can control what they can do.
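
Added example, not part of the original thread and not McAfee code: a sketch of the server side of such a page, using only the sbadmcl command and flags quoted in the post above. It shows the machine name being validated and passed as a single argument without a shell, the command restricted to an allow-list, and the password masked in the audit line. The environment variable names, the machine-name pattern and the function names are assumptions.

```python
import os
import re
import subprocess

# Hypothetical policy: the only sbadmcl command this help-desk page may run.
ALLOWED_COMMANDS = {"GetLastCheckinDate"}

# Assumed machine-name format (NetBIOS-style: 1-15 letters, digits, hyphens).
MACHINE_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,13}[A-Za-z0-9])?")


def build_argv(command, machine, admin_user, admin_pwd):
    """Return the sbadmcl argument vector, or raise ValueError."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("command not permitted for this role")
    # Rejects spaces, quotes and shell metacharacters, so the form field
    # cannot smuggle in a second flag or a second command.
    if not MACHINE_RE.fullmatch(machine):
        raise ValueError("invalid machine name")
    return [
        "sbadmcl",
        f"-command:{command}",
        f"-Machine:{machine}",
        f"-adminuser:{admin_user}",
        f"-adminpwd:{admin_pwd}",
    ]


def redact(argv):
    """Copy of argv that is safe to write to an audit log."""
    return ["-adminpwd:****" if a.startswith("-adminpwd:") else a for a in argv]


def run_lookup(machine, operator):
    """Run the lookup for an already authenticated operator (needs sbadmcl on PATH)."""
    # Credentials are read from the service account's environment (assumed
    # names), so they are not stored in the page source.
    argv = build_argv("GetLastCheckinDate", machine,
                      os.environ["EEPC_ADMIN_USER"], os.environ["EEPC_ADMIN_PWD"])
    print(f"audit operator={operator} argv={redact(argv)}")
    # List argv and no shell: the machine name is never parsed by a shell.
    done = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return done.stdout
```

The password still appears on the sbadmcl process command line, as it does in the posted command, so the host running the wrapper has to be restricted to administrators.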