Recovery can be done with "minimal" rights, but assigning users to machines cannot.
It is also an interface difference, as for recovery they use WebHelpDesk, but for assignments the EEM console.
I would review your strategy and question why you need to manage user-machine assignments in "manual" mode.
Any administrative assignments can be managed via scripts automatically, if there is a pattern to it.
Unfortunately there is no pattern to assigning users to machines so it has to be manual and the interface we intended to use for recovery would be the same EEM. I realize you can use the WebHelpdesk but we will not be using this. Sadly, this is not a strategy choice, it is the nature of how our systems are assigned. Any random laptop can be assigned to any random person in our organization of 10,000 users, and we do not want to have groups of users assigned to the systems as this takes away the control of who can access what system and we would have difficulty even identifying what the groupings would be.
We obviously have to alter some aspect of how we manage this but I don't see any way for us to auto assign basic user access to a machine via predetermined groups.
Unless you create your own app doing this kind of administration (with some scripting behind it), I do not see a solution to your problem.
EEPC is great for organizations where each PC is used almost exclusively by one person. That person's account can be easily assigned during product installation with minimal custom scripting. Some people use Simon's AutoDomain script. You should look at that one, to get some ideas of what is possible and what is not.
Reread some of what was said here. I thought you could only assign user access to the device via the console? How can you do it locally at the machine?
Again ... am I missing something? Or is it only via scripting that this can be done?
Scripting is necessary. And scripts can be run locally (from a user or admin PC) or remotely on the database or another server (that talks to the database).
What you do is have EEPC admin account credentials buried in a script. The whole script must be protected against disassembly to obtain those admin credentials in clear text.
I think what Peter means is to create your own application, maybe web-based with PHP or ASP, that runs a script behind it to do what you want.
For example, to query who last checked in to a particular machine,
you can set up a page to read $machine and then run the script command:
sbadmcl -command:GetLastCheckinDate -Machine:$machine -adminuser:adminact -adminpwd:****
So you don't have to actually give them the permission and password, and you can control what they can do.
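
An added sketch of the wrapper described in the post above (not code from the thread or from the vendor): it exposes only the `GetLastCheckinDate` query, validates `$machine` before it reaches the `sbadmcl` command line, and keeps the admin password out of the request and the audit log. The machine-name pattern, the environment variable names and the function names are assumptions; the `sbadmcl` switches are the ones shown in the post.

```python
import os
import re
import subprocess

# Assumption: NetBIOS-style machine names (letters, digits, hyphen, max 15 chars).
MACHINE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,14}")

# Only the read-only query shown in the thread is exposed to helpdesk users.
ALLOWED_COMMANDS = {"GetLastCheckinDate"}


def build_sbadmcl_args(command, machine, admin_user, admin_pwd, exe="sbadmcl"):
    """Return an argv list for sbadmcl, or raise ValueError on bad input."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("command not permitted: %r" % command)
    if not MACHINE_RE.fullmatch(machine or ""):
        raise ValueError("invalid machine name")
    return [
        exe,
        "-command:" + command,
        "-Machine:" + machine,
        "-adminuser:" + admin_user,
        "-adminpwd:" + admin_pwd,
    ]


def redact(args):
    """Copy of args that is safe to write to an audit log."""
    return ["-adminpwd:****" if a.startswith("-adminpwd:") else a for a in args]


def last_checkin(machine):
    """Run the query. Credentials come from the service's environment
    (hypothetical variable names), never from the web request."""
    args = build_sbadmcl_args(
        "GetLastCheckinDate", machine,
        os.environ["EEPC_ADMIN_USER"], os.environ["EEPC_ADMIN_PWD"],
    )
    # List argv with shell=False: the machine name is never parsed by a shell.
    result = subprocess.run(args, capture_output=True, text=True, timeout=30)
    return result.returncode, result.stdout
```

The password is still passed on the command line of the server-side process, so the host running the wrapper should be reachable only by administrators.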