DLU Administrators Policy changed to DLU users policy (but only one User container)

Hello forum!

We are trying to create a setup not unlike the one posted before here:
DLU Administrators Policy changed to DLU users policy 

I've successfully made it so that one single user can log in to one device as only a user and one device as administrator.

In our scenario we have two types of devices and two types of users:
Devices: Student laptops and everything else
Users: Students and staff

The goal is to have staff always log in as administrator on both staff and student devices, and students log in as administrators *only* on student devices.

The current setup has two folders and 3 DLU policies:
Folders: Student and staff
Policies:
Default DLU (applied on all devices, user group = Users+, no restrictions)
DLU - Admin for student (applied on a single student account, user group = Administrator+, Exclude workstation list "every folder except student folder")
DLU - Admin for staff (applied to a single staff account, user group = Administrator+, no restrictions)

Our eDir user source has 1 container:
Users (all users, no sub-containers)

Is there another way to design this reliably with/without least privileged method?
Is it possible to automatically group users without sub-containers?

Our users can be identified based on the first letter.

  • 0  

    If it's working, why do you want to change it? What issues are you seeing? I can always think of other ways to do stuff, but they may or may not be better.

    Why do you have all your users in a single OU?  That is a tad unusual...

    You can set up Contextless Login with the OES Client. ZCM Logins are Contextless.

    --

    You could have a Teacher DLU Policy Assigned Directly to the Teacher Devices.  Set to Include the Teachers User OU  (If you had one.)

    Student Devices you could just assign to the student devices directly...since everyone will be an Admin...no need to care if it's a teacher or student.

    Though most would want Students to only be "Users" and in such a case you also assign the "Teachers DLU"  Policy to the Teachers User OU.  So it will apply even to the Student's Devices.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0 in reply to   

    There are more OUs but in this case both students and teachers are in the same. They are distinguished from each other based on attributes for every other system like WiFi and firewall.

    If I had the tool to sort users into dynamic ZENworks groups (like devices) I could for example tell all accounts starting with s or e to be in one or the other group.

    The only ways forward I see right now are to manually sort users into groups. (That is 500+ new users per year.) The other is to rebuild our core catalogue.

  • Verified Answer

    +1   in reply to 

    This sounds more like an eDirectory Management Question. There are many ways to automate all this stuff directly in eDirectory both at the point of creation as well as afterwards. While IDM would be one solution, it would likely be overkill with many command line tools available to do all of this from batch files based on the constraints you want....though that would only be needed for after the fact since you can use templates as part of creation so they start in the correct groups right away.

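The first-letter grouping discussed in this thread, sketched as an added example that is not from any poster or from ZENworks itself: it plans group memberships from the login name's first letter and renders them as LDIF for review. The group DNs, the `o=example` tree, the meaning of the `s` and `e` prefixes and the sample users are assumptions, as is the idea that each DLU policy would be assigned to one of these groups.

```python
import re

# Assumed (hypothetical) mapping: first letter of the login name -> group DN.
PREFIX_TO_GROUP = {
    "s": "cn=DLU-Students,ou=Groups,o=example",
    "e": "cn=DLU-Staff,ou=Groups,o=example",
}
# Constructed sample input: user DNs from the single Users container.
SAMPLE_USERS = [
    "cn=s1001,ou=Users,o=example",
    "cn=e2002,ou=Users,o=example",
    "cn=S1003,ou=Users,o=example",
    "cn=x9,ou=Users,o=example",
]
# Constructed current membership, as read from the directory beforehand.
SAMPLE_MEMBERS = {"cn=DLU-Students,ou=Groups,o=example": ["cn=s1001,ou=users,o=example"]}

_CN = re.compile(r"^cn=((?:\\.|[^,\\])+),", re.IGNORECASE)

def plan_memberships(user_dns, current_members):
    """Return (additions, unmatched): group DN -> new member DNs, and DNs with no rule."""
    additions = {group: [] for group in PREFIX_TO_GROUP.values()}
    unmatched = []
    for dn in user_dns:
        m = _CN.match(dn.strip())
        group = PREFIX_TO_GROUP.get(m.group(1)[0].lower()) if m else None
        if group is None:
            # Fail closed: no group is guessed for a name that matches no rule.
            unmatched.append(dn)
            continue
        existing = {member.lower() for member in current_members.get(group, [])}
        if dn.lower() not in existing:  # skip users who are already members
            additions[group].append(dn)
    return additions, unmatched

def to_ldif(additions):
    """Render one LDIF modify record per group that gains members."""
    records = []
    for group, members in additions.items():
        if members:
            lines = [f"dn: {group}", "changetype: modify", "add: member"]
            lines += [f"member: {dn}" for dn in members] + ["-"]
            records.append("\n".join(lines))
    return "\n\n".join(records) + ("\n" if records else "")

if __name__ == "__main__":
    plan, skipped = plan_memberships(SAMPLE_USERS, SAMPLE_MEMBERS)
    print(to_ldif(plan), end="")
    print("# no rule for:", skipped)
```

Accounts that match no prefix are reported rather than placed, so they stay outside both groups until someone decides where they belong.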