This application was originally developed for a mid-sized school district of about 13,000 students. All of our students have NDS and NetMail accounts. We needed a way for lead teachers or secretaries in our various buildings to manage the student accounts, but we were reluctant to give them NWAdmin, ConsoleOne or even Web-based account management access. The desire was to provide a simple tool to enable or disable a student's Internet service, email, and overall account. We also wanted them to be able to do password administration.
This ZIP file includes the code and documentation for the solution that was developed. The tool is LDAP-based and will log all account changes to a SysLog server if you wish. The code may be distributed as freeware on an as-is basis.
The application has been tested in the following environment:
Server: NW5.1 SP4, DS 8.6.2 (with LDAP)
Client: Win2K, NWClient 4.83 SP1
Account Manager authentication is performed without querying the application's user for credentials, by utilizing a two-stage method. First, an LDAP proxy user is created with rights to the relevant DS objects and attributes. The password for this proxy user is stored in encrypted form in the HKCU hive of the registry. Second, when the application is executed, the NetWare ID of the logged-in user is compared against the membership of a management group. If the user is a member of the management group, they are then able to manage accounts.
Account Search Modes
1. Network ID
2. Last Name
3. First Name
4. <User Defined> (Student ID)
Users may be found in the tree starting from a base DN using any one of four DS attribute values, one of which is user-defined. For the first three search modes, any part of the attribute value may be entered. If multiple users are returned, the search results are placed in a drop-down box for the manager to select a user; otherwise the current state of the user's account is displayed and available to be changed.
This control simply enables or disables the user's NDS account. Disabling the NDS account does not affect the user's NetMail services.
This control enables or disables NetMail without affecting the user's NDS account.
This control simply adds or removes the selected user from a predefined group that is in turn used to control access to Internet services. The group may be used in several ways to ultimately control Internet services for the user. Border Manager, Zen, and simple login script processes can leverage group membership to regulate Internet access.
This button presets the selected user's password to the value held by the user-defined attribute. In our implementation this is the student's ID number.
Since this tool was meant to be used by teachers or building secretaries in a mid-sized K12 environment, it has been made as simple as possible to use, and every change made to an account is logged to a syslog server. Syslog servers are readily available for virtually any OS. All executions of the application are logged, as well as all account changes and faults. The data logged includes the manager's user ID, manager's machine name, manager's IP, action taken, timestamp, user DN, user CN, user first and last name, and the user-defined attribute (Student ID in our case).
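The audit record described above can be sketched as follows. This is an added example, not code from the AcctMgr distribution; the key names, the local0/notice priority and the key="value" layout are assumptions. It shows the one thing an audit trail built from directory data has to get right: a name or DN containing a quote or newline must not be able to break out of its field or forge a second log line.

```python
import re
import socket
from datetime import datetime

PRI = 16 * 8 + 5  # facility local0, severity notice (assumed; the page names neither)
# Key names are assumptions; the nine values are the ones the page says are logged
# (the timestamp goes in the syslog header).
FIELDS = ("mgr_id", "mgr_host", "mgr_ip", "action", "user_dn",
          "user_cn", "first", "last", "student_id")

def clean(value):
    """Escape a value so it cannot end the quoted field or start a new line."""
    out = []
    for ch in str(value):
        if ch in '\\"':
            out.append("\\" + ch)
        elif ch.isprintable():
            out.append(ch)
        else:
            out.append("\\u%04x" % ord(ch))  # CR, LF, tab and other controls
    return "".join(out)

def format_audit(record, when, tag="AcctMgr"):
    """Build one RFC 3164-style line: <PRI>Mmm dd hh:mm:ss host tag: k="v" ..."""
    missing = [k for k in FIELDS if k not in record]
    if missing:
        raise ValueError("audit record missing: " + ", ".join(missing))
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    host = re.sub(r"[^A-Za-z0-9.-]", "_", str(record["mgr_host"]))
    body = " ".join('%s="%s"' % (k, clean(record[k])) for k in FIELDS)
    return "<%d>%s %s %s: %s" % (PRI, stamp, host, tag, body)

def send_audit(line, server, port=514):
    """Send one record to the syslog server as a single UDP datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (server, port))

# Constructed sample: a last name carrying a newline and a forged syslog header.
SAMPLE_TIME = datetime(2003, 3, 5, 14, 7, 9)
SAMPLE = {
    "mgr_id": "tjones", "mgr_host": "LAB-PC-07", "mgr_ip": "10.1.2.3",
    "action": "password preset", "user_dn": "cn=jsmith,ou=Students,o=District",
    "user_cn": "jsmith", "first": 'Jo"hn', "last": "Smith\n<133>forged",
    "student_id": "123456",
}

if __name__ == "__main__":
    print(format_audit(SAMPLE, SAMPLE_TIME))
```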
All settings are held in the user's HKCU registry hive. This can be loaded from a reg file or via Zen when pushing the management application. The latter approach works well because the application can be associated with the Managers group for a single point of rights and access management.
Command Line Parameters
There are four command line switches used to shut down one or more of the managed areas. They are:
/noacct disable the manager from making account changes
/noemail disable the manager from making email account changes
/noinet disable the manager from making Internet access changes
/nopwd disable the manager from presetting passwords
AcctMgr.rtf This documentation file
AcctMgr.jpg A screen shot of the application
AccrMgr.reg A registry file with example settings for the app
AcctMgr.exe The program code