Here are some simple VBScripts that can be added to a log on script or similar to pre-fill these for the user. Once you know the registry location where the identity information is stored it is quite easy to fill those values as part of a login script.

Microsoft Office

' Original MS Office script written by David Isaacs
Set oShell = CreateObject("WScript.Shell")

On Error Resume Next

strUsername = oShell.ExpandEnvironmentStrings("%USERNAME%")
strUserdomain = oShell.ExpandEnvironmentStrings("%USERDOMAIN%")

Set oUser = GetObject("WinNT://" & strUserdomain & "/" & strUsername & ",user")

oShell.RegWrite "HKCU\Software\Microsoft\Office\Common\UserInfo\UserInitials", strUsername
oShell.RegWrite "HKCU\Software\Microsoft\Office\Common\UserInfo\UserName", oUser.Fullname

Adobe Acrobat Pro and Reader

This will set the full name, office, email address and your company for multiple versions of Acrobat and Acrobat reader. You can add even more versions by adding extra lines to the array.

Also if you modified Acrobat to install with Acrobat.com disabled, but now wish to enable it this will enable it. We originally had it disabled, but found email and network form submission did not work properly until it was enabled.

The method for accessing the AD User object was posted by Mike Walker in this thread.

' Configure Adobe Acrobat default settings
' Written by James Rudd
Set oShell = CreateObject("WScript.Shell")
Set oFso = CreateObject("Scripting.FileSystemObject")

' Set the different registry paths for Acrobat
Dim regPaths(2)
regPaths(0) = "HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\"  'For Acrobat Pro 9
regPaths(1) = "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\"  'For Acrobat Reader 9
regPaths(2) = "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\"  'Same for Acrobat Reader 8

On Error Resume Next

' Create the ADSystem Information Object
Set objADSystemInfo = CreateObject("ADSystemInfo")
' Get the current information into a new Object
Set objUser = GetObject("LDAP://" & objADSystemInfo.UserName)

For Each regPath In regPaths
 'Enable Acrobat.com by deleting key that contains disabling entries.
 oShell.regdelete regPath & "Workflows\"

 'Set Acrobat Identity Info
 oShell.RegWrite regPath & "Identity\tEMail", objUser.mail, "REG_SZ"
 oShell.RegWrite regPath & "Identity\tName", objUser.givenName & " " & objUser.sn, "REG_SZ"
 oShell.RegWrite regPath & "Identity\tFirstName", objUser.givenName, "REG_SZ"
 oShell.RegWrite regPath & "Identity\tLastName", objUser.sn, "REG_SZ"
 oShell.RegWrite regPath & "Identity\tCorporation", "Your Company Name", "REG_SZ"
 oShell.RegWrite regPath & "Identity\tDepartment", objUser.physicalDeliveryOfficeName, "REG_SZ"

 'Set Default Acrobat Collaboration details
 oShell.RegWrite regPath & "ShareIdentity\tEMail", objUser.mail, "REG_SZ"
 oShell.RegWrite regPath & "ShareIdentity\tFullName", objUser.givenName & " " & objUser.sn, "REG_SZ"
 oShell.RegWrite regPath & "ShareIdentity\tCorporation", "Your Company Name", "REG_SZ"
 oShell.RegWrite regPath & "ShareIdentity\tDepartment", objUser.physicalDeliveryOfficeName, "REG_SZ"
Next

Combined

The following script combines both Office and Acrobat data in to one, and reuses the same data objects rather than use two different connection techniques.

' Configure Adobe Acrobat and MS Office user settings
' Written by James Rudd

Const strCompanyName = "Your School Name"

Set oShell = CreateObject("WScript.Shell")
Set oFso = CreateObject("Scripting.FileSystemObject")

' Create the ADSystem Information Object
Set objADSystemInfo = CreateObject("ADSystemInfo")
' Get the current information into a new Object
Set objUser = GetObject("LDAP://" & objADSystemInfo.UserName)

On Error Resume Next

'Office Details
oShell.RegWrite "HKCU\Software\Microsoft\Office\Common\UserInfo\UserInitials", objUser.sAMAccountName, "REG_SZ"
oShell.RegWrite "HKCU\Software\Microsoft\Office\Common\UserInfo\UserName", objUser.givenName & " " & objUser.sn, "REG_SZ"
' If set by installer Company Name is overidden on load.
oShell.RegWrite "HKCU\Software\Microsoft\Office\Common\UserInfo\Company", strCompanyName, "REG_SZ"

' Set the different registry paths for Acrobat
Dim regPaths(2)
regPaths(0) = "HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\"  'For Acrobat Pro 9
regPaths(1) = "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\"  'For Acrobat Reader 9
regPaths(2) = "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\"  'Same for Acrobat Reader 8

For Each regPath In regPaths
 'Enable Acrobat.com by deleting key that contains disabling entries.
 oShell.regdelete regPath & "Workflows\"

 'Set Acrobat Identity Info
 oShell.RegWrite regPath & "Identity\tEMail", objUser.mail, "REG_SZ"
 oShell.RegWrite regPath & "Identity\tName", objUser.givenName & " " & objUser.sn, "REG_SZ"
 oShell.RegWrite regPath & "Identity\tFirstName", objUser.givenName, "REG_SZ"
 oShell.RegWrite regPath & "Identity\tLastName", objUser.sn, "REG_SZ"
 oShell.RegWrite regPath & "Identity\tCorporation", "Your Company Name", "REG_SZ"
 oShell.RegWrite regPath & "Identity\tDepartment", objUser.physicalDeliveryOfficeName, "REG_SZ"

 'Set Default Acrobat Collaboration details
 oShell.RegWrite regPath & "ShareIdentity\tEMail", objUser.mail, "REG_SZ"
 oShell.RegWrite regPath & "ShareIdentity\tFullName", objUser.givenName & " " & objUser.sn, "REG_SZ"
 oShell.RegWrite regPath & "ShareIdentity\tCorporation", strCompanyName, "REG_SZ"
 oShell.RegWrite regPath & "ShareIdentity\tDepartment", objUser.physicalDeliveryOfficeName, "REG_SZ"
Next

As part of this rename we needed to change their Novell eDirectory account and home directory. We also needed to ensure linked systems such as an LDAP authenticated Moodle site and an IDM linked Active Directory (AD) domain were properly updated.

To perform the user account and folder rename we used Mass User from HBWare. This is a great program we already used for creating and managing home directories and quotas. There was a small bug in the rename area, but it was quickly fixed when brought to Hans’ attention.
Note: Before beginning you need to have a list of the old usernames and the new usernames. A simple two column Excel or CSV file would be fine.

Novell

Create Mapping File: The mapping file is used by Mass User to know what to rename the existing username to.

Use NDS Report ( http://www.novell.com/coolsolutions/tools/13908.html ) to create a list of all the accounts. You only want the DN and CN fields. Save this as an Excel or CSV file.

NDS Report: Select Student OU

NDS Report: Choose only CN

Create a new MS Access file and import the account list
Import the text / excel file that lists the old and new account names.
You now need to create a query that maps the cn to the old account name, and then use this to generate a list of the full old dn and the new account name.

Access: Mapping Query

Access: Query Results

You can then export this as a text file.

Access: Export as text file

Access: Export Delimited

You will need to set the field separate as ‘=’ and set the test qualifier to none.

Access: = as Delimiter and no Text Qualifier

You should end up with each line having format:
OLDNAME.OU.C=NEWNAME
Once the mapping file is generated you can apply it either to individual OUs (e.g. year groups), or to the entire Users container. I would recommend applying to small containers initially to allow checking for errors. After verifying all renames were performed correctly you can then apply the rename to your entire users’ container.

Mass User: Rename

IDM 3.0 – Active Directory

Before doing the mass rename we did some simple tests of renaming eDirectory accounts to see how they replicated to Active Directory. We determined that the individual renames were successfully propagated through IDM to automatically change the pre-2000 and logon name fields to match the new eDirectory account.
When performing the mass rename of accounts, AD was checked after doing each OU to check propagation was successful. We experienced no problems with IDM and all accounts were successfully synchronised with Active Directory.

Moodle

For Moodle we wished for users to retain their own accounts including all their settings and course information. To do this the username stored in the Moodle Database (DB) would need to be changed to the new username.
Before making changes to Moodle I recommend putting the site in admin mode and temporarily disabling your LDAP authentication. I only put the site in Admin mode and then had problems during migration as some students had attempted to logon after I had renamed the eDirectory accounts, but before migrating Moodle accounts. This created new user accounts in Moodle that prevented the update queries running due to duplicate key name problems (ie the old account would not rename to new one if one has already been created with the new name)
First you need to import your list of old and new account names into the database. If you already have it in a separate DB on your Moodle server you can use that, otherwise it is best to just to create a new table in the Moodle DB.
I used this query to check the mapping fields. You will need to adjust the fields and collation types for your own setup.
I use the IDNumber field to store the full DN, if you use a different field you will need to adjust this.

Validation:

# Shows the current username, the new username and the new IDNumber field for validation check.
SELECT mdl.`username` , ern.`StudentId` , replace( `idnumber` , mdl.`username` , ern.`StudentId`
COLLATE latin1_swedish_ci )
FROM moodle.`mdl_user` mdl, sbhsdata.`oasisStudentIdMap` ern
WHERE mdl.`username`
COLLATE latin1_general_ci = ern.`OldStudentId`

Update:

# Replaces the IDNumber field with the new username.
UPDATE moodle.`mdl_user` mdl, sbhsdata.`oasisStudentIdMap` ern
SET `idnumber` = replace( `idnumber` , mdl.`username` , ern.`StudentId` COLLATE latin1_swedish_ci )
WHERE mdl.`username`
COLLATE latin1_general_ci = ern.`OldStudentId`

# Replaces the mdl_user field with the new username.
UPDATE `mdl_user` mdl, `rename` ren
SET mdl.`username` = ren.`newname`
WHERE mdl.`username`= ren.`oldname`
Note: As can be seen by the queries, during the migration I did two separate updates, one to update the IDNumber field and another to update the mdl_user field. When I had completed migration I realised I had only needed to update the mdl_user field as Moodle would automatically update the value in IDNumber at next log on.

Round Up

The migration to the new accounts went well with no problems from student passwords or accounts, although we had a few instances of students using the old username instead of the new one.

Since performing the change we have also implemented a Papercut system which would have required the additional step of renaming all of its accounts to ensure student balances were carried across.

A great tool is Wisesoft Password Control which allows you to just type in the username, it will display info about the account and give you the option to change the password, enable/disable the account and unlock the account.
It is ideal to make available to teachers for resetting the student passwords if you use the Delegate control option in AD Users and Computers for your student OU’s.

The other useful tool on the website is a pair of tools Bulk Password Control and Bulk Modify. These allow you to bulk reset the password for a large group of students, or modify the attributes for a large number of users. It can read these in from a CSV file, and match the CSV entires to either sAMaccountName or some other user attribute. You can also set the attribute based on their existing attributes.

After downloading it will ask you for a code that you can get with a free registration on their site.

What ABE does is hide any file or folder that a user does not have access to. So for example the folder where you store all your users home drives, would usually appear jam packed with folders, most of which would return an Access Denied error. However, with ABE installed users would only see the folders they have access to, usually their own.

This is great especially if you are coming from a Novell background where this is the standard behaviour. It is also very useful in a school situation to keep the students from seeing things they shouldn’t.

To use ABE you need to download the management tools from Microsoft ABE Management Tools, then after installation either enable it on all shares or bring up properties and manually add it to shares.

A better description and walk through is available WindowsNetworking: Implementing Access-Based Enumeration in Windows Server 2003 R2

Links in this post:

• Windows Server 2003 Access-based Enumeration Overview
• Download Server 2003 Access-based Enumeration
• Implementing Access-Based Enumeration in Windows Server 2003 R2

Some additional notes:

To use the DET mail server you can either add mail.det.nsw.edu.au to the mail section of your php.ini file or add it to the
Admin -> Server -> Email: SMTP Hosts section.
If you wish to restrict to sending to DET emails you can add following to the Allowed email domains : “education.nsw.gov.au det.nsw.edu.au“.
Make sure to test the mail server settings before adding any restrictions to domains.

If using Novell or Mac OS you will need to use a different LDAP browser as AD Explorer only works with Active Directory.
For Novell I usually use the free Windows program Softerra LDAP Browser (MSI).
There are a few Java based LDAP browsers that should work with Mac. A good Java based LDAP browser is JXplorer this should work on Mac, Windows and Linux. For some more info on Mac and LDAP look at this article on LDAP in Mac OS X Server from the Mac Dev Center, it is not fully applicable as it also has home drive mapping but it does contain some useful info.

Paul Ganderton has made his Geography HSC site avaliable for guests. You can also view some of the other course on our Moodle site. Look for this logo which means guest access is allowed.

Bulk Operations: Some people asked about bulk deletion of users and courses.
This section has been moved to Moodle: Bulk Deletion Operations.

Presentations:

• Note: There is a file embedded within this post, please visit this post to download the file.
• Note: There is a file embedded within this post, please visit this post to download the file.
• Note: There is a file embedded within this post, please visit this post to download the file.
• Note: There is a file embedded within this post, please visit this post to download the file.
• Note: There is a file embedded within this post, please visit this post to download the file.

Plugins used by Moodle

Some of the items shown during talk are produced by plugins to Moodle. Below is a list of some of our favourites:

• Book: Allows structuring resource pages with chapters and pages.
• Gallery: Shows slide shows and generates thumbnails of images. You can upload a zip file containing an entire folder structure of pictures, and auto-generate albums and sub-albums from it.
• Course Menu: Creates a Tree Structure as a block on side of page to assist navigation.
• Note: There is a file embedded within this post, please visit this post to download the file. On the main SBHS Moodle page there is also a Library block that sends search queries to our Sentral library page. This will need to be customised by schools to point to their Sentral system or the new DET My Library system (only accessible inside DET WAN). Just modify the block_library.php file to point to your Library search page. To install place the library directory in your Moodle blocks folder.

You need to use the Security Template editor to create a template restricting rights to the C drive and deploy it with your group policies. The same procedure can be used to create a Security Template for use with Active Directory.

Instructions:

1. Open MMC from run
2. Add Remove Snap-in
3. Add Security Templates and Close
4. By default this only shows C:\Windows\security\templates. I prefer to store mine on the network so add a new network folder.
5. Right click (RC) Security Templates and add a New Template Search Path to network folder
6. You can then either copy an existing template using RC on template and Save As to network folder or start from scratch.
7. Expand chosen template then File System folder
8. RC either on File System object or in right hand pane and Add File
9. Click C: and OK and it should expand to %SystemDrive%
10. You can now adjust the permissions for the default groups.
11. When finished make sure to RC on the template and click Save. You can also set a description before saving.

I recommend going into Advanced and removing the two entires for Users allowing them to Create Folders and Create Files. This will prevent students and users creating files on C: drive.

You can create similar entires for other folders such as program files, etc. You can also allow students access to folder if required by certain programs or groups. Remember under Novell, because computers are not part of domain you can not use items you have added such as groups or individual users.

Adding to Group Policy in ConsoleOne

1. Open up the WS Policy Package, Windows XP tab and the Windows Group Policy item.
   If you are using Zen 7 continue, if using Zen 6.5 click Edit and jump to point 3 in AD below.
2. Click Import Policies
3. Click Import Security Settings File and browse to the security template you created and import.
4. Make sure Security Settings is ticked under Applied Settings Types
5. Click OK to save

Adding to Group Policy in Active Directory

1. Open Group Policy Management console
2. Browse to chosen GPO or create a new one, and go to Edit mode.
3. Expand Computer Config -> Windows Settings -> Security Settings
4. RC on Security Settings and choose Import Policy
5. Browse to the security template you created and Open. You may also wish to clear any existing settings in GPO.
6. Exit Edit mode

Multiple Security Templates can be created for different machines.
We allow staff to create files on C: (mainly to keep personal photos and music off network) so we have separate Security Template for Staff and Student PCs.

http://www.microsoft.com/technet/sysinternals/Networking/AdExplorer.mspx

You can connect to your AD server without knowing any LDAP paths, just use your standard login.

Can also take snapshots to allow you to see what effect changes have on AD.

Another Great tool from Sysinternals

http://www.sysinternals.com/

SysInternals was taken over by Microsoft so they also have new URL http://www.microsoft.com/technet/sysinternals/