Creating bulk computer objects without accessing ARS console

I want my SAs to create bulk computer objects under the OUs they have access to. But I do not want them to have rights to log in to the ARS console. Is it possible? If yes, how?

Please help.

  • You can have them run PowerShell scripts under their creds that use the New-QADComputer cmdlet with the -Proxy switch.  This will direct the request through the ARS server.  Just to be sure, they should run the cmdlet Connect-QADService -Service <ARS server FQDN> before the above cmdlet in the script.
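    As an added example (not from the original post) of the proxied approach described above: the SA runs this from their own workstation under their own credentials, so ARS evaluates the delegated rights on the target OU and no console access is involved. The server name, OU and computer names are placeholders, and the snap-in name is assumed to be the one shipped with the ARS 6.x management shell.

    ```powershell
    # Added example, not part of the original thread.
    # Assumptions: ARS 6.x management shell installed on the SA's workstation,
    # "ars01.corp.example" is the ARS server FQDN, the OU and names are placeholders.
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop

    # Open an ARS (proxy) connection rather than talking to a DC directly.
    # Every QAD cmdlet that then uses -Proxy is evaluated by ARS against the
    # caller's delegation (Access Templates), not by native AD ACLs.
    Connect-QADService -Service 'ars01.corp.example' -Proxy | Out-Null

    $targetOU = 'OU=Workstations,OU=Finance,DC=corp,DC=example'   # placeholder OU
    $names    = 'FIN-WS-001', 'FIN-WS-002', 'FIN-WS-003'           # constructed sample input

    foreach ($name in $names) {
        try {
            $computer = New-QADComputer -Name $name -ParentContainer $targetOU -Proxy -ErrorAction Stop
            Write-Output "Created $($computer.DN)"
        }
        catch {
            # Typical failure: the SA has no "Create computers" Access Template on $targetOU,
            # or the name already exists. Surface it instead of silently continuing.
            Write-Warning "$name : $($_.Exception.Message)"
        }
    }

    # Confirm through the same proxied connection that the objects are visible
    Get-QADComputer -SearchRoot $targetOU -Proxy -SizeLimit 0 |
        Where-Object { $names -contains $_.Name } |
        Select-Object Name, DN

    Disconnect-QADService
    ```

    Running it from a workstation without the snap-in fails at the first line, which is the point of the answer to question 1 below: the cmdlets must exist wherever the SA runs the script.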

  • Thanks Johnny very much for the quick reply. I have a few more questions:

    1. Do I have to install ARS PowerShell on the SAs' computers?

    2. What kind of rights do they have to have in the ARS server?

    3. Can I keep the bulk of the script on the ARS server to reduce the maintenance tasks? Let the trigger be there on the SAs' computers.

    Thanks again

  • broy32000 said:

    Thanks Johnny very much for the quick reply. I have a few more questions:

    1. Do I have to install ARS PowerShell on the SAs' computers?

    Either that or set up an "admin" server for them to RDP into that has the cmdlets installed there.

    2. What kind of rights do they have to have in the ARS server?

    You could assign the relevant group the built-in "Computers - Create computers" access template on the OU(s) where you want them to create the accounts.

    3. Can I keep the bulk of the script on the ARS server to reduce the maintenance tasks? Let the trigger be there on the SAs' computers.

    As an alternative approach, you could implement this as a Workflow on the ARS server that triggers a script that creates the accounts.  The script itself could be stored on the ARS server and referenced by the workflow.  The script could be built in such a way that it reads a file containing the names of the computer accounts that the admins want to create.  They would just create the file in a pre-defined location and in a pre-defined format.  (for example: <computer account name><tab><target OU distinguished name>).

    The admins could trigger the workflow from the ARS web interface and the only rights they would require at that point would be to see and trigger the workflow.

    Thanks again

  • Johnny,

    Your reply to my 3rd question above is very interesting. That leads me to ask you the following:

    A.  I can create profiles for SAs in the ARS Web interface. How do I make them see only the ones (menu, command) that I want them to see? I want to restrict their rights to the OUs they should have. 

    B. From workflow can I direct the script residing at ARS server to refer to the data file (CSV) under the control of the admins? ( I will test this soon)


    Sorry for asking potentially naïve questions

  • Delegation is managed through Access Templates that are applied to your OUs via the ARS MMC.

    See page 67 onward in the QuestOneActiveRoles_6.9_AdminGuide_(English).pdf

    Regarding item B)

    Let's say you have a D: drive on your ARS server and on this drive a folder called D:\ARS_Work\Add_Computers.

    You would have your admins store the names in a file in this folder - let's call it "Computers_To_Add.txt"

    Within your script, you just load the contents of the file thus:

    # Read the comma-delimited file; each row must have ComputerName and TargetOU columns
    $ComputersToAdd = Import-Csv "D:\ARS_Work\Add_Computers\Computers_To_Add.txt"

    # Create one computer object per row, in the OU named in that row
    $ComputersToAdd | ForEach-Object {
        New-QADComputer -Name $_.ComputerName -ParentContainer $_.TargetOU
    }

    NOTES

    1. The code assumes that your file is comma delimited and has a header row of ComputerName,TargetOU

    2. The code shows a local file path for your input file, a UNC path (even pointing to a share) would be perfectly acceptable as well.
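
    An added example, not from the original thread, of the file-driven script above with the checks a practitioner would want before running it as an ARS Workflow. Because the workflow script executes with the ARS server's privileges rather than the requesting admin's (the admins only need rights to trigger the workflow, as noted earlier), the contents of the input file are untrusted input: the script restricts TargetOU to an allow-list, validates names, skips duplicates and writes a log. The paths, OU DNs, snap-in name and log location are assumptions.

    ```powershell
    # Added example, not part of the original thread.
    # Assumptions: runs on the ARS server (e.g. from a workflow script activity),
    # ARS 6.x snap-in available, input file as described in the thread
    # (header row ComputerName,TargetOU). Paths and OU DNs are placeholders.
    param(
        [string]$InputFile = 'D:\ARS_Work\Add_Computers\Computers_To_Add.txt',
        [string]$LogFile   = 'D:\ARS_Work\Add_Computers\Add_Computers.log'
    )
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

    # The script runs with the server's rights, not the admin's, so the file
    # must not be allowed to steer object creation into arbitrary OUs.
    # Only OUs on this list (placeholders) may receive new computer objects.
    $AllowedOUs = @(
        'OU=Workstations,OU=Finance,DC=corp,DC=example',
        'OU=Workstations,OU=HR,DC=corp,DC=example'
    )
    # Conservative computer-name rule: 1-15 letters, digits or hyphens
    $NamePattern = '^[A-Za-z0-9-]{1,15}$'

    $rows = @(Import-Csv -Path $InputFile)
    if ($rows.Count -eq 0) { throw "No rows found in $InputFile" }

    # Fail closed if the header row is not what the thread specifies
    $columns = $rows[0].PSObject.Properties.Name
    foreach ($required in 'ComputerName', 'TargetOU') {
        if ($columns -notcontains $required) { throw "Input file is missing column '$required'" }
    }

    $log = foreach ($row in $rows) {
        $name = "$($row.ComputerName)".Trim()
        $ou   = "$($row.TargetOU)".Trim()
        $stamp = Get-Date -Format s

        if ($name -notmatch $NamePattern) {
            "$stamp`tSKIPPED`t$name`tinvalid computer name"; continue
        }
        if ($AllowedOUs -notcontains $ou) {
            "$stamp`tSKIPPED`t$name`tTargetOU not on allow-list: $ou"; continue
        }
        if (Get-QADComputer -Name $name -SizeLimit 1 -ErrorAction SilentlyContinue) {
            "$stamp`tSKIPPED`t$name`talready exists"; continue
        }
        try {
            $computer = New-QADComputer -Name $name -ParentContainer $ou -ErrorAction Stop
            "$stamp`tCREATED`t$($computer.DN)"
        }
        catch {
            "$stamp`tFAILED`t$name`t$($_.Exception.Message)"
        }
    }

    # Keep an audit trail next to the input file and echo it for the workflow output
    $log | Add-Content -Path $LogFile
    $log
    ```

    A row such as `FIN-WS-009,OU=Domain Controllers,DC=corp,DC=example` is rejected by the allow-list check rather than created, which is the property you lose if the bare two-line version runs unattended under the server's identity. Lock down the input folder so that only the intended admins can write to it, for the same reason.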