Users in SLK

Mar 14, 2009 at 12:04 PM
When we are setting a new assignment, the list of students that appears includes those who are disabled in Active Directory. Is there anyway to exclude disabled users from this list so that teachers can't set assignments for them?

Where does the list of students come from? Is it looking 'live' at Active Directory or is it stored in a database somewhere?

I'd really appreciate your help
Daniel
Coordinator
Mar 19, 2009 at 4:45 AM
Hi Daniel,

That's a really interesting point. The list of users is those who have the SLK Learner permission on the site, whether directly or via a group.

Should we be displaying disabled users. Probably, they might only be temporarily disabled, for instance as punishment for abusing the network, in which case they definitely need to be able to be assigned to. It may be worth while indicating that they are disabled. What does everyone else think?

Richard
SLK Co-ordinator
http://blog.salamandersoft.co.uk
Mar 19, 2009 at 2:49 PM
I tend to agree. If the users are permanently disabled or disabled for an extended period of time they could be moved out of an AD Group that has the SLK Learner Permission to remove them from the view. The other alternative would be to provide an option on the page to show/hide disabled users.
Apr 30, 2009 at 2:30 PM
Hi Richard

We use SIMS .net as our Student Management System (as do most schools in the UK) which automatically creates an account in Active Directory for each of our students. This account is rather 'unfriendly' in terms of the username and password and our students have a different account in AD for their network login, so we consolidate them both together. The consolidation process disables one AD account and leaves the other account enabled for every user, thus meaning each user only has to have one username and password for everything.

The problem comes about when you try and assign a piece of work to a list of learners. All of the learners appear twice in the list because it is picking up enabled and disabled accounts. Teachers have found this list unweildy and have also been accidently ticking the disabled accounts (which means the students will never get to see the assignment because they never log in with that account).

I initially thought we could get around this problem by going through and manually deleting all of the disabled accounts as they don't appear to be needed after consolidation but I've since discovered this causes other problems. For example, the SIMS provisioning tool which creates the account in the first place gets stuck when it tries to remove an account which isn't there any more.

I believe any school who uses SIMS, the SIMS provisioning service, and consolidates their accounts with another will experience the same problem with SLK.

Is there any temporary solution that I might be able to do just for us whilst this is being considered? Am I able to get into the SLK code to tweak the import so that it only brings in 'active' accounts not disabled ones?

Many thanks
Daniel
Coordinator
Apr 30, 2009 at 3:51 PM
Hi Daniel,

I'm very familiar with the SLG and consolidating users - I've done a fair bit of work around automatic consolidation of accounts with SLG.

I assume that you are using the AD class groups to assign the SLK Learner permissions to. You could remove the disabled accounts from the class group, unless they just get put back in the next time provisioning occurs, but this would be a big job.

The SLK code is freely available for anyone to download and modify from the source tab at the top. You'll need experience of C# and Active Directory programming to make the change though, or find someone who has - the disabled attribute of a user is a bit tricky to determine.

Regards,
Richard
Apr 30, 2009 at 4:02 PM

Hi Richard

You are exactly right: we are using the AD class groups to assign SLK learner permissions and I have already manually deleted all the disabled users as you suggested. This does resolve the problem within SLK, but creates a problem when the SIMS provisioning scripts run. They get stuck every time they try and delete a user (probably because they have already gone). I have to keep manually removing the ‘blockage’ from the provisioning tool (can be several times a day).

I use the following user filter in SharePoint to prevent disabled accounts being imported into SharePoint when you run the Profile Import Tool:

(&(objectCategory=person)(objectClass=user)( !(userAccountControl:1.2.840.113556.1.4.803:=2)))

I was kind of hoping I could add this somehow to the SLK... wishful thinking I suspect.

Thank you for all your help Richard.

Kind regards

Daniel

========================================================================
This email has been sent from the West Sussex LA system. If you have
cause for complaint regarding the content of this email please contact
abuse@wsgfl.org.uk
========================================================================
Coordinator
May 4, 2009 at 8:45 PM
Hi Daniel,

Getting the users from domain groups has some quite messy code, but take a look at GetSPUserInfoFromDirectoryEntry in EnumerateDomainGroups.cs in slk/dll.

Richard
Coordinator
Jun 3, 2009 at 8:09 PM

After working with Daniel I've added an option to SLK to prevent loading disabled users in AD groups and showing them when assigning work. I think that the requirement for this is going to be pretty specific to the case where you are using Sims class groups, so don't recommend it as a general solution. For more details see http://blog.salamandersoft.co.uk/2009/05/29/HidingDisabledUsersInActiveDirectoryGroupsOnTheSLKAssignmentPropertiesPage.aspx and you can download a version with it in on the 1.3.2 Development Builds page.

Richard