Accounts in the Nexus system are inherently cross-platform. Accounts are placed on the network file server (typically NetApps) and are then accessible from Unix, Waterloo Polaris and of course Nexus.
We wish to maintain UWuserids for all users, e.g. j2smith. No one, including administrators, holds privileges on their UWuserid account.
If the user is to have an OU administrator account, create a second account prefixed with a bang, e.g. !j2smith.
If the user has an AD-wide administrator account, create a third account prefixed with two bangs, e.g. !!j2smith.
If a user needs a second unprivileged account, append a 2 to the name, e.g. j2smith2.
Any generic accounts should be constructed so that they would be unlikely to conflict with future UWuserid accounts. For example, shad23 for the Shad Valley program.
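The naming rules above can be checked mechanically. The following is an added example, not part of the original page or of any Nexus tool: it classifies account names by privilege tier and flags privileged accounts that have no matching unprivileged UWuserid. The userid pattern, the function names and the sample list are assumptions made for illustration.

```python
import re

# Assumption: a UWuserid is a lowercase letter followed by lowercase
# letters or digits (j2smith, jhblow and shad23 on this page all fit).
USERID = re.compile(r"^[a-z][a-z0-9]*$")

def classify(name, known):
    """Return (tier, owner) for an account name; `known` is the set of all accounts."""
    if name.startswith("!!"):
        tier, base = "ad-admin", name[2:]      # AD-wide administrator
    elif name.startswith("!"):
        tier, base = "ou-admin", name[1:]      # OU administrator
    else:
        tier, base = "unprivileged", name
    if not USERID.match(base):
        return ("invalid", None)
    # A trailing 2 is ambiguous by name alone (shad22 could be a generic
    # account), so treat it as a second account only if the base exists.
    if tier == "unprivileged" and base.endswith("2") and base[:-1] in known:
        return ("secondary", base[:-1])
    return (tier, base)

def audit(accounts):
    """List accounts that break the convention, sorted by account name."""
    known = set(accounts)
    findings = []
    for name in sorted(known):
        tier, owner = classify(name, known)
        if tier == "invalid":
            findings.append((name, "does not match naming convention"))
        elif tier in ("ou-admin", "ad-admin") and owner not in known:
            findings.append((name, "privileged account without unprivileged UWuserid"))
    return findings

# Constructed sample account list, not real directory data.
SAMPLE = ["j2smith", "!j2smith", "!!j2smith", "j2smith2",
          "shad23", "jhblow", "!jblow", "!!!x"]

if __name__ == "__main__":
    for account, problem in audit(SAMPLE):
        print(f"{account}: {problem}")
```

Generic accounts such as shad23 cannot be told apart from UWuserids by name, so the check treats them as ordinary unprivileged accounts.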
Presently, we use Unix to add the user's home directory to the NetApp, insert the user in the Unix PASSWD file and the NetApp PASSWD file, and to set the initial password.
Then, on W2K, we use ADMAN to add the user to AD, set his AD tree location, and supply his home directory and profile location.
The Unix portion of the task can be performed in one of two ways. One can use a command line tool like ACCT, or the student user can self-generate the account using the Nexus and Polaris login web browser.
The Nexus portion of the task can be performed in one of three ways, all of which use the ADMAN command. One can add a particular user with the commands:
    adman
    > base //nexus/faculties/engineering/chemical/accounts/students
    > uwadd jblow
    > quit
This is not usually necessary for student accounts, because they are added in bulk daily using the commands:
    adman
    > base //nexus
    > uwaddall
    > quit
(This step is done by Engineering Computing; it requires the !!account and takes a few hours to complete.)
So when a student appears in UWdir, their account is on Nexus the next day.
The third way is to skip the uwadd variations of ADMAN and add the account manually:
    adman
    > base //nexus/faculties/science/accounts/users
    > add user "Joe H Blow (jhblow)" sn="Blow" givenname="Joe" /account=jhblow /password=h2J34!
    > modify jhblow /homeDirectory=\\engfile\jhblow
    > modify jhblow /homeDrive=N:
    > modify jhblow /profilePath=\\hope\jhblow\windows2000
    > modify jhblow /mail=jhblow@engmail.uwaterloo.ca
    > modify jhblow /wwwHomePage=http://www.eng.uwaterloo.ca/~jhblow
We store the user's profiles on his NetApp account in the \windows2000 subdirectory.
There is presently a bug in Windows 2000 which forces the profile linking to use encrypted passwords even if plaintext passwords are enabled. This bug is compounded by the fact that we can't presently force our NetApps to use encrypted passwords while we still have Windows 95 clients of Waterloo Polaris.
So, the workaround is that we use a helper Unix box which imports the entire /home of the NetApp and re-exports the users' profiles using Samba. That is why, in the example above, the profile path goes through Hope.