Instructions mostly of value to Chemistry IT staff, including the particular conventions we use.
Follow the Cornell process for creating a GuestID using Quest (ARS Console)
Our GuestID OU in Chemistry:
Naming convention:
- Know that a newly created GuestID will be all lower case. Don't be fooled by the creation UI. :-)
- For research groups, use the group's name (usually the PI's last name) along with a short name expressing something about its use, for instance the non-Cornell institution where the person or people using the GuestID work.
Password tips
- Select the password generator in the UI.
- No need to record it, since the user-created password will override it as part of the activation process.
Our "Guest-Only Group":
- AS-Guest
Usually we are creating a GuestID for VPN access. If that's the case, don't forget to add the new GuestID to our Departmental VPN:
- AS-CHM-DeptVPN
Q and A
Directly after creation, why is the Guest-Only Group, AS-Guest, not showing up in "Member of" for this AD object?
- Answer: Until the user responds to CIT's emailed instructions, including creating their password for this new GuestID, the object is not a member of AS-Guest.
  - Details: This action in turn adds them to the following groups:
    - OIT-IDM-guests-gs
    - OIT-IDM-guests-ls (a nested group)
  - And presumably also subsequently removes them from these groups:
    - Domain Users
    - O365-LicenseExchange (a nested group)
    - Users (a nested group)
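The membership behaviour described in the answer above can be checked from PowerShell instead of reading the "Member of" tab. This is an added example, not part of the original page or of Cornell's documented process; it assumes the RSAT ActiveDirectory module, read access to the domain, and that the GuestID is the account's sAMAccountName. The function name and the sample GuestID are hypothetical.

```powershell
# Added example (read-only). Assumes the RSAT ActiveDirectory module and that
# the GuestID is the account's sAMAccountName. Function name is hypothetical.
Import-Module ActiveDirectory

function Get-GuestIdGroupState {
    param(
        [Parameter(Mandatory)] [string] $GuestId,
        [string[]] $ExpectedGroups = @('AS-Guest', 'AS-CHM-DeptVPN'),
        [int] $ActivationDays = 7   # activation window stated in CIT's note
    )
    $user = Get-ADUser -Identity $GuestId -Properties MemberOf, PrimaryGroup, whenCreated

    # Direct memberships from the memberOf attribute. The primary group
    # (e.g. Domain Users) is stored separately, so add it explicitly.
    $direct = @(@($user.MemberOf) + @($user.PrimaryGroup) | Where-Object { $_ } |
        ForEach-Object { (Get-ADGroup -Identity $_).Name })

    # Direct plus nested memberships via LDAP_MATCHING_RULE_IN_CHAIN.
    # Escape filter metacharacters in the DN first (backslash must go first).
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
        -replace '\(', '\28' -replace '\)', '\29'
    $all = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        ForEach-Object { $_.Name })

    $groups = foreach ($g in $ExpectedGroups) {
        $state = if ($direct -contains $g) { 'Direct' }
                 elseif ($all -contains $g) { 'Nested' }
                 else { 'Missing' }
        [pscustomobject]@{ Group = $g; State = $state }
    }

    # Per the Q and A above, AS-Guest membership appears only after activation.
    $activated = $all -contains 'AS-Guest'
    [pscustomobject]@{
        GuestId    = $user.SamAccountName
        Activated  = $activated
        # Only meaningful while the GuestID is still unactivated.
        ActivateBy = if ($activated) { $null } else { $user.whenCreated.AddDays($ActivationDays) }
        Groups     = $groups
    }
}

# Usage with a constructed GuestID name:
# Get-GuestIdGroupState -GuestId 'smith-acme' | Format-List
```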
Sample email to send to person getting new GuestID
- Edited from Remedy ticket <INC000001865243>.
To: blah@blah.edu
Cc: The sponsor in the research group and/or group's PI
Per xx's request, in the yy group here at Cornell University, we have created a GuestID to enable you to access the yy group's "hh" server.
You should have recently received an email from CIT with instructions on activating your GuestID. It was sent to the address I am using for this message, <blah@blah.edu>. Their process includes you creating a password, which my group will not know. (I've pasted below the info CIT provided me about what you can expect to do.)
You may share your GuestID/password credentials with your trusted colleagues at your institution in ways which facilitate your research. Such shared use is accountable to you, naturally.
Once you have activated your GuestID, please test it by accessing our departmental VPN. The following web page has info on where to get the Cornell-provided Cisco VPN software you should use, links to fuller documentation on using Cornell's VPN services, and more specific instructions on using a "departmental" VPN, as you'll be doing:
https://confluence.cornell.edu/x/K_NRF
Here are some details which apply to your GuestID, using the above web site's "Sample instructions" as a guide:
(1) Your GuestID is: <gid-name-used>
Use the password you set up for this GuestID when you activated it.
(2) Our departmental VPN is: AS-CHM-DeptVPN
Thus, for VPN access, the full name you will use is:
gid-name-used@AS-CHM-DeptVPN
Please let me know if you can or cannot get through the VPN. Once you have successfully used the VPN, we can then connect you to hh!
Yours in service, -Oliver.
P.S. Here is the information CIT shared with me:
------------------------
The guest will receive a confirmation email containing a link they must follow to complete the activation of their GuestID, which includes creating their password. You do not need to give the password (from step 6 above) to the guest, since they will not use it. (The Active Directory process requires that it be created. We are investigating the possibility of automating the password creation step.)
The guest must follow the instructions in that email message within seven days from the time the GuestID was created. If no action is taken by the guest, the ID will be deleted after seven days.
------------------------