I like it! Except for the Active-Directory suggestion, all the methods I thought of were, shall we say, risky—they might have failed through accidental non-cooperation of users. This is much better, I think. Sure, a user could still munge up the works by refusing to go along with the program, but it'd be a lot harder to do inadvertently.