Solved

AD in education

Posted on 2013-10-28
10
190 Views
Last Modified: 2013-11-12
If any of you manage a domain/AD in schools/colleges/universities, how do you segregate staff and pupil/student access?

Is it a completely separate domain? My concern especially for young pupils is if you enforce a complex password policy they are likely to forget it, whereas if you deploy 2 password policies, a more lax one for younger students and a more stringent one for staff, aren't you putting your network at risk? I just wondered how you deal with this in education type networks.
0
Question by:pma111
10 Comments
 
LVL 9

Accepted Solution

by:
Ashok Dewan earned 72 total points
ID: 39605464
For that you might have to create a separate OU (organizational unit) for pupils to append different policies for them.
0
 
LVL 6

Assisted Solution

by:ButlerTechnology
ButlerTechnology earned 72 total points
ID: 39605465
I work at a SUNY and we use a single domain model.  I don't think that you are putting your network at risk having two policies based on your users. I would make it a point to stress the least principle and possible re-think resource permission.

Tom
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 72 total points
ID: 39605473
Different policies are something I've seen done via forum posts...I'm not in the Ed.  If you are on 2008 and above (domain functional level) you can use Fine-Grained Password Policies to apply different policies to user groups.

Two factor authentication is also another idea (they would only need a PIN) but then they have to remember their card or key.  That is also a bigger investment.

As far as password strength goes, I recently watched this video from derbycon: http://www.youtube.com/watch?v=qR-qRUbeKAo - a true "hacker" can get all of them...this guy is better than most.

Thanks

Mike
0

 
LVL 57

Expert Comment

by:Mike Kline
ID: 39605474
Just a note you can't link different GPOs to OUs, password policy via group policy for domain accounts is only applied at the domain level.

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 39605482
I guess it was just the whole principle of the setup, and whether you have a single domain for all your servers, and all users staff/pupils. Or whether you have a separate domain just for pupils and put your college/university/schools administration side (i.e. applications, payroll, finance etc) on a segmented domain/network?
0
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 71 total points
ID: 39605505
We have a single domain and separate users by faculty and students. Every user (even administration) is a standard user.

We use fine grain passwords for our users. A tougher password for teachers, smaller password for students. Students also have very limited network access - they can only access two student servers and an application share.
0
 
LVL 3

Author Comment

by:pma111
ID: 39605562
>Students also have very limited network access - they can only access two student servers and an application share.

How is that tied down? My worry was if you had say an everyone share by mistake in the domain meant for staff only - then potentially every student could access it too.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 71 total points
ID: 39605951
Personally it is better to keep single forest single domain. If you are looking for more administrative work when it comes to AD then adding a second child domain will do this. Policies and Administration are isolated but you still have "transitive trusts" between both root and child domains (so you can still mess up permissions!).

If you have a 2008 forest functional level or plan on upgrading then why not leverage the new features that are in AD to simplify management?

Most companies used to have multiple child domains to have the ability to do multiple password policies but it is a management nightmare. This also gets more complex when performing upgrades to newer versions of AD.

Will.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 71 total points
ID: 39606617
Avoid having a multi-domain forest. In pre-Windows Server 2008-based AD, creating multiple domains would typically be necessary to accommodate different password policies - but, with the introduction of Fine Grained Password Policy in Windows 2008 DFL, this is no longer the case. The best option is Fine Grained Password Policy, which will suit the requirement instead of creating a multi-domain forest.

Fine Grained Password Policy
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx 
http://blogs.technet.com/b/askpfeplat/archive/2013/10/07/fine-grain-password-policy-for-active-directory-2008-domain-does-not-apply.aspx

Note: By default Windows 2003 can have only one password policy per domain and the same should be deployed in the domain password policy; if you want your users to get a different one then upgrade to Windows 2008.
0
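The Fine-Grained Password Policy setup that Mike Kline and Sandeshdubey describe, as an added example that is not from any poster in this thread: two PSOs on a 2008+ domain functional level, the stricter one assigned to a staff group and the more lenient one to a student group, followed by a check of which policy actually applies. Group names, sample account name and the specific length/age values are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module and a
# Windows Server 2008 or later domain functional level.
Import-Module ActiveDirectory

$staffGroup   = 'Staff'     # assumed global security group name
$studentGroup = 'Students'  # assumed global security group name

if ([int](Get-ADDomain).DomainMode -lt 3) {
    throw 'Fine-Grained Password Policies need Windows Server 2008 (or later) domain functional level.'
}

# Stricter policy for staff. A lower Precedence number wins if a user is in both groups,
# so a member of staff who is also in the student group still gets the strict policy.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Staff' -Precedence 10 `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# More lenient policy for younger students: shorter, no complexity rule, but lockout stays on
# so the weaker passwords are not an open door for online guessing.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Students' -Precedence 20 `
    -MinPasswordLength 8 -ComplexityEnabled $false -PasswordHistoryCount 5 `
    -MaxPasswordAge (New-TimeSpan -Days 180) -MinPasswordAge (New-TimeSpan -Days 0) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# PSOs are applied to users or global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Staff'    -Subjects $staffGroup
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Students' -Subjects $studentGroup

# Resultant policy for one account ('jdoe' is an assumed sample account).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled

# Staff accounts with no resultant PSO fall back to the Default Domain Policy;
# list any so they can be fixed before the lax student settings become the effective ones.
Get-ADGroupMember -Identity $staffGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Where-Object { -not (Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName) } |
    Select-Object SamAccountName
```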
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 71 total points
ID: 39607171
Yes if you don't pay attention to details when assigning permissions then you will get the unintended consequences of the files being available for all.  

Don't forget NTFS file permissions as they go along with Share Permissions and the most restrictive wins.

What many places do is separate the root directories, i.e. x:\staff and x:\student, and apply the appropriate NTFS file permissions and enable inheritance, so if you do screw up with the share permissions the NTFS file permissions will protect you.
0
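A check for the mistake pma111 worries about and David Johnson's point that share and NTFS permissions combine with the most restrictive winning, as an added example that is not from any poster in this thread: it lists share-level and NTFS-level "Allow" entries for broad principals on a file server's shares, then flags those under shares whose names suggest they are staff-only. The server name, the list of broad principals and the staff naming convention are assumptions.

```powershell
# Added example (not from the thread). Uses the SmbShare module (Windows Server 2012+)
# and Get-Acl; run from an account that can read the server's share and NTFS ACLs.
$server = 'FS01'                                   # assumed file server name
$broad  = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
            "$env:USERDOMAIN\Domain Users")        # principals every student is part of

$shares = Get-SmbShare -CimSession $server | Where-Object { -not $_.Special }

# Share-level permissions: an "Everyone: Full" here is only as bad as the NTFS ACL beneath it.
$shareFindings = foreach ($share in $shares) {
    Get-SmbShareAccess -CimSession $server -Name $share.Name |
        Where-Object { $broad -contains $_.AccountName -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{ Layer = 'Share'; Path = "\\$server\$($share.Name)"
                               Principal = $_.AccountName; Right = $_.AccessRight }
        }
}

# NTFS permissions on each share root: the effective access is the more restrictive of the
# two layers, so a broad NTFS ACE under a broad share ACE is the real exposure.
$ntfsFindings = foreach ($share in $shares) {
    $root = "\\$server\$($share.Name)"
    (Get-Acl -Path $root).Access |
        Where-Object { $broad -contains $_.IdentityReference.Value -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{ Layer = 'NTFS'; Path = $root
                               Principal = $_.IdentityReference.Value; Right = $_.FileSystemRights }
        }
}

# Report broad access on shares that, by naming convention (assumed), should be staff-only.
@($shareFindings) + @($ntfsFindings) |
    Where-Object { $_.Path -match 'staff|admin|finance|payroll' } |
    Sort-Object Path, Layer |
    Format-Table Layer, Path, Principal, Right -AutoSize
```

A share that appears in the output at both layers is the one students can actually reach; a hit at only one layer is still worth fixing, since the other layer is all that stands between it and the whole domain.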
