Solved

AD in education

Posted on 2013-10-28
188 Views
Last Modified: 2013-11-12
If any of you manage a domain/AD in schools/colleges/universities, how do you segregate staff and pupil/student access?

Is it a completely separate domain? My concern, especially for young pupils, is that if you enforce a complex password policy they are likely to forget it, whereas if you deploy 2 password policies, a more lax one for younger students and a more stringent one for staff, aren't you putting your network at risk? I just wondered how you deal with this in education type networks.
Question by:pma111
10 Comments
 
LVL 9

Accepted Solution

by:
Ashok Dewan earned 72 total points
ID: 39605464
For that you might have to create a separate OU (organizational unit) for pupils to apply different policies to them.
 
LVL 6

Assisted Solution

by:ButlerTechnology
ButlerTechnology earned 72 total points
ID: 39605465
I work at a SUNY and we use a single domain model. I don't think that you are putting your network at risk by having two policies based on your users. I would make it a point to stress the principle of least privilege and possibly re-think resource permissions.

Tom
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 72 total points
ID: 39605473
Different policies are something I've seen done via forum posts... I'm not in Ed. If you are on 2008 and above (domain functional level) you can use Fine-Grained Password Policies to apply different policies to user groups.

Two-factor authentication is also another idea (they would only need a PIN), but then they have to remember their card or key. That is also a bigger investment.

As far as password strength, I recently watched this video from DerbyCon: http://www.youtube.com/watch?v=qR-qRUbeKAo A true "hacker" can get all of them... this guy is better than most.

Thanks

Mike
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39605474
Just a note: you can't link different GPOs to OUs, as password policy via Group Policy for domain accounts is only applied at the domain level.

Thanks

Mike
 
LVL 3

Author Comment

by:pma111
ID: 39605482
I guess it was just the whole principle of the setup, and whether you have a single domain for all your servers and all users, staff/pupils, or whether you have a separate domain just for pupils and put your college/university/school administration side (i.e. applications, payroll, finance etc.) on a segmented domain/network?
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 71 total points
ID: 39605505
We have a single domain and separate users by faculty and students. Every user (even administration) is a standard user.

We use fine-grained passwords for our users: a tougher password for teachers, a smaller password for students. Students also have very limited network access; they can only access two student servers and an application share.
 
LVL 3

Author Comment

by:pma111
ID: 39605562
>Students also have very limited network access - they can only access two student servers and an application share.

How is that tied down? My worry was that if you had, say, an Everyone share by mistake in the domain meant for staff only, then potentially every student could access it too.
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 71 total points
ID: 39605951
Personally, it is better to keep a single forest, single domain. If you are looking for more administrative work when it comes to AD, then adding a second child domain will do this. Policies and administration are isolated, but you still have "transitive trusts" between both root and child domains (so you can still mess up permissions!).

If you have a 2008 forest functional level or plan on upgrading, then why not leverage the new features that are in AD to simplify management.

Most companies used to have multiple child domains to have the ability to do multiple password policies, but it is a management nightmare. This also gets more complex when performing upgrades to newer versions of AD.

Will.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 71 total points
ID: 39606617
Avoid having a multi-domain forest. In pre-Windows Server 2008-based AD, creating multiple domains would typically be necessary to accommodate different password policies, but with the introduction of Fine-Grained Password Policy in Windows 2008 DFL, this is no longer the case. The best option is Fine-Grained Password Policy, which will suit the requirement, instead of creating a multi-domain forest.

Fine Grained Password Policy
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
http://blogs.technet.com/b/askpfeplat/archive/2013/10/07/fine-grain-password-policy-for-active-directory-2008-domain-does-not-apply.aspx

Note: By default Windows 2003 can have only one password policy per domain, and it should be deployed in the domain password policy; if you want your users to get a different one then upgrade to Windows 2008.
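Mike Kline's and Sandeshdubey's posts above point at Fine-Grained Password Policies as the answer to the two-policy question. The PowerShell below is an added example, not code from this thread, of what that looks like in practice: a stricter PSO for staff and a laxer one for students, each linked to a global security group (PSOs apply to users and global security groups, not to OUs, which is the catch with the OU suggestion at the top of the thread), preceded by a check of the domain functional level and followed by a lookup of the policy an account is actually held to. The group names Staff and Students, the account jdoe and the chosen settings are assumptions; the script needs the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and a domain functional level of Windows Server 2008 or higher.

```powershell
# Added example, not from the thread. Assumed names: groups "Staff" and "Students",
# user "jdoe". Needs the ActiveDirectory module and DFL Windows Server 2008 or higher.
Import-Module ActiveDirectory

# Fine-grained password policies do not exist below the 2008 domain functional level,
# so fail early with a clear message instead of a confusing cmdlet error.
$domain  = Get-ADDomain
$minimum = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ($domain.DomainMode -lt $minimum) {
    throw "Domain functional level is $($domain.DomainMode); PSOs need $minimum or higher."
}

# PSOs can only be applied to users and global security groups, never to OUs,
# so make sure the two target groups exist with global scope.
foreach ($name in 'Staff', 'Students') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security
    }
}

# Staff: long, complex passwords. Precedence 10 beats any PSO with a higher number,
# so a user who is in both groups gets this policy.
$staff = @{
    Name                     = 'PSO-Staff'
    Precedence               = 10
    MinPasswordLength        = 14
    ComplexityEnabled        = $true
    PasswordHistoryCount     = 24
    MinPasswordAge           = '1.00:00:00'     # 1 day
    MaxPasswordAge           = '90.00:00:00'    # 90 days
    LockoutThreshold         = 10
    LockoutObservationWindow = '0.00:30:00'     # 30 minutes
    LockoutDuration          = '0.00:30:00'
}
New-ADFineGrainedPasswordPolicy @staff
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Staff' -Subjects 'Staff'

# Students: shorter, no complexity rule, but a tighter lockout threshold so that a
# weaker password is harder to guess online. Precedence 20 loses to the staff PSO.
$students = @{
    Name                     = 'PSO-Students'
    Precedence               = 20
    MinPasswordLength        = 8
    ComplexityEnabled        = $false
    PasswordHistoryCount     = 5
    MinPasswordAge           = '0.00:00:00'
    MaxPasswordAge           = '365.00:00:00'
    LockoutThreshold         = 5
    LockoutObservationWindow = '0.00:30:00'
    LockoutDuration          = '0.01:00:00'     # 1 hour
}
New-ADFineGrainedPasswordPolicy @students
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Students' -Subjects 'Students'

# Show the policy an account will actually be held to. A user with no PSO gets
# $null from Get-ADUserResultantPasswordPolicy, which means the Default Domain
# Policy applies, so fall back to that and label it.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory=$true)][string]$Identity)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($null -eq $pso) {
        $pso = Get-ADDefaultDomainPasswordPolicy
    }
    $pso | Select-Object @{n='Source'; e={ if ($_.Name) { $_.Name } else { 'Default Domain Policy' } }},
        MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge
}
Get-EffectivePasswordPolicy -Identity 'jdoe'
```

The shorter student policy is paired with a lower lockout threshold on purpose: a lax password rule is far less of a risk against online guessing if the account locks sooner, and the rest of the thread's advice (students confined to a couple of servers, standard-user accounts everywhere) limits what a guessed student password buys. If someone ends up in both groups, the lower Precedence value wins, so a staff member who is also enrolled keeps the stricter policy; checking with Get-EffectivePasswordPolicy after any group change is the quickest way to confirm that.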
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 71 total points
ID: 39607171
Yes, if you don't pay attention to details when assigning permissions then you will get the unintended consequence of the files being available to all.

Don't forget NTFS file permissions, as they go along with share permissions and the most restrictive wins.

What many places do is separate the root directories, i.e. x:\staff and x:\student, and apply the appropriate NTFS file permissions and enable inheritance, so if you do screw up with the share permissions the NTFS file permissions will protect you.
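David Johnson's layout above (separate roots, NTFS permissions with inheritance, share permissions as the outer layer) and pma111's worry about an accidental Everyone share are what the following PowerShell makes concrete; it is an added example, not the thread's own code. It creates X:\Staff and X:\Student with inheritance from the volume root removed, grants one group Modify on each tree through inheritable entries, shares each root with a share ACL scoped to the same group, and then audits every non-special share and every folder under the two roots for Allow entries granted to Everyone, Authenticated Users, BUILTIN\Users or Domain Users. The drive letter, the EDU domain, the Staff and Students groups and the list of broad principals are assumptions; the SMB cmdlets need Windows Server 2012 or later (on 2008 R2, net share with /GRANT does the same job as New-SmbShare).

```powershell
# Added example, not from the thread. Assumptions: data volume X:, domain EDU,
# groups EDU\Staff and EDU\Students, SMB cmdlets (Windows Server 2012 or later).

$roots = @{
    'X:\Staff'   = 'EDU\Staff'
    'X:\Student' = 'EDU\Students'
}

foreach ($path in $roots.Keys) {
    $group = $roots[$path]
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # /inheritance:r cuts the link to the volume root and removes the inherited ACEs
    # (typically BUILTIN\Users read, which would let students read the staff tree).
    icacls $path /inheritance:r | Out-Null

    # Explicit, inheritable ACEs only: (OI)(CI) means every new subfolder and file
    # gets the same entries, so a later share-permission mistake is still caught by NTFS.
    icacls $path /grant "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" "${group}:(OI)(CI)M" | Out-Null

    # The share permission is the outer gate; scope it to the same group rather than
    # Everyone so that both layers have to be wrong before the other side gets in.
    New-SmbShare -Name (Split-Path $path -Leaf) -Path $path -FullAccess 'BUILTIN\Administrators' -ChangeAccess $group | Out-Null
}

# Audit: list every Allow entry that hands access to a broad principal, on the
# share ACLs (non-special shares only; C$ and IPC$ are expected to look odd)
# and on every folder under the two roots.
function Find-BroadAccess {
    param(
        [string[]]$Roots = @('X:\Staff', 'X:\Student'),
        [string[]]$Broad = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                             'BUILTIN\Users', 'EDU\Domain Users')
    )
    foreach ($a in (Get-SmbShare -Special $false | Get-SmbShareAccess)) {
        if ($a.AccessControlType -eq 'Allow' -and $Broad -contains $a.AccountName) {
            [pscustomobject]@{ Layer = 'Share'; Path = $a.Name
                               Principal = $a.AccountName; Rights = $a.AccessRight }
        }
    }
    foreach ($root in $Roots) {
        $dirs = @(Get-Item $root) + @(Get-ChildItem $root -Directory -Recurse)
        foreach ($dir in $dirs) {
            foreach ($ace in (Get-Acl $dir.FullName).Access) {
                if ($ace.AccessControlType -eq 'Allow' -and $Broad -contains $ace.IdentityReference.Value) {
                    [pscustomobject]@{ Layer = 'NTFS'; Path = $dir.FullName
                                       Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
                }
            }
        }
    }
}

# Empty output is the goal; anything listed is a hole to close before students find it.
Find-BroadAccess | Format-Table -AutoSize
```

Run the audit on a schedule rather than once: the mistake pma111 describes is usually a share someone adds later with the default Everyone read permission, and a subfolder whose inheritance was broken and re-granted to Authenticated Users will show up in the NTFS pass even though the root still looks right.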