
AD in education

If any of you manage a domain/AD in schools/colleges/universities, how do you segregate staff and pupil/student access?

Is it a completely separate domain? My concern, especially for young pupils, is that if you enforce a complex password policy they are likely to forget it, whereas if you deploy two password policies, a more lax one for younger students and a more stringent one for staff, aren't you putting your network at risk? I just wondered how you deal with this in education-type networks.
7 Solutions
Ashok Dewan (Freelancer) commented:
For that you might have to create a separate OU (organizational unit) for pupils to apply different policies to them.
I work at a SUNY and we use a single domain model. I don't think that you are putting your network at risk having two policies based on your users. I would make it a point to stress the least principle and possibly re-think resource permissions.

Mike Kline commented:
Different policies are something I've seen done via forum posts... I'm not in the Ed. If you are on 2008 and above (domain functional level) you can use Fine-Grained Password Policies to apply different policies to user groups.

Two factor authentication is also another idea (they would only need a PIN) but then they have to remember their card or key.  That is also a bigger investment.

As far as password strength, I recently watched this video from DerbyCon: http://www.youtube.com/watch?v=qR-qRUbeKAo. A true "hacker" can get all of them... this guy is better than most.



Mike Kline commented:
Just a note: you can't link different GPOs to OUs for this; password policy via group policy for domain accounts is only applied at the domain level.


pma111 (Author) commented:
I guess it was just the whole principle of the setup, and whether you have a single domain for all your servers and all users (staff/pupils), or whether you have a separate domain just for pupils and put your college/university/school's administration side (i.e. applications, payroll, finance, etc.) on a segmented domain/network?
Joseph Moody (Blogger and wearer of all hats) commented:
We have a single domain and separate users by faculty and students. Every user (even administration) is a standard user.

We use fine-grained password policies for our users: a tougher password for teachers, a smaller password for students. Students also have very limited network access - they can only access two student servers and an application share.
pma111 (Author) commented:
>Students also have very limited network access - they can only access two student servers and an application share.

How is that tied down? My worry was that if you had, say, an "Everyone" share by mistake in the domain meant for staff only, then potentially every student could access it too.
Will Szymkowski (Senior Solution Architect) commented:
Personally, it is better to keep a single forest, single domain. If you are looking for more administrative work when it comes to AD, then adding a second child domain will do this. Policies and administration are isolated, but you still have "transitive trusts" between both root and child domains (so you can still mess up permissions!).

If you have a 2008 forest functional level or plan on upgrading, then why not leverage the new features that are in AD to simplify management.

Most companies used to have multiple child domains to have the ability to do multiple password policies, but it is a management nightmare. This also gets more complex when performing upgrades to newer versions of AD.

Sandeshdubey (Senior Server Engineer) commented:
Avoid having a multi-domain forest. In pre-Windows Server 2008-based AD, creating multiple domains would typically be necessary to accommodate different password policies - but, with the introduction of Fine Grained Password Policy in Windows 2008 DFL, this is no longer the case. The best option is Fine Grained Password Policy, which will suit the requirement instead of creating a multi-domain forest.

Fine Grained Password Policy

Note: By default Windows 2003 can have only one password policy per domain, and it should be deployed in the domain password policy; if you want your users to get a different one, then upgrade to Windows 2008.
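The fine-grained password policy approach that Mike Kline, Joseph Moody and Sandeshdubey describe above, as an added example that is not from any of the commenters: two Password Settings Objects in one domain, one strict for staff and one relaxed for students. It assumes a 2008+ domain functional level, the ActiveDirectory PowerShell module, and hypothetical global security groups "Staff" and "Students" plus a sample account "jdoe"; the policy values are illustrative.

```powershell
# Added example (not from the thread): two Fine-Grained Password Policies
# in a single domain. Group names, PSO names and the account "jdoe" are
# hypothetical placeholders; the numeric settings are only illustrative.
Import-Module ActiveDirectory

# PSOs apply to users and GLOBAL security groups, never to OUs (which is why
# a separate "pupils" OU alone does not change their password policy).
# Lowest Precedence wins when a user falls under more than one PSO; users
# covered by no PSO keep the domain-level Default Domain Policy.
New-ADFineGrainedPasswordPolicy -Name "PSO-Staff" -Precedence 10 `
    -MinPasswordLength 14 -ComplexityEnabled $true `
    -PasswordHistoryCount 24 -MaxPasswordAge "90.00:00:00" -MinPasswordAge "1.00:00:00" `
    -LockoutThreshold 10 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00" `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true `
    -Description "Stricter policy for teaching and administration staff"

New-ADFineGrainedPasswordPolicy -Name "PSO-Students" -Precedence 20 `
    -MinPasswordLength 8 -ComplexityEnabled $false `
    -PasswordHistoryCount 5 -MaxPasswordAge "180.00:00:00" -MinPasswordAge "00:00:00" `
    -LockoutThreshold 10 -LockoutDuration "00:15:00" -LockoutObservationWindow "00:15:00" `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true `
    -Description "Relaxed policy for pupils; compensated by limited network access"

# Bind each PSO to its group (global security groups, as noted above).
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Staff"    -Subjects "Staff"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Students" -Subjects "Students"

# Verify which policy actually wins for one account. A teacher who is also
# (by mistake) a member of "Students" still gets PSO-Staff because 10 < 20,
# so the lax policy cannot silently override the strict one.
Get-ADUserResultantPasswordPolicy -Identity "jdoe" |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold

# Audit: every PSO in the domain and who it applies to, to catch a PSO
# that was created but never bound, or bound to the wrong group.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
        @{ n = 'AppliesTo'; e = {
            (Get-ADFineGrainedPasswordPolicySubject -Identity $_.Name).Name -join ', ' } }
```

An account that falls under no PSO reports the Default Domain Policy settings from Get-ADDefaultDomainPasswordPolicy rather than a PSO name, which is the case to look for when a staff member appears to have the weaker policy.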
David Johnson, CD, MVP (Owner) commented:
Yes, if you don't pay attention to details when assigning permissions, then you will get the unintended consequence of the files being available to all.

Don't forget NTFS file permissions, as they go along with share permissions and the most restrictive wins.

What many places do is separate the root directories, i.e. x:\staff and x:\student, and apply the appropriate NTFS file permissions and enable inheritance, so if you do screw up the share permissions the NTFS file permissions will protect you.
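The separate-root-directory layout described above, as an added example that is not the commenter's own code: locks each tree to its own group with inheriting NTFS ACEs, publishes the shares, and then checks both layers for the "Everyone"-style grants the question worries about. It assumes hypothetical groups EDU\Staff and EDU\Students, a 2012+ file server with the SmbShare module, and paths X:\staff and X:\student.

```powershell
# Added example (not from the thread). Group names, domain "EDU" and paths
# are hypothetical placeholders.
Import-Module SmbShare

$Roots = @{ 'X:\staff' = 'EDU\Staff'; 'X:\student' = 'EDU\Students' }

foreach ($Path in $Roots.Keys) {
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $Acl = Get-Acl -Path $Path
    # Break inheritance from the drive root and discard the inherited ACEs
    # (the root of a volume normally carries a BUILTIN\Users read grant).
    $Acl.SetAccessRuleProtection($true, $false)
    foreach ($Id in $Roots[$Path], 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $Rights = if ($Id -eq $Roots[$Path]) { 'Modify' } else { 'FullControl' }
        # ContainerInherit + ObjectInherit = (OI)(CI): the ACE flows down to
        # every subfolder and file created later, which is the safety net
        # that still holds if the share permissions are set too loosely.
        $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Id, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $Acl.AddAccessRule($Rule)
    }
    Set-Acl -Path $Path -AclObject $Acl
}

# Share permissions are the outer gate; the NTFS ACL above is the inner one,
# and the more restrictive of the two is what the user actually gets.
New-SmbShare -Name 'Staff'   -Path 'X:\staff'   -FullAccess 'EDU\Staff'    | Out-Null
New-SmbShare -Name 'Student' -Path 'X:\student' -FullAccess 'EDU\Students' | Out-Null

# Audit: flag any Allow ACE, on disk or on the share, granted to a principal
# broad enough to include every student.
$Broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'EDU\Domain Users'

function Find-BroadNtfsAccess {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $Broad -contains $_.IdentityReference.Value } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights, IsInherited
}

$Roots.Keys | ForEach-Object { Find-BroadNtfsAccess -Path $_ }
Get-SmbShareAccess -Name 'Staff', 'Student' |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $Broad -contains $_.AccountName }
```

Empty output from the two audit commands is the expected result; any row returned names the path or share, and the principal, that would expose staff data to pupils.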