
AD in education

If any of you manage a domain/AD in schools/colleges/universities, how do you segregate staff and pupil/student access?

Is it a completely separate domain? My concern, especially for young pupils, is that if you enforce a complex password policy they are likely to forget it, whereas if you deploy 2 password policies, a more lax one for younger students and a more stringent one for staff, aren't you putting your network at risk? I just wondered how you deal with this in education type networks.
Asked by: pma111

7 Solutions
 
Ashok Dewan commented:
For that you might have to create a separate OU (organizational unit) for pupils to append different policies for them.
 
ButlerTechnology commented:
I work at a SUNY and we use a single domain model. I don't think that you are putting your network at risk by having two policies based on your users. I would make it a point to stress the least-privilege principle and possibly re-think resource permissions.

Tom
 
Mike Kline commented:
Different policies are something I've seen done via forum posts... I'm not in Ed. If you are on 2008 and above (domain functional level) you can use Fine-Grained Password Policies to apply different policies to user groups.

Two factor authentication is also another idea (they would only need a PIN) but then they have to remember their card or key.  That is also a bigger investment.

As far as password strength goes, I recently watched this video from DerbyCon: http://www.youtube.com/watch?v=qR-qRUbeKAo. A true "hacker" can get all of them... this guy is better than most.

Thanks

Mike
 
Mike Kline commented:
Just a note: you can't link different GPOs to OUs; password policy via group policy for domain accounts is only applied at the domain level.

Thanks

Mike
 
pma111 (Author) commented:
I guess it was just the whole principle of the setup, and whether you have a single domain for all your servers and all users, staff/pupils, or whether you have a separate domain just for pupils and put your college/university/school administration side (i.e. applications, payroll, finance etc.) on a segmented domain/network?
 
Joseph Moody (Blogger and wearer of all hats) commented:
We have a single domain and separate users by faculty and students. Every user (even administration) is a standard user.

We use fine-grained passwords for our users: a tougher password for teachers, a smaller password for students. Students also have very limited network access - they can only access two student servers and an application share.
 
pma111 (Author) commented:
> Students also have very limited network access - they can only access two student servers and an application share.

How is that tied down? My worry was that if you had, say, an "everyone" share by mistake in the domain meant for staff only, then potentially every student could access it too.
 
Will Szymkowski (Senior Solution Architect) commented:
Personally, it is better to keep a single forest, single domain. If you are looking for more administrative work when it comes to AD, then adding a second child domain will do this. Policies and administration are isolated, but you still have "transitive trusts" between both root and child domains (so you can still mess up permissions!).

If you have a 2008 forest functional level or plan on upgrading, then why not leverage the new features that are in AD to simplify management.

Most companies used to have multiple child domains to have the ability to do multiple password policies, but it is a management nightmare. This also gets more complex when performing upgrades to newer versions of AD.

Will.
 
Sandeshdubey commented:
Avoid having a multi-domain forest. In pre-Windows Server 2008-based AD, creating multiple domains would typically be necessary to accommodate different password policies, but with the introduction of Fine Grained Password Policy in Windows 2008 DFL this is no longer the case. The best option is Fine Grained Password Policy, which will suit the requirement instead of creating a multi-domain forest.

Fine Grained Password Policy
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx 
http://blogs.technet.com/b/askpfeplat/archive/2013/10/07/fine-grain-password-policy-for-active-directory-2008-domain-does-not-apply.aspx

Note: By default Windows 2003 can have only one password policy per domain, and the same should be deployed in the domain password policy; if you want your users to get a different one, then upgrade to Windows 2008.
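The fine-grained password policy setup that Joseph Moody and Sandeshdubey describe (and Mike Kline's point that such policies apply to users and groups, not OUs) looks like this in PowerShell. This is an added example, not code from any poster; it assumes a Windows Server 2008 or later domain functional level, the ActiveDirectory module, and two hypothetical global security groups named "Staff" and "Students" that already exist.

```powershell
# Added example (not from the thread). Assumes: 2008+ domain functional level,
# the ActiveDirectory module, and global security groups "Staff" and "Students"
# (hypothetical names) already populated.
Import-Module ActiveDirectory

# Stricter policy for staff. The lower Precedence value wins if a user ends up
# in both groups, so the staff PSO gets the lower number.
New-ADFineGrainedPasswordPolicy -Name "PSO-Staff" -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 12 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Laxer policy for students: shorter and no complexity, but lockout still
# limits online guessing, which is the risk the lax policy would otherwise add.
New-ADFineGrainedPasswordPolicy -Name "PSO-Students" -Precedence 20 `
    -ComplexityEnabled $false -MinPasswordLength 8 -PasswordHistoryCount 5 `
    -MaxPasswordAge (New-TimeSpan -Days 180) -MinPasswordAge (New-TimeSpan -Days 0) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs are applied to users or global security groups, never linked to an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Staff" -Subjects "Staff"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Students" -Subjects "Students"

# Verify which policy actually wins for a given account ("jdoe" is a placeholder).
# An empty result means no PSO applies and the Default Domain Policy is in force.
Get-ADUserResultantPasswordPolicy -Identity "jdoe" |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled
```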
 
David Johnson, CD, MVP (Owner) commented:
Yes, if you don't pay attention to details when assigning permissions then you will get the unintended consequences of the files being available for all.

Don't forget NTFS file permissions as they go along with Share Permissions and the most restrictive wins.

What many places do is separate the root directories, i.e. x:\staff and x:\student, apply the appropriate NTFS file permissions and enable inheritance, so if you do screw up with the share permissions the NTFS file permissions will protect you.
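The staff/student root-directory split David Johnson describes, with NTFS as the gate and inheritance flowing down from each root, can be scripted as follows. This is an added example, not the poster's own code; it assumes a hypothetical domain CONTOSO with groups "Staff" and "Students", a data volume X:, and (for the share commands) the SmbShare module from Server 2012 or later.

```powershell
# Added example (not from the thread). Assumes domain CONTOSO, groups "Staff" and
# "Students" (hypothetical names), data volume X:, and the SmbShare module.
$roots = @{ "X:\staff" = "CONTOSO\Staff"; "X:\student" = "CONTOSO\Students" }
$inherit = "ContainerInherit,ObjectInherit"   # rules flow down to all children

foreach ($path in $roots.Keys) {
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $acl = Get-Acl -Path $path
    # Stop inheriting from the volume root and drop the inherited entries
    # (e.g. BUILTIN\Users read), so nothing broad leaks in from above.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($entry in @(
        @("NT AUTHORITY\SYSTEM",    "FullControl"),
        @("BUILTIN\Administrators", "FullControl"),
        @($roots[$path],            "Modify")
    )) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $entry[0], $entry[1], $inherit, "None", "Allow"
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

# Share permissions can stay broad; NTFS decides, because the most restrictive
# of share and NTFS wins. Authenticated Users at the share layer does not let
# a student into X:\staff, since the NTFS ACL above never grants Students.
New-SmbShare -Name "staff$"   -Path "X:\staff"   -ChangeAccess "Authenticated Users"
New-SmbShare -Name "student$" -Path "X:\student" -ChangeAccess "Authenticated Users"

# Audit: warn on any NTFS entry at the roots that would undo the split by
# granting a catch-all principal (the mistake the author was worried about).
foreach ($path in $roots.Keys) {
    (Get-Acl -Path $path).Access | Where-Object {
        $_.IdentityReference -match 'Everyone|Domain Users|Authenticated Users'
    } | ForEach-Object {
        Write-Warning "$path grants $($_.FileSystemRights) to $($_.IdentityReference)"
    }
}
```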
