Solved

AD in education

Posted on 2013-10-28
10
189 Views
Last Modified: 2013-11-12
If any of you manage a domain/AD in schools/colleges/universities, how do you segregate staff and pupil/student access?

Is it a completely separate domain? My concern, especially for young pupils, is that if you enforce a complex password policy they are likely to forget it, whereas if you deploy two password policies, a more lax one for younger students and a more stringent one for staff, aren't you putting your network at risk? I just wondered how you deal with this in education-type networks.
0
Question by:pma111
10 Comments
 
LVL 9

Accepted Solution

by:
Ashok Dewan earned 72 total points
ID: 39605464
For that you might have to create a separate OU (organizational unit) for pupils to apply different policies to them.
0
 
LVL 6

Assisted Solution

by:ButlerTechnology
ButlerTechnology earned 72 total points
ID: 39605465
I work at a SUNY and we use a single domain model. I don't think that you are putting your network at risk having two policies based on your users. I would make it a point to stress the least principle and possibly re-think resource permissions.

Tom
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 72 total points
ID: 39605473
Different policies are something I've seen done via forum posts... I'm not in Ed. If you are on 2008 and above (domain functional level) you can use Fine-Grained Password Policies to apply different policies to user groups.

Two-factor authentication is also another idea (they would only need a PIN), but then they have to remember their card or key. That is also a bigger investment.

As far as password strength, I recently watched this video from DerbyCon: http://www.youtube.com/watch?v=qR-qRUbeKAo . A true "hacker" can get all of them... this guy is better than most.

Thanks

Mike
0

 
LVL 57

Expert Comment

by:Mike Kline
ID: 39605474
Just a note: you can't link different GPOs to OUs; password policy via group policy for domain accounts is only applied at the domain level.

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 39605482
I guess it was just the whole principle of the setup, and whether you have a single domain for all your servers and all users, staff/pupils. Or whether you have a separate domain just for pupils and put your college/university/school's administration side (i.e. applications, payroll, finance etc.) on a segmented domain/network?
0
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 71 total points
ID: 39605505
We have a single domain and separate users by faculty and students. Every user (even administration) is a standard user.

We use fine-grained passwords for our users: a tougher password for teachers, a smaller password for students. Students also have very limited network access - they can only access two student servers and an application share.
0
 
LVL 3

Author Comment

by:pma111
ID: 39605562
>Students also have very limited network access - they can only access two student servers and an application share.

How is that tied down? My worry was, if you had, say, an Everyone share by mistake in the domain meant for staff only, then potentially every student could access it too.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 71 total points
ID: 39605951
Personally, it is better to keep a single forest, single domain. If you are looking for more administrative work when it comes to AD, then adding a second child domain will do this. Policies and administration are isolated, but you still have "transitive trusts" between both root and child domains (so you can still mess up permissions!).

If you have a 2008 forest functional level or plan on upgrading, then why not leverage the new features that are in AD to simplify management?

Most companies used to have multiple child domains to have the ability to do multiple password policies, but it is a management nightmare. This also gets more complex when performing upgrades to newer versions of AD.

Will.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 71 total points
ID: 39606617
Avoid having a multi-domain forest. In pre-Windows Server 2008-based AD, creating multiple domains would typically be necessary to accommodate different password policies, but with the introduction of Fine Grained Password Policy in Windows 2008 DFL this is no longer the case. The best option is Fine Grained Password Policy, which will suit the requirement instead of creating a multi-domain forest.

Fine Grained Password Policy
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx 
http://blogs.technet.com/b/askpfeplat/archive/2013/10/07/fine-grain-password-policy-for-active-directory-2008-domain-does-not-apply.aspx

Note: By default Windows 2003 can have only one password policy per domain, and it should be deployed in the domain password policy; if you want your users to get a different one then upgrade to Windows 2008.
0
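The Fine-Grained Password Policy approach that Mike Kline and Sandeshdubey recommend, as an added example that is not from the thread. It creates a stricter staff PSO and a laxer student PSO in one domain, links them to global security groups (FGPPs apply to users and global groups, never to OUs, which is why the OU-based GPO idea above does not work), and then checks which policy actually wins for each account. It assumes a 2008+ domain functional level, the ActiveDirectory module, and placeholder group and account names.

```powershell
# Added example (not from the thread): two Fine-Grained Password Policies in a single domain.
# Assumptions: DFL 2008+, ActiveDirectory module installed, and global security groups
# "Staff" and "Students" already exist. Policy, group and account names are placeholders.
Import-Module ActiveDirectory

# Lower precedence number wins when a user is covered by both PSOs, so the stricter
# staff policy gets 10 and the student policy 20.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Staff' -Precedence 10 `
    -MinPasswordLength 12 -ComplexityEnabled $true `
    -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

New-ADFineGrainedPasswordPolicy -Name 'PSO-Students' -Precedence 20 `
    -MinPasswordLength 6 -ComplexityEnabled $false `
    -PasswordHistoryCount 3 -MaxPasswordAge (New-TimeSpan -Days 180) `
    -MinPasswordAge (New-TimeSpan -Days 0) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs are linked to users or global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Staff'    -Subjects 'Staff'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Students' -Subjects 'Students'

# Resultant policy for a sample account from each population (placeholder names).
foreach ($sam in 'j.smith.staff', 'a.pupil') {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $sam
    $name = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
    '{0,-15} -> {1}' -f $sam, $name
}

# The gap to look for: staff accounts that did not resolve to the staff PSO and so
# fell through to a weaker policy (e.g. nested in Students with a lower-precedence link).
Get-ADGroupMember -Identity 'Staff' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Where-Object {
        $r = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        -not $r -or $r.Name -ne 'PSO-Staff'
    } | Select-Object SamAccountName
```

A user linked to a PSO directly always beats a PSO inherited through group membership, so direct links are worth auditing the same way.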
 
LVL 79

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 71 total points
ID: 39607171
Yes, if you don't pay attention to details when assigning permissions then you will get the unintended consequences of the files being available for all.

Don't forget NTFS file permissions as they go along with Share Permissions and the most restrictive wins.

What many places do is separate the root directories, i.e. x:\staff and x:\student, and apply the appropriate NTFS file permissions and enable inheritance, so if you do screw up with the share permissions the NTFS file permissions will protect you.
0
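The separate-root-directory layout David Johnson describes, as an added example that is not from the thread: it sets the NTFS ACL on x:\staff and x:\student so that only the intended group (plus Administrators and SYSTEM) is granted, with inheritance flowing down, and then audits both the NTFS ACLs and the SMB share permissions on the staff tree for the "Everyone share by mistake" the question worries about. It assumes placeholder domain, group and share names, and Server 2012+ for the Get-SmbShare cmdlets.

```powershell
# Added example (not from the thread): lock down x:\staff / x:\student with NTFS ACLs and
# audit for over-broad principals. Share and NTFS permissions are both enforced and the
# most restrictive wins, so a mistaken Everyone share is still stopped by the NTFS ACL.
# Assumptions: groups $Domain\Staff and $Domain\Students exist; Get-SmbShare* needs 2012+.
$Domain = 'CAMPUS'   # placeholder NetBIOS domain name

# Break inheritance on each root, then grant only the intended group (Modify) and the
# management principals (Full). (OI)(CI) makes subfolders and files inherit the entry.
icacls 'X:\staff'   /inheritance:r /grant:r "$Domain\Staff:(OI)(CI)M" `
    'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls 'X:\student' /inheritance:r /grant:r "$Domain\Students:(OI)(CI)M" `
    'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Principals that effectively mean "every student as well as every staff member".
$Broad = @('Everyone', 'NT AUTHORITY\Authenticated Users',
           "$Domain\Domain Users", 'BUILTIN\Users')

# NTFS audit: root plus every subfolder of the staff tree (a subfolder with inheritance
# disabled and its own Everyone ACE is the classic way the protection gets undone).
$staffDirs = @('X:\staff') + (Get-ChildItem 'X:\staff' -Directory -Recurse |
                              ForEach-Object { $_.FullName })
foreach ($path in $staffDirs) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $Broad -contains $_.IdentityReference.Value } |
        ForEach-Object { "NTFS  $path : $($_.IdentityReference) $($_.FileSystemRights)" }
}

# Share audit: any share rooted in the staff tree that allows a broad principal.
Get-SmbShare | Where-Object { $_.Path -like 'X:\staff*' } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $Broad -contains $_.AccountName } |
        ForEach-Object { "SHARE $($_.Name) : $($_.AccountName) $($_.AccessRight)" }
}
```

Empty output from both audits is the expected state; any line printed is a place where students could reach staff data regardless of which layer let them in.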