Educause Security Discussion mailing list archives

Re: Secondary AD domains for students - good or more work when not needed?


From: Eric Lukens <eric.lukens () UNI EDU>
Date: Thu, 20 Apr 2017 09:39:41 -0500

I would suggest one domain and putting the students into an OU of their own
and adding them to a group in AD. Then you can use group policy on your
computers to use a combination of the "Allow log on locally" and the "Deny
log on locally" setting to block/allow accounts from logging in at places
as necessary.

On Wed, Apr 19, 2017 at 11:32 PM, Terry Jolley <terry.jolley () pcc edu> wrote:

Hi All,

I am new to this Educause group and looking for advice or best practices.
We are a large community college and have just implemented Microsoft Active
Directory for all faculty, staff "employees" and classroom/general use
computers.

We now need to figure out how to handle student accounts. Do we add
students to the existing AD domain, possibly using a "student" OU or do we
create a secondary AD Domain to create a security perimeter from our
employee domain?  We also would most likely move the classroom/general use
machines to this secondary domain if we go that route.

We would not want students to be able to login to an "employee" computer
joined to AD, but they should be able to login to a classroom, lab, general
use computer using their AD credentials.  We also currently use a defined
OU structure that separates classroom/general computers at the root level
from employee computers within the one domain.

Looking for any advice on this topic... We have some use cases where
"employees" will have to login to the classroom/general computers so AD
"trust" between the sub domains will be required. Again, reason for
secondary "student" domain is based on general security preferences, but if
there is a better way of handling while keeping everyone in one domain it
would be preferred.

Thank you for your time in this matter.
Terry Jolley
Portland Community College




-- 
============================================================
Eric C. Lukens       IT Security Compliance & Policy Analyst
Information Security          Innov Teaching & Tech Ctr 117D
University of Northern Iowa       Cedar Falls, IA 50614-0301
(319) 273-7434                 http://sites.uni.edu/elukens/
============================================================
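
Added example (not part of either message): a Python check of how the "Allow log on locally" (SeInteractiveLogonRight) and "Deny log on locally" (SeDenyInteractiveLogonRight) rights combine for the single-domain layout suggested in the reply. The group SIDs and the two [Privilege Rights] fragments are constructed for illustration, and the check models only group-SID matching against those two rights.

```python
import configparser

ALLOW = "SeInteractiveLogonRight"      # "Allow log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"

# Constructed SIDs for hypothetical Students / Employees groups.
STUDENTS = "S-1-5-21-1111111111-2222222222-3333333333-5001"
EMPLOYEES = "S-1-5-21-1111111111-2222222222-3333333333-5002"
ADMINS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed [Privilege Rights] fragments in security-template (GptTmpl.inf) syntax.
EMPLOYEE_PC = f"""[Privilege Rights]
{ALLOW} = *{ADMINS},*{EMPLOYEES}
{DENY} = *{STUDENTS}
"""
LAB_PC = f"""[Privilege Rights]
{ALLOW} = *{ADMINS},*{EMPLOYEES},*{STUDENTS}
"""


def privilege_rights(inf_text):
    """Return {right name: set of SIDs} from a template's [Privilege Rights] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the right names' original case
    parser.read_string(inf_text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for name, value in parser.items("Privilege Rights"):
            rights[name] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights


def can_log_on_locally(inf_text, token_sids):
    """Deny wins over allow; with no matching allow entry the logon is refused."""
    rights = privilege_rights(inf_text)
    sids = set(token_sids)
    if rights.get(DENY, set()) & sids:
        return False
    return bool(rights.get(ALLOW, set()) & sids)


if __name__ == "__main__":
    accounts = {
        "student": [STUDENTS],
        "employee": [EMPLOYEES],
        "student worker (both groups)": [STUDENTS, EMPLOYEES],
    }
    for label, sids in accounts.items():
        print(f"{label:30} employee PC: {can_log_on_locally(EMPLOYEE_PC, sids)!s:5} "
              f"lab PC: {can_log_on_locally(LAB_PC, sids)}")
```

The third account shows the case to plan for: an account that is in both groups is refused on employee computers, because a deny entry overrides any allow entry.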
