Educause Security Discussion mailing list archives

Re: Active Directory Data Model for University Business


From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Mon, 11 Dec 2006 15:31:03 -0700

William,

This is an area I've spent some time on.  ;-)

I think you'll find that most schools use a single OU (or single group
of OUs) for user objects that is separate from the OU structure that
parallels campus business organization (where computers, groups, GPOs,
etc. would live).  Here's a basic diagram of how things look on this
campus:
http://www.colorado.edu/its/windows2000/itsresources/ADdesign.pdf

Since GPOs only apply to two types of objects (user objects and
computer objects - despite their name, they do not apply to groups),
at first glance a department could only apply the computer portion
of a group policy object.  Luckily, Microsoft included a GPO function
called "loopback processing" which will apply the user component of a
GPO even when the user object is not located under the GPO.  This
essentially results in a user policy that doesn't follow the user
everywhere the user goes (which was part of the point of the user
portion), but it allows the user portion to apply.

Does this get at your question?  

BTW: There are also schools that place users based on their primary
affiliation rather than the "everyone in one bucket" approach.

If you're looking into AD design issues, I also recommend checking in
with the Windows in Higher Education list (http://windows-hied.org/)
where a lot of AD discussion goes on.  We hold an annual conference and
some presentations from prior conferences are on the website.  Sometime
in the near future we should get the official list archive populated
too.

Brad Judy

University of Colorado at Boulder
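Because loopback processing lets a GPO linked to a departmental computer OU apply user settings to anyone who logs on to those machines, a domain admin usually wants to know which GPOs have it turned on and where they are linked. The following script is an added example, not part of the original thread or of any campus's own tooling; it assumes the RSAT GroupPolicy module and read access to the domain's GPOs.

```powershell
# Added example: list GPOs that enable user Group Policy loopback processing
# and show where each one is linked. Assumes the GroupPolicy (RSAT) module.
Import-Module GroupPolicy

# Loopback is set under Computer Configuration and lands in this registry value:
#   HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode
#   1 = Merge   (user's own OU settings, then the loopback GPO's user settings)
#   2 = Replace (only the loopback GPO's user settings apply)
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$ModeNames   = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-LoopbackGpo {
    foreach ($gpo in Get-GPO -All) {
        try {
            $value = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey `
                        -ValueName 'UserPolicyMode' -ErrorAction Stop
        } catch {
            continue   # value absent: loopback is not configured in this GPO
        }
        if ($value.Value -notin 1, 2) { continue }   # explicitly disabled

        # Link targets (OU/domain/site paths) come from the GPO's XML report
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo |
                   Where-Object { $_.Enabled -eq 'true' } |
                   ForEach-Object { $_.SOMPath })

        [pscustomobject]@{
            GPO          = $gpo.DisplayName
            LoopbackMode = $ModeNames[[int]$value.Value]
            LinkedTo     = ($links -join '; ')
        }
    }
}

Get-LoopbackGpo | Sort-Object GPO | Format-Table -AutoSize
```

Entries in Replace mode deserve the closest look, since whoever edits that GPO or its link target controls the full user policy for every account that logs on to the linked computers, including accounts from outside that department.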
 

-----Original Message-----
From: William Custer [mailto:custerwl () MUOHIO EDU] 
Sent: Monday, December 11, 2006 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Active Directory Data Model for University Business

Miami University is seeking contact with universities that have
successfully implemented Active Directory on a large scale and modelled
the Organizational Units and Group Policy classes to successfully fit a
university business model.

In particular, Active Directory places a User Account in one and only
one Organizational Unit, but university personnel frequently hold more
than one organizational role.  Sub-groups of users can be built as
exception lists, policy can be associated with multiple groups of this kind,
and most importantly, a User Account can be placed in multiple groups.
A strategy like this seems to be required and hence makes use of more
than one organizational unit for User Accounts largely irrelevant at
minimum and beyond that unnecessarily confusing.

Has anyone devised an elegant strategy that permits the same User
Account to be associated with more than one 'group' and multiple groups
to be associated with some policy?
