Educause Security Discussion mailing list archives
Re: Active Directory Data Model for University Business
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Mon, 11 Dec 2006 15:31:03 -0700
William,

This is an area I've spent some time on. ;-)

I think you'll find that most schools use a single OU (or single group of OUs) for user objects that is separate from the OU structure that parallels campus business organization (where computers, groups, GPOs, etc. would live). Here's a basic diagram of how things look on this campus:

http://www.colorado.edu/its/windows2000/itsresources/ADdesign.pdf

Since GPOs only apply to two types of objects (user objects and computer objects - despite their name, they do not apply to groups), at first glance a department could only apply the computer portion of a group policy object. Luckily, Microsoft included a GPO function called "loopback processing" which will apply the user component of a GPO even when the user object is not located under the GPO. This essentially results in a user policy that doesn't follow the user everywhere the user goes (which was part of the point of the user portion), but it allows the user portion to apply.

Does this get at your question?

BTW: There are also schools who place users based on their primary affiliation rather than the "everyone in one bucket" approach.

If you're looking into AD design issues, I also recommend checking in with the Windows in Higher Education list (http://windows-hied.org/) where a lot of AD discussion goes on. We hold an annual conference and some presentations from prior conferences are on the website. Sometime in the near future we should get the official list archive populated too.
Brad Judy
University of Colorado at Boulder

-----Original Message-----
From: William Custer [mailto:custerwl () MUOHIO EDU]
Sent: Monday, December 11, 2006 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Active Directory Data Model for University Business

Miami University is seeking contact with universities that have successfully implemented Active Directory on a large scale and modelled the Organizational Units and Group Policy classes to successfully fit a university business model.

In particular, Active Directory places a User Account in one and only one Organizational Unit, but university personnel frequently hold more than one organizational role. Sub-groups of users can be built as exception lists, policy can be associated with multiple groups of this kind, and most importantly, a User Account can be placed in multiple groups. A strategy like this seems to be required and hence makes use of more than one organizational unit for User Accounts largely irrelevant at minimum and beyond that unnecessarily confusing.

Has anyone devised an elegant strategy that permits the same User Account to be associated with more than one 'group' and multiple groups to be associated with some policy?
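The loopback arrangement Brad describes (users in one campus-wide OU, a department's GPO linked to its own computer OU) can be set up and verified with the GroupPolicy PowerShell module. This is an added example, not code from the list post or from either university; the GPO name and OU distinguished name are placeholders.

```powershell
# Added example (not from the list post). Creates a departmental GPO whose user
# settings apply to anyone who logs on to that department's computers, even
# though all user objects live in a separate campus-wide OU. Assumes the
# GroupPolicy module (RSAT) is installed and the names below are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Dept-Chemistry-Workstations'                    # hypothetical GPO name
$TargetOU = 'OU=Computers,OU=Chemistry,DC=campus,DC=example' # hypothetical OU

# Create the GPO if it does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Enable loopback processing on the computer side of the GPO.
# UserPolicyMode 1 = Merge: the user's own GPOs apply first, then the user
#                  settings of GPOs linked to the computer are layered on top.
# UserPolicyMode 2 = Replace: only the user settings of GPOs linked to the
#                  computer apply; the user's own GPOs are ignored.
# Merge is the less surprising choice when the same people use many machines.
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Link the GPO to the department's computer OU (skip if already linked).
# Without loopback only the computer portion would apply here, because the
# user objects are not under this OU.
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Verify: read the loopback mode back and list the links on the OU so a
# reviewer can confirm the change took effect and nothing else was touched.
$mode = (Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey `
    -ValueName 'UserPolicyMode').Value
"Loopback mode for $GpoName : $mode (1 = Merge, 2 = Replace)"
(Get-GPInheritance -Target $TargetOU).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

After the next policy refresh, `gpresult /r` on a departmental workstation (run as a user from the campus-wide OU) should list the GPO under the user settings as well as the computer settings, which is the observable proof that loopback is doing what the post describes.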