Educause Security Discussion mailing list archives

Re: Secondary AD domains for students - good or more work when not needed?


From: Terry Jolley <terry.jolley () PCC EDU>
Date: Wed, 19 Apr 2017 21:32:02 -0700

Hi All,

I am new to this Educause group and looking for advice or best practices.
We are a large community college and have just implemented Microsoft Active
Directory for all faculty, staff "employees" and classroom/general use
computers.

We now need to figure out how to handle student accounts. Do we add
students to the existing AD domain, possibly using a "student" OU, or do we
create a secondary AD Domain to create a security perimeter from our
employee domain?  We also would most likely move the classroom/general use
machines to this secondary domain if we go that route.

We would not want students to be able to login to an "employee" computer
joined to AD, but they should be able to login to a classroom, lab, general
use computer using their AD credentials.  We also currently use a defined
OU structure that separates classroom/general computers at the root level
from employee computers within the one domain.

Looking for any advice on this topic... We have some use cases where
"employees" will have to login to the classroom/general computers so AD
"trust" between the sub domains will be required. Again, reason for
secondary "student" domain is based on general security preferences, but if
there is a better way of handling while keeping everyone in one domain it
would be preferred.

Thank you for your time in this matter.
Terry Jolley
Portland Community College
