Educause Security Discussion mailing list archives

Re: Secondary AD domains for students - good or more work when not needed?


From: Allen Wood <awood () HILLCOLLEGE EDU>
Date: Thu, 20 Apr 2017 14:55:22 +0000

I agree with Eric on this one.  I inherited a network with a “student” child domain.  It works but the child domain 
isn’t necessary.

Also, if you have on-premise Exchange, DAG will not work unless all servers are on the same domain… That’s one of my 
ongoing issues that I’ve decided to ignore for a little while.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric 
Lukens
Sent: Thursday, April 20, 2017 9:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Secondary AD domains for students - good or more work when not needed?

I would suggest one domain and putting the students into an OU of their own and adding them to a group in AD. Then you 
can use group policy on your computers to use a combination of the "Allow log on locally" and the "Deny log on locally" 
setting to block/allow accounts from logging in at places as necessary.

On Wed, Apr 19, 2017 at 11:32 PM, Terry Jolley <terry.jolley () pcc edu> wrote:
Hi All,

I am new to this Educause group and looking for advice or best practices.  We are a large community college and have 
just implemented Microsoft Active Directory for all faculty, staff "employees" and classroom/general use computers.

We now need to figure out how to handle student accounts. Do we add students to the existing AD domain, possibly using 
a "student" OU, or do we create a secondary AD domain to create a security perimeter from our employee domain?  We also 
would most likely move the classroom/general use machines to this secondary domain if we go that route.

We would not want students to be able to log in to an "employee" computer joined to AD, but they should be able to log in 
to a classroom, lab, or general use computer using their AD credentials.  We also currently use a defined OU structure 
that separates classroom/general computers at the root level from employee computers within the one domain.

Looking for any advice on this topic... We have some use cases where "employees" will have to log in to the 
classroom/general computers, so an AD "trust" between the sub domains will be required. Again, the reason for a secondary 
"student" domain is based on general security preferences, but if there is a better way of handling this while keeping 
everyone in one domain, it would be preferred.

Thank you for your time in this matter.
Terry Jolley
Portland Community College



--
============================================================
Eric C. Lukens       IT Security Compliance & Policy Analyst
Information Security          Innov Teaching & Tech Ctr 117D
University of Northern Iowa       Cedar Falls, IA 50614-0301
(319) 273-7434                 http://sites.uni.edu/elukens/
============================================================
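The single-domain layout Eric describes, written out as an added example (not code from anyone on this thread) using the RSAT ActiveDirectory and GroupPolicy PowerShell modules. The domain, the "Students" OU and group, the "Employee Computers" OU and the GPO name are assumptions; "Deny log on locally" has no GroupPolicy cmdlet, so the script builds a security template that is imported into the GPO through GPMC.

```powershell
# Added example, not from the thread. Assumes RSAT, domain-admin rights, and an existing
# OU for staff machines; all names below are placeholders to adapt.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN   = (Get-ADDomain).DistinguishedName          # e.g. DC=college,DC=edu (assumed)
$studentOU  = "OU=Students,$domainDN"                   # assumed
$employeePC = "OU=Employee Computers,$domainDN"         # assumed, already exists

# 1. One OU and one global security group for student accounts, all in the single domain.
New-ADOrganizationalUnit -Name "Students" -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name "Students" -GroupScope Global -GroupCategory Security -Path $studentOU
# Fill the group from the OU; re-run as student accounts are provisioned.
Add-ADGroupMember -Identity "Students" -Members (Get-ADUser -SearchBase $studentOU -Filter *)

# 2. A GPO linked ONLY to the employee-computer OU. Classroom/lab OUs never get this link,
#    so students keep logging in there with the same credentials.
$gpo = New-GPO -Name "Deny student interactive logon"
New-GPLink -Name $gpo.DisplayName -Target $employeePC -LinkEnabled Yes

# 3. "Deny log on locally" is the user right SeDenyInteractiveLogonRight. Security templates
#    reference principals by SID with a leading '*'. Import the file with GPMC:
#    Computer Configuration > Policies > Windows Settings > Security Settings > Import Policy.
$sid = (Get-ADGroup "Students").SID.Value
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$sid
"@ | Set-Content -Path "$env:TEMP\DenyStudentLogon.inf" -Encoding Unicode

# Deny always overrides "Allow log on locally", so leave Allow undefined on employee machines:
# defining it in a GPO replaces the local list, and omitting Administrators locks admins out.
```

Employees who must sign in to lab machines need no trust or second domain; they simply are not members of the denied group, so the Allow/Deny split is done per OU link rather than per domain.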
