Educause Security Discussion mailing list archives
Re: Secondary AD domains for students - good or more work when not needed?
From: Allen Wood <awood () HILLCOLLEGE EDU>
Date: Thu, 20 Apr 2017 14:55:22 +0000
I agree with Eric on this one. I inherited a network with a “student” child domain. It works but the child domain isn’t necessary. Also, if you have on-premise Exchange, DAG will not work unless all servers are on the same domain… That’s one of my ongoing issues that I’ve decided to ignore for a little while.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Lukens
Sent: Thursday, April 20, 2017 9:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Secondary AD domains for students - good or more work when not needed?

I would suggest one domain and putting the students into an OU of their own and adding them to a group in AD. Then you can use group policy on your computers to use a combination of the "Allow log on locally" and the "Deny log on locally" setting to block/allow accounts from logging in at places as necessary.

On Wed, Apr 19, 2017 at 11:32 PM, Terry Jolley <terry.jolley () pcc edu> wrote:

Hi All,

I am new to this Educause group and looking for advice or best practices. We are a large community college and have just implemented Microsoft Active Directory for all faculty, staff "employees" and classroom/general use computers. We now need to figure out how to handle student accounts. Do we add students to the existing AD domain, possibly using a "student" OU or do we create a secondary AD Domain to create a security perimeter from our employee domain? We also would most likely move the classroom/general use machines to this secondary domain if we go that route. We would not want students to be able to login to an "employee" computer joined to AD, but they should be able to login to a classroom, lab, general use computer using their AD credentials. We also currently use a defined OU structure that separates classroom/general computers at the root level from employee computers within the one domain.

Looking for any advice on this topic... We have some use cases where "employees" will have to login to the classroom/general computers so AD "trust" between the sub domains will be required. Again, reason for secondary "student" domain is based on general security preferences, but if there is a better way of handling while keeping everyone in one domain it would be preferred.

Thank you for your time in this matter.

Terry Jolley
Portland Community College

--
============================================================
Eric C. Lukens
IT Security Compliance & Policy Analyst
Information Security
Innov Teaching & Tech Ctr 117D
University of Northern Iowa
Cedar Falls, IA 50614-0301
(319) 273-7434
http://sites.uni.edu/elukens/
============================================================
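An added example, not part of any message in this thread: a PowerShell sketch of the single-domain layout suggested above (student OU plus a group), followed by a check of whether a given computer's "Deny log on locally" and "Allow log on locally" rights list that group. The domain `example.edu`, the OU name `Students`, the group name `All-Students` and the helper `Get-LogonRightHolders` are assumptions; the rights themselves are set in a GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

```powershell
# Added example. Assumed names (not from the thread): example.edu, "Students" OU, "All-Students" group.
Import-Module ActiveDirectory   # RSAT Active Directory module

$domainDN  = 'DC=example,DC=edu'
$studentOU = "OU=Students,$domainDN"
$groupName = 'All-Students'

# 1. Single domain: a dedicated OU and security group for student accounts.
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Students)' -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Students' -Path $domainDN
}
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $studentOU
}

# 2. Keep group membership in step with the OU (add only accounts that are not members yet).
$current = @(Get-ADGroupMember -Identity $groupName | ForEach-Object { $_.distinguishedName })
$missing = @(Get-ADUser -Filter * -SearchBase $studentOU |
             Where-Object { $current -notcontains $_.DistinguishedName })
if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $groupName -Members $missing }

# 3. SID of the group; this is the value that appears in exported user rights.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# 4. Hypothetical helper: run elevated on a computer to list who holds a logon right.
function Get-LogonRightHolders {
    param([Parameter(Mandatory)][string]$Right)   # e.g. SeDenyInteractiveLogonRight
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $hit = Select-String -Path $cfg -Pattern "^$Right\s*=" | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $hit) { return @() }                 # right not assigned to anyone
    ($hit.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

# SeDenyInteractiveLogonRight = "Deny log on locally"; SeInteractiveLogonRight = "Allow log on locally".
$denied  = (Get-LogonRightHolders 'SeDenyInteractiveLogonRight') -contains $groupSid
$allowed = (Get-LogonRightHolders 'SeInteractiveLogonRight')     -contains $groupSid
[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    StudentsDenied            = $denied    # expected True on employee computers
    StudentsExplicitlyAllowed = $allowed   # False can still mean allowed via a nested group such as Users
}
```

On a computer without the RSAT module, skip steps 1 to 3 and set `$groupSid` by hand. A deny entry takes precedence over any allow entry that also matches the account.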
Current thread:
- Re: Secondary AD domains for students - good or more work when not needed? Terry Jolley (Apr 19)
- Re: Secondary AD domains for students - good or more work when not needed? Eric Lukens (Apr 20)
- Re: Secondary AD domains for students - good or more work when not needed? Allen Wood (Apr 20)
- Re: Secondary AD domains for students - good or more work when not needed? Nicholas Garigliano (Apr 20)
- Re: Secondary AD domains for students - good or more work when not needed? Eric Lukens (Apr 20)