As an Ex-Teacher, I think the problems of Pupils messing with other
Pupils' accounts mean they should have the same settings as teachers. If
they forget the password it should be worksheets for three weeks!

However, point taken: there are some accounts that should have higher
security settings; perhaps this is a real design flaw in AD...

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: 26 April 2006 15:44
To: [email protected]
Subject: RE: [ActiveDir] Root Place Holder justification


I view number 1 security issues more at the GPO level than the resource
level. Password and lockout policies on accounts.

For example in my environment (public school) I could make a case that
Teachers need a strong password policy and a quick lockout while the
students do not (and should not because they typo passwords so often).
We don't do that and only have a single domain but it is a valid
example.

I could only get the above with teachers in one domain and students in
another. But that is a case for two domains, not the empty root domain
that it seems the OP is being pushed towards.


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
> Sent: Wednesday, April 26, 2006 10:29 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Root Place Holder justification
> 
> 
> 
> Number "1" of these really drives me nuts and at this point I usually
> start shouting. As domains do NOT limit resource access, i.e. users in
> Domain "A" can access resources in domain "B" (in fact that's the
> usual reason for having trusts between domains) and the other way round,
> how can you justify different Security Requirements? They are in effect
> both securing the same objects.
>
> Number "2" tends to become irrelevant if you have Exchange because
> that stuffs everything back into the GC that the AD designers took
> out, and you really need GCs everywhere.
> 
> Number "3" => Is a good reason to start rationalizing.
> 
> Having said that, when I worked for Compaq I produced a number of
> designs with an Empty Root and, as others have said, these were always
> passed by both Microsoft and Andersen Consulting as they were then.
> Personally I would like to see the business benefit that all those
> extra DCs deliver. (That is business benefit to the customer, not to
> the server supplier and Microsoft.)
>
> Dave.
>
> P.S. Please note the above are my personal views and not those of
> Stockport Council.
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
> Sent: 26 April 2006 14:56
> To: [email protected]
> Subject: RE: [ActiveDir] Root Place Holder justification
> 
> 
> Your subject is your answer. They need to justify a root domain. Is 
> there an actual reason for it?
> 
> There are only three reasons to have one, imho... (cut and pasted from
> a google search)
>
> 1. Security requirements are different (password, lockout, and
> Kerberos policies must be applied at the domain level).
> 2. To control/limit replication (but note the recommendations for
> number of objects in a domain with slow links - if the slowest link is
> 56 kbps, the domain should have no more than 100,000 users).
> 3. Because you inherit a multiple domain setup.
>
> I question number three myself. I would rather clean it up than
> continue with a past decision but I guess that depends upon the impact
> to operations and the complexity of consolidation.
> 
>  
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> > Sent: Wednesday, April 26, 2006 9:37 AM
> > To: ActiveDir.org
> > Subject: [ActiveDir] Root Place Holder justification
> > 
> > Does anyone have any official documentation as to the justification
> > for a root place holder, pros and cons?
> >
> > Where I am - I have started at one domain and can see no reason to
> > expand on that - they only have 6 DCs now in a single domain - yet
> > the partner they have chosen is recommending a root place holder with 5
> > DCs and then 8 in the child domain (they are NOT even supplying the
> > tin) and I wanted some decent ammo - a little bit stronger than schema
> > and Ent admin separation.
> >
> > I know at DEC the consensus was the desire to eliminate and I believe
> > Guido and Wook have stated this for the past two DECs.
> > 
> > I have searched this list and can find no relevant articles.
> > 
> > Many thanks
> > 
> > Regards
> > 
> > Mark
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > 