On Mon, Jul 18, 2011 at 4:33 PM, Robert Au <[email protected]> wrote:
> On Jul 18, 2011, at 3:22 PM, Atom Powers wrote:
>
>> On Mon, Jul 18, 2011 at 3:09 PM, Ski Kacoroski <[email protected]> wrote:
>>> 1. ad.nsd.org
>>> Single top level domain for staff and students. We are concerned because
>>> this will allow students to log into staff computers and see resources in
>>> the entire domain. If you have a setup like this, have you seen problems
>>> with students getting into machines/resources they should not?
>>
>> Although we use Samba (so take my comments with a bucket of NaCl), we
>> have something like this. Our biggest headache is the inability to set
>> domain policies specific for staff or students. Everybody is in the
>> same domain so they all get the same policies. I don't know if you
>> can set domain policies based on group membership in a real AD domain.
>
> I am very much not an AD expert, but my impression was that one could
> segregate users into different OUs, and then assign group policies based
> on those OUs.
>
> http://technet.microsoft.com/en-us/library/cc783140%28WS.10%29.aspx
>
> Perhaps I am missing what you are trying to do, though.
I'm not super familiar with the school district, but looking at their site they would seem to have tens of thousands of LDAP objects, so it may be beneficial to segregate these out into separate domains. Otherwise browsing would get very slow quickly. I like the staff.ad.* / students.ad.* idea.

Just out of curiosity, are we talking about OpenLDAP as the directory service in operation, or do we have a hybrid situation where some Samba servers have SPNs set up in the AD to authenticate users?

Thanks,
Dennis O.

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
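The OU-per-population layout Robert describes above (staff and students in separate OUs of the one ad.nsd.org domain, each OU with its own Group Policy link) can be built and checked with the ActiveDirectory and GroupPolicy PowerShell modules. The script below is an added example written for this page; it is not from any poster on the thread or from the district. The domain DN is taken from ad.nsd.org as named in the thread; the OU names, group names and GPO names are assumptions, and the security filtering at the end is an extra precaution so that an account misfiled in the wrong OU does not pick up the other population's policy.

```powershell
# Added example (not from the thread). Requires RSAT: ActiveDirectory and
# GroupPolicy modules, run as a domain admin. All names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=ad,DC=nsd,DC=org'   # from the thread; adjust for your forest

# One OU per population, for users and for computers, so policy can differ
# between staff and students without splitting the domain.
$ouNames = 'Staff', 'Students', 'Staff Computers', 'Student Computers'
foreach ($name in $ouNames) {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" `
        -SearchBase $domainDn -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $name -Path $domainDn `
            -ProtectedFromAccidentalDeletion $true
    }
}

# Security groups used for GPO security filtering (assumed names).
foreach ($g in 'Staff', 'Students') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security `
            -Path "OU=$g,$domainDn"
    }
}

# Separate GPOs, each linked only to its own population's OUs.
$policies = @{
    'Staff Policy'   = @('Staff', 'Staff Computers')
    'Student Policy' = @('Students', 'Student Computers')
}
foreach ($gpoName in $policies.Keys) {
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $gpoName -Comment 'Per-population policy (added example)'
    }
    foreach ($ouName in $policies[$gpoName]) {
        $target = "OU=$ouName,$domainDn"
        $linked = (Get-GPInheritance -Target $target).GpoLinks |
            Where-Object { $_.DisplayName -eq $gpoName }
        if (-not $linked) {
            New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
        }
    }
}

# Security filtering: keep Authenticated Users at Read (computer accounts
# need it to process user policy), and grant Apply only to the matching group.
$filters = @{ 'Staff Policy' = 'Staff'; 'Student Policy' = 'Students' }
foreach ($gpoName in $filters.Keys) {
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $filters[$gpoName] `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Check: each OU should list only its own population's policy.
foreach ($name in $ouNames) {
    $links = (Get-GPInheritance -Target "OU=$name,$domainDn").GpoLinks |
        Select-Object -ExpandProperty DisplayName
    '{0}: {1}' -f $name, ($links -join ', ')
}
```

Two practical notes. First, the control that addresses Ski's actual worry (students logging on to staff machines) is the "Deny log on locally" user rights assignment for the Students group, set in Staff Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment; the GroupPolicy cmdlets do not expose user rights assignments, so that part is done in the GPO editor or by importing a security template. Second, the policy only applies to objects that are actually inside the linked OUs: newly joined machines land in the default Computers container, which cannot have a GPO linked to it, so either move them or redirect the default container with `redircmp`.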
