On 07/19/2011 09:29 AM, Dennis wrote:
On Mon, Jul 18, 2011 at 4:33 PM, Robert Au
<[email protected]>  wrote:
On Jul 18, 2011, at 3:22 PM, Atom Powers wrote:

On Mon, Jul 18, 2011 at 3:09 PM, Ski Kacoroski<[email protected]>  wrote:
1. ad.nsd.org
Single top level domain for staff and students.  We are concerned because
this will allow students to log into staff computers and see resources in
the entire domain.  If you have a setup like this, have you seen problems
with students getting into machines/resources they should not?

Although we use Samba (so take my comments with a bucket of NaCl), we
have something like this. Our biggest headache is the inability to set
domain policies specific for staff or students. Everybody is in the
same domain so they all get the same policies. I don't know if you
can set domain policies based on group membership in a real AD domain.

I am very much not an AD expert, but my impression was that one could
segregate users into different OUs, and then assign group policies based
on those OUs.

  http://technet.microsoft.com/en-us/library/cc783140%28WS.10%29.aspx

Perhaps I am missing what you are trying to do, though.

I'm not super familiar with the school district, but looking at their
site they would seem to have tens of thousands of LDAP objects, so it
may be beneficial to segregate these out into separate domains.
Otherwise browsing would get very slow quickly. I like the
staff.ad.* students.ad.*

Just out of curiosity, are we talking about OpenLDAP as the directory
service in operation, or do we have a hybrid situation where some Samba
servers have SPNs set up in the AD to authenticate users?


This is for AD, not LDAP or Samba. Within AD it is pretty easy to set up policies based on OU membership, so that is not a problem.

cheers,

ski

--
"When we try to pick out anything by itself, we find it
 connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, [email protected], 206-501-9803
or ski98033 on most IM services
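The OU-based policy split Robert and Ski describe, as an added example that is not part of the thread: one domain, separate Staff and Students OUs, one GPO per population linked only to that OU, and security filtering so a policy cannot reach the other population. The domain DN, OU and group names are assumptions; it needs the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin workstation.

```powershell
# Added example, not from the mailing-list thread. Assumes the domain
# ad.nsd.org named in the thread; OU, group and GPO names are made up.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=ad,DC=nsd,DC=org'   # assumed domain DN

# OU tree: each population gets its own Users and Computers containers,
# so policy and delegation boundaries follow the OU, not the domain.
$ous = @(
    @{ Name = 'Staff';     Path = $domainDN },
    @{ Name = 'Users';     Path = "OU=Staff,$domainDN" },
    @{ Name = 'Computers'; Path = "OU=Staff,$domainDN" },
    @{ Name = 'Students';  Path = $domainDN },
    @{ Name = 'Users';     Path = "OU=Students,$domainDN" },
    @{ Name = 'Computers'; Path = "OU=Students,$domainDN" }
)
foreach ($ou in $ous) {
    New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path `
        -ProtectedFromAccidentalDeletion $true
}

# Global groups used for GPO security filtering (assumed names).
New-ADGroup -Name 'Staff-Users'   -GroupScope Global -Path "OU=Users,OU=Staff,$domainDN"
New-ADGroup -Name 'Student-Users' -GroupScope Global -Path "OU=Users,OU=Students,$domainDN"

# One GPO per population, linked only at that population's OU.
$staffGpo   = New-GPO -Name 'Staff Policy'
$studentGpo = New-GPO -Name 'Student Policy'
New-GPLink -Name $staffGpo.DisplayName   -Target "OU=Staff,$domainDN"    -LinkEnabled Yes
New-GPLink -Name $studentGpo.DisplayName -Target "OU=Students,$domainDN" -LinkEnabled Yes

# Security filtering: drop the default Apply right for Authenticated Users
# (leave Read so computers can still process the GPO) and grant Apply only
# to the intended group. Even if a student account lands under the wrong
# OU, the Staff Policy will not apply to it.
Set-GPPermission -Name $staffGpo.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $staffGpo.DisplayName -TargetName 'Staff-Users' `
    -TargetType Group -PermissionLevel GpoApply

Set-GPPermission -Name $studentGpo.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $studentGpo.DisplayName -TargetName 'Student-Users' `
    -TargetType Group -PermissionLevel GpoApply

# Check: each OU should show exactly its own GPO link and nothing inherited
# from the other population.
Get-GPInheritance -Target "OU=Staff,$domainDN"    | Select-Object -ExpandProperty GpoLinks
Get-GPInheritance -Target "OU=Students,$domainDN" | Select-Object -ExpandProperty GpoLinks
```

The concern in Ski's first point (students logging into staff machines) is handled in the same structure: the GPO linked at OU=Computers,OU=Staff is where the "Deny log on locally" user right for Student-Users would be set under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment; user rights live in the GPO's security template rather than the registry, so they are edited in the Group Policy Management Editor rather than with the cmdlets above.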
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
