On Mon, Jul 18, 2011 at 3:09 PM, Ski Kacoroski <[email protected]> wrote:
> 1. ad.nsd.org
> Single top level domain for staff and students. We are concerned because
> this will allow students to log into staff computers and see resources in
> the entire domain. If you have a setup like this, have you seen problems
> with students getting into machines/resources they should not?

My $0.02 is that you should avoid creating additional domains as much as possible. It sounds like you want a multi-domain setup mostly for security, and I personally don't think that you get a big enough security gain in a multi-domain setup to offset the additional administrative costs in a K-12 environment.

Controlling who has access to what in a single domain is relatively easy with policies and setting appropriate permissions. Yes, if a tech is careless, they can leave something more open, and a student could access it, but that can happen even in a multiple domain setup.

Also consider that, while it may break policy, it is likely students have access to the teacher's station anyway, no matter how you set up your domains. In my experience it is very difficult to get teachers to be really concerned about security. Teachers often share their credentials with their student TA, and with the technically inclined students who help them fix problems that cannot be handled by the typically understaffed K-12 IT departments.

I am going to guess that you will have a maximum of about 22,000 accounts and somewhere between 2000-2500 computers, since Northshore has ~20,000 students. This should be able to be handled easily by a single domain. With a single domain you have less work to duplicate by creating policies in multiple locations. You have fewer domain controllers to maintain. You will have to put in some more effort into making sure you set up the policies and permissions correctly.

Even Microsoft doesn't seem to say that a separate domain creates a security boundary.

] http://technet.microsoft.com/en-us/library/cc756901(WS.10).aspx
] By contrast a domain is not a security boundary because within a forest
] it is not possible for administrators from one domain to prevent a malicious
] administrator from another domain from accessing data in their domain.

On Tue, Jul 19, 2011 at 9:29 AM, Dennis <[email protected]> wrote:
> I'm not super familiar with the school district, but looking at their
> site they would seem to have tens of thousands of ldap objects so it
> may be beneficial to segregate these out into separate domains.

For K-12 schools, I don't think this really does much, since 90-95% of the accounts will usually be student accounts, and the rest will be staff. Even if there is slow browsing because of the large number of objects, it isn't likely to be improved on the student side by breaking out the small percentage of staff accounts into a separate domain.

Chris Francy

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
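The single-domain approach above rests on getting the logon policies right: the way to keep students off staff workstations in one domain is the "Deny log on locally" (and "Deny log on through Remote Desktop Services") user right, pushed by a GPO linked to the staff-computer OU, with a deny always overriding the default allow for Users. Below is an added example, not part of Chris Francy's message or the LOPSA thread, that audits the effective policy on one staff workstation. It assumes a hypothetical domain group `AD\Students` that holds every student account and that the deny rights are delivered by GPO; it reads the effective local security policy with `secedit` and warns if the student group is missing from either deny right. Run it elevated on the machine being checked.

```powershell
# Added example (not from the original thread). Audits whether a staff
# workstation denies interactive and RDP logon to the student group.
# Assumption: a domain group named AD\Students (hypothetical) holds all
# student accounts; change -StudentGroup to match your domain.
param(
    [string]$StudentGroup = 'AD\Students'
)

# secedit exports the effective local security policy, including the
# User Rights Assignment that GPO applied, as an INI-style file.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
$null = secedit.exe /export /cfg $cfg /areas USER_RIGHTS
if (-not (Test-Path $cfg)) { throw "secedit export failed (run elevated)" }

# Returns the principals assigned to one right, as DOMAIN\Name strings.
# In the export, a right looks like: SeDenyInteractiveLogonRight = *S-1-5-21-...,*S-1-5-32-546
# Entries prefixed with '*' are SIDs and are resolved to account names here.
function Get-RightPrincipals {
    param([string]$Right)
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    $values = (($line -split '=', 2)[1]).Trim() -split ','
    foreach ($v in $values) {
        $v = $v.Trim()
        if ($v.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }   # unresolvable SID (e.g. deleted group): report raw
        } else { $v }
    }
}

$allowLocal = @(Get-RightPrincipals 'SeInteractiveLogonRight')
$denyLocal  = @(Get-RightPrincipals 'SeDenyInteractiveLogonRight')
$denyRdp    = @(Get-RightPrincipals 'SeDenyRemoteInteractiveLogonRight')

"Allow log on locally         : $($allowLocal -join ', ')"
"Deny log on locally          : $($denyLocal -join ', ')"
"Deny log on through RDP      : $($denyRdp -join ', ')"

# Deny rights take precedence over allow rights, so Users (which includes
# Domain Users, and therefore every student) may stay in the allow list as
# long as the student group is in both deny lists.
if ($denyLocal -notcontains $StudentGroup) {
    Write-Warning "$StudentGroup is NOT denied local logon on $env:COMPUTERNAME; a student can sign in at this console."
}
if ($denyRdp -notcontains $StudentGroup) {
    Write-Warning "$StudentGroup is NOT denied Remote Desktop logon on $env:COMPUTERNAME."
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

Running this across the staff-computer OU (for example through Invoke-Command against the computers in that OU) turns the "policies and permissions set correctly" argument into something you can verify, which matters because a workstation that never received the GPO, or that sits in the wrong OU, silently falls back to allowing any domain user to log on.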
