Re: School Design for AD

<phil2627@xxxxxxxxx> wrote in message
news:1177097376.113262.250010@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Apr 20, 2:23 pm, "Herb Martin" <n...@xxxxxxxxxxxxxx> wrote:
<phil2...@xxxxxxxxx> wrote in message

Thanks for the quick reply. We are just worried about:

- locking down the admin accounts

What does this mean (to you) precisely? You are always going to
have SOME admin account in every domain and these will be subject
to the same attacks no matter where they are located IF the network
is accessible.

- students being able to browse DCs (guessing we can "deny" the
student OU on "admin" DCs)

"Browse" means to see in Network Neighborhood and can be turned
off even though it offers very low security exposure (merely know the
share points or servers are there.)

ACCESS to those resources is controlled by PERMISSIONS.

You control permission by GROUPS not OUs though.

- have students login to student computers only (we'd also like to

Generally you WANT them to log on to the domain when they log on
to the computers -- you get easier CONTROL of them this way.

prevent the "log on to" box on the login screen)

You cannot but there are only limited choices for a machine:

1) The machine
2) The Domain of the machine
3) The Domains trusted by the machine's domain

And since every domain in a forest effectively trusts every other domain
in that forest this means that multiple domains don't provide full security
boundaries -- if they are in the same forest.

- different password policies for students vs staff (more strict for
staff)

You cannot do this with the built-in features in a single DOMAIN.

Password policies are PER domain for domain accounts.

My advice is to make the password policies strict for everyone and
just teach students to deal with it. They will likely have less trouble
than the teachers who must be TRAINED to use good password
security -- if you make passwords strong and don't train them they
will just write them on the side of the monitor or some such place.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
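An added example, not part of the original thread, showing two of the points above in practice: the password policy really is one setting per domain (so it is listed once for each domain in the forest), and student accounts can be limited to named student workstations through the account's "Log On To" (LogonWorkstations) attribute. It assumes the RSAT ActiveDirectory module and placeholder OU names (OU=Students and OU=StudentPCs under DC=school,DC=local).

```powershell
# Added example: audit the per-domain password policy and restrict student
# logons to student workstations. OU and domain names below are placeholders.
Import-Module ActiveDirectory

# 1) One password policy per domain: list the default policy of every domain
#    in the forest so staff/student differences are visibly impossible
#    within a single domain.
foreach ($domain in (Get-ADForest).Domains) {
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $domain
    [pscustomobject]@{
        Domain           = $domain
        MinLength        = $policy.MinPasswordLength
        Complexity       = $policy.ComplexityEnabled
        MaxAgeDays       = $policy.MaxPasswordAge.Days
        LockoutThreshold = $policy.LockoutThreshold
    }
}

# 2) Restrict each student account to the computers in the student-PC OU.
#    LogonWorkstations takes a comma-separated list of NetBIOS names and is
#    enforced at interactive logon regardless of which domain is picked in
#    the "Log on to" box.
$studentOU  = 'OU=Students,DC=school,DC=local'     # placeholder
$studentPCs = (Get-ADComputer -SearchBase 'OU=StudentPCs,DC=school,DC=local' -Filter *).Name

# The attribute holds only a limited number of names (64 per account in the
# ADUC dialog); for a large lab keep the list per classroom or use a group
# with "Allow log on locally" on the student machines instead.
if ($studentPCs.Count -gt 64) {
    throw "Too many student PCs ($($studentPCs.Count)) for a single LogonWorkstations list"
}
Get-ADUser -SearchBase $studentOU -Filter * |
    Set-ADUser -LogonWorkstations ($studentPCs -join ',')
```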
