Re: School Design for AD



I concur with the advice so far. In my experience, having more than one
domain adds complications. You need good reasons to have more than one.

I have supported several schools and the poster brings up excellent points.
The requirements for kindergarten students learning keyboarding skills are
different from those for 8th graders and teachers. However, I think Microsoft is
starting to realize this. One option is "Shared Computer Toolkit for Windows
XP". Info linked here:

http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx

Password policies are one concern. I have found that even pre-schoolers can
easily log on with simple username/password combinations. I know this makes
it difficult to enforce more secure passwords elsewhere, but I would advise
against creating more domains simply to enforce stricter password policies.
You can make passwords not expire for some users, and even make passwords not
required (if necessary). These settings won't affect the other users.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:O0vcn45gHHA.1312@xxxxxxxxxxxxxxxxxxxxxxx

<phil2627@xxxxxxxxx> wrote in message
news:1177097376.113262.250010@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Apr 20, 2:23 pm, "Herb Martin" <n...@xxxxxxxxxxxxxx> wrote:
<phil2...@xxxxxxxxx> wrote in message

Thanks for the quick reply. We are just worried about:

- locking down the admin accounts

What does this mean (to you) precisely? You are always going to
have SOME admin account in every domain and these will be subject
to the same attacks no matter where they are located IF the network
is accessible.

- students being able to browse DCs (guessing we can "deny" the
student OU on "admin" DCs)

"Browse" means to see in Network Neighborhood and can be turned
off even though it offers very low security exposure (merely know the
share points or servers are there.)

ACCESS to those resources is controlled by PERMISSIONS.

You control permission by GROUPS not OUs though.

- have students log in to student computers only (we'd also like to

Generally you WANT them to logon to the domain when they logon
to the computers -- you get easier CONTROL of them this way.

prevent the "log on to" box on the login screen)

You cannot, but there are only limited choices for a machine:

1) The machine
2) The domain of the machine
3) The domains trusted by the machine's domain

And since every domain in a forest effectively trusts every other domain
in that forest, this means that multiple domains don't provide full security
boundaries -- if they are in the same forest.

- different password policies for students vs staff (more strict for
staff)

You cannot do this with the built in features in a single DOMAIN.

Password policies are PER domain for domain accounts.

My advice is to make the password policies strict for everyone and
just teach students to deal with it. They will likely have less trouble
than the teachers who must be TRAINED to use good password
security -- if you make passwords strong and don't train them they
will just write them on the side of the monitor or some such place.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
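The two points the posts make about a single-domain design, as an added PowerShell example that is not code from Richard's or Herb's posts: the domain carries exactly one password policy, but "password never expires" and "password not required" are per-account bits in userAccountControl, so they can be set on student accounts without touching staff. It also applies the per-account "Log On To" workstation list, which is the standard AD mechanism for phil's "students on student computers only" request (the thread itself does not give a command for it). The OU paths, the lab workstation names and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not code from the thread. Assumes RSAT's ActiveDirectory module
# and the hypothetical OU paths and workstation names below.
Import-Module ActiveDirectory

$studentOU = 'OU=Students,OU=School,DC=example,DC=edu'   # assumption
$staffOU   = 'OU=Staff,OU=School,DC=example,DC=edu'      # assumption
$labPCs    = 'LAB01,LAB02,LAB03'                         # assumption: NetBIOS names, comma-separated

# 1. One password policy for the whole domain (there is no per-OU policy).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold

# 2. Per-user overrides are bits in each account's userAccountControl attribute,
#    so setting them on students changes nothing for staff:
#      0x10000  DONT_EXPIRE_PASSWD  -> -PasswordNeverExpires
#      0x00020  PASSWD_NOTREQD      -> -PasswordNotRequired (permits a blank password; use sparingly)
$students = Get-ADUser -SearchBase $studentOU -Filter * -Properties userAccountControl
foreach ($s in $students) {
    Set-ADUser -Identity $s -PasswordNeverExpires $true
    # Set-ADUser -Identity $s -PasswordNotRequired $true   # only where a child really needs it

    # 3. Limit where this account may log on ("Log On To..." on the Account tab).
    #    This restricts the account, not the machine, so it works in a single domain.
    Set-ADUser -Identity $s -LogonWorkstations $labPCs
}

# 4. Verify the overrides touched only the student OU.
$leaked = Get-ADUser -SearchBase $staffOU -Filter * -Properties PasswordNeverExpires, PasswordNotRequired |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired }
if ($leaked) {
    $leaked | Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired
} else {
    'Staff accounts still follow the domain password policy.'
}

# 5. Decode the raw flags on one student account to see exactly which bits were set.
$one = Get-ADUser -SearchBase $studentOU -Filter * -Properties userAccountControl -ResultSetSize 1
'{0}: userAccountControl=0x{1:X} never-expires={2} not-required={3}' -f $one.SamAccountName,
    $one.userAccountControl,
    [bool]($one.userAccountControl -band 0x10000),
    [bool]($one.userAccountControl -band 0x20)
```

Two caveats a practitioner would want: "password not required" lets an account hold a blank password, so it should be limited to the specific accounts that need it and those accounts should be in their own group with minimal permissions. And if the domain functional level is Windows Server 2008 or later, fine-grained password policies (Password Settings Objects applied to groups) give different password rules to students and staff inside one domain, which removes the original reason to consider a second domain at all.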