AD Re-structure - need .EDU SysAdmin input.

We are in the process of putting an AD re-structure project in place, and a few -"unsolvable"- questions came up.

How did you guys structure your Students's and Alumni OUs? Per Program, Major, Course, Year student started/ Suppose to graduate.. etc..
How about security groups where some students in some courses require "Power User" or "Admin" level privileges? How dynamic are the groups ? Manual, or automated membership change?
We are about 4K workstations, 2 Forests (Administrative/Students one way trust) and ... 2 System Admins, 1 Exchange, 2 Desktop/Image guys. We feel like we are understaffed, but question is; how many hands are we short ? Any documents where we could find the suggest number of IT/ SysAdmins for such environment?
i have googled: site:edu .doc "AD structure", but so far, all generic stuff.

WOuld appreciate links and docs, or PM, if you dont feel like discussing your environment in open public. Security matters.

Thanks girls and boys.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

MentholMoose

1. I guess it depends on how many users you have. My previous sysadmin job was at a small-ish private college (~2500 students enrolled) and IIRC we had one big Students OU and one Alumni OU.
2. We did not grant any students Power User or Administrator privileges on any of our machines. Groups were used to provide access to course- or major-specific applications and membership was done with scripts using data from admissions.
3. Not sure about this one.
4. EDU IT seems to be very collaborative. If you try calling some other colleges I bet you can get a sysadmin on the phone and they will provide some more feedback. I did this once to find out how some other schools were managing their applications (basically to get a sanity check on the plans we had to implement VDI) and everyone I called was happy to discuss their environment.

Qord

1.One big OU for all active students and alum. By default, any account with no activity for a set amount of time is automatically disabled, which then gets moved to a disabled accounts OU.

2.No students get any special groups (except for those that need to use the fancy color printers for classes that pay a lab fee for them) Those printers each get their own group to grant access. However, all users are local admins on student machines. We use DeepFreeze to keep things fresh (for the most part) so this doesn't concern us much. Control over programs is done via group policy and something called keyserver.

3.I’d definitely call that short. One single physical location/campus? Do you have remote locations/offices?

4.For this I’d say to try asking around in the “Education” forum in Spiceworks community page. I've gotten some good answers there before. Educause also might have some good resources and best practices for you to check out.

JBrown

Qord wrote: »

3.I’d definitely call that short. One single physical location/campus? Do you have remote locations/offices?

Our campuses spread around the city, with 100 to 1000 workstations per campus.

Qord wrote: »

4.For this I’d say to try asking around in the “Education” forum in Spiceworks community page. I've gotten some good answers there before. Educause also might have some good resources and best practices for you to check out.

That looks a good place to start. Thanks man.

[QUOTE=MentholMoose]
4. EDU IT seems to be very collaborative. If you try calling some other colleges I bet you can get a sysadmin on the phone and they will provide some more feedback. I did this once to find out how some other schools were managing their applications (basically to get a sanity check on the plans we had to implement VDI) and everyone I called was happy to discuss their environment.
[/QUOTE]

Gotta give it a try. I found something interesting, on Cornell's website. They have published some of their designs, structure, and AD structure. I will shoot them an email, and see where is taking us.

We do have the design/structure and looking for "re-assurance" on the OU side. Would not want it come back to bite us in the ass closer to the implementation.

crrussell3

edugeek.net is also a very good resource to use, even if you aren't working in Education IT. A lot of their issues are issues that non-profits have to deal with, so lots of good solutions on there.

sratakhin

1. Why would you want to divide your students into different OUs? Do you want to apply different group policies or delegate management of accounts to others? Do you want to move their user and computer accounts when they change majors?
2. If you migrated to Windows 8, you can use VMs with Hyper-V. It's better to grant people access to VMs instead of physical boxes. If you use Windows XP/7 - VMWare Player or Workstation.
3. Definitely.

lsud00d

Note: I wasn't an AD admin at my uni but I did have AD priv's since I worked in IT so I perused. If I had to guess I would put AD user objects at around ~40k

1. Student's were in one OU. When you graduate or are inactive for 2 semesters your account is purged. Only thing Alumni get is a different email address which is handled by the Alumni center.
2. Students did not have any extra privileges. Group memberships for certain things (access to downloadable software) was tied into the mainframe.
3. Do you feel that you are understaffed? On the surface of things it sounds like you might be 1-2 FTE short.
4. There are some good suggestions, also checked out linkedin, mailing lists, or any conference organizations your school might be a part of.

JBrown

We went with combination of all of the above

) Did some back and force with MS premier support, and to keep project going decide to go with something simple. Thanks all for your input.