AD in a school environment

Thomas

Hello

I am slowly starting to use AD in the school where I work.
I have recently upgraded the server from NT4 to 2000.

Before, the users have had their username with their class
ID first, like: 1atom - which is Tom in class "1a". This
was for grouping purposes. This makes us change their
username every year when they change classes.

I wish to use another system where I want the users to
have the same username throughout their school period here.

What I am wondering is how this is best done.. I wish to
have the classes grouped together. Is it a good idea to
make an OU for each class? Will it then be a problem in
the following year when I wish to change the OU to "2a"
instead? Or maybe the easiest way is to simply move the
users to the "2a" OU.

This school has several different classes. When the
students have tests we must prevent permissions for some
areas for some students. Up until now we have done this
manually. I know this is a bad explanation - but is there
anyone out there who has the same experience and has had
the same needs (and found a solution) - and wishes to share
it? :)

Thanks in advance
 
Simon Geary

OU's are not used to assign permissions, this is a function of groups. So if
you wish to prevent certain students accessing certain folders you will
assign the permissions to groups and the OU structure will be irrelevant.

As for your OU design, I would try to stick to something that does not
require either OU's or user accounts to be renamed on an annual basis. How
about creating a separate OU for each class and giving each pupil a unique
account that they will keep throughout school. Then when pupils change years
you can just move the accounts to a new OU.

But consider why you want to have separate OU's, do you have a technical
reason for wanting to keep separate years in separate OU's? Are you going to
assign different group policies to each year or use administrative
delegation? If the answer to both these questions is no then maybe you don't
even need to create multiple OU's. Why not have just one OU called Pupils?
 
Thomas

The grouping of users in OUs wasn't for assigning
permissions. The reason for this was to more easily
assign permissions manually; for example if I had to
disable the whole class I could easily mark all the users
in one OU and then disable them. This was so that I didn't
have to name the users with the class name in front.

I think I will make OUs for each class. And when the
pupils get one year older I will move them to the new OU
which corresponds to their new class name. This will be
the best thing. For now.

Is there anybody who has experience with other solutions?
This sounds like the best solution the more I think of
it.. :) But maybe there are some holes that I don't see..
hm..
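
Added example, not part of any post in this thread: one way to script the year-end step discussed above, where pupils keep one username, the account moves to the next class OU, and a per-class security group (not the OU) carries the folder permissions. It assumes a domain controller recent enough to provide the ActiveDirectory PowerShell module, which is newer than the Windows 2000 server mentioned in the thread; the domain name, the `OU=Pupils` parent, the `Class-<name>` group naming and the function name are all hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Every DN, OU name and group name below is hypothetical.
$PupilsRoot = 'OU=Pupils,DC=school,DC=example'   # assumed parent OU for all class OUs

function Move-ClassToNextYear {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$FromClass,   # e.g. '1a'
        [Parameter(Mandatory)][string]$ToClass      # e.g. '2a'
    )
    $fromOu    = "OU=$FromClass,$PupilsRoot"
    $toOu      = "OU=$ToClass,$PupilsRoot"
    $fromGroup = "Class-$FromClass"   # assumed: one security group per class
    $toGroup   = "Class-$ToClass"

    # Fail before anything is changed if the target OU or group is missing.
    Get-ADOrganizationalUnit -Identity $toOu -ErrorAction Stop | Out-Null
    Get-ADGroup -Identity $toGroup -ErrorAction Stop | Out-Null

    # OneLevel: only accounts directly in the class OU, not in nested OUs.
    $pupils = @(Get-ADUser -Filter * -SearchBase $fromOu -SearchScope OneLevel)
    foreach ($p in $pupils) {
        if ($PSCmdlet.ShouldProcess($p.SamAccountName, "promote $FromClass to $ToClass")) {
            # Folder permissions follow group membership, so update it explicitly;
            # moving the account between OUs does not change any group.
            Add-ADGroupMember    -Identity $toGroup   -Members $p
            Remove-ADGroupMember -Identity $fromGroup -Members $p -Confirm:$false
            # Only the distinguished name changes; sAMAccountName stays the same.
            Move-ADObject -Identity $p.DistinguishedName -TargetPath $toOu
        }
    }
    $pupils.Count   # number of accounts found in the source OU
}

# Process the highest year first so '2a' is empty before '1a' moves in.
# -WhatIf previews the changes without applying them.
# Move-ClassToNextYear -FromClass '2a' -ToClass '3a' -WhatIf
# Move-ClassToNextYear -FromClass '1a' -ToClass '2a' -WhatIf
```

If the old class group is left in place after the move, pupils keep last year's folder access, which is why the group swap is done in the same step as the OU move.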
 
andi

This seems to be a 'generic' grouping students issue rather than a
specific AD one, so while we don't use AD I can still comment :)

We group them by year of entry using two digits so the year that have
just started are 03jones, 03smith, 03brown etc - through to our
current top year who would be 99jones, 99smith, etc

We find that on the whole we want to give permissions by entire year
groups and then only remove one or two individuals.
 
wcrouse

Hi
I work in a school also. It's important to keep in mind that AD and
security groups are very different things.
In the AD, think broadly so you don't lock yourself in to a structure
that in a year or two will no longer fit. For instance, I have OU's
such as 'Students', 'Administrators', and 'Faculty'. You can get more
granular in subfolders if you really think you need to.
Regarding Security groups, think in particulars. Security groups are
where I break students down into classes, and here too I have groups
for particular classes with their rosters. Security groups can also do
double duty as mail distribution groups should the need arise, so
think in those terms as well.
It gets more complex from there. We are considering instituting a
tablet PC program in the coming year, which means participating
classes/students will need varying degrees of access during the school
day depending on whether they are notetaking, browsing, or testing. I
also have to control unauthorized users/ machines from just plugging
in (or tuning in, for wireless) at random. That means manageable
switches with several virtual local networks (VLANs) each configured
in a certain way.
The point is, once you start down this road your needs will only
really become visible some distance in the future. So be a generalist
at the beginning to preserve your options as your network matures.
 
paul

Hello,

Consider this: a bundle of scripts that can create 2000 users with their
homedirectory and some other private folders, with the proper rights to
those folders and local group membership (their classes) in just 5
minutes... (I'm working on it... and it's a 'success' but I haven't
implemented it in real school life)... The only thing you need is some
sort of database (excel, db, access, foxpro, ...) Every new school year
I'll change the students' disk with a new one (inexpensive...) and
re-apply the whole process. It's good for security reasons (at least
change password every year)...

You could mail me, but I can't promise anything concerning deadlines and
so.

Paul
webmaster@xxxxxx_sint-lodewijkscollege.be
remove the xxxxxx_
 
