  1. #1


    Best Practices: LDAP/Active Directory and Account Provisioning

    Hi all,

    I am just wondering, seeing the different ways schools have their directory servers set up. What exactly does your directory schema look like and how are the groups and organizational units set up for your different schools?

    1. How do you organize members in different schools?
    2. What groups do you have set up for students, teachers, parents, administrators, etc.?
    3. How do you manage large amounts of student accounts moving from one school or grade to another? Also, how do you handle student accounts who have graduated?
    4. What LDAP system do you use (Microsoft Active Directory, Novell eDirectory, OpenLDAP, etc.)?
    5. Anything else interesting you do that works well?


    If you have some good experience and could answer one or more of the questions, that would be greatly appreciated. It would be helpful to me, and I'm sure others would find it useful. Thanks much!
    Last edited by cgabbadon; 7th May 2008 at 09:48 PM.

  2. #2

    FN-GM
    1. Each group has their own OU. Administrators have their own OU Staff then in that it's split up into support, teaching etc.

    2. Each group of users have their own group such as year of 2004 students and teaching staff.

    3. If they move school they will just get a new account in the new school. After students leave the accounts are disabled then in September they are deleted. We name each group after the year they started so there will be no change at each new academic year.

    4. Microsoft Windows Active Directory on Windows Server 2003

    We also filter staff and students differently: students are locked down tight, staff have a little more freedom. Some schools have two networks, a curriculum and admin network. We have a flat network here and are in a multiple domain forest. That basically means lots of schools connected together; students and staff can log in to other schools if they need to.


  4. #3

    Thanks much - I appreciate your feedback!

  5. #4

    maniac
    1. Divided firstly by students and staff, the students are then split by year group defined by year of entry so we don't have to change it every year, and the staff by administrators, teachers and support staff. Each OU has its own policies etc. applied to it.

    2. Loads of different groups defined within our Active Directory that allow/disallow access to different resources on our network. I have lots of VBS scripts that read this group information at logon and act on it accordingly, setting things like Internet Explorer Homepage, drives that are mapped, printer mappings etc. I think we have over 100 different groups for various things, mainly e-mail distribution lists.

    3. Students who have left get their account disabled and moved to an OU labelled Leavers. Same for staff. Once a year we purge these accounts and associated home areas, profiles etc. after taking a comprehensive backup just in case.

    4. Our LDAP is Microsoft Active Directory on Server 2003.

    5. I have some PHP scripts I've written which compare our student records in CMIS (our MIS system) to our Active Directory database, and it sends me an e-mail report notifying me of students in CMIS who don't have a network account, and students with a network account who no longer exist in CMIS so I can make sure every student in the school has a network account, and all the leavers get disabled ASAP. I could get it to make the adjustments automatically, but I like to do it manually so I know what's going on. This task is made easier by the fact we have Moodle which uses LDAP as its authentication, so my script uses the account information from Moodle for the comparison purposes.

    Cheers,

    Mike.
    Last edited by maniac; 8th May 2008 at 01:44 AM.
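
The MIS-to-directory comparison described in point 5 above, sketched as an added example in Python (this is not maniac's PHP script, which was not posted in the thread). The CSV columns, the `on_roll` status value, the OU layout and the `school.example` domain are assumptions, and the sample records are constructed. It only reports differences and changes nothing in the directory.

```python
import csv
import io

ACCOUNTDISABLE = 0x2  # userAccountControl bit set on a disabled AD account

# Constructed sample data (not real records): MIS roll export and directory dump.
MIS_CSV = """username,status
asmith04,on_roll
bjones05,on_roll
cpatel06,on_roll
dlee03,left
"""

DIRECTORY_LDIF = """dn: CN=A Smith,OU=2004,OU=Students,DC=school,DC=example
sAMAccountName: ASmith04
userAccountControl: 512

dn: CN=B Jones,OU=2005,OU=Students,DC=school,DC=example
sAMAccountName: bjones05
userAccountControl: 514

dn: CN=D Lee,OU=2003,OU=Students,DC=school,DC=example
sAMAccountName: dlee03
userAccountControl: 512
"""

def parse_ldif(text):
    """Parse plain 'attr: value' entries; folded or base64 LDIF lines are not handled."""
    return [dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
            for block in text.strip().split("\n\n")]

def reconcile(mis_csv, ldif):
    """Return a report-only diff between the MIS roll and the directory."""
    on_roll = {r["username"].lower() for r in csv.DictReader(io.StringIO(mis_csv))
               if r["status"] == "on_roll"}
    enabled, disabled = set(), set()
    for e in parse_ldif(ldif):
        name = e["sAMAccountName"].lower()  # AD logon names are case-insensitive
        is_disabled = int(e["userAccountControl"]) & ACCOUNTDISABLE
        (disabled if is_disabled else enabled).add(name)
    return {
        "no_account": sorted(on_roll - enabled - disabled),
        "disabled_but_on_roll": sorted(on_roll & disabled),
        "enabled_but_not_on_roll": sorted(enabled - on_roll),
    }

if __name__ == "__main__":
    for finding, names in reconcile(MIS_CSV, DIRECTORY_LDIF).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

The `enabled_but_not_on_roll` list is the one to act on first, since it holds leavers whose accounts can still log on.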

  6. #5

    Hi All,

    I'm still hoping to get a response for this question: 3. How do you manage large amounts of student accounts moving from one school or grade to another?

    It is the end of the year and we have to do it before Christmas. Network admin guy asked me to find out. Any idea or suggestion would help. Thanks, Hamish

  7. #6

    SpuffMonkey
    Originally posted by maniac:
    5. I have some PHP scripts I've written which compare our student records in CMIS (our MIS system) to our Active Directory database, and it sends me an e-mail report notifying me of students in CMIS who don't have a network account, and students with a network account who no longer exist in CMIS so I can make sure every student in the school has a network account, and all the leavers get disabled ASAP. I could get it to make the adjustments automatically, but I like to do it manually so I know what's going on. This task is made easier by the fact we have Moodle which uses LDAP as its authentication, so my script uses the account information from Moodle for the comparison purposes.
    Mike.
    Hi Mike

    I'd be interested in seeing those scripts if you are willing to share - cheers


