Windows Server 2008 R2 Thread, Administrators in separate ou? in Technical
12th May 2011, 02:35 PM #1
Administrators in separate ou?
I'm in the process of making up some group policies and the AD and I'm wondering the structure you would use for teachers that would also be administrators, like IT teachers for example.
At the minute I have:
The problem I have is that I have been told they want the workstation totally restricted for both students and staff, except for one or two ICT teachers.
So I'm just wondering how best to arrange this for a school environment. Do you just leave the teachers with admin rights in their own OU with a separate group policy?
12th May 2011, 02:40 PM #2
If it's only one workstation, make the IT teachers local administrators. Personally no teacher has admin rights on the domain - local admin rights on their assigned laptop only.
12th May 2011, 02:42 PM #3
You define administrator rights based on group membership not OU. Or do you not want any of your lockdown policies to apply to them either?
If so just make an extra level above the teachers OU, then within that "normal teachers" & "it teachers". Then apply your GPOs as needed.
12th May 2011, 02:47 PM #4
No admin rights of any sort for any member of staff other than the techs! Not even local admin - which does after all have the permissions to remove the computer from the domain, hence compromising network security. Power User is the most anyone needs, and even then that gives enough permission to install all kinds of junk and cause problems. You'll be expected to support whatever is installed on the machines and sort out whatever problems it causes, so you should be the only one to install any of it. It also allows control over the software catalogue, and keeps you on top of licensing.
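An added example, not part of any post in this thread: one way to check that nobody outside an approved list sits in the local Administrators group on each workstation, which is the rule replies #3 and #4 describe. The domain name, computer names and the "Workstation Techs" group are constructed placeholders, and the script assumes it is run by an account that can query the workstations remotely.

```powershell
# Added example: list unexpected members of the local Administrators group.
# $Domain, $Computers and $Allowed are constructed placeholders; replace them.
$Domain    = 'SCHOOL'                      # assumed NetBIOS domain name
$Computers = 'ROOM1-PC01', 'ROOM1-PC02'    # assumed workstation names
$Allowed   = @(
    'Administrator'                # built-in local account
    "$Domain/Domain Admins"        # added automatically when a PC joins the domain
    "$Domain/Workstation Techs"    # hypothetical group for the technicians
)

function Get-LocalAdminMember {
    param([string]$ComputerName)
    # The WinNT ADSI provider works on PowerShell 2.0 (Windows 7 / Server 2008 R2).
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # Local account:    WinNT://SCHOOL/ROOM1-PC01/Administrator -> Administrator
        # Domain principal: WinNT://SCHOOL/Domain Admins            -> SCHOOL/Domain Admins
        $name = $path -replace '^WinNT://', ''
        $name -replace ('^.*/' + [regex]::Escape($ComputerName) + '/'), ''
    }
}

$report = foreach ($pc in $Computers) {
    try {
        foreach ($member in Get-LocalAdminMember -ComputerName $pc) {
            # -notcontains compares case-insensitively
            if ($Allowed -notcontains $member) {
                New-Object PSObject -Property @{ Computer = $pc; Unexpected = $member }
            }
        }
    } catch {
        # An unreachable or powered-off PC is reported rather than silently skipped
        New-Object PSObject -Property @{
            Computer   = $pc
            Unexpected = "QUERY FAILED: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table Computer, Unexpected -AutoSize
```

An empty table means every reachable workstation matches the allow-list; any teacher account or unfamiliar group that appears is membership to remove or justify.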
12th May 2011, 02:58 PM #5
Thanks for the quick replies, I have never set up a network for a server for this sort of environment before so I'm not quite sure what the norm is.
This will seem a bit off topic but how do you deal with updates to your workstations? Do you use WSUS?
The reason I ask is because this network is tiny: one server, 20 workstations. I'm afraid WSUS would kill the server but I'm not sure. It was suggested that the IT teacher in the room should have rights so that they can do updates (because this is how it has been done before) but I didn't think that was a particularly smart idea.
Once I have the server installed I will only be back if something breaks, hopefully remotely. They don't have any technical support on site.
12th May 2011, 03:03 PM #6
I use WSUS for 1400 workstations. The server copes fine. The likelihood of something breaking will be much less if no-one but you has admin rights!
12th May 2011, 03:05 PM #7
I would still use WSUS, so long as you have enough storage for the downloads. If this is going to be supported remotely I would set up email notifications wherever possible. That way you can sort things pro-actively, rather than waiting to break-fix. Keeping permissions tight will reduce the chances of software problems, and you look good for reducing the support overhead for the teachers. Perhaps set them up an admin account to use separately if needed, but have all normal user accounts secured.
12th May 2011, 03:13 PM #8
*Can of worms* I hate WSUS. Personally if I only had 20 PCs to look after I'd be tempted to not use it. WSUS has been too unreliable ime.
12th May 2011, 03:27 PM #9
If I was going to go for WSUS I would be installing the bare minimum, but the other problem that I have is the server only has 2x250GB drives in RAID 1 (software). This is partitioned in half for OS and users' data & shares.
I'm nearly tempted to turn automatic updating off altogether, just have the server and workstations stay as they are.
12th May 2011, 03:33 PM #10
I've experienced two very good reasons for not ignoring updates over the years - Sasser, and Conficker. I'm still reaping the rewards of my predecessors overlooking the importance of a good update policy on this network some 8 months later...
12th May 2011, 03:37 PM #11
Without knowing exactly which updates you are going to deploy (Windows XP, 7, Office) I'd say your disk space may cause you a problem. My current WSUS share is 60GB.
12th May 2011, 04:22 PM #12
Updates would be for Windows 7 and Office.
How bad an idea would it be to set each workstation's automatic updates? I know that would increase the bandwidth and there isn't any central control as such, but it would get me around the problem of no space.
12th May 2011, 04:35 PM #13
The onus will still be on the teacher to respond to prompts for any that do not run completely automatically. Better than nothing though.
How about a £50 USB HDD for the server? Performance and fault tolerance really aren't issues, so it might just do the job.
12th May 2011, 05:21 PM #14
Ask your LEA if they have a WSUS server you can pull from.