Administrators in separate ou?

**cheeseslice** · 12th May 2011, 02:35 PM

Hi,

I'm in the process of making up some group policies and the AD and I'm wondering the structure you would use for teachers that would also be administrators, like IT teachers for example.

At the minute I have:

Managed

-Computers

-Groups

-Staff

-Students
--Year2010
--Year2011

The problem I have is that I have been told they want the workstation totally restricted for both students and staff, except for one or two ICT teachers.

So I'm just wondering how best to arrange this for a school environment, do you just leave the teachers with admin rights in their own ou with a separate group policy?

**clareq** · 12th May 2011, 02:40 PM

If it's only one workstation, make the IT teachers local administrators. Personally no teacher has admin rights on the domain - local admin rights on their assigned laptop only.

**j17sparky** · 12th May 2011, 02:42 PM

You define administrator rights based on group membership not OU. Or do you not want any of your lockdown policies to apply to them either?

If so just make an extra level above the teachers OU, then within that "normal teachers" & "it teachers". Then apply your GPOs as needed

**alexsanger** · 12th May 2011, 02:47 PM

No admin rights of any sort for any member of staff other than the techs! Not even local admin - which does after all have the permissions to remove the computer from the domain, hence compromising network security. Power User is the most anyone needs, and even then that gives enough permission to install all kinds of junk and cause problems. You'll be expected to support whatever is installed on the machines and sort out whatever problems it causes, so you should be the only one to install any of it. It also allows control over the software catalogue, and keeps you on top of licensing.

**cheeseslice** · 12th May 2011, 02:58 PM

Thanks for the quick replies, I have never set up a network for a server for this sort of environment before so I'm not quite sure what the norm is.

This will seem a bit off topic but how do you deal with updates to your workstations? do you use wsus?

The reason I ask is because this network is tiny, one server 20 workstations. I'm afraid wsus would kill the server but I'm not sure, it was suggested that the IT teacher in the room should have rights so that they can do updates (because this is how it has been done before) but I didn't think that was a particularly smart idea.

Once I have the server installed I will only be back if something breaks, hopefully remotely. They don't have any technical support on site.

**clareq** · 12th May 2011, 03:03 PM

I use WSUS for 1400 workstations. The server copes fine. The likelihood of something breaking will be much less if no-one but you have admin rights!

**alexsanger** · 12th May 2011, 03:05 PM

I would still use WSUS, so long as you have enough storage for the downloads. If this is going to be supported remotely I would set up email notifications wherever possible. That way you can sort things pro-actively, rather than waiting to break-fix. Keeping permissions tight will reduce the chances of software problems, and you look good for reducing the support overhead for the teachers. Perhaps set them up an admin account to use separately if needed, but have all normal user accounts secured.

**j17sparky** · 12th May 2011, 03:13 PM

*Can of worms* I hate WSUS. Personally if I only had 20 PCs to look after I'd be tempted to not use it. WSUS has been too unreliable ime.

**cheeseslice** · 12th May 2011, 03:27 PM

If I was going to go for wsus I would be installing the bare minimum but the other problem that I have is the server only as 2x250gb drives in raid 1 (software) This is partition in half for OS and users Data & shares.

I'm nearly tempted to turn automatic updating off all together, just have the server and workstations stay as they are.

**alexsanger** · 12th May 2011, 03:33 PM

I've experienced two very good reasons for not ignoring updates over the years - Sasser, and Conficker. I'm still reaping the rewards of my predecessors overlooking the importance of a good update policy on this network some 8 months later...

**j17sparky** · 12th May 2011, 03:37 PM

Originally Posted by cheeseslice

If I was going to go for wsus I would be installing the bare minimum but the other problem that I have is the server only as 2x250gb drives in raid 1 (software) This is partition in half for OS and users Data & shares.

I'm nearly tempted to turn automatic updating off all together, just have the server and workstations stay as they are.

Without knowing exactly which updates you are going to deploy (windows xp, 7, office) I'd say your disk space may cause you a problem. My current WSUS share is 60gb

**cheeseslice** · 12th May 2011, 04:22 PM

updates would be for windows 7 and office.

How bad an idea would it be to set each workstations automatic updates, I know that would increase the bandwidth and there isn't any central control as such but it would get me around the problem of no space.

**alexsanger** · 12th May 2011, 04:35 PM

The onus will still be on the teacher to respond to prompts for any that do not run completely automatically. Better than nothing though.

How about a £50 USB HDD for the server? Performance and fault tolerance really aren't issues, so it might just do the job.

**j17sparky** · 12th May 2011, 05:21 PM

Ask your LEA if they have a WSUS server you can pull from.

LinkBack

Thread Tools

Search Thread

Administrators in separate ou?

Similar Threads

No administrators on the machine except Administrator, whoops

OS x 10.6 administrators course

Technical Administrators (3x posts)

sims administrators for beginners

The Ultimate Administrators Toolbox

Thread Information

Users Browsing this Thread

Posting Permissions