Windows Server 2008 R2 Thread: Administrators in separate ou? (in Technical)
  1. #1

    Join Date
    Apr 2011
    Posts
    52
    Thank Post
    3
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Administrators in separate ou?

    Hi,

    I'm in the process of making up some group policies and the AD, and I'm wondering what structure you would use for teachers who would also be administrators, like IT teachers for example.

    At the minute I have:

    Managed

    -Computers

    -Groups

    -Staff

    -Students
    --Year2010
    --Year2011

    The problem I have is that I have been told they want the workstation totally restricted for both students and staff, except for one or two ICT teachers.

    So I'm just wondering how best to arrange this for a school environment. Do you just leave the teachers with admin rights in their own OU with a separate group policy?

  2. #2
    clareq's Avatar
    Join Date
    Dec 2005
    Location
    Doncaster
    Posts
    777
    Thank Post
    57
    Thanked 199 Times in 131 Posts
    Rep Power
    103
    If it's only one workstation, make the IT teachers local administrators. Personally no teacher has admin rights on the domain - local admin rights on their assigned laptop only.

  3. #3


    Join Date
    Oct 2006
    Posts
    3,414
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    149
    You define administrator rights based on group membership not OU. Or do you not want any of your lockdown policies to apply to them either?

    If so, just make an extra level above the teachers OU, then within that "normal teachers" & "IT teachers". Then apply your GPOs as needed.

  4. #4
    alexsanger's Avatar
    Join Date
    Oct 2009
    Location
    London
    Posts
    117
    Thank Post
    21
    Thanked 23 Times in 21 Posts
    Rep Power
    15
    No admin rights of any sort for any member of staff other than the techs! Not even local admin - which does after all have the permissions to remove the computer from the domain, hence compromising network security. Power User is the most anyone needs, and even then that gives enough permission to install all kinds of junk and cause problems. You'll be expected to support whatever is installed on the machines and sort out whatever problems it causes, so you should be the only one to install any of it. It also allows control over the software catalogue, and keeps you on top of licensing.
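
Replies #3 and #4 both come down to who is a member of the local Administrators group on each workstation. The script below is an added example, not part of any post in this thread, that lists that membership remotely and flags anything outside an expected list. The computer names and the allow list are constructed placeholders, and it assumes an English-language group name and an account with admin rights on the targets.

```powershell
# Added example: audit local Administrators membership on workstations.
# Hypothetical values: replace the names below with your own.
$Computers = @('WS01', 'WS02')                     # constructed sample names
$Allowed   = @('Administrator', 'Domain Admins')   # members you expect to see

function Get-LocalAdminMembers {
    param([string]$ComputerName)
    # The WinNT ADSI provider works on Windows 7 / Server 2008 R2,
    # which predate the Get-LocalGroupMember cmdlet.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $type = $member.GetType()
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Member   = $type.InvokeMember('Name', 'GetProperty', $null, $member, $null)
            ADsPath  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        }
    }
}

function Find-UnexpectedAdmins {
    param([object[]]$Members, [string[]]$AllowList)
    # Anything not on the allow list is reported, whether it is a
    # local account, a domain user or a domain group.
    $Members | Where-Object { $AllowList -notcontains $_.Member }
}

foreach ($computer in $Computers) {
    try {
        $members = @(Get-LocalAdminMembers -ComputerName $computer)
        $extra   = @(Find-UnexpectedAdmins -Members $members -AllowList $Allowed)
        if ($extra.Count -eq 0) {
            Write-Output "$computer : OK ($($members.Count) expected members)"
        } else {
            foreach ($e in $extra) {
                Write-Output "$computer : UNEXPECTED admin $($e.Member) [$($e.ADsPath)]"
            }
        }
    } catch {
        # Machine switched off, firewalled, or access denied.
        Write-Warning "$computer : could not query ($($_.Exception.Message))"
    }
}
```

Run on a schedule, the output shows when an account has been added to a workstation's Administrators group since the last check.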

  5. #5

    Join Date
    Apr 2011
    Posts
    52
    Thank Post
    3
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Thanks for the quick replies, I have never set up a network for a server for this sort of environment before so I'm not quite sure what the norm is.

    This will seem a bit off topic, but how do you deal with updates to your workstations? Do you use WSUS?

    The reason I ask is because this network is tiny: one server, 20 workstations. I'm afraid WSUS would kill the server, but I'm not sure. It was suggested that the IT teacher in the room should have rights so that they can do updates (because this is how it has been done before), but I didn't think that was a particularly smart idea.

    Once I have the server installed I will only be back if something breaks, hopefully remotely. They don't have any technical support on site.

  6. #6
    clareq's Avatar
    Join Date
    Dec 2005
    Location
    Doncaster
    Posts
    777
    Thank Post
    57
    Thanked 199 Times in 131 Posts
    Rep Power
    103
    I use WSUS for 1400 workstations. The server copes fine. The likelihood of something breaking will be much less if no-one but you has admin rights!

  7. #7
    alexsanger's Avatar
    Join Date
    Oct 2009
    Location
    London
    Posts
    117
    Thank Post
    21
    Thanked 23 Times in 21 Posts
    Rep Power
    15
    I would still use WSUS, so long as you have enough storage for the downloads. If this is going to be supported remotely I would set up email notifications wherever possible. That way you can sort things pro-actively, rather than waiting to break-fix. Keeping permissions tight will reduce the chances of software problems, and you look good for reducing the support overhead for the teachers. Perhaps set them up an admin account to use separately if needed, but have all normal user accounts secured.

  8. #8


    Join Date
    Oct 2006
    Posts
    3,414
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    149
    *Can of worms* I hate WSUS. Personally if I only had 20 PCs to look after I'd be tempted to not use it. WSUS has been too unreliable ime.

  9. #9

    Join Date
    Apr 2011
    Posts
    52
    Thank Post
    3
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    If I was going to go for WSUS I would be installing the bare minimum, but the other problem that I have is the server only has 2x250GB drives in RAID 1 (software). This is partitioned in half for OS and users' data & shares.

    I'm nearly tempted to turn automatic updating off altogether, just have the server and workstations stay as they are.

  10. #10
    alexsanger's Avatar
    Join Date
    Oct 2009
    Location
    London
    Posts
    117
    Thank Post
    21
    Thanked 23 Times in 21 Posts
    Rep Power
    15
    I've experienced two very good reasons for not ignoring updates over the years - Sasser, and Conficker. I'm still reaping the rewards of my predecessors overlooking the importance of a good update policy on this network some 8 months later...

  11. #11


    Join Date
    Oct 2006
    Posts
    3,414
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    149
    Quote Originally Posted by cheeseslice View Post
    If I was going to go for WSUS I would be installing the bare minimum, but the other problem that I have is the server only has 2x250GB drives in RAID 1 (software). This is partitioned in half for OS and users' data & shares.

    I'm nearly tempted to turn automatic updating off altogether, just have the server and workstations stay as they are.
    Without knowing exactly which updates you are going to deploy (Windows XP, 7, Office) I'd say your disk space may cause you a problem. My current WSUS share is 60GB.

  12. #12

    Join Date
    Apr 2011
    Posts
    52
    Thank Post
    3
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Updates would be for Windows 7 and Office.

    How bad an idea would it be to set each workstation's automatic updates? I know that would increase the bandwidth and there isn't any central control as such, but it would get me around the problem of no space.

  13. #13
    alexsanger's Avatar
    Join Date
    Oct 2009
    Location
    London
    Posts
    117
    Thank Post
    21
    Thanked 23 Times in 21 Posts
    Rep Power
    15
    The onus will still be on the teacher to respond to prompts for any that do not run completely automatically. Better than nothing though.

    How about a £50 USB HDD for the server? Performance and fault tolerance really aren't issues, so it might just do the job.

  14. #14


    Join Date
    Oct 2006
    Posts
    3,414
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    149
    Ask your LEA if they have a WSUS server you can pull from.


