  1. #1

    AD accounts & email accounts - different usernames?

    The way we've always operated is to give students and staff both an email username and password and a network one, as the email is handled by the LEA

    It does cause a bit of confusion with some staff but overall it's always worked well

    But for a while now the LEA has been promoting 'shibboleth' or single sign on, where users log onto the network with the same details as their email

    Instantly I was slightly against this as it means we would lose the year identifier with usernames. Eventually I came round a bit

    But now, after lengthy discussions with someone at the LEA (or at least the company that runs their systems) I'm really not sure again.
    They want to install something on one of our DCs which synchronizes the email usernames and creates AD users to match, and also creates its own OU structure and home directory structure. Being made to stick to someone else's OU structure would make a lot of the granular stuff I do much more difficult - e.g. giving a few students roaming profiles, and giving certain users bogus proxy settings to stop them using the net

    Now straight away that seems to me that a lot of the control we have is being taken away, but maybe that's just me being pathetic because I like having the power?

    Thing is, if they are synchronized, we will have to wait up to a day for new AD users, when now we can create them instantly, and password changes can only be done via the user's email or by us via the LEA support site - and they will take roughly 15 minutes to propagate down

    Thankfully nothing has happened yet as the guy is having trouble getting it working with our ISA server but I'm not sure whether to pressure my NM to call the whole thing off

    So just wanted to know quickly, who has separate network and email usernames? And if you do, are you being pressured into this single sign on?

  2. #2

    GrumbleDook

    Re: AD accounts & email accounts - different usernames?

    We have an internal Mail/VLE at the moment (FirstClass) which we are ditching in favour of the LA MLE and email. We presently have the same username but a different password on the existing system but I cannot do that with the LA system.

    Because of the time scales getting it set up (the first 7 pilot secondaries and the pilot primary cluster will be ready to roll at the end of September) trying to get a unique ID that can be used is damn near impossible.

    All the secondary schools have different userid naming structures, slightly different structure to their ADs and different bits of middleware involved too.

    We are looking at Shibboleth and SSO but it gets more complicated as the LA is one of the East Midlands LAs that has chosen Synetrix as the RBC supplier ... and that doesn't fully come into effect until 1st April ... so we either look at SSO with the existing supplier and then have to do work again with the new bunch.

    We want to do the SSO. The loss of control through Shibboleth or any sort of federation is minimal. It just means that you agree specific models of transfer and sharing of data and have to accept the limitations of how often that information is updated.

    Some places will look at the local server (the school one) creating the accounts and then synchronising them up to the central directory ... but then someone else has to do any data matching that is required. It is often simpler for a user to be created at a central location and then rolled down to connected DCs. NAACE actually did a very nice poster explaining the different models and some of the best practice. I'll see if I can get permission to link to it.

    Once the OU structure is in place there should not be anything stopping you from still having sub OUs to do a bit more of the granular work. Without seeing the full details of what is being offered there should still be sufficient methods of you implementing the granularity you want.

  3. #3
    User3204

    Re: AD accounts & email accounts - different usernames?

    SSO should just mean the usernames can be used externally.

    They shouldn't have to enforce their username policy onto your network.


    We have a username based upon Surname + first few initials + an optional number, for the students. This is created in AD when the student starts, or at the open day we give for the new year 7s (in July).
    I usually don't get around to creating the user emails, in the same format, on our mailserver.

    The staff have a username based upon the first 4 letters of the firstname and the first 4 letters of their surname, we tend to use this username all over the place, they can use this as their email logon name, although the main email address is based upon the forename.surname@schooldomain.com.


    I know our LA is discussing a SSO system, but they have yet to "discuss" it with me, and if it isn't acceptable, then it won't happen here.
    If they want something, the only thing I will do is allow software to upload the user details to their servers...

  4. #4

    GrumbleDook

    Re: AD accounts & email accounts - different usernames?

    If people would like to know more on the background to Shibboleth in schools in England have a look here.

    Shibboleth is more than just sharing usernames.

    Conventions on usernames are fine if it just affects your school and your school only. What happens when you have a consortium of schools that work together at KS5? At the moment there are individual accounts at each school the student goes to with no real method of sharing work between institutes.

    This is before we even get onto the idea that schools may not actually be following best practice for domain / AD structures, partly because the best practice for business models doesn't always apply to schools (who have to make things up as they go along) and partly because some schools' systems have just evolved with little time for planning and testing.

    Then again, just because someone says that to get stuff done it needs to be done centrally it does not mean it is being done that way because schools can't do it themselves, it is sometimes about scaling costs (not everyone has an army of minions) too.

    A perfect world would see a user being able to use their email address to log into everything and not have to worry (remember that we are here to make the life of the user better so they can just get on and learn / teach), but there are massive hoops to jump through and if that means having to back down occasionally it should not be dismissed out of hand.

    This takes us back to usernames. If we are going to use the email address (which is really just user@domain) then we have to remove the year of entry. The year of entry gives an idea of the age of the user and we are told this is not a good idea on the grounds of e-Safety, something I agree with after a few issues at my last place due to targeting of students.
