  1. #1

    Join Date
    Feb 2007
    Location
    Monmouth, South Wales
    Posts
    54
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Active Directory Structure

    Hi folks,
    I want to get a rough idea from you folks how you have structured your active directory, ie. OUs, groups, etc. and how you manage the annual changes that occur when a user moves up to the next year. What sort of tools do you use to manage these changes?
    Also... what level of granularity do you have with your security groups, ie. do you have groups of subjects for the pupils for their year. Do you have form groups?
    Does your Active Directory synchronize with your MIS?

    ... a little about our setup:
    Windows Server 2003 environment
    MIS : WCBS PASS
    approx. 1000 users

    We've got quite a locked down desktop, but it's starting to show signs of inflexibility, and a part of me is thinking of redesigning the desktop and policies from scratch. I found this site by chance and I'm quite pleased to say the least, that there is a community of IT support/admin for schools/education here! brilliant!

    anyway... cheers for now.
    Baronne

  2. #2

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,272
    Thank Post
    614
    Thanked 1,567 Times in 1,407 Posts
    Rep Power
    412

    Re: Active Directory Structure

    We use year of entry as their username so there is never a need to move them anywhere.

    I have ou's for users, computer, laptops etc... all prefixed with the domain name i.e for us it's wayland so I have Wayland Users, Wayland Computers etc... makes it easy for people to see our relevant stuff.

    Ben

  3. #3

    Join Date
    Jan 2007
    Location
    Birmingham
    Posts
    807
    Thank Post
    29
    Thanked 36 Times in 24 Posts
    Rep Power
    26

    Re: Active Directory Structure

    I have the following structure

    SchoolName
    |
    | --- Curriculum (pupils)
    .............|- intake0
    .............|- intake03
    | --- Machines
    .............|- Curriculum Machines
    ............................|- Room1
    ............................|- Room2 etc
    .............|- Server Room (techies)
    .............|- Staff
    | --- Member Servers
    | --- Staff
    .............| - Academic Coaches
    .............| - Admin
    .............| - Extended Schools
    .............| - ICT Admin
    .............| - SMT
    .............| - Teaching


    I've omitted the OU's we use for testing and the built in ones, etc.

    Hope this helps, also if anybody has any comments about ours, please feel free.....

  4. #4

    Join Date
    Oct 2006
    Location
    uk
    Posts
    494
    Thank Post
    19
    Thanked 3 Times in 2 Posts
    Rep Power
    16

    Re: Active Directory Structure

    Likewise we have a naming convention that stays with them, done on year of birth and initials,
    so for example 93rt11 would be a year seven with the initials rt and be the first person in the first network with those initials, 93rt12 would be the second person with those initials etc etc.
    ous are :
    staff, students, all pcs, then rooms.

  5. #5
    limbo's Avatar
    Join Date
    Aug 2005
    Location
    Birmingham
    Posts
    460
    Thank Post
    2
    Thanked 41 Times in 36 Posts
    Rep Power
    25

    Re: Active Directory Structure

    School
    |
    |-Users
    ----|-Staff
    ----|-Student Teachers (we are an ITT Training school)
    ----|-Main School
    ---------|-06 (intake year)
    ---------|-05
    ---------|-04
    ---------|-03
    ---------|-02
    ----|-Sixth Form
    ---------|-01
    ---------|-02
    |-Machines
    ----|Desktops
    ---------|-Admin Machines
    ---------|-IT Support
    ---------|-Upper School
    -------------|-room 1
    -------------|-room 2
    -------------|-room 3 etc..
    ---------|-Lower School
    ---------|-Sixth Form Centre
    ----|-Laptops
    ---------|-Laptops for Teachers
    -------------|-Maths Department
    -------------|-English Department etc...
    ---------|(same as desktops)

    For users this lets us set different policies globally to main school and then sixth form. Each year I just drag the old year 11 group into the sixth form group to introduce these policies.

    For the machines this gives us the most flexibility for software rollouts. We can push them globally to just laptops or desktops, and then just to one building (or one building at a time to stagger bigger rollouts) or just into one room. With the laptops for teachers being in departments this lets us roll out department specific software to the laptops. All our IT suites are owned by a department so to push out this same software to the curriculum machines we do it at the room level.

  6. #6

    Join Date
    Feb 2007
    Location
    Monmouth, South Wales
    Posts
    54
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Active Directory Structure

    ours are all just their first letter of their name and surname, but this has clashes occasionally... which can be a headache. So if you've got pupils with strange usernames, do they have strange email addresses too then?
    You see I find that naming with the intake year means you have to sort of do a calculation to work out which year it was they started. Our structure is
    Pupils
    -------Prep School
    ----------------Year 03
    ----------------Year 04,etc.
    -------Main School
    ----------------Year 07
    ----------------Year 08,etc.

    Currently as they move each year, I simply create an OU called year 13OLD and I move the leavers into that OU and disable their accounts, then I work upwards moving all the accounts into the next OUs.

    It can be a bit tedious, but it doesn't take a long time. Where it's tricky, is the security groups.

    We are in the process of setting up SharePoint 2007 and would like to target content to the relevant audience. So we need to have the right security groups setup to do so.

    So, for example, a pupil is a member of a bunch of security groups, including All Pupils, Year 08, Form 08E, House1, Y8eng, Y8hist, Y8maths, Y8geog, etc. but as she might choose different subjects as she moves up the school, therefore her groups will need to change to reflect this, and not all pupils will obviously choose the same subjects.

    any thoughts? are we going overboard?
    cheers
    Baronne
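
Added example, not part of the original post or any poster's tooling: one way to keep subject, form and year groups in step with the MIS is to diff an export of intended memberships against the directory and apply only the difference. The export layout, usernames and the `MANAGED` set are constructed assumptions; the group names follow the post above.

```python
import csv
import io
from collections import defaultdict

# Constructed MIS export: the groups each pupil SHOULD hold after moving up.
MIS_EXPORT = """username,group
jdoe,All Pupils
jdoe,Year 09
jdoe,Form 09E
jdoe,House1
jdoe,Y9eng
jdoe,Y9hist
jdoe,Y9drama
"""

# Constructed snapshot of current directory membership.
CURRENT = {
    "jdoe": {"All Pupils", "Year 08", "Form 08E", "House1",
             "Y8eng", "Y8hist", "Y8maths", "Y8geog", "Wireless"},
    "asmith": {"All Pupils", "Year 13"},   # not in the export: a leaver?
}

# Groups the sync owns; it never adds or removes anything outside this set.
MANAGED = {"All Pupils", "House1", "Year 08", "Year 09", "Year 13",
           "Form 08E", "Form 09E", "Y8eng", "Y8hist", "Y8maths", "Y8geog",
           "Y9eng", "Y9hist", "Y9maths", "Y9geog"}


def plan_changes(mis_csv, current, managed):
    """Return (plan, rejected, missing) without touching the directory."""
    desired, rejected = defaultdict(set), []
    for row in csv.DictReader(io.StringIO(mis_csv)):
        user, group = row["username"].strip(), row["group"].strip()
        if group in managed:
            desired[user].add(group)
        else:
            rejected.append((user, group))      # unknown group: review, don't create
    plan = {}
    for user, want in desired.items():
        have = current.get(user, set()) & managed
        plan[user] = {"add": sorted(want - have), "remove": sorted(have - want)}
    # Accounts absent from the export keep their groups until someone confirms
    # they left; a truncated export must not strip access wholesale.
    missing = sorted(set(current) - set(desired))
    return plan, rejected, missing
```

Stale subject groups are removed in the same pass that adds the new ones, while memberships outside `MANAGED` (here `Wireless`) are left alone.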

  7. #7

    Join Date
    Jul 2006
    Location
    London
    Posts
    2,962
    Thank Post
    159
    Thanked 152 Times in 116 Posts
    Rep Power
    49

    Re: Active Directory Structure

    We use a letter for each year for students, and use the first letter of their forename and first 4 of the surname. Eg Tom Smith in Year 7 (which is letter P this year) would be PTSmit
    This way next years year 8 are letter P etc and every year moves up a letter

    Computer names we use a prefix of DT for a desktop and LT for a laptop, followed by the room name and a number, eg DT-A1-01 which tells us its the first desktop in A1

    Active Directory structure is like this:

    Students
    ............Year 7 P
    ............Year 8 N(etc)

    Teachers
    ............Art
    ............Maths (etc)

    Domain Computers
    ............Curriculum PC's
    ........................Subject/Block
    ....................................Room
    ................................................Desktops
    ................................................Laptops
    ............Teacher PC's
    ........................Subject/Block
    ............Admin PC's
    ........................Office
    ........................IT
    ........................Librarians (etc)

    Security Groups:
    Students are members of students & year7/8 whatever their year is group
    Teachers are members of teachers, SIMSusers & whatever their subjects are groups
    All are members of the wireless group that is used to authenticate them

  8. #8

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,037
    Thank Post
    209
    Thanked 425 Times in 306 Posts
    Rep Power
    144

    Re: Active Directory Structure

    We've got similar to above.

    SCHOOL
    |
    |...|-Accounts
    |.........|-Service Accounts
    |.........|-Staff
    |...............|-Leavers
    |.........|-Students
    |...............|-6th Form
    |...............|-Leavers
    |...............|-Year11
    |...............|---etc--
    |
    |...|-Groups
    |.........|-Distribution Groups
    |.........|-Staff Groups
    |.........|-Student Groups
    |
    |...|-Member Servers
    |
    |...|-Systems
    |.........|-Staff Systems
    |...............|-Desktops
    |.....................|-Attendance
    |.....................|-Main Office
    |.....................|---etc---
    |...............|-Laptops
    |.........|-Student Systems
    |...............|-Desktops
    |.....................|-Room 218
    |.....................|-Room 219
    |.....................--etc--
    |...............|-Laptops
    |....................|-Laptop group 1
    |....................|-Laptop Group 2
    |....................|---etc--

    We find this convenient, and it's fairly segmented to allow us to apply different group policies where necessary to small groups of machines or users.

    mike

  9. #9
    Busybub's Avatar
    Join Date
    Feb 2007
    Posts
    384
    Thank Post
    44
    Thanked 39 Times in 37 Posts
    Rep Power
    22

    Re: Active Directory Structure

    One OU for each year group, contained within an OU for each school (Primary, Juniors, Seniors), all contained in an OU for Students.
    OUs for Teachers, Admin Staff, and Administrators.
    Computers allocated to OUs by room.

    Groups created for each year group and one for all students
    Teachers are allocated to departments, those departments are listed under the Teachers group.

    Other admin groups as necessary.

    I don't create subject groups unless there has been a specific request to make resources available to a select bunch of students.

    User migration is a chore:

    Archive the data for the leaving students. Delete their accounts, move the next year into the OU and reset their profiles, etc. Add new users into the bottom class. There must be a way to script this but I'm not sure it is worth it for 180 students, your situation is very different.

    I've considered a naming convention based on year but it would be problematic to maintain this across the school as the younger kids struggle with their own names let alone year of birth etc!

  10. #10

    Join Date
    Jan 2007
    Location
    Birmingham
    Posts
    807
    Thank Post
    29
    Thanked 36 Times in 24 Posts
    Rep Power
    26

    Re: Active Directory Structure

    Quote Originally Posted by baronne
    Currently as they move each year, I simply create an OU called year 13OLD and I move the leavers into that OU and disable their accounts, then I work upwards moving all the accounts into the next OUs.
    Ouch. We use a year identifier e.g this years year 7 are 06 next year will be 07, followed by first 5 letters of surname, followed by first letter of first name so john smith in year 7 would be: 06smithj

    Where there is a problem with clashing we will either usually give them:
    06smitjo, 06smithjo or some other alternative.

    Therefore no problems with moving in to year 8, 9, etc

    Do you create your users and the folder shares manually or use a tool for it?

  11. #11

    Join Date
    Feb 2007
    Location
    Monmouth, South Wales
    Posts
    54
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Active Directory Structure

    we create some shares manually some are auto using redirect, but I constantly battle with application data redirects and profiles, so the whole thing really needs a rethink.
    I have been looking at using ManageEngine's AD ManagerPlus but would like to look for other tools to evaluate too...
    any suggestions?

  12. #12

    Join Date
    Jan 2007
    Location
    Birmingham
    Posts
    807
    Thank Post
    29
    Thanked 36 Times in 24 Posts
    Rep Power
    26

    Re: Active Directory Structure

    I've mentioned it before, but i use AD infinitum, great little tool, creates all users, group membership and any AD property you can think of, folders, shares as well as setting NTFS/Share permissions. Cost about £100. Nothing extortionate.

  13. #13
    tarquel's Avatar
    Join Date
    Jun 2005
    Location
    Powys, Mid-Wales, UK
    Posts
    1,740
    Thank Post
    13
    Thanked 44 Times in 34 Posts
    Rep Power
    29

    Re: Active Directory Structure

    I use my own custom made script that I can import a SIMS export of the new year 7, move a few things around and then run it through my script.

    It creates the user, adds them to the year group and a general pupils group, creates the dir structure and permissions, sets the allowed times etc etc and is automatic...

    My OU structure is mostly the same as others here...

    I'll link a picture later on [if i remember]

    Nath.

  14. #14
    Irazmus's Avatar
    Join Date
    Feb 2006
    Location
    Suffolk
    Posts
    313
    Thank Post
    13
    Thanked 19 Times in 14 Posts
    Rep Power
    22

    Re: Active Directory Structure

    Ours is also similar to those above

    SchoolName
    |
    |- Domain Controllers
    |
    |- Member Servers
    |
    |- PCs
    ||- Admin Workroom
    ||- DT2
    ||- Library
    ||- Staff Laptops
    ||- Curriculum Laptops
    ||- Trolley 1
    ||- Trolley 2
    ||- Pupil Laptops
    ||- Etc
    |
    |- User Accounts
    ||- Staff
    ||- A Team
    ||- TAs
    ||- Teachers
    ||- Students
    ||- 03
    ||- 04
    ||- 05
    ||- 06

    Students are in OUs based on year of enrollment and are members of the Students and [EntryYear]_Students security groups

    All staff are members of the Staff and InternetAuth groups, and depending on their role they may also be members of:
    A Team
    OfficeStaff
    SIMS Users
    TeachersGroup
    PasswordChangers
    Moodle Creators

    Student accounts are created by a script which takes a csv file containing EntryYear,Surname,Forename. This creates the user account, adds group membership, creates home directories/redirected folders, sets ACLs.
    I'll have a similar one for staff when I get around to it.

    Student usernames are in the form Surname.Forename
    Teachers usernames are their initials, support staff use their first initial followed by their surname

    Staff laptops are members of subject groups which are used mainly during RIS to control application installation for programs without site licences.
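
Added example, not the poster's script: a planning step for a CSV in the `EntryYear,Surname,Forename` layout described above, treating the MIS export as untrusted input before any account, group membership or home folder is created. The sample rows, the `\\servername\sharename` placeholder, the relative OU path and the numeric clash suffix are assumptions made for illustration.

```python
import csv
import io
import re
import unicodedata

# Constructed sample rows; the last two are deliberately malformed.
NEW_INTAKE = """EntryYear,Surname,Forename
06,Smith,John
06,Smith,John
06,O'Brien,Zo\u00eb
06,..\\..\\Staff,Eve
6a,Jones,Al
"""

HOME_ROOT = r"\\servername\sharename"  # placeholder share path
MAX_SAM = 20                            # sAMAccountName limit for user objects


def clean(part):
    """Fold accents to ASCII, then keep letters, digits and hyphen only."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Za-z0-9-]", "", folded)   # allowlist, stricter than AD needs


def plan_accounts(csv_text, existing=()):
    """Return (plan, rejected); nothing is written to the directory."""
    taken = {name.lower() for name in existing}   # logon names are case-insensitive
    plan, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        year = row["EntryYear"].strip()
        sur, fore = clean(row["Surname"]), clean(row["Forename"])
        if not re.fullmatch(r"\d{2}", year) or not sur or not fore:
            rejected.append(row)                  # never guess at a bad row
            continue
        base = f"{sur}.{fore}"[:MAX_SAM].rstrip(".")
        sam, n = base, 1
        while sam.lower() in taken:               # clash: Smith.John2, Smith.John3 ...
            n += 1
            sam = base[:MAX_SAM - len(str(n))] + str(n)
        taken.add(sam.lower())
        plan.append({
            "sam": sam,
            "ou": f"OU={year},OU=Students,OU=User Accounts",   # relative to the domain
            "groups": ["Students", f"{year}_Students"],
            "home": f"{HOME_ROOT}\\{year}\\{sam}",
        })
    return plan, rejected
```

Because the home path is built only from the cleaned name and a validated year, a surname such as `..\..\Staff` cannot steer the folder outside the year group's directory.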

  15. #15

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,037
    Thank Post
    209
    Thanked 425 Times in 306 Posts
    Rep Power
    144

    Re: Active Directory Structure

    I've found Active directory will automatically create userfolders, and you can do it in bulk as well. We're running Server 2003 standard edition. There is also a built in utility in server 2003 for importing users in bulk, but I can't remember the name of it off hand.

    E.g for our homefolders.

    Highlight the students you want to create folders for,
    Right hand click and click 'properties',
    Select the Profile Tab,
    Tick the homefolder box, and set to connect H:\ to and enter the path as follows:
    \\servername\sharename\yeargroup\%username%

    This will create a folder named as the username of the users, set security on the folder and enter the correct information in AD. You can do the same with profiles, and also bulk edit information like logon scripts etc.

    You can only do this if you have one big share with all your users' directories in and use the security settings to control access. It will not create an individual share for each user's home folder.

    Mike.
