Subject: Grouper Users - Open Discussion List
Re: [grouper-users] Active Directory Organizational Unit Design
- From: Tom Zeller <>
- To: "Ward, Mike" <>
- Subject: Re: [grouper-users] Active Directory Organizational Unit Design
- Date: Tue, 27 Apr 2010 09:29:08 -0500
I'll have more detailed responses later regarding how Memphis uses
Grouper and AD/Exchange. For now, the windows-hied list is another
good resource for AD: http://www.windows-hied.org/
On Tue, Apr 27, 2010 at 3:34 AM, Ward, Mike
> Hello everyone,
> Feel free to let me know if these questions are off topic for this list. I
> tried searching the www.internet2.edu/grouper site but could not find a
> specific answer regarding these questions.
> We are in the process of designing an Enterprise Active Directory (EAD) for
> the entire university in a decentralized environment. Grouper will be used
> for the logic that controls and connects to our central user account
> database and Microsoft Forefront Identity Manager 2010 (previously ILM)
> synchronizes the accounts (and possibly groups) into EAD. If we can, we
> would like to keep our AD design as close as possible to the grouper
> design. My question is around Microsoft Organizational Unit (OU) design.
> Most of the OU design is agreed upon other than the location of user
> accounts. Currently we are debating putting all users, including students,
> into a single OU and scheduling scripts that apply permissions on user
> accounts versus putting the users into a departmental OU. The issue is that
> users often move around the university and/or may have several roles (e.g. a
> user might be a student but also teach and work for administration, or a VP
> may also be a professor and do research, etc.). So what do we do with user
> accounts in an OU that need to be managed by multiple departmental admins?
> Other questions that have come out of this discussion are:
> 1) What are other universities doing regarding AD design using grouper?
> 2) GPOs - We would likely need to use group policy security filtering
> to apply the user GPO. We would create a GPO for each department, give
> access to departmental administrators to modify the GPO for only their
> departments, then filter the GPO to only run for a specific group.
> Questions about performance were raised. Maybe this should be done through
> a third-party utility?
> 3) Remote administrators' user account access - It would simplify
> administration for departmental administrators to have accounts and groups in
> a departmental OU, instead of searching through all names. A possible
> workaround for having users in one OU is creating custom LDAP searches for
> departmental administrators. Other solutions or thoughts on managing a
> large number of users in one container vs. departmental OUs?
> 4) Do we want to apply permissions on the object level or the container
> level? What are MS best practices to control by OU vs. scripting?
> 5) Is it a security breach for all departmental admins to see all user
> account information? I believe that all authenticated users have read
> access anyway.
> I would really like to talk to any university that is doing a similar setup
> with grouper, particularly in regards to how active directory was setup.
> Thank you for any information you have regarding this.
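The two mechanisms the question sketches, a per-department GPO whose apply right is restricted to one group and whose edit right is delegated to that department's admins, plus a custom LDAP search that shows a departmental admin only their own users inside a single user OU, can be set up with the GroupPolicy and ActiveDirectory PowerShell modules. The following is an added example written for this page, not code from the list message or from Grouper; the domain `example.edu`, the OU `OU=Users,DC=example,DC=edu`, the department name `Chemistry` and the group names `GPO-Apply-Chemistry` / `GPO-Edit-Chemistry` are assumptions, and the script expects those groups to already exist.

```powershell
# Added example (not from the original message). Assumes the ActiveDirectory and
# GroupPolicy modules (RSAT) and a hypothetical domain example.edu with a single
# user OU; the department and group names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$dept       = 'Chemistry'                          # hypothetical department
$usersOU    = 'OU=Users,DC=example,DC=edu'         # hypothetical single OU holding all users
$applyGroup = "GPO-Apply-$dept"                    # hypothetical group: users the GPO applies to
$editGroup  = "GPO-Edit-$dept"                     # hypothetical group: that department's admins

# 1) One GPO per department, linked to the shared user OU.
$gpo = New-GPO -Name "User-$dept" -Comment "Per-department user settings, security-filtered"
New-GPLink -Name $gpo.DisplayName -Target $usersOU | Out-Null

# 2) Security filtering: a new GPO grants Authenticated Users "Apply" by default.
#    Lower that to Read (clients still need Read to process the policy) and grant
#    Apply only to the department's filtering group. -Replace is required to
#    reduce an existing, higher permission level.
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpo.DisplayName -TargetName $applyGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3) Delegation: the department's admins may edit this GPO only, not the others.
Set-GPPermission -Name $gpo.DisplayName -TargetName $editGroup `
    -TargetType Group -PermissionLevel GpoEdit | Out-Null

# 4) Custom LDAP search for a departmental admin: scope the query to the shared
#    OU and filter on the 'department' attribute, so the result set is only
#    that department's users rather than every account in the container.
$filter = "(&(objectCategory=person)(objectClass=user)(department=$dept))"
Get-ADUser -LDAPFilter $filter -SearchBase $usersOU -Properties department |
    Select-Object SamAccountName, Name, department
```

Reviewing the resulting ACL with `Get-GPPermission -Name "User-Chemistry" -All` confirms that only the department's filtering group holds Apply and only its admin group holds Edit; the same LDAP filter can be saved as a custom query in Active Directory Users and Computers so departmental admins work from a department-scoped view without moving accounts between OUs.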
- Active Directory Organizational Unit Design, Ward, Mike, 04/27/2010
- Re: [grouper-users] Active Directory Organizational Unit Design, Chris Phillips, 04/27/2010
- Re: [grouper-users] Active Directory Organizational Unit Design, Tom Zeller, 04/27/2010
- Re: [grouper-users] Active Directory Organizational Unit Design, Tom Barton, 04/29/2010