Grouper Users - Open Discussion List

[Tom Zeller <>]

I'll have more detailed responses later regarding how Memphis uses
Grouper and AD/Exchange. For now, the windows-hied list is another
good resource for AD : http://www.windows-hied.org/

TomZ

On Tue, Apr 27, 2010 at 3:34 AM, Ward, Mike 
<>
 wrote:
> Hello everyone,
>
>
>
> Feel free to let me know if these questions are off topic for this list.  I
> tried searching the www.internet2.edu/grouper site but could not find
> specific answer regarding these questions.
>
>
>
> We are in the process of designing an Enterprise Active Directory (EAD) for
> the entire university in a decentralized environment.  Grouper will be used
> for the logic that controls and connects to our central user account
> database and Microsoft Forefront Identity Manager 2010 (previously ILM)
> synchronizes the accounts (and possibly groups) into EAD.  If we can, we
> would like to keep our AD design as close as possible to the grouper
> design.  My question is around Microsoft Organizational Unit (OU) design.
>
>
>
> Most of the OU design is agreed upon other than the location of user
> accounts.  Currently we are debating putting all user, including students,
> into a single OU and scheduling scripts that apply permissions on user
> accounts verses putting the users into a departmental OU.  The issue is that
> users often move around the university and/or may have several roles (e.g. a
> user might be a student but also teach and work for administration, or a VP
> may also be a professor and do research, etc.).  So what do we do with user
> account in an OU that need to be managed by multiple departmental admin
> groups?
>
>
>
> Other questions that have come out of this discussion are:
>
> 1)      What are other universities doing regarding AD design using grouper?
>
> 2)      GPO’s – We would likely need to use group policy security filtering
> to apply the user GPO.  We would create a GPO for each department, give
> access to departmental administrators to modify the GPO for only their
> departments, then filter the GPO to only run for a specific group.
> Questions about performance where raised.  Maybe this should be done through
> a third-party utility?
>
> 3)      Remote administrators user accounts access - It would simplify
> administration for departmental administrator to have accounts and groups in
> a departmental OU, instead searching through all names.   A possible
> workaround of having user in one OU are creating custom LDAP searches for
> departmental administrators.  Other solutions or thoughts on managing a
> large amount of user in one container vs. departmental OU’s?
>
> 4)      Do we want to apply permissions on the object level or the container
> level?  What is MS best practices to control by OU vs. scripting?
>
> 5)      Is it a security breach for all departmental admins to see all user
> account information?  I believe that all authenticated users have read
> access anyway.
>
> I would really like to talk to any university that is doing a similar setup
> with grouper, particularly in regards to how active directory was setup.
>
>
>
> Thank you for any information you have regarding this.
>
> Mike
>
>