Grouper Users - Open Discussion List

[Tom Barton <>]

Mike,

Earlier this week Rob Carter & Shilen Patel from Duke gave a 
presentation at the Internet2 meeting about how Duke is using grouper to 
manage the permissions that people have over person objects and ou 
containers, which covers some of what you're asking about.

http://www.internet2.edu/presentations/spring10/20100426-grouper-carter.pdf

Tom

Tom Zeller wrote:
> I'll have more detailed responses later regarding how Memphis uses
> Grouper and AD/Exchange. For now, the windows-hied list is another
> good resource for AD : http://www.windows-hied.org/
>
> TomZ
>
> On Tue, Apr 27, 2010 at 3:34 AM, Ward, Mike 
> <>
>  wrote:
> > Hello everyone,
> >
> >
> >
> > Feel free to let me know if these questions are off topic for this list.  I
> > tried searching the www.internet2.edu/grouper site but could not find
> > specific answer regarding these questions.
> >
> >
> >
> > We are in the process of designing an Enterprise Active Directory (EAD) for
> > the entire university in a decentralized environment.  Grouper will be used
> > for the logic that controls and connects to our central user account
> > database and Microsoft Forefront Identity Manager 2010 (previously ILM)
> > synchronizes the accounts (and possibly groups) into EAD.  If we can, we
> > would like to keep our AD design as close as possible to the grouper
> > design.  My question is around Microsoft Organizational Unit (OU) design.
> >
> >
> >
> > Most of the OU design is agreed upon other than the location of user
> > accounts.  Currently we are debating putting all user, including students,
> > into a single OU and scheduling scripts that apply permissions on user
> > accounts verses putting the users into a departmental OU.  The issue is that
> > users often move around the university and/or may have several roles (e.g. a
> > user might be a student but also teach and work for administration, or a VP
> > may also be a professor and do research, etc.).  So what do we do with user
> > account in an OU that need to be managed by multiple departmental admin
> > groups?
> >
> >
> >
> > Other questions that have come out of this discussion are:
> >
> > 1)      What are other universities doing regarding AD design using grouper?
> >
> > 2)      GPO’s – We would likely need to use group policy security filtering
> > to apply the user GPO.  We would create a GPO for each department, give
> > access to departmental administrators to modify the GPO for only their
> > departments, then filter the GPO to only run for a specific group.
> > Questions about performance where raised.  Maybe this should be done through
> > a third-party utility?
> >
> > 3)      Remote administrators user accounts access - It would simplify
> > administration for departmental administrator to have accounts and groups in
> > a departmental OU, instead searching through all names.   A possible
> > workaround of having user in one OU are creating custom LDAP searches for
> > departmental administrators.  Other solutions or thoughts on managing a
> > large amount of user in one container vs. departmental OU’s?
> >
> > 4)      Do we want to apply permissions on the object level or the container
> > level?  What is MS best practices to control by OU vs. scripting?
> >
> > 5)      Is it a security breach for all departmental admins to see all user
> > account information?  I believe that all authenticated users have read
> > access anyway.
> >
> > I would really like to talk to any university that is doing a similar setup
> > with grouper, particularly in regards to how active directory was setup.
> >
> >
> >
> > Thank you for any information you have regarding this.
> >
> > Mike