Active Directory



  • So, I've been taking a couple IT-related classes at a local community college. Both classes are in a lab. In the first class, all 25-some computers are logged into the same account all day. The second class has a different login for each class section, though it's still the same account for the 25-some computers. I never really thought much of it since they are pretty much public computers anyway, until I noticed bookmarks in Chrome on the computer I use in the first class. Sure enough, someone synced Chrome to their Google account. I went to check my Gmail and lo and behold that was logged into as well. In the second class, we frequently use virtual machines. Several times, people have complained that the VM they were working on was deleted.




    I asked one of my instructors why students do not have individual logins. His response was that there wasn't enough money to provide resources for all the accounts. This college has almost 4000 students and 500 computers would be a generous estimate. Do domain controllers take that much hardware? What boggles me is that he said this is an improvement on how it used to be and that there used to be more of these issues.

    Please tell me that this isn't as common practice as this site makes me inclined to believe.



  • Hey, at least you can store files on the computers. Some schools just flat out delete everything when you log out.



  • In that environment, not using Active Directory, or at least some form of centralized management is costing them money.

    Hell, I have a Win2K3 Domain Controller on my 3 PC/laptop network at home.



  • Sounds like AD and network profiles are already in place.

    What they probably can't justify is the cost overhead of adding 4000 user accounts and the required network storage space that will generate as people download stuff.

    Plus, the client access licenses that Microsoft charges can get expensive. I'm guessing they opted for per-user licenses instead of per-machine licenses, and MS doesn't let you swap that.



  • @dynedain said:

    …cost overhead of adding 4000 user accounts and the required network storage space…

    If you don't create roaming profiles and home directories then AD user accounts require around 4k of disk space, which is hopefully trivial.

    @dynedain said:

    Plus, the client access licenses that Microsoft charges can get expensive. I'm guessing they opted for per-user licenses instead of per-machine licenses, and MS doesn't let you swap that.

    MS have lots and lots of options for licensing large sites, most of which include changing at least yearly. In any case, creating a user account in AD does not mean a license is automatically consumed. In fact, doing nothing on the computer consumes licenses since licensing is not a server feature any more - licenses are just pieces of paper in a filing cabinet. I don't know if the institution in the story is getting educational discounts or not but in my country a training college or university can access up to 90% discount. Since a Windows CAL is normally around $NZ 90 ($US 75), that is $NZ 9 per CAL. If they have picked per-user then they are idiots and should change to per-device. In other words, blaming "licensing" for not creating the accounts is just some sysadmin making up excuses for their laziness.

    As other posters have also pointed out, not using individual accounts is in fact costing them more in support costs and lost training time. A deleted VM that causes a student to lose time in labs will cost the institution reputation and sales.



  • @Ben L. said:

    Hey, at least you can store files on the computers. Some schools just flat out delete everything when you log out.

    I'm noticing that seems to be common in educational institutions. At other places I've been, if you want to save something, you have to save it to the mapped network drive or your flash drive. Anything on the desktop, my documents, pictures, etc. is removed on logout. Not that that's really a bad thing though.

    @Nexzus said:

    In that environment, not using Active Directory, or at least some form of centralized management is costing them money.

    Hell, I have a Win2K3 Domain Controller on my 3 PC/laptop network at home.

    The computers are managed by a domain controller, but there are just so few accounts. They did, however, spend the time to set up unattended deployments. The other instructor said it took him and four other students eight months to get it to the point where a lab can be deployed in an hour or two's time.

    @dynedain said:

    Sounds like AD and network profiles are already in place. What they probably can't justify is the cost overhead of adding 4000 user accounts and the required network storage space that will generate as people download stuff. Plus, the client access licenses that Microsoft charges can get expensive. I'm guessing they opted for per-user licenses instead of per-machine licenses, and MS doesn't let you swap that.

    The campus uses Windows 7 Enterprise on all the computers. I'll have to find out more details on the license.



  • @havokk said:

    If you don't create roaming profiles and home directories then AD user accounts require around 4k of disk space, which is hopefully trivial.

    I knew if roaming profiles were off, then it would take up less space. I didn't realize it would be so tiny.



  • @havokk said:

    I don't know if the institution in the story is getting educational discounts or not but in my country a training college or university can access up to 90% discount. Since a Windows CAL is normally around $NZ 90 ($US 75), that is $NZ 9 per CAL. If they have picked per-user then they are idiots and should change to per-device. In other words, blaming "licensing" for not creating the accounts is just some sysadmin making up excuses for their laziness.
     

    They are quite probably saving on CAL cost, not disk space. If they chose per account CALs, their current setup uses 2 of them, if they chose per computer CAL, they'd need 500. That's $44k they are not paying MS (without discount).

     Depending on where they are located and the type of institution, they are really saving money.



  • @Mcoder said:

    That's $44k they are not paying MS (without discount).

    They're a school. Unless they're unaccredited, why do you think they'd be paying full rate?



  • @blakeyrat said:

    @Mcoder said:
    That's $44k they are not paying MS (without discount).

    They're a school. Unless they're unaccredited, why do you think they'd be paying full rate?

    Okay, let's assume a 90% reduction in price. $4400. Still nontrivial when the alternative is $0.



  • @stapler117 said:

    At other places I've been, if you want to save something, you have to save it to the mapped network drive or your flash drive. Anything on the desktop, my documents, pictures, etc. is removed on logout. Not that that's really a bad thing though.
     

    Yes, it is. Their profile should be mapped to the network drive so anything stored in My Documents, Pictures, Desktop etc is seamlessly preserved.

    Making a user avoid specific user areas in favour of an unfamiliar drive letter strikes me as user-hostile, the product of lazy administration.

    @stapler117 said:

    @Nexzus said:
    In that environment, not using Active Directory, or at least some form of centralized management is costing them money.

    Hell, I have a Win2K3 Domain Controller on my 3 PC/laptop network at
    home.

    The computers are managed by a domain controller, but there are just so
    few accounts. They did, however, spend the time to set up unattended
    deployments. The other instructor said it took him and four other
    students eight months to get it to the point where a lab can be deployed
    in an hour or two's time.

    That's not centralised management - unattended deployments is process automation. It sounds like they're eschewing the centralised model for a fully self-contained silo-mentality sandboxed setup. I hope they don't extend this concept to teaching copy-pasta code.

     



  • @Mcoder said:

    If they chose per account CALs, their current setup uses 2 of them, if they chose per computer CAL, they'd need 500.

    There's no such thing as a per-account CAL. There's only user and device CALs. If you have 100 users and 50 client computers (servers, network printers etc. don't count), you need either 100 user CALs or 50 device CALs, regardless if all 100 users use the same login.



  • That's the point I was going to make - not giving an individual login makes no difference to the required licences.

    Also, if they stored files on a server (or used a SQL Server, or IIS) then these all need to be licensed per CPU or per person accessing it, no matter what mechanism they use for access, or whether they are logged in or not.

    Not sure I have a lot of confidence in the ability of the IT team and the OP's uni


  • Considered Harmful

    @stapler117 said:

    I didn't realize it would be so tiny.

    That's what she said.

    *sob*



  • Samba 4 is out of beta, costs nothing, and runs on Raspberry Pi hardware (though it apparently takes two days to compile). CALs cease to be an issue with a total cost of under $100.



  • @taustin said:

    Samba 4 is out of beta, costs nothing, and runs on Raspberry Pi hardware (though it apparently takes two days to compile). CALs cease to be an issue with a total cost of under $100.

    They're a community college. Where the fuck are they going to find someone to do that?

    The salary savings of hiring an AD admin compared to hiring a "Raspberry Pi data center builder/Samba 4 compiler dude" (assuming they can even FIND the latter) would more than pay for the CALs needed.

    Come on, people. It says "community college" right there in the OP. Use your loaf.



  • @blakeyrat said:

    @taustin said:
    Samba 4 is out of beta, costs nothing, and runs on Raspberry Pi hardware (though it apparently takes two days to compile). CALs cease to be an issue with a total cost of under $100.

    They're a community college. Where the fuck are they going to find someone to do that?

    The salary savings of hiring an AD admin compared to hiring a "Raspberry Pi data center builder/Samba 4 compiler dude" (assuming they can even FIND the latter) would more than pay for the CALs needed.

    Come on, people. It says "community college" right there in the OP. Use your loaf.

     I'm a Windows guy. Have been for a long, long time. I can make Windows sing and dance (literally, if you give me the hardware).

    I find the HowTos for Samba to be pretty straightforward and easy to follow. The only issue is a lack of explanation in one spot on Kerberos setup, but even that's not rocket science.

    And once you've got it provisioned, you do all the domain administration with . . . the Microsoft tools from a Windows desktop.

    If the computer lab of a community college can't handle it, they aren't qualified to teach a computer lab.



  • @taustin said:

    If the computer lab of a community college can't handle it, they aren't qualified to teach a computer lab.

    Duh.

    Haven't you ever been to a community college?



  • @blakeyrat said:

    @taustin said:
    If the computer lab of a community college can't handle it, they aren't qualified to teach a computer lab.

    Duh.

    Haven't you ever been to a community college?

    Yes. Took one computer class. I knew more going in than the instructor did. The guy who ran the lab, however, knew his ass from a hole in the ground.

    If I can figure Samba out, anybody who is qualified to teach a computer class, or be in charge of the computer lab, can. I repeat: if they can't figure it out, they're not qualified to teach a computer lab.

    Their problem isn't the cost of AD controllers. Infinite money to spend on AD controllers (or anything else, for that matter, including hookers and cocaine) will not solve the least of their problems.

