I’ve posed this question in an email to our AD administrator but I thought I would also post here in case someone else has experience with this issue.
I work in higher education. We are about to launch a campus-wide Intranet with SP13. Because of licensing issues, only faculty, staff, and student workers will be able to log onto the Intranet (until we get licensing to include students). Is there anything in AD that would differentiate a student from a student worker from faculty and staff we could use for authentication purposes?
This may be a question only our AD administrator can answer, as this may be unique to each institution, but conceptually, would the best approach be to create a custom field?
OK – so if you are using a ‘deny’ somewhere – that suggests that you have ‘authenticated users’ allowed somewhere – i.e., users are allowed by default, unless denied?
In which case, a possible answer is to use positive authorisation – i.e., remove ‘authenticated users’ completely, and give the equivalent permissions to ‘intranet users’ instead.
However, you would be best to do this at the site collection level – rather than a web app policy – in case you end up with a service account losing permissions due to removal of ‘authenticated users’ at that level.
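
One way to see where ‘authenticated users’ is currently granted before replacing it with a positive ‘intranet users’ grant, as an added example that is not part of the original thread. It assumes the SharePoint 2013 Management Shell on a farm server, inspects only the root web of each site collection (sub-sites with unique permissions are not covered), and the claims-encoded login names in `$BroadPrincipals` are assumptions for a Windows-claims web application.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Login names that stand for "every authenticated account" (assumed values:
# classic-mode name plus the Windows-claims encodings used by SharePoint 2013).
$BroadPrincipals = @(
    'NT AUTHORITY\authenticated users',  # classic-mode login name
    'c:0!.s|windows',                    # claims: all Windows-authenticated users
    'c:0(.s|true'                        # claims: Everyone
)

function Get-BroadGrant {
    param([Parameter(Mandatory = $true)] $Site)
    foreach ($assignment in $Site.RootWeb.RoleAssignments) {
        $member = $assignment.Member
        $roles  = ($assignment.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
        # A broad principal can be granted directly or sit inside a SharePoint group.
        if ($member -is [Microsoft.SharePoint.SPGroup]) {
            $hits = @($member.Users | Where-Object { $BroadPrincipals -contains $_.LoginName })
            $via  = "group '$($member.Name)'"
        } else {
            $hits = @($member | Where-Object { $BroadPrincipals -contains $_.LoginName })
            $via  = 'direct grant'
        }
        foreach ($hit in $hits) {
            New-Object PSObject -Property @{
                Scope = $Site.Url; Principal = $hit.LoginName; Via = $via; Roles = $roles
            }
        }
    }
}

$findings = @()
foreach ($site in Get-SPSite -Limit All) {
    $findings += @(Get-BroadGrant -Site $site)
    $site.Dispose()
}

# Web application user policies are reported but not changed, so existing
# Deny entries and service-account grants at that level stay visible.
foreach ($webApp in Get-SPWebApplication) {
    foreach ($policy in $webApp.Policies) {
        $roles = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
        $findings += New-Object PSObject -Property @{
            Scope = $webApp.Url; Principal = $policy.UserName; Via = 'web app policy'; Roles = $roles
        }
    }
}
$findings | Sort-Object Scope | Format-Table Scope, Principal, Via, Roles -AutoSize
```

The script only reads permissions; each row it prints is a place where access is either open to every authenticated account or controlled by a web application policy.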