I’ve posed this question in an email to our AD administrator but I thought I would also post here in case someone else has experience with this issue.
I work in higher education. We are about to launch a campus-wide Intranet with SP13. Because of licensing issues, only faculty, staff, and student workers will be able to log onto the Intranet (until we get licensing to include students). Is there anything in AD that would differentiate a student from a student worker from faculty and staff we could use for authentication purposes?
This may be a question only our AD administrator can answer, as this may be unique to each institution, but conceptually, would the best approach be to create a custom field?
But how would we give permission to student workers and not students?
Additionally, we will need to set this as a web app policy. Individual colleges will be given control over their own site collections. Our central IT administration can dictate a policy that students aren’t allowed, but the individual site collection administrators could easily ignore that policy, which is why we would like to control it at the web app level.
One idea I suggested to our AD admins is to create a new “employee” security group. We could write a PowerShell script to bulk move employees to this group, then we could authenticate against this group. What do you think of that idea? Any drawbacks?
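
The employee-group idea in the post, sketched as an added example (not the poster's code): it reconciles group membership on every run instead of doing a one-time bulk add, so accounts that stop qualifying are removed. It assumes the directory marks employment in the `employeeType` attribute; the group name, OU paths and attribute values are hypothetical placeholders.

```powershell
# Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumptions (not from the original post): every value below is a placeholder
# for whatever the institution actually uses.
$GroupName    = 'Intranet-Employees'
$GroupOU      = 'OU=Groups,DC=example,DC=edu'
$SearchBase   = 'OU=People,DC=example,DC=edu'
$AllowedTypes = @('Faculty', 'Staff', 'StudentWorker')

# Create the security group once if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}

# Desired members: enabled accounts whose employeeType is in the allowed list.
$desired = @(Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties employeeType |
    Where-Object { $AllowedTypes -contains $_.employeeType })

# Current direct user members of the group.
$current = @(Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' })

$desiredDNs = @($desired | ForEach-Object { $_.DistinguishedName })
$currentDNs = @($current | ForEach-Object { $_.distinguishedName })

# Diff the two sets so only the changes are written to the directory.
$toAdd    = @($desiredDNs | Where-Object { $currentDNs -notcontains $_ })
$toRemove = @($currentDNs | Where-Object { $desiredDNs -notcontains $_ })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    # Removal matters as much as the bulk add: a student worker whose job ends
    # should lose Intranet access on the next run.
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}

"{0} added, {1} removed" -f $toAdd.Count, $toRemove.Count
```

Run on a schedule, a script like this keeps the group aligned with the directory attribute, so access decisions made against the group do not drift as people change roles.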