Benefits of joining your computer to IU's ADS domain

In most cases, Windows computers directly on the Indiana University network (that is, physically connected, not via wireless or off campus) should be joined to IU's ADS domain if at all possible. Some departments make this a requirement, while others do not; as a rule, however, UITS recommends it.

In general, a computer should be joined to the ADS domain under the following circumstances:

  • If you or other users wish to take advantage of one-time-per-session domain authentication (for example, if Microsoft Outlook is used regularly to access Exchange accounts, or if users regularly map drives or print to networked printers), the computer should be joined. Otherwise, you and the other users will need to enter your passwords separately for each service or resource you access.
  • If the local UITS support person or departmental administrator controls computer and network security through Group Policy Objects (GPOs), the computer must be joined.
  • If many different IU users use the computer, it should be joined. Otherwise, you will have to create a local account for each individual user, or one "general" local account that's accessible by everyone. This last option is not very secure, as each user would have access to the files of everyone else, and everyone would know the single login name and password.

However, you may not want to join the computer to the ADS domain in some cases:

  • If the computer is portable or otherwise accesses the network wirelessly, you may want to avoid joining. If you don't join, you won't get the benefits mentioned above (once-per-session domain authentication, security through GPOs, network management of user accounts), but you will simplify the login process. If you use the computer mostly or entirely off campus, there is little reason to join the ADS domain. Weigh the benefits of doing so against the complication of the login process.
  • If there is a clear and imperative need to disallow any domain management of the system, no matter how minute, then a computer should not be joined. This is an extremely rare and narrow situation; the few GPOs that exist on almost any network are usually security policies that users should set on their own. Even so, no one can eliminate the possibility that a program somewhere will break if it depends on a system setting that the GPO changes. If this situation does occur, you will ordinarily know without question that a GPO's implementation is what is breaking the application.

This is document apnt in the Knowledge Base.
Last modified on 2024-04-15 16:11:50.