I work for a school of similar size. My recommendation:
Focus on the network infrastructure as the first priority. Get beyond consumer-level switches and internet access by implementing, say, a Cisco ASA 5505 firewall combined with a Squid web proxy to do edge and HTTP filtering and VPN connectivity.
An ASA 5505 is probably less than $500 with a support contract, and Squid is open source. You have to build it on a decent machine, but you can use it with Cisco's WCCP protocol, which redirects HTTP requests to the proxy for approval, but if the proxy machine dies, the system "fails open", meaning access is still allowed.
Connect that to a main backbone switch. I recommend, say, a Cisco 2960 48-port switch. Get any other random switches and the wireless APs plugged back into it. This type of managed switch will prevent switching loops and gives extensive monitoring capabilities if there are problems, as well as providing security mechanisms.
Yes Cisco gear is expensive and can be intimidating to set up when you are new to it, but it is solid, feature rich, and conforms to every network protocol out there. It can be the foundation of resilient networking.
I'm guessing the wireless network is shabby and performance sucks. Run around with netstumbler and see what is interfering and how the wireless range is. Be sure to configure the radios to use the non-overlapping frequencies of channels 1, 6, or 11.
Server? A modest Dell or HP rack server for $4K or $5K with Windows 2008 R2 will work fine. You can use it for user and group management, group policies, print serving, file serving. Get as much RAM and the fastest hard drives you can afford. Sure, *nix-based systems will work too. Supporting it in the future if you aren't around might be trickier than finding a MS admin.
I'd virtualize that server on a VMware ESXi install, and size the physical server so I can add another guest machine.
Don't forget to plan for power supply, UPS, and heat mitigation in equipment areas. Enterprise grade gear gets hot fast and uses plenty of power.
No reason to not use both local file storage and Google Docs, if they want. Let the users' needs drive their particular situation.
Antivirus? Probably something that's managed in the cloud, or not managed at all, like MSE? Maintaining a Symantec or Sophos enterprise install is a pain in the ass and licensing is hugely expensive. Give them MSE, take away admin privileges from their user accounts on their local PC, and call it mitigated. Without admin rights they'll have to try a lot harder to get infected.
Trick here is budget I'm sure. Convincing management that IT is important infrastructure that will break fast and catastrophically if not done correctly is key.
Best Answer
We do something very similar using GADS. Our course group email addresses are prefixed with "course.". Your regexes would match groups which contain those, and not match groups which do not contain them. Instead, use a negative lookahead regex.
Under "Google Apps Configuration", "Exclusions", choose "Add Exclusion Rule". Select Type "Group Email Address" and Match Type "Regular Expression". Use
^(?!school-).+
as the expression rule. This will exclude all Google Apps groups with email addresses that do not begin with the string "school-".
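An exclusion expression like the one above can be checked against a list of group addresses before it goes into a sync tool. The following is an added example in Python, not part of the original answer and not GADS code. It assumes a rule excludes an address when the expression matches the whole address. The addresses, the example.edu domain, the positive comparison rule and the case-insensitive run are all constructed for illustration.

```python
import re

# Exclusion expression from the answer above (negative lookahead).
EXCLUDE_UNMANAGED = r"^(?!school-).+"
# Hypothetical positive rule for comparison: used as an exclusion it removes
# exactly the groups that were meant to stay in scope.
EXCLUDE_POSITIVE = r"^school-.+"

# Constructed sample addresses; example.edu is a placeholder domain.
SAMPLE_GROUPS = [
    "school-math101@example.edu",
    "school-staff@example.edu",
    "teachers@example.edu",
    "preschool-parents@example.edu",  # contains "school-" but not at the start
    "School-band@example.edu",        # differs from the prefix only in case
]


def partition(pattern, addresses, flags=0):
    """Split addresses into (excluded, in_scope) for one exclusion rule.

    Assumption: an address is excluded when the expression matches the
    whole address, which is what re.fullmatch tests here.
    """
    rule = re.compile(pattern, flags)
    excluded = [a for a in addresses if rule.fullmatch(a)]
    in_scope = [a for a in addresses if not rule.fullmatch(a)]
    return excluded, in_scope


def report(label, pattern, flags=0):
    """Print which sample groups a rule would exclude and which it leaves."""
    excluded, in_scope = partition(pattern, SAMPLE_GROUPS, flags)
    print(f"{label}: {pattern}")
    for addr in excluded:
        print(f"  excluded  {addr}")
    for addr in in_scope:
        print(f"  in scope  {addr}")


if __name__ == "__main__":
    report("negative lookahead", EXCLUDE_UNMANAGED)
    report("positive rule (inverted result)", EXCLUDE_POSITIVE)
    # Case matters: without IGNORECASE, School-band@ is treated as unmanaged.
    report("negative lookahead, case-insensitive", EXCLUDE_UNMANAGED,
           re.IGNORECASE)
```

The run shows two things worth checking in a real address list: a group whose name merely contains the prefix (preschool-parents@) is still excluded, and a group that differs only in letter case is excluded unless the match is case-insensitive.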