19th June 2008, 05:31 PM #1
Network Access - who gets what?
Hi.
I was wondering what sort of access people at your schools/colleges get.
What I mean is, outside of techies, network admins, etc., who else gets domain admin or even admin access?
Bits of internal politics happening here, and I think there's a chance that the head of ICT will demand from the head domain admin access 'because he needs it', and also wants me to document things for him to do if I'm not here for worst case scenarios. (His old fix when I wasn't here of pulling the power and restarting won't quite work with our new blade based network.)
Personally, I just want to make him an account with access to things he 'needs' (printer queues, kids' work folders, kids' internet logs, etc.) and then nothing else.
How does it work at your places? Does anyone but IT technical staff have 'full access'? And if so, how do you manage it?
I am actually seriously considering walking if the head decides that he (Head of ICT) should have domain admin access.
Thoughts?
-
-
19th June 2008, 05:37 PM #2
No-one but IT tech. support has admin access here. I don't see why anyone else would need it. Outside that we have the usual staff shares etc. which staff can access but not students.
When the last head of IT came about 7 years ago he asked for it and I politely declined. He wasn't over bothered. I have started to give staff read only access to student folders so they can look for work etc.
What "admin" tasks does your head of IT want to do?
I think I'd be pretty miffed if the head made me give admin access to anyone else.
-
-
19th June 2008, 05:43 PM #3
He's justifying it by it being just me there. No helpers.
So it's a 'what if you're not here' scenario.
So he wants training on building workstations, what to do if.
He says he'll never use it. But last time he had access before I cut him off, he started storing all manner of rubbish on the server, amongst other messes he made.
I was planning on, as said, a 'power login' to do stuff like student logs and whatnot, some light documentation saying this is how to image a workstation and some stuff about this is what each server does. And that'd be it.
But I think he wants it more in depth than that. I'm reluctant to tbh.
Especially the domain admin access. There's no accountability, and as I'm the only one here, if he messes up, it's all on my head.
How they'd expect me to admin the network when the goal posts keep moving I don't know.
He's justifying it by 'I've done it in the past successfully'. Yes, on a one server network, not on a network like what's going in over summer.
The head did back me last time he wanted access, but I'm not so sure now.
-
-
19th June 2008, 05:48 PM #4
Here it is only IT Support who have Domain Admin rights; staff have local administrator rights over their networked laptop but that's as far as it goes.
Technically if the head requests administrator access, they should be given it. Not sure about anyone below that (or that's how it was said to me when I first joined, that's not to say I would stick with that idea though).
-
-
19th June 2008, 05:52 PM #5
Can't say I blame you - yes I can see the point of some kind of power user to reset passwords (ours have a little custom mmc) etc but full admin just isn't justified in my book (and I'm not some BOFH - I really do try to help 'em where possible).
Is he really going to build workstations etc? Workforce reform says clearly that teachers should not be doing things that aren't teaching and learning. Hell I can't even get ours to amend N's in the register!
As I said earlier I just can't see a reason why a teacher needs admin access - not because I don't trust them just because I can't see how having it helps them.
-
-
19th June 2008, 05:54 PM #6
Just allow him power user access which should allow him access to the things he wants.
I would also have a quiet word with the headteacher and emphasise the fact that the head of ICT if given domain admin rights would be able to look at everything, including any secure documentation that the Headteacher or anyone else for that matter keeps on the servers.
Security is a must and you have to stress this to your Headteacher as he/she is legally responsible for the school's data.
-
-
19th June 2008, 06:04 PM #7
Just the techs here.
I have made up some documentation that is pinned on my wall - Server schemas - just details drives and sizes, shares on the server, backup plan, IPs - things like that. Partly so that if anything fails I can always restore with confidence and partly because if I'm not there and something goes wrong.
What we have done is created 'systemadmin2' with a random password and stored it in a sealed envelope in the school safe. That way if we're off, something goes wrong then the school can call in the County and they have access to a full admin account if they need it. It is there for this purpose only - no one else can open it.
-
-
19th June 2008, 06:05 PM #8
Only techies here have admin rights, there are two of us though. Could you compromise and put the admin password in a locked safe, so if the unfortunate happened to you, and someone else had to step in they could?? As for day to day stuff, only give him the access he needs not wants!!
-
-
19th June 2008, 06:15 PM #9
I scared mine off by pointing out if anything went wrong then BOTH of the domain admins would get the blame, and I was the one who was properly trained.
-
-
19th June 2008, 06:17 PM #10
Only ICT Support have administrator privileges.
The ICT Staff are able to change student passwords.
No members of staff have access to any student work areas.
All staff other than the ICT Department have the same privileges and logon as a student. This way I can guarantee when a member of staff tries something before a lesson they are certain that it will work for students when the lesson takes place. This is the same for internet filtering also; all staff and students have the same access.
-
-
19th June 2008, 06:34 PM #11

Originally Posted by joe90bass
Could you compromise and put the admin password in a locked safe, so if the unfortunate happened to you, and someone else had to step in they could??
That's how it is now.
I'm hoping he'll be happy with the power user thing.
He wants:
1 - Access to backups
2 - Create new users.
3 - Move users in/out of the internet ban OU.
4 - Access to internet logs for the kids.
5 - Delete/manage printer queues.
6 - Access to kids work
7 - Access to internet filters
Now num 1 is a non issue as we have shadow copies and he knows how to use it. 2 & 3 can be done by delegating in AD. 4 should be possible as I can have the staff's internet go through the ISA and the kids through the VLE.
5 is simply an issue of giving him the printer security rights.
6 I can map a shared drive or two.
& 7 is similar to 4 as he can do that how it is with the VLE.

Originally Posted by jcollings
Is he really going to build workstations etc? Workforce reform says clearly that teachers should not be doing things that aren't teaching and learning. Hell I can't even get ours to amend N's in the register!
Is that info online anywhere?

Originally Posted by bossman
Just allow him power user access which should allow him access to the things he wants.
I would also have a quiet word with the headteacher and emphasise the fact that the head of ICT if given domain admin rights would be able to look at everything, including any secure documentation that the Headteacher or anyone else for that matter keeps on the servers.
Security is a must and you have to stress this to your Headteacher as he/she is legally responsible for the school's data.

I've been accused of being too security centric, even though I haven't done anything to limit what they can do. Merely lock out what they don't need.
The way I see it:
- No accountability with him having the access.
- Problems are on my head if he messes up.
- It's not good practice to do so.
- It makes my job harder as he could change things by accident.
- Data security, such as admin staff work, containing financial records, would be able to be accessed by him too.
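
Items 2 and 3 of the list in the post above ("delegating in AD") could be granted to a single security group instead of through domain admin membership. This is an added example, not part of the original thread; the domain, OU and group names are hypothetical placeholders, and it assumes the ActiveDirectory PowerShell module and dsacls are available on the admin workstation.

```powershell
# Added example. Every name below (domain, OUs, group) is a hypothetical placeholder.
Import-Module ActiveDirectory

$domainDN  = 'DC=school,DC=example'
$studentOU = "OU=Students,$domainDN"
$banOU     = "OU=InternetBan,$domainDN"
$groupName = 'ICT-Delegated'
$trustee   = "SCHOOL\$groupName"

# One group carries the whole delegation, so access is granted or revoked
# by changing its membership rather than by editing ACLs again.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,$domainDN"

# Items 2 and 3: creating a user needs create-child (CC) on the OU; moving a
# user needs delete-child (DC) on the source OU, create-child on the target
# OU, and write access to the object's naming attributes (cn, name).
# /I:T applies to the OU and everything below it, /I:S to child objects only.
# Note: DC;user also permits deleting accounts inside these two OUs.
foreach ($ou in $studentOU, $banOU) {
    dsacls $ou /I:T /G "${trustee}:CCDC;user"
    dsacls $ou /I:S /G "${trustee}:WP;cn;user"
    dsacls $ou /I:S /G "${trustee}:WP;name;user"
}

# Item 2, continued: let the group set passwords on student accounts only.
dsacls $studentOU /I:S /G "${trustee}:CA;Reset Password;user"

# Review: list the entries that now name the group on each OU, and confirm
# the group itself is not a direct member of any privileged group.
foreach ($ou in $studentOU, $banOU) {
    dsacls $ou | Select-String $groupName
}
Get-ADPrincipalGroupMembership -Identity $groupName | Select-Object Name
```

Nothing here touches OUs holding staff or admin accounts, so the delegated group cannot reset or move those accounts.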
-
-
-
19th June 2008, 06:53 PM #12
Been where you might be heading and would never want to go there again, I'd quit before it happens again. Had no end of grief getting anything done because of the constant conflicts I would come up against because the ICT teacher decided something was more convenient for him even if it screwed things up for everybody else.
Best one was his home folder that became so big that the backups failed due to lack of space (he was single-handedly storing 44GB of crap, twice as much as the other 200 users combined). Had to take his files out of the backups so that the others would fit because he refused to delete anything, and he refused to cough up for additional storage... you can guess what happened and who got a bollocking for it.
The irony is that he spent 1500 quid on software he never used whilst an extra hard drive would have cost £50 and would have saved his ass!
Don't compromise, it's not worth the grief you end up with!
-
-
19th June 2008, 06:57 PM #13
Is this guy new? If not, where did all this come from? Why is he shouting now?
-
-
19th June 2008, 07:09 PM #14
Originally Posted by boomam
I've been accused of being too security centric,
One man's security is another man's inconvenience. You need to take this matter to the manager who oversees you both; your job is to run the network, this fella wants you to compromise what you do to make his job easier. You need to find out what your manager thinks and ask him how you should do your job in light of this bloke making demands.
-
-
19th June 2008, 07:25 PM #15
Originally Posted by boomam
Is that info online anywhere?
Teachernet, Key steps
This lists the tasks that should not be routinely undertaken. Half way down is this:
- ICT trouble shooting and minor repairs
- Commissioning new ICT equipment
-