Results 16 to 30 of 45
General Chat Thread, IT Teachers and Computer rights in General
  1. #16

    bossman's Avatar
    Quote Originally Posted by mb2k01 View Post
    This fireproof safe idea is something I don't operate, but am 50/50 on. The only time it would ever need to be utilised is if the entire network admin team were blown off the face of the earth - in which case the server room they are based next to would have gone with them!
    What if the server room has been specifically designed not to be next to the IT office which should always be the case so in the eventuality the IT team are incapacitated all is not lost.
    Data centres are usually designed this way so half of the machine room exists across another part of the building and so too the trained workforce, any damage to that part of the building only takes out half the usability.


  2. #17
    mb2k01's Avatar
    Quote Originally Posted by bossman View Post
    What if the server room has been specifically designed not to be next to the IT office which should always be the case so in the eventuality the IT team are incapacitated all is not lost.
    Data centres are usually designed this way so half of the machine room exists across another part of the building and so too the trained workforce, any damage to that part of the building only takes out half the usability.

    What I meant was, the only reason for needing a password in a fireproof safe is if the ENTIRE technical support team was eradicated - literally no one left available to the school who could access the server without that scrap of paper. In which case, as I said, in the case of small schools it would be a good idea to follow the procedure.

    In my situation, and other schools with two or more support people, the only way that a password on a scrap of paper would be appropriate is if the ENTIRE support team was to encounter some simultaneous catastrophic accident causing death to each of them - which unless the whole support team regularly travel together, is highly unlikely.

    Even with both of those paragraphs put together, I would STILL not ever write down the top-level domain administrator account! I would only write down an account capable of performing delegated top-level administrative tasks and was audited, which would allow a competent administrator to rebuild the network and perform admin tasks in a disaster!

  3. #18

    localzuk's Avatar
    Quote Originally Posted by srochford View Post
    Just out of interest, what bit of the DPA says a teacher is less likely to be trustworthy in terms of access to data than a member of the IT Support Team?
    The bit where it says that access to information should be restricted purely to those who require access to it. Network admin requires access to everything to keep it running. An IT teacher does not.

    Quote Originally Posted by mb2k01 View Post
    This fireproof safe idea is something I don't operate, but am 50/50 on. The only time it would ever need to be utilised is if the entire network admin team were blown off the face of the earth - in which case the server room they are based next to would have gone with them!
    In some schools (especially smaller ones) I can see it being a good idea - as long as there was clear understanding it wasn't to be used without written authorisation from the actual administrator or the headteacher.
    As far as I'm aware, the fireproof safe thing is a LEA advised (or in some cases, required) thing.

  4. #19

    elsiegee40's Avatar
    I'm from a very small school - 40 machines including the server.

    The ICT teacher has no admin rights and neither do I day-to-day. I have an admin account (password locked in safe) that I use when I need admin rights, but generally I can manage with standard staff rights (plus my admin account using remote desktop)

    Due to the sensitivity of data that can be accessed with admin rights, there is absolutely no way that anybody should routinely be using such an account... and definitely not a teacher. If his permissions do not allow him to do his job - security options may need to be tweaked, but using admin rights as an easy fix is not the solution.

    Might I add, it makes a pleasant change to have a HT that is aware of data security and is asking for the right thing. Too often we hear the opposite on here and SLT are not aware of the data security implications and demand privileges for themselves or others that they shouldn't have.
    Last edited by elsiegee40; 21st July 2009 at 05:37 PM.

  5. #20

    maniac's Avatar
    Quote Originally Posted by spiderz View Post
    Hey guys, I'm a Network Manager at a fairly small special school in Durham, we only have about 65 machines. The head gave me strict instructions last night to change all our administration passwords and change the IT teacher from an Administrator back to a normal staff user due to a few complaints he has had against this particular teacher. When the head explained the situation to the teacher he kicked up a massive fuss and sent numerous letters to both the school governors and his union.

    He also mentioned that if we were a mainstream school we would require 2 administrators, is this true?
    So I was just wondering, do the IT teachers in your school have admin rights? And also how many administrators do you have in your school?


    Thanks
    Ian
    We have several administrative accounts on our system.

    The main Administrator account is never used, the password for it is ridiculously complex, and it is on a piece of paper inside a sealed envelope in the school safe, together with all the other service account passwords that may be needed in the event of an emergency when there were no other IT staff in the building and they had outside support in for whatever reason.

    There are 3 of us here, and we all have an admin account each. It can't do absolutely everything, but it can do everything that is needed on a day to day basis. They are specially tailored so they can only reset the passwords of accounts below them in ranking, so there's no danger of one of us going mental and locking everyone else out of the system or something like that. These admin accounts are different to our normal day-to-day accounts and are used specifically for administration tasks and logging onto servers with.

    In my experience it is unusual for a teaching member of staff to have administrative privileges on a school network, there's a lot of issues surrounding this, data protection being just one of many that would need to be addressed.

    The other major difference between a member of technical staff and a member of teaching staff is the teaching staff are much more likely to leave the machine logged on, or accidentally without realising it give away the password to a whole class of students by typing it into the user name box instead of the password box while being displayed on a projector (oh yes it has happened). Incidents like that do need consideration when deciding on appropriate rights to give someone on a system.

    Start with the minimum needed and add bits as necessary, not the other way round.

    Mike.

  6. #21

    garethedmondson's Avatar
    In my school I have the main admin passwords and so does the one technician. Nobody else does.

    Teachers can change pupil passwords using the LEA supplied SMS interface which they can access. They cannot change teacher passwords.

    I agree that teachers do not need the admin password - but in my case I am Network Manager so have them. I don't use it though and log in as my staff password in the majority of cases. When I'm working on the network side of things I do use the admin account.

    Can anyone tell me the difference between the Domain Admin and an Enterprise Admin account? I am a Domain Admin, but the LEA are our Enterprise Admins. I assume they are higher so have more control.

    As an interesting aside - what would you do if you wanted a lower technician to not have as much power as a Domain Admin? What would you set them up as? The ability to:

    Edit printers/queues
    Change passwords
    Build machines
    but not edit the AD or create GPOs

    GJE
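
    Added example, not part of the original posts: one way to set up the limited technician role asked about above (change passwords and build machines, but no AD editing or GPO creation) using OU-scoped delegation instead of Domain Admins membership. The domain `school.local` (NetBIOS `SCHOOL`), the OUs `Pupils` and `Workstations`, and the group `Junior Technicians` are assumed names; printer management is granted on the print server's own security settings rather than in AD and is not scripted here.

```powershell
# Added example, not from the thread. All names below are assumptions:
# domain school.local (NetBIOS SCHOOL), OUs Pupils and Workstations,
# group "Junior Technicians". Run once from a Domain Admin session.
Import-Module ActiveDirectory

$domainDN  = 'DC=school,DC=local'
$pupilOU   = "OU=Pupils,$domainDN"
$pcOU      = "OU=Workstations,$domainDN"
$groupName = 'Junior Technicians'
$trustee   = "SCHOOL\$groupName"

# 1. Security group that carries the delegated rights. Technicians' separate
#    admin accounts are added to it instead of to Domain Admins.
New-ADGroup -Name $groupName -SamAccountName $groupName `
    -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"

# 2. Change passwords: applies only to user objects below the pupil OU (/I:S),
#    so staff and admin accounts held elsewhere cannot be reset by this group.
#    pwdLastSet allows "must change at next logon"; lockoutTime allows unlock.
dsacls $pupilOU /I:S /G "${trustee}:CA;Reset Password;user"
dsacls $pupilOU /I:S /G "${trustee}:WP;pwdLastSet;user"
dsacls $pupilOU /I:S /G "${trustee}:WP;lockoutTime;user"

# 3. Build machines: may create computer objects in the workstation OU,
#    which is what joining a freshly built PC to the domain needs.
dsacls $pcOU /G "${trustee}:CC;computer"

# 4. "Not edit the AD or create GPOs": warn if the group is a direct member
#    of any built-in group that would grant exactly that.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Group Policy Creator Owners', 'Account Operators'
$direct = Get-ADPrincipalGroupMembership -Identity $groupName |
    Select-Object -ExpandProperty Name
$overlap = @($direct | Where-Object { $privileged -contains $_ })
if ($overlap.Count -gt 0) {
    Write-Warning "$groupName is a member of: $($overlap -join ', ')"
}

# 5. Review what was granted on each OU.
dsacls $pupilOU | Select-String -SimpleMatch $groupName
dsacls $pcOU    | Select-String -SimpleMatch $groupName
```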

  7. #22
    Mr.Ben's Avatar
    I have 3 admin accounts - one held by the local authority IT team (In case a bus gets in my way), and two of my own - One that I occasionally have to log into in front of people to get things done.

    I also work in a small special school, although I have an almost 1:1 ratio of PC's and Laptops - 140 PC's, 150 kids.

    The extra account of my own is purely just in case the main account is damaged or (more likely) a kid decides it would be a good idea to enter my password wrong 5 times and lock me out for 20 mins when I need to do something.

    Plus there is a copy of it all in the Fireproof Safe.

  8. #23

    Quote Originally Posted by localzuk View Post
    The bit where it says that access to information should be restricted purely to those who require access to it. Network admin requires access to everything to keep it running. An IT teacher does not.
    Playing devil's advocate a bit, but there are lots of situations where teachers will require access to pupil names, addresses etc and almost none where an IT person needs that access (they need to be able to backup data etc but there's no reason for them to have access to the information contained in those files)

    I'm guessing this follows on from the thread elsewhere where someone asked about if IT staff should have access to the head teacher's home area.

    Ultimately, it comes down to trust.

  9. #24

    witch's Avatar
    I have one admin account at each school - in one I am the only one who knows it as there is no IT co-ord and in the other it is me and the IT co-ord - yes, he is a teacher, but he is very trustworthy and would never attempt to do anything for example to AD or group policy. He does any user name changes or password stuff when I am not here - as a part-timer someone has to do things then - I would not allow other teachers the ability to change passwords etc as somehow they would muck that up too....
    In that school I would NOT allow the head or deputy anywhere near my server/network as they could not be trusted: one knows a bit about IT and would mess it up, the other knows nothing and... would mess it up

  10. #25
    BaccyNet's Avatar
    Ahh an argument I've had with many an IT Teacher/Head of IT
    Only myself and the NM have admin rights over the entire network, everyone else, including SMT have standard teacher accounts.
    Usually the only reason they want admin rights is to change a load of settings on the computers in their room, easily remedied by giving them a staff laptop with local admin rights.

  11. #26
    mb2k01's Avatar
    Quote Originally Posted by garethedmondson View Post
    Can anyone tell me the difference between the Domain Admin and an Enterprise Admin account? I am a Domain Admin, but the LEA are our Enterprise Admins. I assume they are higher so have more control.
    A member of the Domain Admin group has full administrative privileges to make changes in the domain for which it is the admin.

    A member of the Enterprise Admin group has full administrative privileges to make changes to the entire forest and any domains in it.
    (Hope that's right!)

  12. #27
    PEO's Avatar
    All admin passwords are in the school safe for HT DHT and My line manager. My line manager also has a technician account but it's only to be used in extreme situations.

  13. #28

    Thanks for the replies. Both the Dept. Head and Headteacher have admin rights at the moment. It seems from the replies your views are similar to mine. The main problem is that he was both IT Teacher and Network Manager before I was employed (I was employed because he didn't have enough time to complete his teaching duties).

    Thanks again!

  14. #29
    mb2k01's Avatar
    Why do those teaching and leadership colleagues have administrative access?! That's madness!
    You should find out what it is they want to do under their existing privileges exactly and start working on a delegated permission allowing them to do it under a non-administrative account.

    You have a whole list of reasons to want to do this - reduce risk of accidental damage, accidental data loss, increase security, prevent viruses etc etc.

  15. #30

    GrumbleDook's Avatar
    A few quick points ... partly summarising comments from others.

    1 - The 24 tasks are quite clear as to what a teacher can't do.
    • ICT trouble shooting and minor repairs
    • Commissioning new ICT equipment
    • Ordering supplies and equipment: teachers may be involved in identifying needs
    • Managing pupil data: teachers will need to make use of the analysis of pupil data
    • Inputting pupil data: teachers will need to make the initial entry of pupil data into school management systems.

    These are the key tasks I thought I would highlight. Notice it does not mention anything about managing ICT / IT or even doing planning / design work. However, neither managing nor planning needs to include admin access. Some of the management of ICT / IT is part of the Leadership strand anyway ... so if they are not paid on the Leadership spine then they are not paid to manage it. TLRs are for Teaching and Learning ... although many schools seem to have wangled their way around paying people for doing work they are either not doing or shouldn't be doing.

    2 - Never use the Domain (also read Enterprise) Admin account except when doing some *very* specific task, such as significant upgrades or role changes of servers / DCs. MS has some darn good advice on this (go search on Technet) and folk have already pointed to some of these articles.

    3 - You should have alternative domain level accounts in reserve in case the Domain Admin account goes pear-shaped. These should not be used either but details recorded, locked away and only used in emergencies.

    4 - You should have relevant accounts with delegated control. If you are installing software (eg Backup software) then use the backup software account to install it. This will make sure you have the right access to services etc. For admin work have a personal admin account that you only use when needed and then have your everyday account which only has the 'right' access for simple admin tasks such as change password etc.

    5 - The Head is the Boss. When he says who can and can't have access follow their instructions when locking things down, but only open things up if there is a clear and direct need. "Just in case" is not a good reason and pointing out the good practice measures above is the best way to show that you *want* to do what they have asked / ordered but it really works better if you do it the way that MS designed it to work. However, the Head is the Boss and unless you want to take it to the Governors then do what the Boss says (examples of when not to follow the instructions include giving full rights to the SIMS server, the file server with access to all the pay details, the file server which has the Head's home area on ... in fact there are lots of examples and once you point out the stuff about Pay and the Head's home area then common sense tends to prevail IMHO!)

    6 - If they ask for admin access then ask if you can conduct an OFSTED style inspection of them teaching. It is a tongue in cheek comment ... but it can be used to point out that people have different specialisms and whilst there is an overlap ... it doesn't mean it should be done!

  16. 2 Thanks to GrumbleDook:

    elsiegee40 (22nd July 2009), skunk (22nd July 2009)
