General Chat Thread, IT Teachers and Computer rights in General; Originally Posted by mb2k01
This fireproof safe idea is something I don't operate, but am 50/50 on. The only time ...
21st July 2009, 04:19 PM #16
21st July 2009, 05:10 PM #17
What I meant was, the only reason for needing a password in a fireproof safe is if the ENTIRE technical support team was eradicated - literally no one left available to the school who could access the server without that scrap of paper. In which case, as I said, in the case of small schools it would be a good idea to follow the procedure.
Originally Posted by bossman
In my situation, and other schools with two or more support people, the only way that a password on a scrap of paper would be appropriate is if the ENTIRE support team was to encounter some simultaneous catastrophic accident causing death to each of them - which unless the whole support team regularly travel together, is highly unlikely.
Even with both of those paragraphs put together, I would STILL not ever write down the top-level domain administrator account! I would only write down an account capable of performing delegated top-level administrative tasks and was audited, which would allow a competent administrator to rebuild the network and perform admin tasks in a disaster!
21st July 2009, 05:20 PM #18
The bit where it says that access to information should be restricted purely to those who require access to it. Network admin requires access to everything to keep it running. An IT teacher does not.
Originally Posted by srochford
As far as I'm aware, the fireproof safe thing is a LEA advised (or in some cases, required) thing.
Originally Posted by mb2k01
21st July 2009, 05:35 PM #19
I'm from a very small school - 40 machines including the server.
The ICT teacher has no admin rights and neither do I day-to-day. I have an admin account (password locked in safe) that I use when I need admin rights, but generally I can manage with standard staff rights (plus my admin account using remote desktop).
Due to the sensitivity of data that can be accessed with admin rights, there is absolutely no way that anybody should routinely be using such an account... and definitely not a teacher. If his permissions do not allow him to do his job - security options may need to be tweaked, but using admin rights as an easy fix is not the solution.
Might I add, it makes a pleasant change to have a HT that is aware of data security and is asking for the right thing. Too often we hear the opposite on here and SLT are not aware of the data security implications and demand privileges for themselves or others that they shouldn't have.
Last edited by elsiegee40; 21st July 2009 at 05:37 PM.
21st July 2009, 05:49 PM #20
We have several administrative accounts on our system.
Originally Posted by spiderz
The main Administrator account is never used, the password for it is ridiculously complex, and it is on a piece of paper inside a sealed envelope in the school safe, together with all the other service account passwords that may be needed in the event of an emergency when there were no other IT staff in the building and they had outside support in for whatever reason.
There are 3 of us here, and we all have an admin account each. It can't do absolutely everything, but it can do everything that is needed on a day to day basis. They are specially tailored so they can only reset the passwords of accounts below them in ranking, so there's no danger of one of us going mental and locking everyone else out of the system or something like that. These admin accounts are different to our normal day-to-day accounts and are used specifically for administration tasks and logging onto servers with.
In my experience it is unusual for a teaching member of staff to have administrative privileges on a school network, there's a lot of issues surrounding this, data protection being just one of many that would need to be addressed.
The other major difference between a member of technical staff and a member of teaching staff is the teaching staff are much more likely to leave the machine logged on, or accidentally without realising it give away the password to a whole class of students by typing it into the user name box instead of the password box while being displayed on a projector (oh yes, it has happened). Incidents like that do need consideration when deciding on appropriate rights to give someone on a system.
Start with the minimum needed and add bits as necessary, not the other way round.
21st July 2009, 06:17 PM #21
In my school I have the main admin passwords and so does the one technician. Nobody else does.
Teachers can change pupil passwords using the LEA supplied SMS interface which they can access. They cannot change teacher passwords.
I agree that teachers do not need the admin password - but in my case I am Network Manager so have them. I don't use it though and log in as my staff password in the majority of cases. When I'm working on the network side of things I do use the admin account.
Can anyone tell me the difference between the Domain Admin and an Enterprise Admin account? I am a Domain Admin, but the LEA are our Enterprise Admins. I assume they are higher so have more control.
As an interesting aside - what would you do if you wanted a lower technician to not have as much power as a Domain Admin? What would you set them up as? The ability to:
but not edit the AD or create GPOs
21st July 2009, 06:32 PM #22
I have 3 admin accounts - one held by the local authority IT team (In case a bus gets in my way), and two of my own - One that I occasionally have to log into in front of people to get things done.
I also work in a small special school, although I have an almost 1:1 ratio of PCs and Laptops - 140 PCs, 150 kids.
The extra account of my own is purely just in case the main account is damaged or (more likely) a kid decides it would be a good idea to enter my password wrong 5 times and lock me out for 20 mins when I need to do something.
Plus there is a copy of it all in the Fireproof Safe.
21st July 2009, 06:55 PM #23
Playing devil's advocate a bit, but there are lots of situations where teachers will require access to pupil names, addresses etc and almost none where an IT person needs that access (they need to be able to backup data etc but there's no reason for them to have access to the information contained in those files)
Originally Posted by localzuk
I'm guessing this follows on from the thread elsewhere where someone asked about if IT staff should have access to the head teacher's home area.
Ultimately, it comes down to trust.
21st July 2009, 07:40 PM #24
I have one admin account at each school - in one I am the only one who knows it as there is no IT co-ord and in the other it is me and the IT co-ord - yes, he is a teacher, but he is very trustworthy and would never attempt to do anything for example to AD or group policy. He does any user name changes or password stuff when I am not here - as a part-timer someone has to do things then - I would not allow other teachers the ability to change passwords etc as somehow they would muck that up too....
In that school I would NOT allow the head or deputy anywhere near my server/network as they could not be trusted: one knows a bit about IT and would mess it up, the other knows nothing and... would mess it up
21st July 2009, 07:59 PM #25
Ahh an argument I've had with many an IT Teacher/Head of IT
Only myself and the NM have admin rights over the entire network, everyone else, including SMT have standard teacher accounts.
Usually the only reason they want admin rights is to change a load of settings on the computers in their room, easily remedied this by giving them a staff laptop with local admin rights.
21st July 2009, 08:14 PM #26
A member of the Domain Admin group has full administrative privileges to make changes in the domain for which it is the admin.
Originally Posted by garethedmondson
A member of the Enterprise Admin group has full administrative privileges to make changes to the entire forest and any domains in it.
(Hope that's right!)
21st July 2009, 08:27 PM #27
All admin passwords are in the school safe for HT, DHT and my line manager. My line manager also has a technician account but it's only to be used in extreme situations.
21st July 2009, 09:30 PM #28
Thanks for the replies. Both the Dept. Head and Headteacher have admin rights at the moment. It seems from the replies your views are similar to mine. The main problem is that he was both IT Teacher and Network Manager before I was employed (I was employed because he didn't have enough time to complete his teaching duties).
21st July 2009, 09:37 PM #29
Why do those teaching and leadership colleagues have administrative access?! That's madness!
You should find out what it is they want to do under their existing privileges exactly and start working on a delegated permission allowing them to do it under a non-administrative account.
You have a whole list of reasons to want to do this - reduce risk of accidental damage, accidental data loss, increase security, prevent viruses etc etc.
21st July 2009, 11:40 PM #30
A few quick points ... partly summarising comments from others.
1 - The 24 tasks are quite clear as to what a teacher can't do.
- ICT trouble shooting and minor repairs
- Commissioning new ICT equipment
- Ordering supplies and equipment: teachers may be involved in identifying needs
- Managing pupil data: teachers will need to make use of the analysis of pupil data
- Inputting pupil data: teachers will need to make the initial entry of pupil data into school management systems.
These are the key tasks I thought I would highlight. Notice it does not mention anything about managing ICT / IT or even doing planning / design work. However, neither managing nor planning needs to include admin access. Some of the management of ICT / IT is part of the Leadership strand anyway ... so if they are not paid on the Leadership spine then they are not paid to manage it. TLRs are for Teaching and Learning ... although many schools seem to have wangled their way around paying people for doing work they are either not doing or shouldn't be doing.
2 - Never use the Domain (also read Enterprise) Admin account except when doing some *very* specific task, such as significant upgrades or role changes of servers / DCs. MS has some darn good advice on this (go search on Technet) and folk have already pointed to some of these articles.
3 - You should have alternative domain level accounts in reserve in case the Domain Admin account goes pear-shaped. These should not be used either but details recorded, locked away and only used in emergencies.
4 - You should have relevant accounts with delegated control. If you are installing software (eg Backup software) then use the backup software account to install it. This will make sure you have the right access to services etc. For admin work have a personal admin account that you only use when needed and then have your everyday account which only has the 'right' access for simple admin tasks such as change password etc.
5 - The Head is the Boss. When he says who can and can't have access follow their instructions when locking things down, but only open things up if there is a clear and direct need. "Just in case" is not a good reason and pointing out the good practice measures above is the best way to show that you *want* to do what they have asked / ordered but it really works better if you do it the way that MS designed it to work. However, the Head is the Boss and unless you want to take it to the Governors then do what the Boss says (examples of when not to follow the instructions include giving full rights to the SIMS server, the file server with access to all the pay details, the file server which has the Head's home area on ... in fact there are lots of examples and once you point out the stuff about Pay and the Head's home area then common sense tends to prevail IMHO!)
6 - If they ask for admin access then ask if you can conduct an OFSTED style inspection of them teaching. It is a tongue in cheek comment ... but it can be used to point out that people have different specialisms and whilst there is an overlap ... it doesn't mean it should be done!
2 Thanks to GrumbleDook:
elsiegee40 (22nd July 2009), skunk (22nd July 2009)