Now they want my server root password.

[tickmike]

Hello . I need your advice again.

The head has asked me for the password to get access to the server and all the computers.

There is no way I'm going to give the root password away, as a lot of you know I spent hours and hours ( may be days) of my own time setting up this new domain for free in the school holidays and I'm not letting them damage it .

Views please.

Problem the new copier/printer is hired and I cannot get access into the settings ( hire firm password protected it) so they are coming in to set it up and I have been ask for the server password.

1..So if I just set up a account / password for them to do this..Is this the way to get around this problem ?.

2.. what permissions do I need to give for them to do this.

3..How to do it.

Note. its a private run school. no l.e.a. etc.

[Geoff]

firstly, you need your own login. You shouldn't be using administrator. No one should.

If someone wants admin, they need a good reason. Provided they do have a good reason, duplicate their login account and alter the username so it's obvious it's an admin account. I generally append '.admin' to the username and use some humorous wallpaper.

Secondly, the printer people don't need access to your server. Just ask them to setup the printer end of things and then ask them to tell you the IP to use and to hand over the printer driver to use. You can do the rest yourself.

[kingswood]

I agree with Geoff. Doesn't make any sense from a security or technical standpoint to have people all over the place who are "administrators". The schools' network would become a mess all too quickly.

Good luck!

[ZeroHour]

How do you run your printers? Just Win2k+ que's?
If so just give them a static ip. YOU can install drivers and link the too.
What do they actually need to setup on your network?
We have hired stuff too but they would NEVER get admin.

[plexer]

absolutely agree with all the above advice.

To alleviate the heads fears maybe a sealed envelope only to be opened in a dire emergency with the admin password written inside.

Regarding the copier yes they can set the ip etc... on it then give you these details to do the server side of things. Or give them an admin login that you then change when they are finished or just log on for them and stay there. Or change the password to something and tell them then change it when they have finished.

Unless the head can give you good reason why they would need to access the server and machines with the domain admin password then don't give it to them.

Ben

[SimpleSi]

The head of the school should have access to any of the passwords.

You have to think from his/her position - what would happen if you fell under a bus/moved or had to be sacked (tricky if working for free but hope you see my point).

I personally would write them down inside a sealed envelope and point out the potential problems if they were to get into the wrong hands.

Then leave the head to do what they want.


regards

Simon

[Geoff]

Yes thats what I do. There's a sealed envelope in the school safe with the admin password(s) on it.

[ZeroHour]

No I dont think they should, they are basically teachers.
If you work on your own its not a problem. There would be huge disruption anyway if you were in hospital or were out of action and they had the passwords. Remember its not hard to get the password for a admin account if you have physical access to the server. They can get retreive it when they are in a position (aka a replacement for you) to properly manage the network or at least have someone trained to handle it in the interm. At least you would have left it in a running state. God knows what would happen to it after that if they had admin for a couple of weeks and were *guessing* how to do things.

[Geoff]

Well that's the thing with per user admin logins. You can work out who broke it. That means they get all the hassle when stuff they broke doesn't work and they get to fix it. If they can't I come in out of hours and charge overtime and fix it. Their admin account gets disabled too.

[kingswood]

Documentation of the network would be better (I think). If a Systems Administrator documents the network, its settings, and password- and stores this safely- then there is no need for this "nuclear bunker" type thing where you rip open the envelope and make sure the keys match and then type in synchronicity on the count of three...

I use a Network DNA type of system where telephone numbers of contacts, account details, contractors, policies, passwords etc are printerd out and stored in a folder in the server room marked "Network Documentation". It would be easy to find.

Having said all that, it isn't a *bad* idea so long as the Head doesn't open the secret envelope just for the hack of it!

;-)

[Ric_]

As mentioned above, you should leave a copy of the password in a sealed envelope IN THE SCHOOL'S SAFE. Nobody should be accessing the system who doesn't now what they are doing as it WILL go tits up.

You cannot keep the login details from the head if he asks for them - it's their network not yours!

I also agree that noody who is 'untrusted' should be allowed any sort of priviledged access to the system. The copier people will spin some sort of line about not being able to set up the machine and test it but if you set up an IP port on the server with a static address and give that address to the copier guys they CAN set up their half and test it from a machine (since you've done your bit already). You will also find that most companies require you to fill in a fax-back form before the engineer arrives asking for an IP and other details.

[GrumbleDook]

I've an idea ... why doesn't everyone PM me with their admin / root paswords and I'll keep them safe :-D

No?

IGMC

[Geoff]

mines 'password' GrumbleDook

[GrumbleDook]

Seal your passwords in an envelope, sign across the back in a water base marker (if they steam it it can be seen and then place in a laminating pouch, melt it until it is sealed and then sign that too.

Then you will *really* know if people have needed your passwords

[Ric_]

@Grumbledook: