We are having a work experience student join us for a few weeks and wondered what level of access I should give them to the system?
They will be carrying out general IT duties and trying to gain experience from the whole experience towards her degree.
Has anyone had a similar dilemma?
Local admin and access to areas where you have your tech utils and software installed?
I would give local administrative permissions to PCs, access to any files shared necessary but no access to servers.
Or start with a pretty basic account and add rights as tasks require them, temporarily if necessary.
Delegate necessary permissions over appropriate OUs - i.e. nothing mission-critical, no servers (to start with).
Have you agreed what the work experience will cover before they arrive or is there a good chance of them being a toner monkey for most of it?
Give him a standard account (e.g. JoeBloggs). If he needs anything more than that then create a second (AdmJoeBloggs) account and grant it the minimum permissions you can get away with. Have him log on using the standard account and then use the AdmXXX account to remote log on to servers or to 'RunAs' tools like AD Users & Computers or MMC and so forth.
I used custom taskpad views of MMCs (such as AD) with delegated controls. This meant all the user could view was the locked down MMC which contained the Student OUs only, and the functions that I created an icon for (unlock, reset password).
Even if this user did open his own MMC to try and access the whole of AD, by also delegating control he couldn't do anything.
Give the user a separate logon script, and map the shares needed for the job (general apps, documentation area) and then restrict everything else down.
If you have apps that can only be run on a server (say Print Credits), create them an account which when it connects to a TS session it launches your print management application, restrict the account to run just this application.
For local admin we already have a group "Student Admin Group" which is automatically added to all domain machines' local admin group. This is for the awful software that requires local admin access (ALAN testing and Alice come to mind), add the user into your equivalent if you have one so the user has local admin access to your workstations. That was fun trying to figure out after we removed Ranger!
The key point I've found is to try and make it look as though you are trying to be helpful, and give the user easy access to everything they require, instead of making it appear like you are protecting the network and locking them out. Perception!
Last edited by Trapper; 1st May 2010 at 02:25 AM.
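An added example, not part of any post in this thread: one way to set up the delegation described above (a separate Adm account that can only reset passwords and unlock accounts in the student OU), with the accounts expiring when the placement ends. The OU path, domain name, group name and 21-day window are assumptions made for illustration; it uses the ActiveDirectory PowerShell module and the built-in dsacls tool.

```powershell
# Added example: delegate "reset password" and "unlock" on one OU only.
# All names below are hypothetical placeholders; adjust to your own domain.
Import-Module ActiveDirectory

$studentOu = 'OU=Students,DC=example,DC=local'     # OU the helper may manage
$groupOu   = 'OU=Groups,DC=example,DC=local'       # where the role group lives
$group     = 'Student Password Helpers'            # role group, not the user
$netbios   = 'EXAMPLE'                             # NetBIOS domain name
$admUser   = 'AdmJoeBloggs'                        # second account from the thread
$stdUser   = 'JoeBloggs'                           # day-to-day standard account
$endDate   = (Get-Date).AddDays(21)                # assumed end of placement

# Delegate to a group so the rights can be removed by dropping membership.
New-ADGroup -Name $group -GroupScope DomainLocal -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity $group -Members $admUser

$trustee = "$netbios\$group"

# /I:S applies the ACE to child objects only; ';user' limits it to user objects.
# 1. Extended right: Reset Password
dsacls $studentOu /I:S /G "${trustee}:CA;Reset Password;user"
# 2. Unlock: read/write the lockoutTime attribute
dsacls $studentOu /I:S /G "${trustee}:RPWP;lockoutTime;user"
# 3. Allow "user must change password at next logon" after a reset
dsacls $studentOu /I:S /G "${trustee}:RPWP;pwdLastSet;user"

# Both accounts stop working when the placement ends, even if nobody
# remembers to disable them.
Set-ADAccountExpiration -Identity $admUser -DateTime $endDate
Set-ADAccountExpiration -Identity $stdUser -DateTime $endDate

# Review what was granted: only the three ACEs above should list the group.
dsacls $studentOu | Select-String -SimpleMatch $group
```

To withdraw the rights early, remove the Adm account from the group; the ACEs on the OU can stay in place for the next placement.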