After Xmas we will have an assistant NM starting. For the first month or two while they settle in I don't really want them to have full admin rights on the domain.
What do you think are appropriate rights for them while they settle in and get used to our network?
Backup Operators
Remote Desktop users
What sort of rights for basic Active Directory rights, i.e. just changing passwords etc.?
What would you recommend?

Create user accounts and create computer accounts would be handy.
Yes, limited to begin with, definitely. You don't want what happened to ICT NUT, where his Technician thought it would be a good idea to put everyone in the Domain Administrators group!
But what group membership should I give them?
Just leave them as a normal user and use the delegation wizard to give them rights to reset passwords etc. Then maybe after a bit make a group and stick that in the local administrators group on your workstations and put him in it.
Delegation of authority over an OU is a good start- give them change password for users rights, and printers too (like you said). I wouldn't (personally) make them part of backup operators until and unless they understand your backup system- it's too critical for the "have a go" types you can get (like me then ;-)
Have fun!
Paul
I'd make them two accounts. Their normal user account with normal 'staff' privilege levels and an 'administration' account with some of the privileges the others have mentioned above. Get him into the good habit of logging into his normal 'staff' account and only using his 'admin' account when he needs to. I'd suggest some forced wallpaper settings to remind him which account he's in too. Even better, explain how 'runas' and friends work so he doesn't have to keep logging in/out.
I found that using a normal user account for day to day stuff was fine, both for myself, the ICT Technician and Help Desk Advisor.
The only extra privileges any of us had (we all belonged to a help desk group) was that we could create/modify user accounts.
To do any work on the server, we simply Remote Desktop'd into the server with the administrator account. Only I, as the network manager, needed this account. After about a year, the ICT technician became quite confident with the network and I knew I could trust him with the administrator password.
It all depends how you run your technical support department. Structure is important, as well as clearly defined roles.
For a really, really good guide to running technical support in schools, have a look at FITS: www.becta.org.uk/fits
Whaaa??? Delegation wizard
Where's that? That sounds good - will it modify an existing user? I wouldn't mind altering the ICT Co-Ord's rights with that
Maybe that will save him logging on as me [administrator] 8O
Cheers
Nath
Right click on an OU in group policy and it's there (top of the list, if I remember correctly).
As a general rule, it's better to apply any kind of changes to a group, then just add people to that group. If the person with elevated permissions leaves or changes position in the school it's easier to change them back to a normal user again and give them to another user. This is true with file permissions also. (Apart from the home directory of course).
-Kev
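The group-based delegation suggested in the replies above, written out as a script (an added example, not part of the thread): it grants a group the same password-reset rights the delegation wizard sets on an OU, then adds the assistant to that group. The OU path, group name and account name are constructed placeholders, and it assumes the ActiveDirectory PowerShell module and `dsacls` are available on the machine it is run from.

```powershell
# Added example. All names below are constructed placeholders; adjust to your domain.
Import-Module ActiveDirectory

$ou        = 'OU=Students,DC=school,DC=example'   # OU being delegated (assumed)
$groupPath = 'OU=Groups,DC=school,DC=example'     # where the group is created (assumed)
$groupName = 'HelpDesk-PasswordReset'             # delegation group (assumed)
$member    = 'asst.nm'                            # assistant's account (assumed)

# 1. Put the rights on a group, never on the individual, so they are easy to move or revoke.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupPath
}

# 2. Grant the group "reset password", "force change at next logon" (pwdLastSet)
#    and "unlock account" (lockoutTime) on user objects below the OU only.
#    /I:S = apply to sub-objects; CA = control access right; WP = write property.
$trustee = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $groupName
dsacls $ou /I:S /G "${trustee}:CA;Reset Password;user"
dsacls $ou /I:S /G "${trustee}:WP;pwdLastSet;user"
dsacls $ou /I:S /G "${trustee}:WP;lockoutTime;user"

# 3. Add the person to the group. Removing them later revokes everything above.
Add-ADGroupMember -Identity $groupName -Members $member

# 4. Review what the group can now do on the OU (keep this output as a record).
(Get-Acl "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $trustee } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize

# 5. Periodic check: who currently holds the delegated rights?
Get-ADGroupMember -Identity $groupName | Select-Object Name, SamAccountName
```

Because the rights are scoped to one OU, accounts outside it (including administrator accounts kept in a different OU) cannot have their passwords reset by members of this group.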
I tend to discourage use of the 'Administrator' account. Separate per-user admin accounts lead to a bit more accountability.
True, but it's rare that the ICT Co-ord uses Administrator - usually only when I'm not in school... if he has to lol
And as he rarely remembers the password, it's no real problem
But I do see your point - I might make a new user for him to use when he needs to do anything admin
Cheers
N.