How does your school handle Tech accounts.

Disease · 09-11-2009, 01:06 PM

I am looking to overhaul things here, currentlt techs log in using the Domain admin account when ever tey want to do anything (I know, I know we should not be doing it), I want to change things to proper best practice and was wondering how you set your tech accounts up, what privileges do you give them, do you use a specific GPO etc.

Thanks.

tommej · 09-11-2009, 01:25 PM

We used to have a single account all our techs used but with people leaving etc the password had to be changed often and it was hard to keep track of who knew what. It was also impossible to audit, so now all the techs have their own account with no restrictions.

Edu-IT · 09-11-2009, 01:35 PM

We have one domain administrator account, a system administrator account and then our own individual logins which are just regular staff accounts. On a daily basis we can do everything we need from the staff accounts.

rad · 09-11-2009, 01:37 PM

We have an admin account and our own individual accounts which also have admin rights.

finbar3 · 09-11-2009, 02:13 PM

what o/s are you using, if you are using windows 2003 r2 create a tech group decide what right's they have.You can then add or take away members when you want too.

elsiegee40 · 09-11-2009, 02:19 PM

I'm on my own, but I have my own Domain Admin account - logging on as Administrator is a last resort.

However, my Domain Admin account is not my day-to-day account... too dangerous, I don't trust myself!

My main account has conventional staff privileges. I do most things from that (including Remote Desktop into the server), only using the Domain Admin account if I have to.

tom_newton · 09-11-2009, 02:19 PM

We have our own accounts, plus an admin account each. Eg. "bob.smith" and "bobadmin"

willv28 · 09-11-2009, 02:50 PM

Everyone has their own accounts. Of course domain administrator account separate, though most of us have enough rights not to need it. All students/stuff, etc have their own accounts as well. It's pretty simple, we have automated batch scripts that add account for us. We use GPOs made with different restrictions for staff/students.

fawkers · 09-11-2009, 03:13 PM

Hi fokes

We have a normal staff user account, a <initials>.admin account which has delegated permissions for the jobs that we do (local admin on workstations, servers and delegated permissions to ad, gpmc etc). Only the network manager has an admin account with domain admin privileges.

Cache · 09-11-2009, 08:24 PM

Here currently I have my own standard user account, a standard domain account which is added to the local admins group on each workstation and then domain admin accounts are only used on the servers.

Part of the system I inherited and seems to work quite well actually.

ajbritton · 10-11-2009, 12:46 AM

IMHO, best practise is as per Tom_Newton's post.

Each users gets a 'standard' account which can be used to log on to the domain and do basic working tasks (Office, Email, Internet etc).

Any users who perform 'admin' tasks should have an additional user account, also unique to them which is used just these purposes.

This follows the principles of least privilege. Users needing to do 'admin' tasks either log on to a PC with their admin account or (as I do) use RunAs to run an Admin tool with elevated privileges.

The Admin account should also only have the essential permissions. For example, my own 'admin' account has not access to Internet or Email as this would duplicate what I can already do with my normal account.

This way of working is initially burdensome to those used to logging on as a Domain Admin all the time but it's surprising how quickly you get used to it.

FN-GM · 10-11-2009, 01:06 AM

IT staff have there own account with Domain Admin rights.

The Administrator account everyone uses for server stuff

Disease · 10-11-2009, 12:20 PM

Thanks for all te replies, it's given me something t work with now. Thanks.

cookie_monster · 10-11-2009, 12:44 PM

We have a domain admin account that everyone (members of the IT team of course) uses BUT it's only allowed to logon to servers. Each user has an ordinary user account for general use then we have a domain user that we make a member of local administrators on all stations using GPO restricted groups. This account has no access to the servers or shared areas it can only see our software share and a tools folder for troubleshooting.

RabbieBurns · 10-11-2009, 01:00 PM

All our servers run TS so we each have our own accounts which are domain admin accounts and we each individually log onto servers so all stuff can be accounted / attributed to an individual user.

Welcome, Register for free! or Login below:
User Name		Remember Me?
Password

09-11-2009, 01:06 PM	#1
Disease Join Date: Jan 2006 Posts: 537 Thanks: 18 Thanked 6 Times in 6 Posts Rep Power: 11	How does your school handle Tech accounts. I am looking to overhaul things here, currentlt techs log in using the Domain admin account when ever tey want to do anything (I know, I know we should not be doing it), I want to change things to proper best practice and was wondering how you set your tech accounts up, what privileges do you give them, do you use a specific GPO etc. Thanks.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
How does your school handle purchases?	RallyTech	How do you do....it?	11	06-11-2009 09:08 PM
ideal tech department for k-12 school	LCPSWolf	How do you do....it?	0	05-09-2009 02:40 AM
Other school tech forums????? rescources	dunkydonut	General Chat	7	16-09-2008 12:34 PM
Why are you a school tech?	ITWombat	General Chat	34	12-03-2007 01:06 PM

Thread Tools	Search Thread
Show Printable Version Email this Page	Search Thread: Advanced Search

		EduGeek.net Forums > Technical > How do you do....it?
How does your school handle Tech accounts.

09-11-2009, 01:25 PM	#2
tommej Join Date: Oct 2009 Location: Lincolnshire Posts: 116 Thanks: 9 Thanked 10 Times in 9 Posts Rep Power: 2	We used to have a single account all our techs used but with people leaving etc the password had to be changed often and it was hard to keep track of who knew what. It was also impossible to audit, so now all the techs have their own account with no restrictions.

09-11-2009, 01:35 PM	#3
Edu-IT Join Date: Nov 2007 Posts: 3,691 Thanks: 186 Thanked 255 Times in 236 Posts Rep Power: 62	We have one domain administrator account, a system administrator account and then our own individual logins which are just regular staff accounts. On a daily basis we can do everything we need from the staff accounts.

09-11-2009, 01:37 PM	#4
rad Join Date: Jan 2009 Location: Middlesex Posts: 549 Thanks: 43 Thanked 44 Times in 25 Posts Rep Power: 14	We have an admin account and our own individual accounts which also have admin rights.

09-11-2009, 02:13 PM	#5
finbar3 Join Date: Nov 2009 Location: leeds Posts: 8 Thanks: 0 Thanked 0 Times in 0 Posts Rep Power: 0	what o/s are you using, if you are using windows 2003 r2 create a tech group decide what right's they have.You can then add or take away members when you want too.

09-11-2009, 02:19 PM	#6
elsiegee40 Join Date: Jan 2007 Location: Kent Posts: 3,360 Thanks: 384 Thanked 349 Times in 276 Posts Rep Power: 94	I'm on my own, but I have my own Domain Admin account - logging on as Administrator is a last resort. However, my Domain Admin account is not my day-to-day account... too dangerous, I don't trust myself! My main account has conventional staff privileges. I do most things from that (including Remote Desktop into the server), only using the Domain Admin account if I have to.

09-11-2009, 02:19 PM	#7
tom_newton Join Date: Sep 2006 Location: Leeds Posts: 2,089 Thanks: 195 Thanked 281 Times in 214 Posts Rep Power: 64	We have our own accounts, plus an admin account each. Eg. "bob.smith" and "bobadmin"

09-11-2009, 02:50 PM	#8
willv28 Join Date: Oct 2009 Location: Connecticut Posts: 18 Thanks: 0 Thanked 2 Times in 2 Posts Rep Power: 1	Everyone has their own accounts. Of course domain administrator account separate, though most of us have enough rights not to need it. All students/stuff, etc have their own accounts as well. It's pretty simple, we have automated batch scripts that add account for us. We use GPOs made with different restrictions for staff/students.

09-11-2009, 03:13 PM	#9
fawkers Join Date: Jun 2007 Location: Southend Posts: 72 Thanks: 11 Thanked 12 Times in 11 Posts Rep Power: 9	Hi fokes We have a normal staff user account, a <initials>.admin account which has delegated permissions for the jobs that we do (local admin on workstations, servers and delegated permissions to ad, gpmc etc). Only the network manager has an admin account with domain admin privileges.

09-11-2009, 08:24 PM	#10
Cache Join Date: Apr 2008 Location: Cumbria Posts: 149 Thanks: 50 Thanked 21 Times in 21 Posts Rep Power: 7	Here currently I have my own standard user account, a standard domain account which is added to the local admins group on each workstation and then domain admin accounts are only used on the servers. Part of the system I inherited and seems to work quite well actually.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

10-11-2009, 12:46 AM	#11
ajbritton Join Date: Jul 2005 Location: Wandsworth Posts: 1,557 Thanks: 12 Thanked 58 Times in 35 Posts Rep Power: 22	IMHO, best practise is as per Tom_Newton's post. Each users gets a 'standard' account which can be used to log on to the domain and do basic working tasks (Office, Email, Internet etc). Any users who perform 'admin' tasks should have an additional user account, also unique to them which is used just these purposes. This follows the principles of least privilege. Users needing to do 'admin' tasks either log on to a PC with their admin account or (as I do) use RunAs to run an Admin tool with elevated privileges. The Admin account should also only have the essential permissions. For example, my own 'admin' account has not access to Internet or Email as this would duplicate what I can already do with my normal account. This way of working is initially burdensome to those used to logging on as a Domain Admin all the time but it's surprising how quickly you get used to it.

10-11-2009, 01:06 AM	#12
FN-GM Join Date: Jun 2007 Location: Rochdale, Lancashire Posts: 8,107 Thanks: 280 Thanked 531 Times in 481 Posts Rep Power: 109	IT staff have there own account with Domain Admin rights. The Administrator account everyone uses for server stuff

10-11-2009, 12:20 PM	#13
Disease Join Date: Jan 2006 Posts: 537 Thanks: 18 Thanked 6 Times in 6 Posts Rep Power: 11	Thanks for all te replies, it's given me something t work with now. Thanks.

10-11-2009, 12:44 PM	#14
cookie_monster Join Date: May 2007 Location: Derbyshire Posts: 3,788 Thanks: 234 Thanked 239 Times in 203 Posts Rep Power: 57	We have a domain admin account that everyone (members of the IT team of course) uses BUT it's only allowed to logon to servers. Each user has an ordinary user account for general use then we have a domain user that we make a member of local administrators on all stations using GPO restricted groups. This account has no access to the servers or shared areas it can only see our software share and a tools folder for troubleshooting.

10-11-2009, 01:00 PM	#15
RabbieBurns Join Date: Apr 2008 Location: Sydney Posts: 2,696 Thanks: 373 Thanked 230 Times in 128 Posts Blog Entries: 5 Rep Power: 63	All our servers run TS so we each have our own accounts which are domain admin accounts and we each individually log onto servers so all stuff can be accounted / attributed to an individual user.

How do you do....it? sponsored by

How does your school handle Tech accounts.