+ Post New Thread
Results 1 to 15 of 15
How do you do....it? Thread, How does your school handle Tech accounts. in Technical; I am looking to overhaul things here, currentlt techs log in using the Domain admin account when ever tey want ...
  1. #1
    Disease's Avatar
    Join Date
    Jan 2006
    Posts
    1,100
    Thank Post
    118
    Thanked 70 Times in 48 Posts
    Rep Power
    56

    How does your school handle Tech accounts.

    I am looking to overhaul things here, currentlt techs log in using the Domain admin account when ever tey want to do anything (I know, I know we should not be doing it), I want to change things to proper best practice and was wondering how you set your tech accounts up, what privileges do you give them, do you use a specific GPO etc.

    Thanks.

  2. #2
    tommej's Avatar
    Join Date
    Oct 2009
    Location
    Lincolnshire
    Posts
    727
    Thank Post
    39
    Thanked 150 Times in 108 Posts
    Rep Power
    81
    We used to have a single account all our techs used but with people leaving etc the password had to be changed often and it was hard to keep track of who knew what. It was also impossible to audit, so now all the techs have their own account with no restrictions.

  3. #3

    Edu-IT's Avatar
    Join Date
    Nov 2007
    Posts
    7,259
    Thank Post
    404
    Thanked 633 Times in 578 Posts
    Rep Power
    185
    We have one domain administrator account, a system administrator account and then our own individual logins which are just regular staff accounts. On a daily basis we can do everything we need from the staff accounts.

  4. #4
    rad
    rad is online now
    rad's Avatar
    Join Date
    Jan 2009
    Location
    Middlesex
    Posts
    2,530
    Thank Post
    339
    Thanked 319 Times in 242 Posts
    Rep Power
    112
    We have an admin account and our own individual accounts which also have admin rights.

  5. #5

    Join Date
    Nov 2009
    Location
    leeds
    Posts
    10
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    what o/s are you using, if you are using windows 2003 r2 create a tech group decide what right's they have.You can then add or take away members when you want too.

  6. #6

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,049
    Thank Post
    1,861
    Thanked 2,320 Times in 1,711 Posts
    Rep Power
    824
    I'm on my own, but I have my own Domain Admin account - logging on as Administrator is a last resort.

    However, my Domain Admin account is not my day-to-day account... too dangerous, I don't trust myself!

    My main account has conventional staff privileges. I do most things from that (including Remote Desktop into the server), only using the Domain Admin account if I have to.

  7. #7


    tom_newton's Avatar
    Join Date
    Sep 2006
    Location
    Leeds
    Posts
    4,485
    Thank Post
    867
    Thanked 854 Times in 675 Posts
    Rep Power
    197
    We have our own accounts, plus an admin account each. Eg. "bob.smith" and "bobadmin"

  8. Thanks to tom_newton from:

    plexer (9th November 2009)

  9. #8

    Join Date
    Oct 2009
    Location
    Connecticut
    Posts
    22
    Thank Post
    0
    Thanked 2 Times in 2 Posts
    Rep Power
    11
    Everyone has their own accounts. Of course domain administrator account separate, though most of us have enough rights not to need it. All students/stuff, etc have their own accounts as well. It's pretty simple, we have automated batch scripts that add account for us. We use GPOs made with different restrictions for staff/students.

  10. #9
    fawkers's Avatar
    Join Date
    Jun 2007
    Location
    Southend
    Posts
    193
    Thank Post
    32
    Thanked 22 Times in 21 Posts
    Blog Entries
    2
    Rep Power
    31
    Hi fokes

    We have a normal staff user account, a <initials>.admin account which has delegated permissions for the jobs that we do (local admin on workstations, servers and delegated permissions to ad, gpmc etc). Only the network manager has an admin account with domain admin privileges.

  11. #10
    Cache's Avatar
    Join Date
    Apr 2008
    Location
    Cumbria
    Posts
    1,268
    Thank Post
    473
    Thanked 185 Times in 181 Posts
    Blog Entries
    3
    Rep Power
    66
    Here currently I have my own standard user account, a standard domain account which is added to the local admins group on each workstation and then domain admin accounts are only used on the servers.

    Part of the system I inherited and seems to work quite well actually.

  12. #11
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34
    IMHO, best practise is as per Tom_Newton's post.

    Each users gets a 'standard' account which can be used to log on to the domain and do basic working tasks (Office, Email, Internet etc).

    Any users who perform 'admin' tasks should have an additional user account, also unique to them which is used just these purposes.

    This follows the principles of least privilege. Users needing to do 'admin' tasks either log on to a PC with their admin account or (as I do) use RunAs to run an Admin tool with elevated privileges.

    The Admin account should also only have the essential permissions. For example, my own 'admin' account has not access to Internet or Email as this would duplicate what I can already do with my normal account.

    This way of working is initially burdensome to those used to logging on as a Domain Admin all the time but it's surprising how quickly you get used to it.

  13. #12

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,249
    Thank Post
    898
    Thanked 1,785 Times in 1,537 Posts
    Blog Entries
    12
    Rep Power
    463
    IT staff have there own account with Domain Admin rights.

    The Administrator account everyone uses for server stuff

  14. #13
    Disease's Avatar
    Join Date
    Jan 2006
    Posts
    1,100
    Thank Post
    118
    Thanked 70 Times in 48 Posts
    Rep Power
    56
    Thanks for all te replies, it's given me something t work with now. Thanks.

  15. #14
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,217
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    75
    We have a domain admin account that everyone (members of the IT team of course) uses BUT it's only allowed to logon to servers. Each user has an ordinary user account for general use then we have a domain user that we make a member of local administrators on all stations using GPO restricted groups. This account has no access to the servers or shared areas it can only see our software share and a tools folder for troubleshooting.

  16. #15

    RabbieBurns's Avatar
    Join Date
    Apr 2008
    Location
    Sydney
    Posts
    5,531
    Thank Post
    1,341
    Thanked 470 Times in 307 Posts
    Blog Entries
    6
    Rep Power
    200
    All our servers run TS so we each have our own accounts which are domain admin accounts and we each individually log onto servers so all stuff can be accounted / attributed to an individual user.



SHARE:
+ Post New Thread

Similar Threads

  1. How does your school handle purchases?
    By RallyTech in forum How do you do....it?
    Replies: 11
    Last Post: 6th November 2009, 09:08 PM
  2. ideal tech department for k-12 school
    By LCPSWolf in forum How do you do....it?
    Replies: 0
    Last Post: 5th September 2009, 03:40 AM
  3. Other school tech forums????? rescources
    By dunkydonut in forum General Chat
    Replies: 7
    Last Post: 16th September 2008, 01:34 PM
  4. Why are you a school tech?
    By ITWombat in forum General Chat
    Replies: 34
    Last Post: 12th March 2007, 01:06 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •