Do you allow staff to have Local Admin privileges?

[daveyboy]

Nobody has local admin rights on any network workstation / laptop (we regularly image them - software updates, patches - fixes)

But - what we term as 'staff laptops' the staff use as local admin - BUT - if they come to me for repair, upgrade, or even for a 'health check' (or AV is out of date) they are imaged with the latest version. The staff are 100% responsible for the data that is on them.

Laptops are for staff to write reports, create resources etc, etc - Not for ebay, personal banking, or for their family / friends to use.

[bishopsgarthstockton]

stick by your guns mate. Do not allow them admin rights.

im sick of teachers who think they know all and they do what the can to get what they want even if it means tramppling all over us.

ICT teachers wanted write/modify permissions for kids work folders. I had given them read permisions so they could check the kids work. I told them no way....Never.

Crap i will come down for you and drum it in to your boss head for you if you like :twisted:

[CheeseDog]

Just finished an AUP and given it to staff to sign. PM me an email address and I can send it you.

It's more or less based on things I found on the policies section in here.

[mark]

We're moving to no admin access here. Not 'actual' LA but 'a' local admin.

We had a policy of tightening up security if a member of staff caused too much work, and one of those that fell foul of this was a Deputy Head.

All staff now use SIMS on their desktops and we made them power users + GP lockdowns. This has been fine so far.

Some people have pushed for access - they had so many problems with virtually unrecoverable PCs (well a hell of a lot of work or a re-build) that they now happily live with tied down PCs.

What we say is that we set up the machines to be reliable business machines. If anything happens to the machine to stop it functioning on the network then that is unacceptable to the business, costing time and money to rectify that needn't be spent.

It's difficult in the present climate where IT is not given the status it needs in schools, and poor business descisions are made.

[netadmin]

We used to lend staff the domain admin account...big mistake.
We quickly stopped after someone installed Limewire filesharing on about five computers, and downloaded a virus onto their network drive (requiring the server operating system to be reinstalled).

Now, no staff gets any type of admin access, except for local power user if needed for special program. But even then, there are so many restrictions enabled through group policy they cannot really do much damage.

[Grommit]

We allow LA rights for staff on Staff PC's as we feel that they need to explore ICT and see what works for them..

There is no peer to peer allowed or such but only "proper" software.. (like the CD in the TES)

If the PC dies we just re-ghost and it's as fresh as a daisy again...

This is better than having the frustration of the staff moaning that they are treated like children and that the T&L is suffering because they cannot experiment with new software without asking the permission ICT Department..

We have a good working relationship with the teaching staff and we like to keep it that way...

The staff also have read and write permissions to the Students folders.. as they transfer the students work from Floppy/Flash drives to the students folders in class.. or else we would have lots of students coming to the ICT office asking for their homework to be copied everyday..

We also give the "ICT Teachers" Student Password Change rights.. and thays only Change the Student Password..

Laptops... they are free to do what they want with as again I feel that they must play with new software and see how it can improve T&L and not have a Laptop where thay can only do Office and other pre setup software work...

Again.. if it dies.. a quick Ghost and it's as fresh as a Daisy..

[mark]

You could use Deep Freeze or MS's Shared Computer Toolkit on PCs with LA access - then they could experiment all they like - re-boot and it's all gone

IIRC Ric has set up virtual machines on all his school's PCs for this very purpose - those staff that would like to play at admin..

[NetworkGeezer]

We used to lend staff the domain admin account...big mistake.
We quickly stopped after someone installed Limewire filesharing on about five computers, and downloaded a virus onto their network drive (requiring the server operating system to be reinstalled).

Did I read that right? The domain admin account was given to non-technical staff. Whether or not they install crap on computers, giving total access to a wide range of people means you effectively have no security. It would be like lending a master key to all the doors in the school to different people.

Thank god you stopped it.

[mrforgetful]

We tend to give them Local Admin access on laptops just so they can install printers and any software they may need when at home. It's never caused any problems and is so much smoother than us having to install everything.

Noone has Adminof access on a standard network PC except technical staff and one teacher - the Head of ICT.

[DaveP]

Removed.

[CyberNerd]

IMO best 'compromise' option is to give staff an extra local admin account but not to allow their domain account to be a local admin account.
This way they can install if they need, but are discouraged from regularly logging in using the local admin account because its not on the domain, thus more painful.

[mrforgetful]

Just tell them 'Look, even though you're perfectly capable of exchanging your own contract when you move house, will solicitors let you? No? Exactly, neither will Administrators let you do what you probably could, so nerr nerrr'

[ZeroHour]

Simply NO!
No one gets LA or anything similar for any PC/LAPTOP that is on the domain. There are a couple of stand alones with no network rights but a LA account and we are trying to faze them out (only really a couple left).
The simple truth of it is most staff can not be trusted and/or have rather limited common sense with IT. They like to shop online and end up visiting a dodgy fake shop site that installs a virus/malware (or tries to) and sophos then becomes your last line of defence if they have LA (unless the virus uses process elevation exploits) and we all know that sophos has some *patchy* protection for malware. Most staff have the attitude that if they break it they dont care as they dont have to fix it and never really get punished (more a SMT issue).
Really if you want some more work/pain give it to them but I would fight really hard (balboa style hard ) to stop it being forced.
Remember vicarious liability means the blame can fall to the head/gov if illegal anything is found installed by staff. If they force you to do it (and get it in writing) then the responsibility is then theirs. If you emphasise that there collective bums are on the line and not yours if they go against you they may rethink that plan.

[acb_]

We don't allow LA rights. Not even for the guy who really wanted them: 'But I don't know enough to break anything!'

[pinemarten]

Networkgeezer wrote:

It would be like lending a master key to all the doors in the school to different people.

our school went one better about 10 years ago - cut about 12 copies of the master room key , gave one to each of the cleaners....