Poll: Do you allow staff to have Local Admin Privileges?

Be advised that this is a public poll: other users can see the choice(s) you selected.

+ Post New Thread
Page 1 of 3 123 LastLast
Results 1 to 15 of 40
How do you do....it? Thread, Do you allow staff to have Local Admin privileges? in Technical; I am currently having an argument with my SMT relating to a specific user and local admin permissions on said ...
  1. #1
    Ravening_Wolf's Avatar
    Join Date
    Oct 2006
    Location
    Essex :(
    Posts
    290
    Thank Post
    1
    Thanked 3 Times in 3 Posts
    Rep Power
    18

    Do you allow staff to have Local Admin privileges?

    I am currently having an argument with my SMT relating to a specific user and local admin permissions on said staff member's PC so that they can "still work when the network is down" (we have had two outages in 6 months thanks to power cuts, both of which were resolved in less than 2 hours).

    Said member of staff has had local admin privileges in the past and saved all of her data to the C: drive. Until the hard drive "failed". Apparently four years worth of work was lost including staff appraisals, personal references and other sensitive data relating to personnel.

    Despite the blatant incompetence on display, plus the severe breach of Data Protection legislation, said member of staff is still pushing for local admin rights! And the Head is backing them up!

    In fact, the Head wants all staff to have local admin permissions and the ability to install their own software. I have attempted to explain that my position becomes untenable if that desire becomes a reality as I will never be able to keep track of software licenses let alone the trouble caused by the multitude of cr4p which would be added to the network. And the potential for further breaches of Data Protection legislation, intentional or otherwise...

    Anyway, before you all start complaining this thread should be in FFS, what I really need to know is this: How many of you allow your staff unrestricted C: drive access with permission to install anything and everything?

  2. #2
    Quackers's Avatar
    Join Date
    Jan 2006
    Posts
    1,433
    Thank Post
    45
    Thanked 156 Times in 131 Posts
    Rep Power
    56

    Re: Local Admin Permissions

    On their laptops and PC's of which they only use they are allowed local admin. Any PC's in LABS etc they are not.

  3. #3
    Ravening_Wolf's Avatar
    Join Date
    Oct 2006
    Location
    Essex :(
    Posts
    290
    Thank Post
    1
    Thanked 3 Times in 3 Posts
    Rep Power
    18

    Re: Do you allow staff to have Local Admin privileges?

    Do you have an AUP in place with enforceable punishment for breaches, such as installation of unlicensed software?

  4. #4

    mattx's Avatar
    Join Date
    Jan 2007
    Posts
    9,248
    Thank Post
    1,059
    Thanked 1,069 Times in 625 Posts
    Rep Power
    740

    Re: Do you allow staff to have Local Admin privileges?

    Oh my, I feel really sorry for you on this. There is NO way I would let anyone have the admin password. Can't you get some sort of Edugeek E-petition setup so we can all back you up on this ? Then you can show it to your head and SMT.
    As you know a network setup like that would be un-manageable. Can't you explain if this happened it would not be long before the students got hold of the password and started deleting everything in site and causing a mass of problems ?
    If they still insist of granting Admin rights to all staff, I would write up an E-mail letter to them & the Govs explaining what will happen, and when it happens you want NOTHING to do with it and that you had warned the SMT & Head and because of their actions you don't have a network anymore...
    I am sure others on the site would offer more valueable advice but all I can do is wish you luck on your quest.
    Get a petition going on here, I'll sign it....

  5. #5

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,381
    Thank Post
    1,501
    Thanked 2,585 Times in 1,799 Posts
    Rep Power
    777

    Re: Do you allow staff to have Local Admin privileges?

    Staff can do whatever they like on their laptops - I have tried to point out all the things you mention but the head just lets them get on with it.
    They aren't allowed on my network, though, and if I get them for repair I take care to clean them up.
    I have said that if they go on my network, they will have the same permissions that staff have there - ie not allowed to install anything.

  6. #6

    MK-2's Avatar
    Join Date
    Oct 2006
    Location
    Nottingham
    Posts
    3,237
    Thank Post
    149
    Thanked 581 Times in 307 Posts
    Blog Entries
    8
    Rep Power
    200

    Re: Do you allow staff to have Local Admin privileges?

    I know giving staff LA rights to their laptops can open up a whole can of worms.
    All staff here have LA on their laptops. Yes, they can install their own software, but all know that we regularly (once every 6 weeks or so) get all staff laptops in to make sure updates are running and do basic health checks on them. So that means we will notice things and point it out to them (installation of file sharing/p2p stuff for example) or if it poses a threat, remove it.
    It's not an ideal situation but I think (not 100% sure) that with SIMS on their laptops, if they are LA then updates will install rather than us having to do it manually.

  7. #7
    Quackers's Avatar
    Join Date
    Jan 2006
    Posts
    1,433
    Thank Post
    45
    Thanked 156 Times in 131 Posts
    Rep Power
    56

    Re: Do you allow staff to have Local Admin privileges?

    Quote Originally Posted by Ravening_Wolf
    Do you have an AUP in place with enforceable punishment for breaches, such as installation of unlicensed software?
    We have no AUP.

  8. #8
    linuxgirlie's Avatar
    Join Date
    Jul 2005
    Location
    Kent
    Posts
    340
    Thank Post
    106
    Thanked 33 Times in 18 Posts
    Rep Power
    32

    Re: Do you allow staff to have Local Admin privileges?

    Never, laptops they can do what they want, but network pc's are locked down and all work is saved onto the servers. I couldn't think of a worse thing than the burser losing all their work.Sometimes even a knoppix cd can't rescue the contents of a harddrive!!

    Jo

  9. #9
    OverWorked's Avatar
    Join Date
    Jul 2005
    Location
    N. Yorks
    Posts
    1,025
    Thank Post
    201
    Thanked 42 Times in 34 Posts
    Rep Power
    31

    Re: Do you allow staff to have Local Admin privileges?

    I make staff members of the local admin group on thier own laptops, so they can do what they like with them. They need to be able to set up internet. They would be responsible for any crap software.

    I also configure offline file so they can work at home and in school. This would negate the argument about needing to use the laptop when the server's down.

  10. #10
    contink's Avatar
    Join Date
    Jul 2006
    Location
    South Yorkshire
    Posts
    3,791
    Thank Post
    303
    Thanked 327 Times in 233 Posts
    Rep Power
    119

    Re: Do you allow staff to have Local Admin privileges?

    At a guess the best way to resolve this is to put together some demands of your own.

    1. AUP with enforceable penalties if breached (ie: loss of admin rights, etc..)
    2. Require a training course to have been completed BEFORE admin rights given
    3. Absolutely no admin access on anything other than their specific classroom machine and/or laptop
    4. SLT must sign off on any remedial work required because of a teacher mis-using the admin privs

    Beyond that I'd quietly make them at most a power user and ensure that any machines are locked down in terms of what they can do on the network.. and ensure that the network is locked down itself to detect and block any malware or suspect usage (eg: from a child gaining access and going a wandering).

    Either way you'll only be able to counter the problems by stating your position in terms of the experience they will undoubtedly gain by forcing you to go this route. A classic case of "I told you so" waiting to happen..

    My sympathies...

  11. #11

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    10,045
    Thank Post
    1,373
    Thanked 1,860 Times in 1,154 Posts
    Blog Entries
    19
    Rep Power
    609

    Re: Do you allow staff to have Local Admin privileges?

    Local Admins on their laptops ... but all teachers work from laptops ... there are no 'teacher computers' in any of the rooms now.

    On the normal desktops ... they are locked down. The only exceptions are a few of the admin staff who are member of the local admin group (but still locked down) purely to make life easier with some of the admin software used.

  12. #12

    Join Date
    Feb 2006
    Posts
    1,187
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Do you allow staff to have Local Admin privileges?

    Quote Originally Posted by MK-2
    It's not an ideal situation but I think (not 100% sure) that with SIMS on their laptops, if they are LA then updates will install rather than us having to do it manually.
    Not strictly true. SIMS will update for non-admins if you run SIMSperm.bat on the machine before hand. This loosens permissions on the C:\Program Files\SIMS folder and on the HKCR registry key(yikes!).

  13. #13


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,705
    Thank Post
    285
    Thanked 788 Times in 615 Posts
    Rep Power
    226

    Re: Do you allow staff to have Local Admin privileges?

    Laptops: if they know what they're doing and the benefit outweighs the grief they would cause themselves. Currently that's 3 users out of ~60. SMT back me on this - everything they need for teaching is installed automatically. New tax laws FTW as well

    Desktops: Nope, even if you're the only one to use that machine.

    Given the users history of saving to C:, it would be safer for them to sit on their hands until the power comes back on.

  14. #14

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,081
    Thank Post
    210
    Thanked 431 Times in 311 Posts
    Rep Power
    145

    Re: Do you allow staff to have Local Admin privileges?

    Our staff have the ability to logon their laptop without the network being present, but they are still logging on with their network account. Because we have offline files enabled on all laptops this means they can be used as if they were on the network even if the servers aren't available. Of course they loose public drives etc. but their own home area, desktop etc. is still available.

    All staff have local admin rights to the laptop too but again only through their network account, they don't have a local login as such. They still can't install software though, as we've disabled that ability using group policy. As soon as a setup program is run, it requests the administrator details.

    The only reason we enabled local admin rights on laptops was so staff could install hardware at home such as printers, scanners, USB modems etc. which they couldn't do otherwise.

    Desktop machines, no one has rights above a normal user. Never had any one challenge this as the machines do everything needed of them.

    Mike.

  15. #15
    Ravening_Wolf's Avatar
    Join Date
    Oct 2006
    Location
    Essex :(
    Posts
    290
    Thank Post
    1
    Thanked 3 Times in 3 Posts
    Rep Power
    18

    Re: Do you allow staff to have Local Admin privileges?

    I have a meeting with the Head on Friday and would like to be able to present a full AUP on the day in the event that I get overruled. Does anyone know where to find a template? The links on Becta were, errrr, poor...



SHARE:
+ Post New Thread
Page 1 of 3 123 LastLast

Similar Threads

  1. Replies: 7
    Last Post: 26th February 2010, 11:00 AM
  2. Local admin password reset?
    By sidewinder in forum Windows
    Replies: 13
    Last Post: 15th October 2009, 08:26 PM
  3. Replies: 5
    Last Post: 7th February 2007, 12:28 PM
  4. Replies: 9
    Last Post: 14th December 2006, 09:07 AM
  5. Admin staff to 'admin' AD phonebook
    By ITWombat in forum MIS Systems
    Replies: 2
    Last Post: 31st May 2006, 11:08 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •