Giving SLT User Administrator Password (thread in Technical)
  1. #16

    Posted by Ephelyon
    We have a separate account (the domain's default Administrator account) with its password stored in the safe, but TBH I don't really class this as "giving SLT admin access". To my mind that would be more like what @Jamman960 is referring to.

  2. #17


    Yes/No - depends which member of SLT wanted it! Some would worry me more than others.

    We are much the same as others in that our contingency is a copy in the safe where we keep a copy of the credentials for the LastPass account which holds all (probably not quite yet) the other passwords. Our backup to that is a book.

  3. #18

    Posted by witch
    Explain the issue very carefully, including the worst-case scenario and the "password in a safe" solution.
    Then, if they insist - explain some more, detail your objections and document your explanation in an email or something so it is written down for future reference.
    If they still insist - create the separate admin acct as detailed above - perhaps restricting them to super-user?

  4. #19

    Posted by Ephelyon
    That's another point; for what many of them would ask for, full Enterprise Admin access may not be needed and you may well be able to "get away" with an account that has local admin access to all workstations plus e.g. full control permissions cascaded downwards from the root of your file servers' data volumes.

  5. #20

    Posted by plexer
    Just ask them to explain why they think they need this level of access.

    Ben

  6. #21

    Originally posted by Jawloms:
    > Why would they need it?
    >
    > Passwords are like underwear - change them regularly and never share them.

    You see, I've never shared my password, cos I could be blamed for anything done under those account details, but now you've put it like that, it sounds fun.

  8. #22

    Posted by elsiegee40
    Originally posted by elsiegee40:
    > This.
    >
    > Nobody gets my password!

    Originally posted by Get2theChoppa:
    > lol
    >
    > would love to know your rationale...

    There is history...

    ... involving a headteacher, a holiday, a password, a safe and a third party supplier...

    ... it was the last straw.

    Don't believe it would never happen, @Get2theChoppa. I had been in the industry for over 20 years when it did. Protect yourself and your network.
    Last edited by elsiegee40; 5th September 2013 at 06:38 PM.

  10. #23

    Posted by witch
    Originally posted by plexer:
    > Just ask them to explain why they think they need this level of access.
    >
    > Ben

    Well, you can ask, but as they are SLT they outrank you and can do what they like. It is neither "your" network nor "your" password so the only thing you can do is tell them why it is not a good idea and ask them what they are thinking that they might need to do when you are not there.

  12. #24

    Posted by DaveP
    Originally posted by Jawloms:
    > Why would they need it?
    >
    > Passwords are like underwear - change them regularly and never share them.

    [Old] Thread with relevant pictures/posters:

    Link: Passwords are like underwear

  14. #25

    Posted by Ephelyon
    @witch, it's still rather difficult to respect that structure given that a senior management team comprised solely of people from one profession makes no sense and can't work.

    Naturally there does need to be a hierarchy at the end of the day, but when you're the sole expert in a particular domain it's not unreasonable to expect SLT to justify themselves every once in a while. The IT industry as a whole wasn't created just for them, has standards of its own which exist for very good reasons and rightly demands some degree of respect for them.

  15. #26

    Posted by plexer
    Originally posted by witch:
    > Well, you can ask, but as they are SLT they outrank you and can do what they like. It is neither "your" network nor "your" password so the only thing you can do is tell them why it is not a good idea and ask them what they are thinking that they might need to do when you are not there.

    Depends really. IT is the responsibility of a centralised company within our federation now, staffed with all the existing people (a managed services company, if you like). They would have to be talking to the Director of IT Services to be granted domain rights here, and I doubt that would happen.

    Having said that I never said it was my network or my password?

    Ben

  17. #27

    Posted by witch
    Originally posted by plexer:
    > Depends really. IT is the responsibility of a centralised company within our federation now, staffed with all the existing people (a managed services company, if you like). They would have to be talking to the Director of IT Services to be granted domain rights here, and I doubt that would happen.
    >
    > Having said that I never said it was my network or my password?
    >
    > Ben

    No, @plexer, you didn't. @elsiegee40 did. Your situation is different from a school with an IT tech. I'm sure a Director of IT Services carries more clout!
    And @Ephelyon: yes, they certainly should justify themselves, and I did say that. All I meant was that however much you explain the problems, and however much you want them to listen to you as an expert, sometimes you are on a hiding to nothing and need to accept it or go mad in the process.

  18. #28

    Posted by SYNACK
    Originally posted by witch:
    > Well, you can ask, but as they are SLT they outrank you and can do what they like. It is neither "your" network nor "your" password so the only thing you can do is tell them why it is not a good idea and ask them what they are thinking that they might need to do when you are not there.

    I partially disagree: it is your password and user account, traceable to you. If they need admin access, give them a different account for it, separate from their usual account, as users running around doing everything while logged in as a domain admin is begging for trouble. Also segregate what they actually need; if it's just software installs, have a local admins group and even restrict it down to just the stations that they need. Sure, there should be at least one other domain admin or password in a safe for continuity purposes, but not too many more. The best way to describe this to them is that someone with a domain admin logon can read everything, all their documents, all their emails, everything, and ask them if they are happy spreading that around. Usually it is two separate issues, the continuity one and the software install one, which you can get around with more limited local-admin-only groups pushed out via special groups in a GPO.
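
One way to check an account inventory against the advice in the post above (an added example, not part of the original thread): it flags everyday accounts that hold domain admin, stale memberships and an oversized domain admin group, and lists accounts that only have scoped local admin. The account names, the group name `WS-LocalAdmins-Office`, the "has a mailbox" heuristic and the limit of two domain admins are all assumptions.

```powershell
# Constructed sample inventory: every account and group name below is made up.
# On a live domain, build equivalent objects with the ActiveDirectory module,
# e.g. Get-ADGroupMember 'Domain Admins' -Recursive | Get-ADUser -Properties mail
$accounts = @(
    [pscustomobject]@{ Sam = 'nm-admin';   Mail = $null;                  Enabled = $true;  Groups = @('Domain Admins') }
    [pscustomobject]@{ Sam = 'breakglass'; Mail = $null;                  Enabled = $true;  Groups = @('Domain Admins') }
    [pscustomobject]@{ Sam = 'dhead';      Mail = 'dhead@school.example'; Enabled = $true;  Groups = @('Domain Admins', 'Staff') }
    [pscustomobject]@{ Sam = 'dhead-inst'; Mail = $null;                  Enabled = $true;  Groups = @('WS-LocalAdmins-Office') }
    [pscustomobject]@{ Sam = 'old-tech';   Mail = $null;                  Enabled = $false; Groups = @('Domain Admins') }
)

function Find-AdminSprawl {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [string]   $DomainAdminGroup  = 'Domain Admins',
        [string[]] $ScopedAdminGroups = @('WS-LocalAdmins-Office'),
        [int]      $MaxDomainAdmins   = 2   # assumed policy: named admin plus the sealed account in the safe
    )
    $holders = @($Accounts | Where-Object { $_.Groups -contains $DomainAdminGroup })

    foreach ($a in $holders) {
        if (-not $a.Enabled) {
            # A disabled account cannot log on, but the stale membership should still be removed.
            [pscustomobject]@{ Account = $a.Sam; Finding = 'Disabled account still in domain admin group' }
        }
        elseif ($a.Mail) {
            # Heuristic (assumption): a mailbox means this is someone's everyday account.
            [pscustomobject]@{ Account = $a.Sam; Finding = 'Everyday account holds domain admin; issue a separate admin account' }
        }
    }

    $active = @($holders | Where-Object { $_.Enabled })
    if ($active.Count -gt $MaxDomainAdmins) {
        [pscustomobject]@{ Account = ($active.Sam -join ', '); Finding = "$($active.Count) enabled domain admins (limit $MaxDomainAdmins)" }
    }

    # Scoped local-admin groups are the intended route for software installs; list them for review.
    foreach ($a in $Accounts) {
        $scoped = @($a.Groups | Where-Object { $ScopedAdminGroups -contains $_ })
        if ($scoped.Count -gt 0 -and $a.Groups -notcontains $DomainAdminGroup) {
            [pscustomobject]@{ Account = $a.Sam; Finding = "Scoped local admin only: $($scoped -join ', ')" }
        }
    }
}

Find-AdminSprawl -Accounts $accounts | Format-Table -AutoSize
```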

  19. #29

    Posted by Ephelyon
    I think @witch is talking generically about giving SLT an account with admin access, not necessarily your own. Perhaps "'your' password" refers to "admin access passwords" in general.

    I do agree that the school IT resources are the property of the school, which in our case is to say they are the property of the County Council with the Head locally in charge. That is the accepted structure and doesn't change just because we might want it to.

    However, and on the topic of explaining oneself, I'd view it this way:

    Full access to all data assets within an organisation is nothing short of an occupational hazard. That's because the first question the Police will ask you if your house gets broken into is "Who else has the keys?" If you are a full administrator, you're on that list. In common law, you can do away with the DPA completely and opt for "Malfeasance in Public Office", for which the burden of proof is (VERY broadly speaking) "the preponderance of the evidence". That means it needs to be "more likely than not" that the defendant is guilty of the charge.

    Furthermore, there will be some data stored on the system that even members of SLT should not be privy to. This includes sensitive personal data on staff, particularly where e.g. disciplinary meetings are concerned, or disclosures of e.g. mental health concerns that may lead to an OHU referral. Some of you will know that the latter happened to me last year, and the only member of SLT I expect to have access to those stored copies of OHU referrals is the Head. Not the Deputy Head, not the Assistant Heads, not the Business Manager, because they Don't Need To Know™. In that manner, and only in that manner, we comply with Principles 2, 6 and 7 of the DPA.

    Our profession is the only one where it is accepted that the "can" is not the same as the "may" in terms of access to data. The ONLY reason for that is that we have accepted the necessity of this for us to carry out our duties for the past 40 years. Nevertheless it remains an occupational hazard - and not a power trip! - that nobody else should be exposed to unless they can state, and prove, in explicit terms, why it is required. Perhaps it would be appropriate for the Governors or the LEA to intervene in forming an impartial external judgement on the matter.

    Maybe it's possible to use some of that reasoning when discussing these matters with SLT.
    Last edited by Ephelyon; 6th September 2013 at 01:52 AM.

  21. #30

    Posted by elsiegee40
    I ended up pointing out to the HT that what had been done with our administrator password was like giving the school keys and alarm code to a contractor and then leaving all the internal doors and filing cabinets ... and then leaving them unattended to get on with it.
