  1. #16

    elsiegee40's Avatar
    Quote Originally Posted by GrumbleDook View Post
    Then ask the Head and Bursar / business Manager which folders and documents are needed to be kept sensitive (ie staff pay, disciplinary procedures, etc) as you take it that they would want you to lock out access to those folders / files. Then point out that this account would have access to all staff files and folders, even personal ones, so do you need to let all staff know so that *they* can tell you which files and folders need to have their security permissions changed.
    I'm with TheLibrarian... this has to be the best idea I've seen.

    Total respect Grumbledook!

  2. #17
    Cools's Avatar
    Our LEA has a policy on teachers having access, and it says they must never have admin-level access,
    and the admin passwords need to be locked in the school safe. Just in case you get run over by a bus.

  3. #18

    GrumbleDook's Avatar
    To be honest ... I would ask the Head / Bursar about what the essentially private files are anyway ... *you* are in a position of trust (the same way the site supervisor with the master keys and alarm codes is) but are *all* your staff in that position? There will be some documents which have to be treated very sensitively and if you get the senior staff thinking about this then it can also make life easier for you when introducing other data protection stuff ...

  4. #19

    elsiegee40's Avatar
    Quote Originally Posted by Cools View Post
    Our LEA has a policy on teachers having access, and it says they must never have admin-level access,
    and the admin passwords need to be locked in the school safe. Just in case you get run over by a bus.
    I'm in a private school and that's how it is here.

    I have an admin account, but my day-to-day account has the same level of privacy as the teachers (with a few 'tweaks' so I can remote into the servers).

    It's safer that way. A bad day is less likely to turn into a dreadful one caused by a slip of the fingers.

  5. #20

    teejay's Avatar
    Well, someone with Domain Admin rights needs to be trained to MCITP Server Administrator level as a minimum, so order the self study guides and point them to the nearest exam centre for them to sit the 3 required exams. When they've passed, sure, give em access.

  6. #21

    SYNACK's Avatar
    Quote Originally Posted by GrumbleDook View Post
    Then ask the Head and Bursar / business Manager which folders and documents are needed to be kept sensitive (ie staff pay, disciplinary procedures, etc) as you take it that they would want you to lock out access to those folders / files. Then point out that this account would have access to all staff files and folders, even personal ones, so do you need to let all staff know so that *they* can tell you which files and folders need to have their security permissions changed.
    This should have an addendum that states that this is just a slowing-down mechanism and that as a domain admin, even if they are expressly locked out by permissions, they can simply take ownership of the files then read them anyway. Even if they are encrypted using Windows, a domain admin can reset the network administrator account and use this to get the master encryption certificate, allowing decryption.

    Sure the user may not know how to do it but if they want to know getting instructions off the internet is not exactly difficult.

  7. #22


    Quote Originally Posted by GrumbleDook View Post
    Then ask the Head and Bursar / business Manager which folders and documents are needed to be kept sensitive (ie staff pay, disciplinary procedures, etc) as you take it that they would want you to lock out access to those folders / files. Then point out that this account would have access to all staff files and folders, even personal ones, so do you need to let all staff know so that *they* can tell you which files and folders need to have their security permissions changed.
    Why? If another person is deemed good enough to have domain admin access then this should not be a problem. All staff should already know that *someone* has access to these files, but that they are professional enough not to "snoop" into areas that do not concern them. I would imagine a more worrying aspect would be the teacher not having the knowledge to use the account properly and causing problems by breaking things.

    How does stating the fact that they could restart the server during the school day differ from the existing NM? Surely the point to get across is that the teacher is not qualified (no experience or training?) to be given such access rather than stating what someone already has the ability to do? That's the reason for having experienced IT support so they can perform their job properly, and not have their duties handed out to other members of staff?

    Edit: GD - You already answered my question while I was still typing
    Last edited by penfold; 27th September 2010 at 03:37 PM.

  8. #23

    GrumbleDook's Avatar
    Quote Originally Posted by penfold View Post
    Edit: GD - You already answered my question while I was still typing
    I sometimes answer my pre-loaded questions myself ... it comes from constantly having conversations with myself and forgetting who should be answering who.

  9. #24

    Can you not put the person in a group which has some but not all admin rights? You can certainly give them permissions to access student folders, change passwords, etc via say a sub-admin role. We do the same for some of our IT teachers.

  10. #25
    jsnetman's Avatar
    We also give access to some teachers who require it to go into student areas, and also some IT teachers have the ability to change passwords. You can delegate all these permissions with AD and NTFS permissions. I reckon the teacher does not know what the domain account really involves, so calm them down and give them the level they want. No one should be logging into a computer with domain admin; I know I do, which is bad practice, but that's not the point.
    Last edited by jsnetman; 27th September 2010 at 06:09 PM.

  11. #26

    witch's Avatar
    Quote Originally Posted by jsnetman View Post
    We also give access to some teachers who require it to go into student areas, and also some IT teachers have the ability to change passwords. You can delegate all these permissions with AD and NTFS permissions. I reckon the teacher does not know what the domain account really involves, so calm them down and give them the level they want. No one should be logging into a computer with domain admin; I know I do, which is bad practice, but that's not the point.
    Yes, so do I and I know I shouldn't. I agree though, give them what they want, locked down as far as you are able.

    Quote Originally Posted by GrumbleDook View Post
    I sometimes answer my pre-loaded questions myself ... it comes from constantly having conversations with myself and forgetting who should be answering who.
    Now that IS disappointing, Grumbledook - 'who should be answering whom' is correct

  12. #27

    GrumbleDook's Avatar
    Quote Originally Posted by witch View Post
    Now that IS disappointing, Grumbledook - 'who should be answering whom' is correct
    Taken to Who/Whom to stop the thread being too OT.

  13. #28

    My line in the sand is read-only access to student my docs, no access to other adult my docs, no one ever gets their normal user account made an admin. I've been expecting but have yet to encounter a compelling request for write access re. SEN kids etc. Password changing doesn't bother me provided it is limited to a select few because it leaves tracks you can refer back to if necessary... not bothered includes the prospect of say one SLT being in a position to change a teacher's password.

    Standard defences: "This runs against the grain of [magic word with emphasis] E-safety blah-blah.." and one of those true stories of the very serious inconvenience when a promoted-to-admin teacher account got hit by some brand new and thus undetected malware, which swiftly got the entire domain.

    The trust issue is fun, in the sense that some folk just don't appear to have ever considered how much access you have until you talk about it re. the seriousness of giving it to someone else. I always used to think trust/ethics was part of what you got paid for in the private sector, so next time you're sulking over the pay-slip perhaps that ignorance is part of the problem...
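
One way to set up the delegation described in posts #24 and #25 (a limited group that can reset student passwords and read student folders) together with the password-reset audit trail that post #28 relies on, as an added example that is not part of the thread. The OU, group and folder names are hypothetical; event ID 4724 is the password-reset event on Windows Server 2008 and later and is only logged when account-management auditing is enabled.

```powershell
# Hypothetical names: none of these come from the thread, adjust to your domain.
$StudentOU = 'OU=Students,DC=school,DC=example'   # delegation is scoped to this OU only
$Group     = 'SCHOOL\ICT-Teachers'                # ordinary security group, NOT Domain Admins
$HomeRoot  = 'D:\Shares\StudentDocs'              # root of the student home folders

# 1. AD delegation, inherited to user objects below the OU (/I:S):
#    CA;Reset Password -> the "Reset Password" control-access right
#    WP;pwdLastSet     -> may set "user must change password at next logon"
#    Staff accounts live in other OUs, so this group cannot touch them.
dsacls $StudentOU /I:S /G "${Group}:CA;Reset Password;user"
dsacls $StudentOU /I:S /G "${Group}:WP;pwdLastSet;user"

# 2. NTFS: read-only (read and execute) on student folders, inherited to
#    subfolders (CI) and files (OI). No write, no change-permissions,
#    no take-ownership.
icacls $HomeRoot /grant "${Group}:(OI)(CI)RX"

# 3. Review what was actually granted before telling anyone it is done.
dsacls $StudentOU | Select-String -SimpleMatch $Group
icacls $HomeRoot

# 4. The "tracks": who reset whose password in the last 7 days.
#    Run on a domain controller; fields are read by name from the event XML.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4724
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time   = $evt.TimeCreated
            Actor  = $data.SubjectUserName   # account that performed the reset
            Target = $data.TargetUserName    # account whose password was reset
        }
    }
```

As post #21 points out, none of this constrains an account that is a member of Domain Admins, which is why the group here is a separate, non-admin group.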

  14. #29
    p858snake's Avatar
    Don't forget DPA issues..... There was a thread the other day on the same issue where some costs were pointed out.

    I vaguely remember a thread /awhile/ ago about staff having write rights to student data and that was apparently a no-no against some policies and exam boards.

    If the person just needs to change passwords, I recommend a tool like: http://www.wisesoft.co.uk/software/p...l/default.aspx

  15. #30

    TechMonkey's Avatar
    Quote Originally Posted by Cools View Post
    and the admin passwords need to be locked in the school safe. Just in case you get run over by a bus.
    There's the answer. Things with the admin password need to go in the safe. Give the teacher the password then put them in the safe
