  1. #1


    Domain Admin Access to Teaching Staff

    Hi Guys, we have a new head of ICT Curriculum, who has run to the Head and complained as they are not a domain admin. I've explained that they do not need this level of access as they are supposed to teach etc etc etc. After much discussion I've now been threatened with disciplinary if I do not make their standard account an unrestricted domain admin immediately, despite the fact that it is against school policy.

    Just wondered what everyone else thought to this? There are more politics involved but wanted to keep this brief and to the point
    Last edited by reltihmd; 27th September 2010 at 01:56 PM.

  2. #2
    AyatollahPies
    Make sure you check event log regularly so if a major issue arises, you can cross reference it with her account usage.

    I hate situations like this. It shows how ruddy hard supporting schools really is.

  3. #3

    plexer
    Are you in a union?

    I know that seems to be a standard response to these types of situations but it can be very helpful.

    You are employed as the specialist ICT support staff and they are employed to teach.

    Also ask for a written statement from her as to why she needs domain admin access.

    Ben

  4. #4


    Even technicians shouldn't log in as a domain admin unless they are doing something on a particular machine that requires it.
    Could you just make her local admin?

    Problem is that ultimately it's the school leadership team that manage the school so I doubt if a union could help. They give you domain admin permissions, and if they think the ICT teacher needs it then it's their decision - even if it's a terrible idea.

    I suggest you go along with it, but insist that she needs adequate training beforehand (MCSE). This way you will be able to rely on her to help fix problems; she wants her job role to change by the sounds of things.
    Oh - and be sure to make a formal complaint every time she undermines your job.
    Last edited by CyberNerd; 27th September 2010 at 12:13 PM. Reason: cant spell

  5. #5

    Any time she screws something up just say "I told you so". I agree with CyberNerd, even technicians and NM's need only log on as a domain admin if absolutely necessary. This is why Microsoft have so many groups like Backup Operator, Power User, Remote User etc etc.

  6. #6

    sonofsanta
    Get her to sign a disclaimer agreeing that any damage caused to the network or its configuration will be resolved by her, immediately, regardless of other teaching commitments, home time, social life etc. Make it as scary as possible that she is responsible for what happens and that she has to clean up her mess and it might scare her out of it. You get the drift here, even if my wording is perhaps a bit of a stretch

    If you're still forced to, might be wise to make her a new account with the requested access rather than granting permissions to hers - as others have said, even NM and techies have normal accounts and use the admin account only when necessary to prevent accidents happening. Demonstrate that yours is set up in this way and so hers will have to be as well. That way it is both a) protection against accidents and b) a deterrent to fiddling for the hell of it because of the hassle of logging out/in every time.

  7. #7

    witch
    Originally posted by sonofsanta:
    > Get her to sign a disclaimer agreeing that any damage caused to the network or its configuration will be resolved by her, immediately, regardless of other teaching commitments, home time, social life etc. Make it as scary as possible that she is responsible for what happens and that she has to clean up her mess and it might scare her out of it. You get the drift here, even if my wording is perhaps a bit of a stretch
    >
    > If you're still forced to, might be wise to make her a new account with the requested access rather than granting permissions to hers - as others have said, even NM and techies have normal accounts and use the admin account only when necessary to prevent accidents happening. Demonstrate that yours is set up in this way and so hers will have to be as well. That way it is both a) protection against accidents and b) a deterrent to fiddling for the hell of it because of the hassle of logging out/in every time.

    Absolutely - make her a NEW account - and try and restrict it as much as you can - dependent on what she wants to be able to do with it. Explain the protection and deterrent aspects but also point out that with a separate account it will be possible to check exactly what has been done by whom in case of issues arising.

  8. #8
    leco
    I just have to ask the question - does the teacher in question actually understand what is meant by Domain Admin?

  9. #9

    Hightower
    Phone the LEA and ask for support. It may be where a big boss at the LEA phones the head up and explains how bad an idea this is - may be enough to change the HT's mind about the whole thing.

  10. #10
    TheLibrarian
    Guest
    You could also point out that if left unattended a domain admin account can potentially bring the school network crashing down in less than 20 clicks of a mouse (I'm thinking open ADU&C, select an appropriate OU and delete)...

    <sarcasm>That level of access by default is insane, make her enterprise admin so that she can wreck the schema too...</sarcasm>

    This is exactly why Delegation of Control Wizard was created, she can have access to exactly what she needs.

    Whatever happens I would suggest you CYA if you end up elevating her account and seriously consider the union advice.



    I am so glad we have good management at this school!

  11. #11

    Thanks for all the replies guys, I'll respond to a few points quickly.

    I am in the union, meeting with them next week. The teacher in question is from another school where the staff mark work by going directly into the students' My Documents and writing comments onto the document itself; teachers also change passwords in AD at the front of the classroom. I know that I can allow both of these without domain admin rights but would rather they didn't happen at all, for obvious reasons.

    We are a fairly forward moving school, we've had an onsite VLE for years, onsite Exchange servers and helpdesks to improve how people work, we have various methods of marking work and I see that as a massive backwards step, the most worrying thing is that I've had to teach this member of staff how to turn on the PC by pressing the power button on the front (and not just the one on the monitor).

    The head is placing the onus on me to ensure that they are trained up on how to do things safely with this level of access, he clearly doesn't realise that this is impossible.

    We also tried phoning the LEA - the response that we got was somewhat unexpected...
    "If the head is prepared to take the risk, then it's up to him"
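
The delegation that the posts above refer to (the Delegation of Control Wizard, and allowing classroom password resets without domain admin rights) can also be scripted. This is an added example, not something posted in the thread; the OU paths, domain name and group name are hypothetical, and it assumes the ActiveDirectory module and `dsacls` are available on the admin workstation.

```powershell
# Added example: delegate "reset student passwords" to a group instead of
# granting Domain Admins. All names below are hypothetical placeholders.
Import-Module ActiveDirectory

$StudentOU = 'OU=Students,DC=school,DC=example'   # hypothetical OU holding student accounts
$GroupOU   = 'OU=Groups,DC=school,DC=example'     # hypothetical OU for security groups
$GroupName = 'Delegated-StudentPwdReset'          # hypothetical delegation group
$Trustee   = "SCHOOL\$GroupName"                  # hypothetical NetBIOS domain name

# 1. Hold the right in a group, so access is granted and revoked by membership.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}

# 2. Grant only what a password reset needs, on user objects below the
#    student OU (/I:S = inherit to sub-objects only):
#    - the "Reset Password" control access right
#    - write pwdLastSet  (to tick "must change password at next logon")
#    - write lockoutTime (to unlock a locked-out account)
dsacls $StudentOU /I:S /G "${Trustee}:CA;Reset Password;user"
dsacls $StudentOU /I:S /G "${Trustee}:RPWP;pwdLastSet;user"
dsacls $StudentOU /I:S /G "${Trustee}:RPWP;lockoutTime;user"

# 3. Review the result: the ACEs now on the OU for that group, and who is
#    in Domain Admins (the delegated group should not appear there).
dsacls $StudentOU | Select-String -SimpleMatch $GroupName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, SamAccountName
```

Because the grant is scoped to the student OU, staff accounts and every other part of the directory stay outside the group's reach.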

  12. #12
    TheLibrarian
    Guest
    Originally posted by reltihmd:
    > We also tried phoning the LEA - the response that we got was somewhat unexpected...
    > "If the head is prepared to take the risk, then it's up to him"

    I hate to say it, but that's my opinion too. We call it playing the boss card.

    All you can do is point out that they do not need to be domain admins to perform the tasks they want, how it's a bad idea for anyone to be using a domain admin account as their normal account, and that the training requirement would be far lower if they only had access to the areas of the network they actually require.

  13. #13

    GrumbleDook
    If you are going to make her account a domain admin account then you have two choices ... a new account (as well as her existing one) for when she needs extra access, or just make her a domain admin.

    Then ask the Head and Bursar / business Manager which folders and documents are needed to be kept sensitive (ie staff pay, disciplinary procedures, etc) as you take it that they would want you to lock out access to those folders / files. Then point out that this account would have access to all staff files and folders, even personal ones, so do you need to let all staff know so that *they* can tell you which files and folders need to have their security permissions changed.

    Finally, they are unlikely to need physical access to the servers, so make sure that they cannot log in locally to them. Point out that if they do have access to do this then they would also be able to restart the servers *DURING THE WORKING DAY* and therefore disrupt the whole school.

    If, ultimately, the Head says 'make it so!' then you do so, but ask the school to make sure that their data protection policy is up to date and that you want written confirmation of the required changes, just in case data goes missing.

    You are like the site supervisor ... he has a master key to all doors but he is trusted not to go in rooting around. But remember that other staff also may have master keys because they are trusted ... to a point. Try to make sure that you look through logs on a regular basis and if you have any issues that you take it to your line manager, documenting it all the way through.

    I would also, as advised previously, talk with the teaching union reps ... who might not be too pleased as this can also lead to their members being expected to take on more admin tasks ... and *they* will have a word with the person involved instead.

  14. Thanks to GrumbleDook from:

    elsiegee40 (27th September 2010)

  15. #14
    TheLibrarian
    Guest
    Originally posted by GrumbleDook:
    > Then ask the Head and Bursar / business Manager which folders and documents are needed to be kept sensitive (ie staff pay, disciplinary procedures, etc) as you take it that they would want you to lock out access to those folders / files. Then point out that this account would have access to all staff files and folders, even personal ones, so do you need to let all staff know so that *they* can tell you which files and folders need to have their security permissions changed.

    I say this with all due respect: Tony you are an evil genius.

  16. #15


    Originally posted by reltihmd:
    > <Snip>
    >
    > The head is placing the onus on me to ensure that they are trained up on how to do things safely with this level of access, he clearly doesn't realise that this is impossible.

    If you have been handed the onus to train up the teacher to be able to use this level of access safely, then do exactly that. Provide a training program which outlines the scope of knowledge which is required and timescales for the training. When they realise that this will replace any teaching time they are supposed to be doing they may actually see it is a bit of a nonsense.

    After that I'm afraid there is nothing you can do other than provide a separate account as requested. But what I would do is put together something which states this account shouldn't be used for any other reasons than the primary purpose or it can (and will) be revoked, and get this signed by your head. When the teacher starts using this account rather than their "normal" one, simply log it and revoke access highlighting the person doesn't have the necessary skills to be trusted with this access. Or at the very least, ensure you are covered as GD says "in the event of data protection" you can't be held responsible if mistakes are made by other people.
    Last edited by penfold; 27th September 2010 at 04:02 PM.
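
Several posts above recommend giving the teacher a separate admin account and reviewing the logs for how it is used. One way to run that review, as an added example that is not part of the thread: it assumes Windows Server 2008 or later event IDs, that logon and Kerberos auditing are enabled on the domain controllers, and a hypothetical account name.

```powershell
# Added example: where and when has the separate admin account been used?
# Assumes Server 2008+ event IDs and rights to read the DCs' Security logs.
Import-Module ActiveDirectory

$AdminAccount = 'teacher-da'            # hypothetical separate admin account
$Since        = (Get-Date).AddDays(-7)

# 4768 = Kerberos TGT requested (logged on a DC for each domain logon)
# 4624 = logon on the DC itself (LogonType 2 = console, 10 = Remote Desktop)
$filter = @{ LogName = 'Security'; Id = 4768, 4624; StartTime = $Since }

$usage = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # SilentlyContinue: Get-WinEvent raises an error when nothing matches
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's named data fields into a hashtable
            $data = @{}
            foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$f.Name] = $f.'#text'
            }
            if ($data['TargetUserName'] -eq $AdminAccount) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    DC        = $dc
                    EventId   = $_.Id
                    Source    = $data['IpAddress']
                    LogonType = $data['LogonType']   # empty for 4768
                }
            }
        }
}

# Everyday use shows up as activity on many days from the same classroom PC.
$usage | Group-Object { $_.Time.Date }, Source |
    Sort-Object Name | Select-Object Count, Name

# Any sign-in on a domain controller itself, at the console or over RDP.
$usage | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -in '2', '10' } |
    Sort-Object Time
```

Keeping the dated output alongside the written agreement gives a record of use that does not depend on anyone's recollection.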


