27th September 2010, 11:46 AM #1
Domain Admin Access to Teaching Staff
Hi Guys, we have a new head of ICT Curriculum, who has run to the Head and complained as they are not a domain admin, I've explained that they do not need this level of access as they are supposed to teach etc etc etc, after much discussion I've now been threatened with disciplinary if I do not make their standard account an unrestricted domain admin immediately, despite the fact that it is against school policy.
Just wondered what everyone else thought to this? There are more politics involved but wanted to keep this brief and to the point
Last edited by reltihmd; 27th September 2010 at 01:56 PM.
27th September 2010, 11:58 AM #2
Make sure you check event log regularly so if a major issue arises, you can cross reference it with her account usage.
I hate situations like this. It shows how ruddy hard supporting schools really is.
27th September 2010, 12:02 PM #3
Are you in a union?
I know that seems to be a standard response to these types of situations but it can be very helpful.
You are employed as the specialist ICT support staff and they are employed to teach.
Also ask for a written statement from her as to why she needs domain admin access.
27th September 2010, 12:12 PM #4
Even technicians shouldn't log in as a domain admin unless they are doing something on a particular machine that requires it.
Could you just make her local admin?
Problem is that ultimately it's the school leadership team that manage the school so I doubt if a union could help. They give you domain admin permissions, and if they think the ICT teacher needs it then it's their decision - even if it's a terrible idea.
I suggest you go along with it, but insist that she needs adequate training beforehand (MCSE) this way you will be able to rely on her to help fix problems, she wants her job role to change by the sounds of things.
oh - and be sure to make a formal complaint every time she undermines your job.
Last edited by CyberNerd; 27th September 2010 at 12:13 PM.
Reason: cant spell
27th September 2010, 12:35 PM #5
Any time she screws something up just say "I told you so". I agree with CyberNerd, even technicians and NMs need only log on as a domain admin if absolutely necessary. This is why Microsoft have so many groups like Backup Operator, Power User, Remote User etc etc.
27th September 2010, 12:47 PM #6
Get her to sign a disclaimer agreeing that any damage caused to the network or its configuration will be resolved by her, immediately, regardless of other teaching commitments, home time, social life etc. Make it as scary as possible that she is responsible for what happens and that she has to clean up her mess and it might scare her out of it. You get the drift here, even if my wording is perhaps a bit of a stretch
If you're still forced to, might be wise to make her a new account with the requested access rather than granting permissions to hers - as others have said, even NM and techies have normal accounts and use the admin account only when necessary to prevent accidents happening. Demonstrate that yours is set up in this way and so hers will have to be as well. That way it is both a) protection against accidents and b) a deterrent to fiddling for the hell of it because of the hassle of logging out/in every time.
27th September 2010, 01:05 PM #7
Absolutely - make her a NEW account - and try and restrict it as much as you can - dependent on what she wants to be able to do with it. Explain the protection and deterrent aspects but also point out that with a separate account it will be possible to check exactly what has been done by whom in case of issues arising
Originally Posted by sonofsanta
27th September 2010, 01:09 PM #8
I just have to ask the question - does the teacher in question actually understand what is meant by Domain Admin?
27th September 2010, 01:13 PM #9
Phone the LEA and ask for support. It may be where a big boss at the LEA phones the head up and explains how bad an idea this is - may be enough to change the HT's mind about the whole thing.
27th September 2010, 01:49 PM #10
You could also point out that if left unattended a domain admin account can potentially bring the school network crashing down in less than 20 clicks of a mouse (I'm thinking open ADU&C select an appropriate OU and delete)...
<sarcasm>That level of access by default is insane, make her enterprise admin so that she can wreck the schema too...</sarcasm>
This is exactly why Delegation of Control Wizard was created, she can have access to exactly what she needs.
Whatever happens I would suggest you CYA if you end up elevating her account and seriously consider the union advice.
I am so glad we have good management at this school!
27th September 2010, 01:58 PM #11
Thanks for all the replies guys, I'll respond to a few points quickly
I am in the union, meeting with them next week, the teacher in question is from another school where the staff mark work by going directly into the students' My Documents and writing comments onto the document itself, teachers also change passwords in AD at the front of the classroom, I know that I can allow both of these without domain admin rights but would rather they didn't happen at all for obvious reasons.
We are a fairly forward moving school, we've had an onsite VLE for years, onsite Exchange servers and helpdesks to improve how people work, we have various methods of marking work and I see that as a massive backwards step, the most worrying thing is that I've had to teach this member of staff how to turn on the PC by pressing the power button on the front (and not just the one on the monitor).
The head is placing the onus on me to ensure that they are trained up on how to do things safely with this level of access, he clearly doesn't realise that this is impossible.
We also tried phoning the LEA - the response that we got was somewhat unexpected...
"If the head is prepared to take the risk, then it's up to him"
27th September 2010, 02:11 PM #12
I hate to say it, but that's my opinion too. We call it playing the boss card.
Originally Posted by reltihmd
All you can do is point out that they do not need to be domain admins to perform the tasks they want, how it's a bad idea for anyone to be using a domain admin account as their normal account, and that the training requirement would be far lower if they only had access to the areas of the network they actually require.
27th September 2010, 03:40 PM #13
If you are going to make her account a domain admin account then take two choices ... a new account (as well as her existing one) for when she needs extra access or just make her a domain admin.
Then ask the Head and Bursar / business Manager which folders and documents are needed to be kept sensitive (ie staff pay, disciplinary procedures, etc) as you take it that they would want you to lock out access to those folders / files. Then point out that this account would have access to all staff files and folders, even personal ones, so do you need to let all staff know so that *they* can tell you which files and folders need to have their security permissions changed.
Finally, they are unlikely to need physical access to the servers, so make sure that they cannot login locally to them. Point out that if they do have access to do this then they would also be able to restart the servers *DURING THE WORKING DAY* and therefore disrupt the whole school.
If, ultimately, the Head says 'make it so!' then you do so, but ask the school to make sure that their data protection policy is up to date and that you want written confirmation of the required changes, just in case data goes missing.
You are like the site supervisor ... he has a master key to all doors but he is trusted not to go in rooting around. But remember that other staff also may have master keys because they are trusted ... to a point. Try to make sure that you look through logs on a regular basis and if you have any issues that you take it to your line manager, documenting it all the way through.
I would also, as advised previously, talk with the teaching union reps ... who might not be too pleased as this can also lead to their members being expected to take on more admin tasks ... and *they* will have a word with the person involved instead.
27th September 2010, 03:43 PM #14
I say this with all due respect: Tony you are an evil genius.
Originally Posted by GrumbleDook
27th September 2010, 03:59 PM #15
If you have been handed the onus to train up the teacher to be able to use this level of access safely, then do exactly that. Provide a training program which outlines the scope of knowledge which is required and timescales for the training. When they realise that this will replace any teaching time they are supposed to be doing they may actually see it is a bit of a nonsense.
Originally Posted by reltihmd
After that I'm afraid there is nothing you can do other than provide a separate account as requested. But what I would do is put together something which states this account shouldn't be used for any other reasons than the primary purpose or it can (and will) be revoked, and get this signed by your head. When the teacher starts using this account rather than their "normal" one, simply log it and revoke access highlighting the person doesn't have the necessary skills to be trusted with this access. Or at the very least, ensure you are covered as GD says "in the event of data protection" you can't be held responsible if mistakes are made by other people.
Last edited by penfold; 27th September 2010 at 04:02 PM.