Total respect Grumbledook!
Our LEA has a policy on teachers having access, and it says they must never have admin-level access.
And the admin passwords need to be locked in the school safe, just in case you get run over by a bus.
To be honest ... I would ask the Head / Bursar about what the essentially private files are anyway ... *you* are in a position of trust (the same way the site supervisor with the master keys and alarm codes is) but are *all* your staff in that position? There will be some documents which have to be treated very sensitively and if you get the senior staff thinking about this then it can also make life easier for you when introducing other data protection stuff ...
I have an admin account, but my day-to-day account has the same level of privacy as the teachers (with a few 'tweaks' so I can remote into the servers :D )
It's safer that way. A bad day is less likely to turn into a dreadful one caused by a slip of the fingers.
Well, someone with Domain Admin rights needs to be trained to MCITP Server Administrator level as a minimum, so order the self study guides and point them to the nearest exam centre for them to sit the 3 required exams. When they've passed, sure, give em access.
Sure, the user may not know how to do it, but if they want to know, getting instructions off the internet is not exactly difficult.
How does stating the fact that they could restart the server during the school day differ from the existing NM? Surely the point to get across is that the teacher is not qualified (no experience or training?) to be given such access rather than stating what someone already has the ability to do? That's the reason for having experienced IT support so they can perform their job properly, and not have their duties handed out to other members of staff?
Edit: GD - You already answered my question while I was still typing :)
Can you not put the person in a group which has some but not all admin rights? You can certainly give them permissions to access student folders, change passwords, etc via say a sub-admin role. We do the same for some of our IT teachers.
We also give access to some teachers who require it to go into student areas, and also some IT teachers have the ability to change passwords. You can delegate all these permissions with AD and NTFS permissions. I reckon the teacher does not know what the domain account really involves so calm them down and give them the level they want. No one should be logging into a computer with domain admin, I know I do which is bad practice but that's not the point.
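The delegation described in the two posts above, sketched as an added example that is not part of the original thread: a staff group gets password-reset rights on student accounts only and read-only NTFS access to student folders, with no Domain Admins membership involved. The OU, group names and folder path are hypothetical placeholders, and the last step assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: every name below is a hypothetical placeholder.
$studentsOU   = 'OU=Students,DC=school,DC=example'      # OU holding student accounts
$resetGroup   = 'SCHOOL\Student-Password-Resetters'     # selected staff only
$readGroup    = 'SCHOOL\Student-Work-Readers'           # staff who need to view work
$studentShare = 'D:\Home\Students'                      # root of student home folders

# 1. AD delegation: allow password resets on user objects under the
#    Students OU only (/I:S = apply to child objects, not the OU itself).
dsacls $studentsOU /I:S /G "${resetGroup}:CA;Reset Password;user"

#    Let the same group set "user must change password at next logon",
#    so the member of staff does not keep knowing the student's password.
dsacls $studentsOU /I:S /G "${resetGroup}:WP;pwdLastSet;user"

# 2. NTFS: read and execute only, inherited by subfolders and files.
#    No write, modify or delete rights are granted.
icacls $studentShare /grant "${readGroup}:(OI)(CI)RX"

# 3. Review what was granted.
dsacls $studentsOU | Select-String 'Student-Password-Resetters'
icacls $studentShare

# 4. Sanity check: nobody in the delegated group should also be a Domain Admin
#    on the same account. Any output here is an account to fix.
Import-Module ActiveDirectory
$admins = Get-ADGroupMember 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
Get-ADGroupMember 'Student-Password-Resetters' -Recursive |
    Where-Object { $admins -contains $_.SamAccountName } |
    Select-Object SamAccountName

# 5. Resets made through this delegation are recorded on the domain
#    controllers as Security event 4724 when account management auditing
#    is enabled. Run on a DC to list the most recent ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724 } -MaxEvents 20 |
    Select-Object TimeCreated, Message
```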
Who/Whom to stop the thread being too OT.
My line in the sand is read-only access to student my docs, no access to other adult my docs, no one ever gets their normal user account made an admin. I've been expecting but have yet to encounter a compelling request for write access re. SEN kids etc. Password changing doesn't bother me provided it is limited to a select few because it leaves tracks you can refer back to if necessary... not bothered includes the prospect of say one SLT being in a position to change a teacher's password.
Standard defences: "This runs against the grain of [magic word with emphasis] E-safety blah-blah.." and one of those true stories of the very serious inconvenience when a promoted-to-admin teacher account got hit by some brand new and thus undetected malware, which swiftly got the entire domain.
The trust issue is fun, in the sense that some folk just don't appear to have ever considered how much access you have until you talk about it re. the seriousness of giving it to someone else. I always used to think trust/ethics was part of what you got paid for in the private sector, so next time you're sulking over the pay-slip perhaps that ignorance is part of the problem... ;)
Don't forget DPA issues..... There was a thread the other day on the same issue where some costs were pointed out.
I vaguely remember a thread /awhile/ ago about staff having write rights to student data and that was apparently a no-no against some policies and exam boards.
If the person just needs to change passwords, I recommend a tool like: http://www.wisesoft.co.uk/software/p...l/default.aspx