Teacher wants to access active directory...

[Olumite]

hi

A teacher who has the role of "data manager" wants an i-teach-esque way of ammending/viewing people's profiles.

I realise that for her to be able to do such things I'd have to give her admin rights. which would enable her to roam free-range around the server.

There is no way I am giving her nor anyother teacher admin rights (nightmares of the possible horrors). I'd rather say there is no method that wouldnt comprimise the security of the server.

Is there another way?
Any suggestions welcome!

lol

My first post!

[plock]

Delegate control?

Create a Microsoft Management Console with the specific permissions of exactly what you would like the user to be able to perform. Ensure you delegate the control to only the OU you would like them to manage.

[FN-GM]

I think you can use delegate control so it will let her into active directory on a normal user and edit items. If you don't want her to edit things by default standard users can view things in AD but not change anything.

[FN-GM]

Beat me to it!

[plexer]

What exactly do you mean by amending/viewing peoples profiles?

What are they wanting to acheive?

Ben

[FN-GM]

Do you mean profiles asin the users settings or the users account in Active Directory?

[plock]

This article will describe delegating control and how to set it up:

http://www.windowsecurity.com/articl...istration.html

This article describes creating a custom MMC:

http://support.microsoft.com/kb/230263

[ICT_GUY]

Give her your mcp server 2003 book along with the XP one and the networking one and possibly the active directory one.

Tell her that when she passes the exams she can come poke around your server under supervision. Even limited rights to admin users would not get past me, one click and its a head ache for me.

Her f*** up costs you your job. And I would not let anyone touch my servers that didnt know at least what I do and certainly not without me breathing down their necks and taking notes. As for admin rights, when hell freezes over.

[webman]

I think this problem is more of a managerial one. Why does the Data Manager want access to ammend/edit user profiles - surely this is what the Network Manager and/or IT Technicians are for?

I second ICT_GUY's suggestion :P

[plock]

I use the above method for allowing ICT Teachers to only reset student passwords!

[GrumbleDook]

She wants to see profiles? I presume that you mean files in home areas (not all here have profiles and home areas in the same place).

Fine ... using RMTSHARE and XCACLs to add a group called 'teacher_view) with read permissions to student homeareas ... put her in the group ... and then give her an excel spreadsheet with student details ...

column 1 - student name
column 2 - year
column 3 - form
column 4 - UNC location of home area.

She can then create her own filter views on the file and get access to whoever she wants.

The AD is not a thing for non-admins to play with ... delegation of control of the AD is one way but if all she wants is a searchable list of home areas and links to them ... give her the above file.

[kingswood]

She wants to see profiles? I presume that you mean files in home areas (not all here have profiles and home areas in the same place).

Fine ... using RMTSHARE and XCACLs to add a group called 'teacher_view) with read permissions to student homeareas ... put her in the group ... and then give her an excel spreadsheet with student details ...

column 1 - student name
column 2 - year
column 3 - form
column 4 - UNC location of home area.

She can then create her own filter views on the file and get access to whoever she wants.

The AD is not a thing for non-admins to play with ... delegation of control of the AD is one way but if all she wants is a searchable list of home areas and links to them ... give her the above file.

Fantastic idea.

The amount of ICT teachers I have had almost argue the point with me is astounding. I mean- throw away my MCP and HNC etc and just hand over the reigns to a teacher who because they have "ICT" in their title think that being an administrator on the network is some kind of power right. I like your idea of filter views.

Of course another way of doing it is by setting permissions for a group of your creation (teacher_admins or whatever) and then mapping a drive in a logon script so that teachers who need access to home areas can get it within the limitation of their own accounts. I had this method suggested to me this past month.

Great idea though Tony- thanks!

Paul

[CyberNerd]

hmm. profiles.
send her a copy of the user.dat and get her to open it with a text editor. It's quite easy to understand, really.

[bossman]

Are you sure it's user profiles and not their documents as in their my docs directory.

I delegate the mmc out to teachers so that they can reset user passwords and give out more printer credits they can also go into user accounts and see the pupils work as well. It also gives them the capacity to turn off the internet for that user.

[ICT_GUY]

I have a VB prog that I wrote that opens every students homefolder in a particular class. Also antother that puts files into them.

Teachers were trying to do this manually and wating 1 hour of PPA time.