+ Post New Thread
Results 1 to 15 of 15
Network and Classroom Management Thread, Technicians Administrative access in Technical; Scenario - 1 Network Manager, 1 Tecnician SLT wanting Technician (via personalised admin account) not to have file access rights ...
  1. #1

    Join Date
    Jan 2008
    Posts
    1
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Technicians Administrative access

    Scenario - 1 Network Manager, 1 Tecnician

    SLT wanting Technician (via personalised admin account) not to have file access rights to any member of staff's home directory. This leaves only the Network Manger with the ability, when required, access these areas.

    Opinions please.

    Thanks

  2. #2

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,843
    Thank Post
    876
    Thanked 1,679 Times in 1,459 Posts
    Blog Entries
    12
    Rep Power
    444
    I cant see it as a major issue to be honest. I would just leave a copy of your password in a safe incase you get hit by a bus.

  3. Thanks to FN-GM from:

    SimpleSi (15th March 2012)

  4. #3
    BKGarry's Avatar
    Join Date
    Mar 2006
    Location
    Kent
    Posts
    908
    Thank Post
    92
    Thanked 118 Times in 95 Posts
    Rep Power
    47
    will you not need an account with access for backups?

  5. #4


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    It would be easy to set 'deny' to that user on backups and data, but you would also need to deny him/her administrator access to the fileserver. This is essentially how I'd do it with our Samba fileservers, I could give a tech full AD admin rights (notwithstanding the ability for him/her to change passwords) yet deny them access to backups and data.

  6. #5
    rad
    rad is offline
    rad's Avatar
    Join Date
    Jan 2009
    Location
    Middlesex
    Posts
    2,473
    Thank Post
    334
    Thanked 307 Times in 235 Posts
    Rep Power
    109
    Why does SLT not want the Technician to have access to this information. If the Technician needs to do a restore, how are they going to do so. The time will come when you get fed up of doing things you will grant them access.

    So if a teacher comes to you and says, can you copy this file to my area, can you print this for me, its in ...., No I dont do it everyday but I do if a teacher says they have lost a file, I will seach their area first before going to the backup server.

  7. #6


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,630
    Thank Post
    275
    Thanked 777 Times in 604 Posts
    Rep Power
    223
    "At the rate you lot accidentally delete files?"

    "Haha, nope - I'm not doing all of those restores".


    What's the underlying issue? If they don't trust the person, find out why.

  8. #7
    TheLibrarian
    Guest
    Strictly speaking that is going to be a pain to achieve. The tech has an admin account what's to stop said tech resetting permissions etc.

    You could set denies and then set up auditing on the various areas that the tech should not see.

    If you really want this sort of security the tech has to lose the full admin account and you will have to create a custom admin account and delegate control on OUs to allow the tech to do some level of useful work.

  9. #8


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    Quote Originally Posted by TheLibrarian View Post
    Strictly speaking that is going to be a pain to achieve. The tech has an admin account what's to stop said tech resetting permissions etc.
    It's only a pain to do if it was set up inflexibly from the outset. It would take me about 15min to do this.

  10. Thanks to CyberNerd from:


  11. #9
    TheLibrarian
    Guest
    Quote Originally Posted by CyberNerd View Post
    It's only a pain to do if it was set up inflexibly from the outset. It would take me about 15min to do this.
    Playing Devil's Advocate
    And you'd be certain that in those 15 minutes you would not have missed a way for me to get access to things I shouldn't?

    What about testing?

  12. #10


    Join Date
    Jan 2006
    Posts
    8,202
    Thank Post
    442
    Thanked 1,032 Times in 812 Posts
    Rep Power
    339
    Quote Originally Posted by TheLibrarian View Post
    Playing Devil's Advocate
    And you'd be certain that in those 15 minutes you would not have missed a way for me to get access to things I shouldn't?

    What about testing?
    Pretty certain. notwithstanding the ability for an admin to change a password. but I'm in the vast minority of edugeekers who use samba instead of windows.. There's a reason why large corporations use *nix - some of the things that are a pain in windows turn out to be quite trivial if you have more options. I do agree it would be more difficult with windows though.

  13. Thanks to CyberNerd from:


  14. #11
    TheLibrarian
    Guest
    Quote Originally Posted by CyberNerd View Post
    Pretty certain. notwithstanding the ability for an admin to change a password. but I'm in the vast minority of edugeekers who use samba instead of windows.. There's a reason why large corporations use *nix - some of the things that are a pain in windows turn out to be quite trivial if you have more options. I do agree it would be more difficult with windows though.
    That's cheating!

  15. #12

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,710
    Thank Post
    1,784
    Thanked 2,170 Times in 1,605 Posts
    Rep Power
    770
    Working day to day, I use a standard staff account and don't have access to home drives either... It prevents accidental damage.

    I only have access if I log in with a domain admin account... And I certainly don't need that all the time.

  16. #13

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,118
    Thank Post
    1,371
    Thanked 2,375 Times in 1,672 Posts
    Rep Power
    703
    Conversely, I always use a domain admin account as invariably I need to get to something on the server or on a pc that is inaccessible to normal users

  17. #14
    Mr.Ben's Avatar
    Join Date
    Jan 2008
    Location
    A Pirate Ship
    Posts
    941
    Thank Post
    182
    Thanked 157 Times in 126 Posts
    Blog Entries
    2
    Rep Power
    65
    I use my domain account at my desk, but a slightly modified staff account everywhere else. The only extra that I have delegated to my Staff Account is the abilty to change passwords in my User Accounts OU.

  18. #15

    Join Date
    Jan 2012
    Location
    Luton
    Posts
    121
    Thank Post
    22
    Thanked 15 Times in 12 Posts
    Rep Power
    8
    I think the SLT should consider why they are requesting this. DPA? Even then there is a case for access to actually administrate the network.

    If they can't trust staff, they need to assess recruitment procedures.

    My 2p ;-)

SHARE:
+ Post New Thread

Similar Threads

  1. Roaming Profile folders and Administrator access
    By tes in forum Windows Server 2008 R2
    Replies: 1
    Last Post: 10th July 2011, 01:36 PM
  2. Replies: 6
    Last Post: 8th July 2011, 08:25 PM
  3. Laptop Technician/Administrator - West Kent - Closes 20/5/09
    By elsiegee40 in forum Educational IT Jobs
    Replies: 0
    Last Post: 8th May 2009, 07:31 AM
  4. Replies: 7
    Last Post: 5th September 2008, 11:43 AM
  5. Administrator Access
    By itnewbie in forum Wireless Networks
    Replies: 40
    Last Post: 30th March 2008, 08:30 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •