How would you solve this problem....?

[Zammo]

Hello there,

I work for a small college, and have been tasked with the problem of how to tackle a growing problem we have with exams software, and more specifically the AD account we use to run them. Here is the current scenario:

We run a number of courses, that between them use ~6 different pieces of exam software, some more complex than others, some require internet connectivity, others check for updates every time they are launched and some older apps. need certain administrative privileges or access to the c:\ drive to run. Because of the varied nature and design of these apps. they cannot be ran under a typical "student" account. Instead an exams account is set up which has the correct privileges to run all of the exam apps.


In theory, before any exam the exams staff should log each user on using the exams account. What we are finding however is that the exams password is being given out to the students, who are then open to abuse this right by logging in as the exams account at a later date (thus avoiding accountability for misuse).

We have tried simply changing the exams password on a regular basis, however this results in frequent AD lock outs, which is a pain considering some of these exams take place after working hours. We have considered implementing a "log on hours" policy for the account, but we don’t believe we can rely on our exams department to be organised enough to make this workable!


I can think of a number of ideas that *might* resolve the problems, but I suspect that other colleges\schools will have similar setups and could enlighten me on how they work!

Thanks in advance

Martin

[Steve21]

Generally anything that needs a seperate exam login one of us techies will log it in. If we're not told about an exam etc they don't get access. No problems with students etc logging on either then

Steve

[Michael]

If you specify 'Domain Users' as local administrators, this means all users have the necessary rights to run and update software as required. You can still lock out Control Panel and make the C:\ drive unavailable (hidden) for example.

[Dos_Box]

Is the software installed college wide, or just on a specific set of machines?

[Zammo]

Thanks for the thoughts so far, I will give them some thought...
@Dos_Box - The software is not college wide, I would estimate that 60% of the computers have some form of exams software on them, if not all the packages at once. Another ongoing battle we have with exams is their habbit of using a very wide selection of IT suites to perform the exams, as opposed to limiting themselves to just a couple of rooms that could be managed more easily....

[twin--turbo]

Use AB Tutor to log all the machines on.

Rob

[bandgeekmafia78]

If you could narrow it down to 2 computer suites, you could simply add up to 64 computers in the 'Log on to' section of the account tab in Active Directory. I guess this won't solve your problem but it will make it a bit more manageable.

[tmcd35]

We (try to) keep exam accounts disabled in AD unless a teacher as requested they be enabled. We usually create specific accounts for a particular teacher with unique passwords for him to use with his class.

All staff here have the facility to change pupils passwords so if an account is locked out or disabled they can sort it with out disturbing us (we use WiseSoft's password utility).

On top of that all computer logons are logged and time stamped in two log files whenever anyone logs in. One log file is for the user listing date/times/machines he/she logged in to. The other is per computer listing date/times/users logged in to that machine. So, if we suspect someone of cheating we can easily check it.

[kmount]

Are you in a position to make using an exams account an annoyance for the user?

For example, if you have a decent filtering product could you make the exams accounts only be allowed access to the exams website so no naughty / games websites (to avoid the accountability) can be accessed?

Perhaps have a logon script that logs when these accounts are used along with the computer names (or all computers) so you can get a location, date, time etc and talk to the teacher to know who was sat to the left of John Smith, and the right of Jack A'Nory to pinpoint who the darling was?

I'd go about it this way to make the exams accounts actually less desirable to use!

[Dos_Box]

Is running them on VM's (hosted locally) not an option? You could then restrict access to the VM as and when required.

[clareq]

All exam accounts are disabled when exams are not running. Those that require Internet access are only allowed access to the web page required by the exam. No network drives are set, they are the most locked down accounts we have, which makes them undesirable.

[TheLibrarian]

I gave our Exams Officer a small script file that activates the exam accounts on the day she runs the script; students could use those accounts for that day should they choose to afterwards but not again until she activates them again.

Code:

 @echo off


REM --------------------------------------------------------------------------
REM REM out the if statement to allow any user to run this script.
REM --------------------------------------------------------------------------
if /i NOT "%username%" == "staff-username" goto noteofficer


cls
color 1f
REM --------------------------------------------------------------------------
REM The following two commands are the worker commands.
REM --------------------------------------------------------------------------
dsquery user -samid exam* | dsmod user -acctexpires 0 -disabled no


REM --------------------------------------------------------------------------
REM Check that the commands were executed successfully.
REM --------------------------------------------------------------------------
if %errorlevel% equ 0 goto finished
goto error


REM --------------------------------------------------------------------------
REM Everything went as it should
REM --------------------------------------------------------------------------
:finished
cls
color 2f
echo Completed sucessfully
echo    - The exam accounts will be active in 30 minutes.
echo    - The exam accounts will automatically deactivate at 23:59 today.
pause
goto end


REM --------------------------------------------------------------------------
REM Something went wrong - no idea what though.
REM --------------------------------------------------------------------------
:error
cls
color 4f
echo Something went wrong!
echo    - Call ICT Helpdesk on 0000.
pause
goto end


REM --------------------------------------------------------------------------
REM Username running the script is not Mrs. E. Officer
REM --------------------------------------------------------------------------
:noteofficer
cls
color 4f
echo This is only to be run by Mrs. E. Officer - Exams Coordinator.
echo    - Call 0000 to contact Mrs. E. Officer
pause
goto end


:end
color

It's not the best of scripts, but it does its job.

[dhicks]

I gave our Exams Officer a small script file that activates the exam accounts on the day she runs the script;

You could put that script on the other end of a simple web page that lets the user log in and press a button to enable a given set of exam accounts - it might make the process a bit more usable for the average end user.

[cscott]

We used to have same problem with online exams - exams being ran in different rooms everytime, students given the online exams accounts, conflicting requirements from different exam boards etc...

Fortunately when we looked at the exams timetables we discovered that about 70% of the time we had at least one online exam or test of some sort running in the College - this gave us a good case for having a designated online exams room, as it didn't really have any cost implications.

The PC's in our exams room have Microsoft Virtual PC installed and have a seperate VM for each exam board. The physical machines are tightly locked down, we set Virtual PC as the shell and configured them to autologin, so basically they sit showing the available VM's - students them start the appropriate VM for the exam they are doing.

To get round the online exam password we generate a unique online exam account for each student for each exam - some of the exam boards we use actually require this be done. Where required the accounts are placed in an appropriate group to give them admin rights on the relevent VM.

Sounds like a complicated setup but online exams used to be anightmare, complaints from stduents, letters to the Principal etc... Since introducing this system they run like a dream, not a single complaint