Can anyone please suggest account permissions for an Apprentice Technician?

[burgemaster]

Can anyone please suggest AD account permissions for an apprentice technician we have starting?

Sorry if this appears lazy, but as I'm sure many of you have been through this before. Previously there has only been an experienced technician and a network manager, we have just been full "domain administrators"....

Obviously I know it depends on what roles we wish them to be able to do, but could anyone please suggest what set-up they may have for there trainee technicians? I do not want our computer/user accounts deleted whilst he is learning!

Thanks in advance

[ihaveaproblem]

Just give him access to reset passwords for the start? And then as you train him/Gain his trust, alter the permissions to suit the jobs he needs to do.

[glennda]

Just give him access to reset passwords for the start? And then as you train him/Gain his trust, alter the permissions to suit the jobs he needs to do.

As mentioned here - I setup like a normal staff account - so had perms to reset password but then removed him from the ou so no gpo's applied. added locally to the admins group of his pc therefore he can tinker etc on that - if it breaks fog it!

[burgemaster]

Thanks,
Students reset their own passwords and if they cant manage it themselves staff do it for them, we use "Self Service Password Reset" which is a great edugeek project

I will set him up as glennda suggested and maybe have a read of the 114 page, "Best Practice Guide for Securing Active Directory Installations.doc" tomorrow!!
I did start to read about setting up "service administrator" accounts and thought that someone might have already done this and have a great set for a beginner.
Thanks again

[burgemaster]

added locally to the admins group of his pc

We have a very strange problem that has been around since we created the domain, if anyone is added as a local admin to any computer at any point, then roaming profiles just stop working on any other future computers for them until their AD account is recreated, I have no idea why and there are no errors, the replication back to the server just doesn't happen! Luckily now as the bursar`s use SAP, we don't have anyone in the school that needs to be a local administrator or power user!

Thanks for replies

[plexer]

To be honest with something like this I think it's best to start them off doing the basic tasks, toner/paper stuffing, maybe building/repairing some hardware faults on machines.

If you want to expose them to AD etc... let them observe and to give them some hands on experience of that give them some vm's in a domain configuration to play with.

Ben

[burgemaster]

Thanks Ben,
I guess I am jumping the gun a little. I forget we will have to be first showing him how to clean projector filters and change toners first. But we only have him for a year and I really don't want him to leave us after 12 months without the learned skills to get a great tech job somewhere instead of being as some teachers would call him a "Toner Monkey" .
Oh well nothing like planning in advance!

[FN-GM]

Personally i think he will be ok with local admin rights, password resets & the ability to join machines to the domaim.

[plexer]

Maybe plan backwards and set some goals/milestones for him to work towards.

Ben

[dgsmith]

I think it's rather demeaning to give any less than a basic administrative access level.

When I first started, I had little experience in this field (a few months from previous place) but was given full admin access (or maybe it's because I was on my own half the week for the first year so had no choice but to need it and to pick things up very quickly!)

I'd have felt a little miffed to say the least if i'd come into a job enthusiastic and to learn but was held back and limited to, as I quote above, "toner/paper stuffing, maybe building/repairing some hardware faults on machines". The irony is that after all these years, most of my time is now spent faffing with pc components and fiddling/sorting out printers!!

Sure, work experience students (under 17) or someone who is only going to be there for a very short time should be given the bare minimum (if they're there just to test the water in terms of is that what they want to do), but someone who is starting as a full-time job and intends on their duration being long term I think should have some form of administrative access.

You'll find you'll learn alot more about them quicker depending on how they treat such access and respect trust from yourself/other techies; indeed, offer the suggestion that you're willing to trust them as an adult who won't take it as an opportunity to cause havoc and accept alot of things they'll need to be patient with regards to the learning curve. Should a disaster caused by lack of maturity or worrying impatience happen, of course, you should have a decent enough backup system in place and pending how bad such "havoc" was caused, be able to ensure they find all the correct "one-way" doors

On a more serious note, unless they're a kid or has zero experience and/or shown zero enthusiasm, any less than a basic admin account is an insult.

[plexer]

Totally disagree and as I said plan the work to lead to bringing them up to a suitable standard.

Saying that someone should be given the keys to the kingdom from day one us reckless and irresponsible.

There will be no need to "recover from havoc" as it will not happen if done in the right way.

Depending on the persons apptitude then the program may be accelerated.

Ben

[dgsmith]

@plexer: You may disagree and maybe you're right in your own way, but I can only speak from (positive) experience at my current and previous workplace (where I was also given full access). The "havoc" statement was meant tongue in cheek, but mainly to reinterate that as professionals we always ensure everything is backed up and thus most undesirable actions can never usually be indefinately destructive.

Note though I only noted "basic admin access" and didn't suggest everyone, under every circumstance, should be given rights to the whole lot. My circumstances where different (as I briefly explained) and thus would have been very difficult to have anything other than full, but I guess it depends on the circumstances and how you perceive an individual on the initial impressions or indeed your own preferences.

To answer burgemaster directly though: "I do not want our computer/user accounts deleted whilst he is learning!" - either action is a concious action and equally can be mistakenly done whether you're learning or working from years of experience.

[plexer]

I would also add that they should be taught to use least access rights required to acheive their tasks.

@GREED has dealt with a lot of apprentices

Ben

[GREED]

Thanks @plexer

To let you know I used to mentor and assess IT apprentices, apprentice IT Technicians etc so I would be happy to share my experiences etc (tomorrow, it is far to late for such a potentially mamouth post!) But let me know if interested and what you might like to know and I can give you everything I have. What quals they doing as well?

To give you a starting point though, think back to when you started with IT and what help you would have liked, so give that back!!

[rad]

Set up his account so he can only log onto X number of machines at one time. Ours started as just 2, office pc and one other.