Windows Server 2000/2003 Thread, Can anyone please suggest account permissions for an Apprentice Technician? in Technical; Can anyone please suggest AD account permissions for an apprentice technician we have starting?
Sorry if this appears lazy, but ...
8th February 2012, 08:12 PM #1
Can anyone please suggest account permissions for an Apprentice Technician?
Can anyone please suggest AD account permissions for an apprentice technician we have starting?
Sorry if this appears lazy, but as I'm sure many of you have been through this before. Previously there has only been an experienced technician and a network manager, we have just been full "domain administrators"....
Obviously I know it depends on what roles we wish them to be able to do, but could anyone please suggest what set-up they may have for there trainee technicians? I do not want our computer/user accounts deleted whilst he is learning!
Thanks in advance
IDG Tech News
8th February 2012, 08:16 PM #2
Just give him access to reset passwords for the start? And then as you train him/Gain his trust, alter the permissions to suit the jobs he needs to do.
8th February 2012, 08:25 PM #3
As mentioned here - I setup like a normal staff account - so had perms to reset password but then removed him from the ou so no gpo's applied. added locally to the admins group of his pc therefore he can tinker etc on that - if it breaks fog it!
Originally Posted by ihaveaproblem
8th February 2012, 08:29 PM #4
Students reset their own passwords and if they cant manage it themselves staff do it for them, we use "Self Service Password Reset" which is a great edugeek project
I will set him up as glennda suggested and maybe have a read of the 114 page, "Best Practice Guide for Securing Active Directory Installations.doc" tomorrow!!
I did start to read about setting up "service administrator" accounts and thought that someone might have already done this and have a great set for a beginner.
8th February 2012, 08:33 PM #5
We have a very strange problem that has been around since we created the domain, if anyone is added as a local admin to any computer at any point, then roaming profiles just stop working on any other future computers for them until their AD account is recreated, I have no idea why and there are no errors, the replication back to the server just doesn't happen! Luckily now as the bursar`s use SAP, we don't have anyone in the school that needs to be a local administrator or power user!
Originally Posted by glennda
Thanks for replies
8th February 2012, 08:51 PM #6
To be honest with something like this I think it's best to start them off doing the basic tasks, toner/paper stuffing, maybe building/repairing some hardware faults on machines.
If you want to expose them to AD etc... let them observe and to give them some hands on experience of that give them some vm's in a domain configuration to play with.
8th February 2012, 08:57 PM #7
I guess I am jumping the gun a little. I forget we will have to be first showing him how to clean projector filters and change toners first. But we only have him for a year and I really don't want him to leave us after 12 months without the learned skills to get a great tech job somewhere instead of being as some teachers would call him a "Toner Monkey" .
Oh well nothing like planning in advance!
8th February 2012, 10:35 PM #8
Personally i think he will be ok with local admin rights, password resets & the ability to join machines to the domaim.
8th February 2012, 10:46 PM #9
Maybe plan backwards and set some goals/milestones for him to work towards.
8th February 2012, 10:54 PM #10
I think it's rather demeaning to give any less than a basic administrative access level.
When I first started, I had little experience in this field (a few months from previous place) but was given full admin access (or maybe it's because I was on my own half the week for the first year so had no choice but to need it and to pick things up very quickly!)
I'd have felt a little miffed to say the least if i'd come into a job enthusiastic and to learn but was held back and limited to, as I quote above, "toner/paper stuffing, maybe building/repairing some hardware faults on machines". The irony is that after all these years, most of my time is now spent faffing with pc components and fiddling/sorting out printers!!
Sure, work experience students (under 17) or someone who is only going to be there for a very short time should be given the bare minimum (if they're there just to test the water in terms of is that what they want to do), but someone who is starting as a full-time job and intends on their duration being long term I think should have some form of administrative access.
You'll find you'll learn alot more about them quicker depending on how they treat such access and respect trust from yourself/other techies; indeed, offer the suggestion that you're willing to trust them as an adult who won't take it as an opportunity to cause havoc and accept alot of things they'll need to be patient with regards to the learning curve. Should a disaster caused by lack of maturity or worrying impatience happen, of course, you should have a decent enough backup system in place and pending how bad such "havoc" was caused, be able to ensure they find all the correct "one-way" doors
On a more serious note, unless they're a kid or has zero experience and/or shown zero enthusiasm, any less than a basic admin account is an insult.
Last edited by dgsmith; 8th February 2012 at 10:57 PM.
Thanks to dgsmith from:
FN-GM (8th February 2012)
8th February 2012, 11:16 PM #11
Totally disagree and as I said plan the work to lead to bringing them up to a suitable standard.
Saying that someone should be given the keys to the kingdom from day one us reckless and irresponsible.
There will be no need to "recover from havoc" as it will not happen if done in the right way.
Depending on the persons apptitude then the program may be accelerated.
8th February 2012, 11:26 PM #12
@plexer: You may disagree and maybe you're right in your own way, but I can only speak from (positive) experience at my current and previous workplace (where I was also given full access). The "havoc" statement was meant tongue in cheek, but mainly to reinterate that as professionals we always ensure everything is backed up and thus most undesirable actions can never usually be indefinately destructive.
Note though I only noted "basic admin access" and didn't suggest everyone, under every circumstance, should be given rights to the whole lot. My circumstances where different (as I briefly explained) and thus would have been very difficult to have anything other than full, but I guess it depends on the circumstances and how you perceive an individual on the initial impressions or indeed your own preferences.
To answer burgemaster directly though: "I do not want our computer/user accounts deleted whilst he is learning!" - either action is a concious action and equally can be mistakenly done whether you're learning or working from years of experience.
8th February 2012, 11:30 PM #13
I would also add that they should be taught to use least access rights required to acheive their tasks.
@GREED has dealt with a lot of apprentices
8th February 2012, 11:50 PM #14
To let you know I used to mentor and assess IT apprentices, apprentice IT Technicians etc so I would be happy to share my experiences etc (tomorrow, it is far to late for such a potentially mamouth post!) But let me know if interested and what you might like to know and I can give you everything I have. What quals they doing as well?
To give you a starting point though, think back to when you started with IT and what help you would have liked, so give that back!!
9th February 2012, 09:48 AM #15
Set up his account so he can only log onto X number of machines at one time. Ours started as just 2, office pc and one other.
By burgemaster in forum Windows 7
Last Post: 20th July 2012, 11:51 AM
By SimpleSi in forum General Chat
Last Post: 5th June 2011, 06:33 PM
By burgemaster in forum General Chat
Last Post: 10th September 2010, 12:08 PM
By googlemad in forum Educational IT Jobs
Last Post: 23rd March 2007, 01:27 PM
By mrforgetful in forum How do you do....it?
Last Post: 19th December 2006, 12:50 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)