reltihmd Posted September 27, 2010 Report Posted September 27, 2010 (edited) Hi Guys, we have a new head of ICT Curriculum, who has run to the Head and complained as they are not a domain admin. I've explained that they do not need this level of access as they are supposed to teach etc etc etc; after much discussion I've now been threatened with disciplinary if I do not make their standard account an unrestricted domain admin immediately, despite the fact that it is against school policy. Just wondered what everyone else thought to this? There are more politics involved but wanted to keep this brief and to the point. Edited September 27, 2010 by reltihmd
AyatollahPies Posted September 27, 2010 Report Posted September 27, 2010 Make sure you check event log regularly so if a major issue arises, you can cross reference it with her account usage. I hate situations like this. It shows how ruddy hard supporting schools really is.
plexer Posted September 27, 2010 Report Posted September 27, 2010 Are you in a union? I know that seems to be a standard response to these types of situations but it can be very helpful. You are employed as the specialist ICT support staff and they are employed to teach. Also ask for a written statement from her as to why she needs domain admin access. Ben
CyberNerd Posted September 27, 2010 Report Posted September 27, 2010 (edited) Even technicians shouldn't log in as a domain admin unless they are doing something on a particular machine that requires it. Could you just make her local admin? Problem is that ultimately it's the school leadership team that manage the school so I doubt if a union could help. They give you domain admin permissions, and if they think the ICT teacher needs it then it's their decision - even if it's a terrible idea. I suggest you go along with it, but insist that she needs adequate training beforehand (MSCE); this way you will be able to rely on her to help fix problems. She wants her job role to change by the sounds of things. Oh - and be sure to make a formal complaint every time she undermines your job. Edited September 27, 2010 by CyberNerd can't spell
gl3nnym Posted September 27, 2010 Report Posted September 27, 2010 Any time she screws something up just say "I told you so". I agree with CyberNerd, even technicians and NM's need only log on as a domain admin if absolutely necessary. This is why Microsoft have so many groups like Backup Operator, Power User, Remote User etc etc.
sonofsanta Posted September 27, 2010 Report Posted September 27, 2010 Get her to sign a disclaimer agreeing that any damage caused to the network or its configuration will be resolved by her, immediately, regardless of other teaching commitments, home time, social life etc. Make it as scary as possible that she is responsible for what happens and that she has to clean up her mess and it might scare her out of it. You get the drift here, even if my wording is perhaps a bit of a stretch. If you're still forced to, might be wise to make her a new account with the requested access rather than granting permissions to hers - as others have said, even NM and techies have normal accounts and use the admin account only when necessary to prevent accidents happening. Demonstrate that yours is set up in this way and so hers will have to be as well. That way it is both a) protection against accidents and b) a deterrent to fiddling for the hell of it because of the hassle of logging out/in every time.
witch Posted September 27, 2010 Report Posted September 27, 2010

> Get her to sign a disclaimer agreeing that any damage caused to the network or its configuration will be resolved by her, immediately, regardless of other teaching commitments, home time, social life etc. Make it as scary as possible that she is responsible for what happens and that she has to clean up her mess and it might scare her out of it. You get the drift here, even if my wording is perhaps a bit of a stretch. If you're still forced to, might be wise to make her a new account with the requested access rather than granting permissions to hers - as others have said, even NM and techies have normal accounts and use the admin account only when necessary to prevent accidents happening. Demonstrate that yours is set up in this way and so hers will have to be as well. That way it is both a) protection against accidents and b) a deterrent to fiddling for the hell of it because of the hassle of logging out/in every time.

Absolutely - make her a NEW account - and try and restrict it as much as you can - dependent on what she wants to be able to do with it. Explain the protection and deterrent aspects but also point out that with a separate account it will be possible to check exactly what has been done by whom in case of issues arising.
leco Posted September 27, 2010 Report Posted September 27, 2010 I just have to ask the question - does the teacher in question actually understand what is meant by Domain Admin?
Hightower Posted September 27, 2010 Report Posted September 27, 2010 Phone the LEA and ask for support. It may be where a big boss at the LEA phones the head up and explains how bad an idea this is - may be enough to change the HT's mind about the whole thing.
Guest TheLibrarian Posted September 27, 2010 Report Posted September 27, 2010 You could also point out that if left unattended a domain admin account can potentially bring the school network crashing down in less than 20 clicks of a mouse (I'm thinking open ADU&C, select an appropriate OU and delete)... That level of access by default is insane; make her enterprise admin so that she can wreck the schema too... This is exactly why the Delegation of Control Wizard was created: she can have access to exactly what she needs. Whatever happens I would suggest you CYA if you end up elevating her account and seriously consider the union advice. I am so glad we have good management at this school!
reltihmd Posted September 27, 2010 Author Report Posted September 27, 2010 Thanks for all the replies guys, I'll respond to a few points quickly. I am in the union, meeting with them next week. The teacher in question is from another school where the staff mark work by going directly into the students' My Documents and writing comments onto the document itself; teachers also change passwords in AD at the front of the classroom. I know that I can allow both of these without domain admin rights but would rather they didn't happen at all for obvious reasons. We are a fairly forward-moving school: we've had an onsite VLE for years, onsite Exchange servers and helpdesks to improve how people work, we have various methods of marking work and I see that as a massive backwards step. The most worrying thing is that I've had to teach this member of staff how to turn on the PC by pressing the power button on the front (and not just the one on the monitor). The head is placing the onus on me to ensure that they are trained up on how to do things safely with this level of access; he clearly doesn't realise that this is impossible. We also tried phoning the LEA - the response that we got was somewhat unexpected... "If the head is prepared to take the risk, then it's up to him"
Guest TheLibrarian Posted September 27, 2010 Report Posted September 27, 2010

> We also tried phoning the LEA - the response that we got was somewhat unexpected... "If the head is prepared to take the risk, then it's up to him"

I hate to say it, but that's my opinion too. We call it playing the boss card. All you can do is point out that they do not need to be domain admins to perform the tasks they want, how it's a bad idea for anyone to be using a domain admin account as their normal account, and that the training requirement would be far lower if they only had access to the areas of the network they actually require.
GrumbleDook Posted September 27, 2010 Report Posted September 27, 2010 If you are going to make her account a domain admin account then you have two choices ... a new account (as well as her existing one) for when she needs extra access, or just make her a domain admin. Then ask the Head and Bursar / Business Manager which folders and documents need to be kept sensitive (ie staff pay, disciplinary procedures, etc) as you take it that they would want you to lock out access to those folders / files. Then point out that this account would have access to all staff files and folders, even personal ones, so do you need to let all staff know so that *they* can tell you which files and folders need to have their security permissions changed. Finally, they are unlikely to need physical access to the servers, so make sure that they cannot log in locally to them. Point out that if they do have access to do this then they would also be able to restart the servers *DURING THE WORKING DAY* and therefore disrupt the whole school. If, ultimately, the Head says 'make it so!' then you do so, but ask the school to make sure that their data protection policy is up to date and that you want written confirmation of the required changes, just in case data goes missing. You are like the site supervisor ... he has a master key to all doors but he is trusted not to go in rooting around. But remember that other staff also may have master keys because they are trusted ... to a point. Try to make sure that you look through logs on a regular basis and if you have any issues that you take it to your line manager, documenting it all the way through. I would also, as advised previously, talk with the teaching union reps ... who might not be too pleased as this can also lead to their members being expected to take on more admin tasks ... and *they* will have a word with the person involved instead.
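Several replies above come down to the same control: give the teacher a separate, named admin account and then actually review what that account does. The snippet below is an added example written for this thread, not something posted by any of the members or shipped with Windows; it assumes the separate account's logon name is the placeholder jbloggs-adm and that it runs on a domain controller with the Security log audited for account management and directory service changes (the default domain controller audit policy covers most of the event IDs used here). It pulls the account-management events attributed to that account over the last week so a weekly check, as GrumbleDook suggests, takes a minute rather than a trawl through Event Viewer.

```powershell
# Added example (not from the thread): weekly review of what a named admin account
# has changed in Active Directory, taken from the Security log of a domain controller.
param(
    [string]$AdminSam = 'jbloggs-adm',   # placeholder: the separate admin account's sAMAccountName
    [int]$Days = 7
)

# Security event IDs worth watching for an over-privileged account
# (account management and directory service change categories).
$watchedIds = @(
    4720, 4722, 4724, 4725, 4726,   # user created / enabled / password reset / disabled / deleted
    4738, 4740, 4767,               # user changed / locked out / unlocked
    4728, 4729, 4732, 4733,         # global and local group membership added / removed
    4756, 4757,                     # universal group membership added / removed
    5136, 5141                      # directory object modified / deleted
)

$since = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $watchedIds; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # EventData fields are easiest to read from the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # SubjectUserName is the account that performed the action.
    if ($data['SubjectUserName'] -eq $AdminSam) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Target  = $data['TargetUserName']   # account or group acted upon (blank for 5136/5141)
            Object  = $data['ObjectDN']         # present on directory service change events
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Print the review and keep a copy alongside the written confirmation from the Head.
$report | Sort-Object Time | Format-Table -AutoSize
$report | Export-Csv -Path ("admin-review-{0}.csv" -f (Get-Date -Format 'yyyy-MM-dd')) -NoTypeInformation
```

Run it as the technician's own admin account on each domain controller (or point Get-WinEvent at them with -ComputerName), because account management events are written on whichever DC processed the change. If the report is empty for weeks while the teacher is known to be using the account, that is a sign the audit policy is not capturing the right categories, not that nothing happened.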
Guest TheLibrarian Posted September 27, 2010 Report Posted September 27, 2010

> Then ask the Head and Bursar / Business Manager which folders and documents need to be kept sensitive (ie staff pay, disciplinary procedures, etc) as you take it that they would want you to lock out access to those folders / files. Then point out that this account would have access to all staff files and folders, even personal ones, so do you need to let all staff know so that *they* can tell you which files and folders need to have their security permissions changed.

I say this with all due respect: Tony you are an evil genius.
penfold Posted September 27, 2010 Report Posted September 27, 2010 (edited)

> The head is placing the onus on me to ensure that they are trained up on how to do things safely with this level of access, he clearly doesn't realise that this is impossible.

If you have been handed the onus to train up the teacher to be able to use this level of access safely, then do exactly that. Provide a training program which outlines the scope of knowledge which is required and timescales for the training. When they realise that this will replace any teaching time they are supposed to be doing they may actually see it is a bit of a nonsense. After that I'm afraid there is nothing you can do other than provide a separate account as requested. But what I would do is put together something which states this account shouldn't be used for any other reasons than the primary purpose or it can (and will) be revoked, and get this signed by your head. When the teacher starts using this account rather than their "normal" one, simply log it and revoke access, highlighting the person doesn't have the necessary skills to be trusted with this access. Or at the very least, ensure you are covered as GD says "in the event of data protection"; you can't be held responsible if mistakes are made by other people. Edited September 27, 2010 by penfold
elsiegee40 Posted September 27, 2010 Report Posted September 27, 2010

> Then ask the Head and Bursar / Business Manager which folders and documents need to be kept sensitive (ie staff pay, disciplinary procedures, etc) as you take it that they would want you to lock out access to those folders / files. Then point out that this account would have access to all staff files and folders, even personal ones, so do you need to let all staff know so that *they* can tell you which files and folders need to have their security permissions changed.

I'm with TheLibrarian... this has to be the best idea I've seen. Total respect Grumbledook!
Cools Posted September 27, 2010 Report Posted September 27, 2010 Our LEA has a policy on teachers having access, and it says they must never have admin-level access, and the admin passwords need to be locked in the school safe, just in case you get run over by a bus.
GrumbleDook Posted September 27, 2010 Report Posted September 27, 2010 To be honest ... I would ask the Head / Bursar what the essentially private files are anyway ... *you* are in a position of trust (the same way the site supervisor with the master keys and alarm codes is) but are *all* your staff in that position? There will be some documents which have to be treated very sensitively and if you get the senior staff thinking about this then it can also make life easier for you when introducing other data protection stuff ...
elsiegee40 Posted September 27, 2010 Report Posted September 27, 2010

> Our LEA has a policy on teachers having access, and it says they must never have admin-level access, and the admin passwords need to be locked in the school safe, just in case you get run over by a bus.

I'm in a private school and that's how it is here. I have an admin account, but my day-to-day account has the same level of privacy as the teachers (with a few 'tweaks' so I can remote into the servers). It's safer that way. A bad day is less likely to turn into a dreadful one caused by a slip of the fingers.
teejay Posted September 27, 2010 Report Posted September 27, 2010 Well, someone with Domain Admin rights needs to be trained to MCITP Server Administrator level as a minimum, so order the self study guides and point them to the nearest exam centre for them to sit the 3 required exams. When they've passed, sure, give em access.
SYNACK Posted September 27, 2010 Report Posted September 27, 2010

> Then ask the Head and Bursar / Business Manager which folders and documents need to be kept sensitive (ie staff pay, disciplinary procedures, etc) as you take it that they would want you to lock out access to those folders / files. Then point out that this account would have access to all staff files and folders, even personal ones, so do you need to let all staff know so that *they* can tell you which files and folders need to have their security permissions changed.

This should have an addendum that states that this is just a slowing-down mechanism and that as a domain admin, even if they are expressly locked out by permissions, they can simply take ownership of the files then read them anyway. Even if they are encrypted using Windows, a domain admin can reset the network administrator account and use this to get the master encryption certificate allowing decryption. Sure the user may not know how to do it but if they want to know, getting instructions off the internet is not exactly difficult.
penfold Posted September 27, 2010 Report Posted September 27, 2010 (edited)

> Then ask the Head and Bursar / Business Manager which folders and documents need to be kept sensitive (ie staff pay, disciplinary procedures, etc) as you take it that they would want you to lock out access to those folders / files. Then point out that this account would have access to all staff files and folders, even personal ones, so do you need to let all staff know so that *they* can tell you which files and folders need to have their security permissions changed.

Why? If another person is deemed good enough to have domain admin access then this should not be a problem. All staff should already know that *someone* has access to these files, but that they are professional enough not to "snoop" into areas that do not concern them. I would imagine a more worrying aspect would be the teacher not having the knowledge to use the account properly and causing problems by breaking things. How does stating the fact that they could restart the server during the school day differ from the existing NM? Surely the point to get across is that the teacher is not qualified (no experience or training?) to be given such access rather than stating what someone already has the ability to do? That's the reason for having experienced IT support so they can perform their job properly, and not have their duties handed out to other members of staff? Edit: GD - You already answered my question while I was still typing. Edited September 27, 2010 by penfold
GrumbleDook Posted September 27, 2010 Report Posted September 27, 2010

> Edit: GD - You already answered my question while I was still typing.

I sometimes answer my pre-loaded questions myself ... it comes from constantly having conversations with myself and forgetting who should be answering who.
timzim Posted September 27, 2010 Report Posted September 27, 2010 Can you not put the person in a group which has some but not all admin rights? You can certainly give them permissions to access student folders, change passwords, etc via say a sub-admin role. We do the same for some of our IT teachers.
jsnetman Posted September 27, 2010 Report Posted September 27, 2010 (edited) We also give access to some teachers who require it to go into student areas, and also some IT teachers have the ability to change passwords. You can delegate all these permissions with AD and NTFS permissions. I reckon the teacher does not know what the domain account really involves, so calm them down and give them the level they want. No one should be logging into a computer with domain admin; I know I do, which is bad practice, but that's not the point. Edited September 27, 2010 by jsnetman
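The two things the teacher actually wants to do (reset student passwords and get into student folders to mark work) are exactly what TheLibrarian, timzim and jsnetman say can be delegated without Domain Admins. The script below is an added example written for this thread, not code posted by any of the members or part of the Delegation of Control Wizard; it does with PowerShell what the wizard does with clicks. It assumes placeholder names: an OU OU=Students,DC=school,DC=local, a group ICT Teachers that the teacher's ordinary account is put in, and student home folders under D:\Students on a file server. The schema GUIDs are the well-known ones for the user class, the Reset Password control access right and the pwdLastSet attribute (needed for the "must change password at next logon" tick box); they are not placeholders.

```powershell
# Added example (not from the thread): delegate student password resets and
# student folder access to a group instead of handing out Domain Admins.
Import-Module ActiveDirectory

$studentsOU = 'OU=Students,DC=school,DC=local'   # placeholder OU
$groupName  = 'ICT Teachers'                     # placeholder group
$homeRoot   = 'D:\Students'                      # placeholder share root on the file server

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known Active Directory schema GUIDs (these are real values, not placeholders).
$userClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # "user" object class
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$pwdLastSetGuid    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rights      = [System.DirectoryServices.ActiveDirectoryRights]

# 1. Reset Password on user objects below the Students OU only.
$acl = Get-Acl -Path "AD:\$studentsOU"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::ExtendedRight, $allow, $resetPasswordGuid, $descendants, $userClassGuid)))

# 2. Read/write pwdLastSet so "user must change password at next logon" works from ADUC.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow, $pwdLastSetGuid, $descendants, $userClassGuid)))

Set-Acl -Path "AD:\$studentsOU" -AclObject $acl

# 3. Check what the group now holds on the OU: nothing outside these two entries should appear.
(Get-Acl -Path "AD:\$studentsOU").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, AccessControlType

# 4. NTFS: Modify on the student home folders so work can be marked in place. Run on the file server.
#    (OI)(CI) makes the entry inherit to files and subfolders; existing homes that block inheritance
#    would need /T or a per-folder grant.
$domainNetbios = (Get-ADDomain).NetBIOSName
icacls $homeRoot /grant "$domainNetbios\$($groupName):(OI)(CI)M"
```

The teacher keeps logging on with their normal account, so there is nothing to log out and back in for, and the delegated rights stop at the Students OU and the student share; staff documents, group policy, the schema and the servers' local logon are untouched. Because the change is made on the OU rather than on the group's account, it also shows up in a Delegation of Control review later and can be reverted by removing those two ACEs.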