One of my many passions is Microsoft technologies in the education sector. This is one of the reasons why I decided to start my own business implementing them in schools. I love working in schools and guiding them in their implementations, ensuring that they are getting a well-managed network, implemented to best practice, while also getting value for money. Over the next few weeks I’m going to go through some of my best practices that I see in businesses that should be implemented in schools.
The first of these is the use of the administrator user.
Previously I have given all of my IT Pro team the username and password for the administrator but over the past few months I’ve wondered whether this was the right thing to do or not. They would also have domain admin rights with their user so why would they need two domain admin users?
It’s not really a best practice for the domain administrator user password to be known by a whole group of people. All it takes is for one of those members of your team to accidentally give out the password, by a student looking over their shoulder or by a new member of the team writing it down because it’s a bit complex and then forgetting the piece of paper ever exists.
Should anyone know the domain administrator password? I think it’s a good question, but when implementing a network you shouldn’t really implement it using the domain administrator user. Yes, you will use it at first to implement Active Directory roles and supporting features, but you should use different admin accounts to implement software such as Exchange and SharePoint, and then have different users for their respective services to run under. This will be another blog post in the future, but how do some medium and larger organisations conquer this issue?
Medium and larger companies are run completely differently from schools. This is mainly to do with budgets, as a company with 1000 computers will have an IT budget of around £1 million while a school with the same number of devices has around £100,000 (including staff costs). 30 staff and 3 staff are managed differently: the company has an IT Director with a lot of influence in the business, while a Network Manager at a school can be told by the school senior leadership what the decision is and has to make the system work according to that requirement.
In a business team of 30 staff there may be many different teams: one for internet/network connectivity, another for user management including all of Active Directory, another for email and another for document management. If you were the IT Director for this company, would you let every one of these have the domain administrator password? Each of the teams would have permission to their respective software, allowing them to control only what they are employed to do.
But in a school a Network Manager would control it completely differently, with each member of the team having access to everything so they can deal with an issue when required for a member of staff or student. But do they actually require the administrator username to do this? No, not really.
Let’s create a scenario that involves everyone knowing the admin user at a school. One of your technical team has shut down the MIS server during registration, and now no form tutors can register their students, which is a legal requirement. The head teacher is on to you; they aren’t happy and want to know who it was that shut down the server. You check the event log to see who it was, and it was the administrator. You ask your team who it was and no one admits to doing it. You’re now in a sticky situation: you have to tell the head teacher that you don’t know, as you have a security issue with your network. Can you prove that it wasn’t a student who knows the password? Or maybe it was one of your team who went to log off and shut it down by mistake. If each member of your team used their own username to connect to the MIS server, the event log would soon tell you what each of the users is doing.
Yes, you can perform other checks to find out who it may be, but implementing a whole network under one username also means your event log will be full of administrator-created logs for all applications. Wouldn’t it be nice to be able to filter by username for that application and help with security?
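The event-log check from the scenario above, as an added example that is not from the original post: on Windows, shutdowns and restarts requested by a user or process are recorded in the System log as Event ID 1074, which names the account that issued them. `Get-ShutdownAttribution` and `New-SampleEvent` are hypothetical helpers, and the server name `MIS01`, domain `SCHOOL`, account `adm-jsmith` and the sample records are constructed.

```powershell
# Added example: attribute shutdown/restart events (System log, Event ID 1074) to accounts.
# Assumption: 'Administrator' is the shared built-in account everyone knows.

function Get-ShutdownAttribution {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $SharedAccounts = @('Administrator')
    )
    foreach ($e in $Events) {
        # Event 1074 data order: process, computer, reason, reason code,
        # shutdown type, comment, user
        $values = @($e.Properties | ForEach-Object { $_.Value })
        $user   = [string]$values[6]
        $name   = ($user -split '\\')[-1]      # strip the DOMAIN\ prefix
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Computer     = $values[1]
            Action       = $values[4]
            Process      = $values[0]
            User         = $user
            # False when the event only points at a shared account
            Attributable = $SharedAccounts -notcontains $name
        }
    }
}

# Constructed records shaped like Get-WinEvent output, so the example runs offline.
function New-SampleEvent ($time, $user, $action) {
    $data = 'C:\Windows\system32\winlogon.exe', 'MIS01',
            'No title for this reason could be found', '0x500ff', $action, '', $user
    [pscustomobject]@{
        TimeCreated = [datetime]$time
        Properties  = $data | ForEach-Object { [pscustomobject]@{ Value = $_ } }
    }
}

$sample = @(
    New-SampleEvent '2024-01-15 08:52' 'SCHOOL\Administrator' 'power off'
    New-SampleEvent '2024-01-16 17:30' 'SCHOOL\adm-jsmith'    'restart'
)
Get-ShutdownAttribution -Events $sample |
    Format-Table Time, Computer, Action, User, Attributable

# On the real server, feed it live events instead:
# Get-ShutdownAttribution -Events (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 })
```

The first sample row shows the problem from the scenario: the log names `Administrator`, which identifies nobody, while the second row points at one person's own elevated account.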
So what is the answer? Each user should have their own user accounts: one for them to use as a normal user, mapped to their email account and the folders they require permission to, and another that is elevated and controlled to their requirements in the network. Thanks to @benrobb for this input.
I hope this makes you think about who uses your domain administrator username and how.