We’re very similar to what Jim has, but somewhat larger with 2000+ staff (including subs) and 15,000+ students, 20 schools with a new one on the way, an ECEAP site, and three admin sites. Our 6 repair techs are assigned to specific buildings and may deal with specialized apps and hardware at those locations, but we also have some central office tech staff who will deal with other general district-wide apps and responsibilities, including our SIS.

All technology staff have a regular “user” level account, then a second account that has local admin on the domain workstations. Those of us who need domain admin each have a separate account for that as well, so three accounts each, nothing shared. We also have a role called “Computer Specialist”, which is a staff member at the school (usually a teacher, but can be anyone; they get a stipend) and they have a local admin “tech” account for the PCs at their site. Computer Specialists’ responsibilities are managed through our department and they are the first point of contact for building-related tech issues, but they can do things with their admin account like installing local print drivers for someone and deleting local profiles for students.

When I was first here many years ago, we did have people all over who were administrators on PCs (although students never were), but we have tightened that up over the years, and have also since layered on SRP and AppLocker. One of the techniques we’ve used to do this is to say that we’re going to start doing XX (i.e., removing admin permissions) starting with a specific OS version, so it doesn’t cause issues with existing systems and apps. You can then use GPOs and group or WMI filters to control those kinds of settings and who is impacted; let me know if you want more specifics.

-Bonnie

From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Tuesday, January 3, 2017 5:23 AM
To: [email protected]
Subject: RE: [NTSysADM] IT Organization Design

6000 students, 900 staff. 12 schools and one administration building. There are 4 desktop technicians that have several buildings assigned to them. They each also have districtwide responsibilities. For example, one is in charge of our emergency radios, another is in charge of our makerspaces. Things like that. I handle all the Google and AD domains, email, and all the other server functions and security. One other guy handles all the network, VoIP, camera systems and so on.

Desktop techs each have their own local desktop admin account; it is a separate account from their regular account. They do not need DA. There are two DA accounts, one for me and one for the network guy. No one shares anything, ever. No one else has any administrative rights.

From: [email protected] [mailto:[email protected]] On Behalf Of CSSU NetAdmin
Sent: Sunday, January 1, 2017 3:07 PM
To: [email protected]
Subject: [NTSysADM] IT Organization Design

We are looking at re-organizing our IT department for our K-12 school district. Are there examples out there for how work is divided? Do IT staff focus on specific areas or is everyone more of a generalist? We have moved to Chromebooks in a big way and find that how we are presently organized (school-based) really doesn’t work anymore.

Finally, who uses the Least Privilege Administrative model? If you do, is there one domain admin account shared for people who need admin rights, or does each IT staff person have two accounts? Thanks for any ideas. Happy New Year!
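The OS-version-scoped rollout Bonnie describes (a "remove local admin" GPO scoped by a WMI filter on the OS version), as an added PowerShell check that is not from the thread: it runs the same WQL test the WMI filter would on a workstation, then audits the local Administrators group against a sanctioned list. The EXAMPLE domain and the Workstation-Admins group name are placeholders, not names from the thread.

```powershell
# Added example, not from the thread. Run on a domain workstation to confirm that
# (a) the machine falls inside the WMI filter scoping the "remove local admin" GPO and
# (b) the local Administrators group contains only the sanctioned principals.
# EXAMPLE\... names are placeholders; substitute the district's own domain and groups.

function Test-LocalAdminBaseline {
    param(
        # WQL exactly as entered in the GPMC WMI filter: Windows 10 reports Version "10.0.<build>"
        [string]$WmiFilterQuery = "SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE '10.0.%'",

        # Principals allowed in the local Administrators group once the policy has applied
        [string[]]$Allowed = @(
            "$env:COMPUTERNAME\Administrator",   # built-in account (normally disabled)
            'EXAMPLE\Domain Admins',             # placeholder domain
            'EXAMPLE\Workstation-Admins'         # placeholder: the techs' second (local-admin) accounts
        )
    )

    # Same evaluation the Group Policy client performs: an empty result means the filter excludes this host
    $os = Get-CimInstance -Namespace 'root\cimv2' -Query $WmiFilterQuery
    $inScope = ($null -ne $os)

    # Enumerate current members; Name comes back as "DOMAIN\account" or "COMPUTER\account"
    $members = Get-LocalGroupMember -Group 'Administrators'
    $unexpected = @($members | Where-Object { $Allowed -notcontains $_.Name })

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = if ($os) { $os.Version } else { (Get-CimInstance Win32_OperatingSystem).Version }
        InWmiFilterScope = $inScope
        # Only a host inside the filter scope is expected to be clean; older builds await their OS refresh
        Compliant        = (-not $inScope) -or ($unexpected.Count -eq 0)
        UnexpectedAdmins = $unexpected | ForEach-Object { "$($_.Name) ($($_.ObjectClass), $($_.PrincipalSource))" }
    }
}

# Example run; a non-empty UnexpectedAdmins list on an in-scope host is what to investigate
Test-LocalAdminBaseline | Format-List
```

Run it from the tech's local-admin account (Get-LocalGroupMember needs elevation) or push it through a scheduled task and collect the objects centrally to spot drift from the least-privilege baseline.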

