Help. Our contracted IT administrator is getting a bit over-protective and zealous about our little network.

We are a small charity in Shropshire that helps disabled individuals into work experience placements. We only employ 12 people and have two small offices.

Up until recently our I.T. was a bit of a Heath Robinson affair with a range of PC's that had been begged or borrowed (but never stolen) and some half decent laptops. They all worked as stand alone PC's with their own software and were networked to use workgroups.

Then we were offered some free IT support from a large company and their technicians came and set up a Windows Small Business 2003 Server and we all became part of a domain. (they were never told why this was better than a workgroup)

Then the big company said they could no longer support us but that one of their technicians was willing to offer us IT support on a voluntary basis, 'fab' we thought. Then he said he was setting up his own IT support company and we'd have to pay for his services. Not so fab.

This wouldn't have been so bad if he was a network guru, but he quite clearly isn't. And he never responds within the time frame that he specified either (which isn't good for us).

But now he's getting carried away and acting like he owns the network and we're just able to use it by his grace!

We're not a high risk company. The data we store electronically is of value to no-one but us and we have very few visitors in the building so unauthorised terminal access isn't an issue. Bearing all of this in mind here is our new, emposed, IT structure.

2 Servers with managed software, and onother one being added soon for dedicated email serving, all PC's and laptops on the domain with username/password access that has to be changed every 20 days, terminals that log you out if you dont use them for 3 minutes, no user right's to instal software or change any settings and no-one with admin rights except the IT guy who doesn't even work for us, he's just a contractor. Myself and the boss have 'power-user' accounts as well as our normal user accounts but even they don't have full access rights. He remotely works on the network and can hi-jack our terminals whenever he wishes to do something on them. He thinks he's a demi-god.

I joined the company recently, looked at the IT situation and alarm bells have been ringing ever since. The guy seems to be making things as complicated and dependent upon him as possible. I am an advanced home user but have almost no experience of networking beyond setting up work-groups and wireless internet access.

I have experimented with the network here but nothing that would threaten it's stability or integrity (we cant afford down-time) My employer is happy for me to act as 'the IT guy' and just pass on problems that are beyond my expertise to the contracted guy. This obviously thratens him because he's started acting like a brat.

Last weekend I accidentally removed my laptop from the domain and it uninstalled all of the managed software and wouldn't let me log back in. Obviously I called him and (2 days later!) he came and used some hacker's tool to bypass the log-in and restore the domain. Then, in my absence, he cancelled my super-user account and restricted my normal account. And he hasn't even restored the managed software so now I have no Office apps and no way of installing them! I feel like a naughty child who's been grounded, not a project coordinator and nominated IT support person.

My Concerns are...

He's far too protective of the whole IT situation. I'm only going to learn by trial and error and he gets paid to fix anything I might mess up so why's he stamping his feet?

More importantly if I really upset him (which I dont think would be difficult, he's so unstable) We could be completely locked out of our own network and could loose all of our files, he could deny any action on his part and we'd be unable to prove otherwise.

I know it's a worse case scenario but it could happen.

My thought's are to remove him as the Network Administrator and make the boss that person. He could still have an administrator account so that he can still look after everything but should 'he' and 'us' fall-out we could lock him out of the network not the other way around.

Would this work and what else would you do (short of ditching the guy) to take back control without the risk of sabotage?

Any help and advice will be gratefully appreciated.

Thanks.

That’s an interesting situation you’re in

Obviously this IT guy isn’t very professional. Having deployed a Windows Domain multiple times, I can say that he certainly has not followed MCSE conventions.

He should have consulted staff to get an idea of what you needed from the network, and decide whether a domain was necessary.
Domains have RPs (Responsible Persons) which must be a member of the Administrator group and considered to be on-site at all times. This should be a trained staff member.
He should have given someone in management the Administrator password, obviously with the instruction that it was not to be used lightly or given out, and that the RP would do whatever was necessary.

I wish I could say that I don’t see much of this sort of thing, but sadly I do. These are interesting times for the IT industry because while everything is networked and stored in databases, the general level of PC literacy has risen only slightly overall. Unfortunately, PCs are not so niche now, so there are thousands of people out there who can simply declare that they are IT professionals, and no one is qualified to contradict them. It is then quite difficult for many people to tell the experts from the incompetents.

Firstly, I would re-evaluate the existence of the Domain.

The Domain offers these advantages over a Workgroup:

• Centralised security.
  All members of a domain inherit passwords and security policies from the Domain Controller. This means any individual can log on to any system without any pre-configuration necessary.
• Centralised configuration
  Many configurations are automatically deployed to Domain Members, meaning that in order to change a setting for all systems, it need only be done once on the domain policy manager.
• Automation
  The Domain Controller offers numerous other services that Windows 2000 and above automatically take advantage of, which range from simple things such as synchronizing the clock, to more complicated things like automatically mounting common storage space.

Workgroups on the other hand are simple things:

• Peer to Peer
  Security, such as logging in, is an affair locally managed on each machine.
• Local administration
  Any software and settings is locally managed by the system owner.
• Plug in and go
  Systems do not need to join anything in order to be fully fledged members of the network. In the Domain model, system that are not members are limited.
  

Be aware that in either model, you will need a network server to perform mundane tasks such as file serving, issuing DHCP leases to clients. Presumably you have an internet connection, so you will need DNS and routing services. Windows Servers have all these features available without the need for Domain deployment; with the exception of Windows Server 2003 Small Business Edition, where you are forced to configure a Domain but can simply ignore it.


Of course, then you have to deal with this…IT expert. I think a measure of aggression is necessary. State your complaints, express that you are unhappy with the situation, tell him it’s unprofessional and you’ve had enough. You want the Administrator password, and nothing more to do with him. If you make a sufficient impression, he may become more accommodating, and help you mold the network into something more suitable.

Then, cut him loose. You need to get someone more professional to manage the network, or at least, train someone in the mundane tasks. If you're worried about him causing problems for you, make sure he's aware that you're prepared to get mad, and flex some legal muscle. Once you've disposed of him, get a real security expert to come in and make sure he hasn't left himself any backdoors.