Currently the administration computer systems can be accessed using duplicate usernames. For example, most schools in Staffordshire can access their administration network using the accounts Lanuser1, Lanuser2, Lanuser3, etc.
This is mainly for historical reasons. When the first administration networks were introduced to schools in the 1990s, there was no easy way to manage user accounts without being on site, so a uniform approach had to be taken. Now that Staffordshire has an interconnected WAN between all school sites, remote management is no longer a barrier.
To improve the security, usability and manageability of school administration systems, we need to redefine the user accounts in use.
There are five main reasons why it is advisable to change the structure.
- It is impossible to know which "Lanuser" account matches which user. Occasionally a member of school staff keeps a record of this, but unless it is kept up to date the information is not accurate. This means we cannot accurately audit network and systems access.
- We also have a problem with multiple users logging on with the same account. As the Lanuser structure is generic and not person specific, users are not always as protective of their accounts as required by Data Protection Laws.
- A user from one school could quite easily access a neighbouring school's administration network from knowledge of the existing username structure. There are cases where passwords have not been changed in over a decade; they have simply been left at their preset default.
- Disaster recovery is made difficult by how we currently manage user home directories. As each individual Lanuser account has its own network share, recreating shares during data recovery is a laborious task.
- The user profile, which stores all of the user's settings, including e-mail, which is often critical data, is stored locally on the user's main workstation and is therefore not backed up. This data is lost in the event of system failure, fire or theft.
- Long term, it is advisable to join all the administration systems in Staffordshire into a single Active Directory Structure or a hosted solution to take advantage of the many benefits this will bring. Before this takes place however we need to have a unique account name for each individual user accessing school administration systems.
To improve the situation we need to convert the existing users to a new username convention. This will also give us the opportunity to rationalise the school systems and remove unneeded accounts and user accounts that are no longer used, thus removing a possible security problem.
The end customers will obviously not be aware of the underlying problems the Lanuser accounts pose to LT, but they will find that their systems are more personalised to their own schools and user management will be a much simpler task.
How long does it take to migrate users?
It usually takes one to two days to convert the admin systems in the school, depending on the number of users and user data.
We generally allow half an hour per machine/user to migrate, so the impact of migration is approximately ½ hr or less per user.
Most of the required server work is carried out remotely, with user data transfer being carried out onsite at the time of migration.
It's easier with the users available, because of passwords and testing the desktop afterwards, but we can also carry out the migration over a school holiday without the users in attendance. In the latter case someone from school IT will need to be in to give us access and show us around the user stations.
What does Learning Technologies need to carry out the migration?
The information we need to carry out the conversion is the 'lanuser logon' mapped to the 'person's name'. This applies to the administration systems only. For example:
Lanuser1 = user Charlie Smith, which would then become user charlie.smith@slt with a unique password chosen by the user.
It's important that the user names are:
a) What the user wants to be known by, but in the format 'firstname.lastname' (e.g. if they are named Susan, the firstname may be Sue, Suzy, etc.)
b) Spelt correctly. It upsets users when the names are wrong, and we also have to remove the profile and reinstall it.
Where there are multiple logons, for instance multiple users who log on as lanuser1 and so have access to the lanuser1 documents, after migration we will put these documents in the shared area so that users can still access them, unless there are documents of a confidential/sensitive nature, in which case the owner decides on the location.
Where the user is the only person to log on as the lanuser, data is transferred seamlessly to the new user area.
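The mapping rules above can be checked before migration day. The following is an added example, not Learning Technologies' own tooling: it validates a 'lanuser logon' to 'person's name' list, derives the 'firstname.lastname' usernames and notes where documents will go. The sample names, the function names and the handling of apostrophes and hyphens are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample mapping ('lanuser logon' -> name the user wants); not real data.
SAMPLE_MAPPING = [
    ("Lanuser1", "Charlie Smith"),
    ("Lanuser1", "Sue Jones"),      # second person sharing Lanuser1
    ("Lanuser2", "Pat O'Neil"),
    ("Lanuser3", "Charlie Smith"),  # same name again: needs a human decision
    ("Lanuser4", "Madonna"),        # no last name: cannot form firstname.lastname
]

# Assumption: each name part is letters, optionally hyphenated; apostrophes are dropped.
NAME_PART = re.compile(r"[a-z]+(?:-[a-z]+)*")

def to_username(full_name):
    """Return 'firstname.lastname', or None if the name does not fit that format."""
    parts = full_name.replace("'", "").lower().split()
    if len(parts) != 2 or not all(NAME_PART.fullmatch(p) for p in parts):
        return None
    return ".".join(parts)

def plan_migration(mapping):
    """Return (plan, problems); problems are rows that must go back to the school."""
    people_per_lanuser = defaultdict(list)
    for lanuser, name in mapping:
        people_per_lanuser[lanuser.lower()].append(name)
    plan, problems, seen = [], [], {}
    for lanuser, name in mapping:
        username = to_username(name)
        if username is None:
            problems.append((lanuser, name, "not in firstname.lastname format"))
            continue
        if username in seen:  # every account name must be unique
            problems.append((lanuser, name, "duplicate of " + seen[username]))
            continue
        seen[username] = lanuser
        shared = len(people_per_lanuser[lanuser.lower()]) > 1
        # Sole user: data moves to the new user area. Shared logon: documents go to
        # the shared area (the owner decides for confidential/sensitive documents).
        plan.append((lanuser, username, "shared area" if shared else "new user area"))
    return plan, problems

if __name__ == "__main__":
    plan, problems = plan_migration(SAMPLE_MAPPING)
    for row in plan + problems:
        print(row)
```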
When Not to go for unique usernames
If you are creating a single network for the school, then as part of that implementation you will be migrating users and creating your own user structure.