Drawing the Line - Network Consulting vs. Employee Training

Striker109

Hey:

I've got a bit of a dilemma and it would be great to hear from fellow IT network consultants. I've got a long-time client who has recently employed a new office manager. She has requested that I train someone in the office who can handle basic IT troubleshooting (printer not working, account locked, etc). This in itself isn't a big deal because of the security policies I have in place. Plus, it would be nice to get the basic desktop support stuff off my plate.

Now, the manager is asking for me to grant admin rights to the PBX system, mission critical servers, etc to this person. This is where I draw the line. I am not able to support servers, equipment, etc when I know someone else has been messing with them. I recognize it's their equipment and they have every right to it so if they want in that's fine. I just won't support it anymore.

The PBX system is very complicated and a novice should not be tinkering around in it. Heck, even I only do basic work in it and let the PBX vendor perform the rest of it (I know my limits and I'm not a "phone guy"). The same goes for the mission critical servers. Unless you're a Windows Administrator they won't be able to understand anything.

How does one logically approach this issue with management? I'm just at a loss here because I can see this blowing up in my face quickly. Any help from the IT consultants out there would be appreciated. Thanks!
 
There is no question here. It is not your place to draw lines. You are the contractor and you do what the client asks. That's what they pay you for. You can provide information with caveats but you hand over the requested info / permissions first. At the end of the day the client owns the environment. By complying the worst case scenario is you end with more billable hours. By not complying you'll likely be out the door.
 
If he effs it up, you'll be called to fix it. If you don't do what they want, they may just get rid of you.
 
You make them sign an acceptance of responsibility. Seriously.

We had a client ask for this exact thing. They had a secretary who was "good with computers" and wanted her to start handling the day to day stuff and bring us in as backup. We set her up with an admin account and didn't give her the domain admin password. Trained her on how to fix simple server issues, etc and let her loose. 4 months later we get a call that their whole environment is down and find out that she was "tinkering" trying to get something to work better, and took down their 2 business apps. They tried to blame us up and down about not properly training her, and we should have had safeguards in place to prevent this, and at the end of the day we just pulled out the signed agreement saying that we didn't recommend giving this much control to a non admin for this exact reason and anything she broke was her fault. Access got removed right after that meeting.

The best way to approach it is to just explain why it is a bad idea for a non admin to have admin credentials. If they push back and say well we really want it anyway, then suggest that you would like to have a signed agreement by all parties involved (you, CEO of the company, office manager, person with the access) outlining what they are and are not allowed to do, who they need to call when they get in over their head, etc so that when it blows up in your face you can just say TOLD YA SO!
 
There is no question here. It is not your place to draw lines. You are the contractor and you do what the client asks. That's what they pay you for.

Perhaps you misunderstood me. I draw the line in providing support to them if they want to give administrator access to all the critical equipment.


You can provide information with caveats but you hand over the requested info / permissions first. At the end of the day the client owns the environment. By complying the worst case scenario is you end with more billable hours. By not complying you'll likely be out the door.

That's a given and I'm sorry I didn't make that more clear.


By complying the worst case scenario is you end with more billable hours. By not complying you'll likely be out the door.

Well this client is the exception. I wouldn't mind being "out the door" at this point. Maybe it's time I re-evaluate and see if it is really worth my trouble to continue supporting them.



C7J0yc3, you wrote one heck of a post! Thank you for the information. You would happen to have a generic template, copy of such an agreement, or a place where I can go to get one written up (which I know costs money and I'm fine with it)?
 
I have been in this situation before and I am actually in one of those situations right now - amazingly enough at the same location.

I won't give all the details, but after working on a jumble of a network, we set up a domain with actual security, set up an Exchange server, GPOs, formal backup plan in place, completely documented, etc. Then we handed the reins to their in-house IT Manager. Long story short, within 6 months we were back in there to rectify a massive problem, completely redo everything he "fixed" and then some. After all was said and done, they were in it for about $10K (on top of the original amount they paid in the first place).

You can keep working with them, but get CYA (cover your ass) material. This includes the aforementioned letter to management, any e-mail communication regarding the issue, and tell them in person what might come of it. As I'm sure you know, clients have incredibly short memories for things like this. In the end, all you can do is educate the client, if they still want to proceed with giving others admin access then you can at least expect more billable hours in the future.

Most likely, the first time it really hits the fan and you're brought in to fix something major they will change their tune and lock down things again.
 
Agreement of absolvement of any issues caused by someone that is not you.

As stated, you give them the information but put the CAVEATS in writing and you basically absolve yourself of any issue that arises from said person's action.

Have all involved sign. Done.

When it blows up (matter of when), you are covered.
 
C7J0yc3, you wrote one heck of a post! Thank you for the information. You would happen to have a generic template, copy of such an agreement, or a place where I can go to get one written up (which I know costs money and I'm fine with it)?

Unfortunately since I left that company I don't have access to the template anymore. For us we just had a list of dos and don'ts printed on our letterhead, client signed one, we signed one and that was "binding" enough for when we needed it.

A short list was:

Do:
Install Windows Updates
Maintain Backups
Install Critical Application Patches (however you must give proper warning to the consultant and management)
Add, Delete, Modify Users, Computers and Groups in AD
Add, Delete, Modify Shares and Share Permissions
Maintain Central AV suite
Add, Delete, Modify Exchange Mailboxes and Distribution groups
Manage DHCP
Modify DNS

Do Not:
Make any modification to AD or Exchange that is not listed above unless contacting consultant first.
Modify the LOB apps unless instructed to do so by the support staff of the LOB app.
Make ANY registry change for any reason.
Install new applications or new versions of applications (except Java, Flash, etc.) without consulting me.
Make any changes to the firewall or switch without authorization from me, unless instructed to do so by support staff of vendor.

There was a much bigger list with things more clearly broken out, but you get the idea. The way I pitched it was like this.

Having smart hands on site is absolutely invaluable and I would love the help. However you need to understand that just unchecking a box or making one small variable change can absolutely destroy an environment and if you aren't documenting your changes fixing what you broke can be very long and costly. With this agreed set of rules you will be able to accomplish day to day tasks and management of the environment. The more complicated stuff you will be able to do, we just want to give you a hand with it and make sure that you are learning, not hindering. As you become more competent with systems administration we will re-evaluate the list and change up your roles.

Basically it doesn't make you look like you are trying to totally control something that isn't yours, but at the same time basically says you're gonna screw up and I'm just trying to give you a safety net.
 
Can't you set up admin type user accounts on various levels through Active Directory? I know some of what you're discussing is outside of AD but the company I work for has a variety of "admin" templates including a help desk admin, for people who need to add or remove computers from domains, reset passwords and change file share privileges.
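
Added example, not part of the thread and not any poster's own script: one way to build the "help desk admin" tier described above, delegating only password reset and account unlock on a single OU to a role group instead of handing out Domain Admin. The OU paths, group name and account name are placeholders assumed for illustration.

```powershell
# Added example: delegate help-desk tasks on ONE OU to a role group.
# All DNs, group names and account names below are assumed placeholders.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Staff,DC=example,DC=com'    # assumed OU holding ordinary user accounts
$GroupOU   = 'OU=Groups,DC=example,DC=com'   # assumed OU for role groups
$GroupName = 'HelpDesk-Tier1'                # hypothetical role group
$Trainee   = 'jdoe'                          # hypothetical on-site helper's account
$Domain    = (Get-ADDomain).NetBIOSName

# 1. Rights are granted to a role group, never directly to the person,
#    so removing access later is a single group-membership change.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
$members = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $Trainee) {
    Add-ADGroupMember -Identity $GroupName -Members $Trainee
}

# 2. Grant narrowly scoped rights on user objects below the target OU only.
#    /I:S = apply to child objects, CA = control access right,
#    RP/WP = read/write a single named attribute.
$Principal = "$Domain\$GroupName"
dsacls $TargetOU /I:S /G "${Principal}:CA;Reset Password;user"
dsacls $TargetOU /I:S /G "${Principal}:RPWP;pwdLastSet;user"    # force change at next logon
dsacls $TargetOU /I:S /G "${Principal}:RPWP;lockoutTime;user"   # unlock locked-out accounts

# 3. Review what was granted: list the ACEs on the OU that name the group.
dsacls $TargetOU | Select-String -SimpleMatch $GroupName

# Note: accounts that belong to protected groups (Domain Admins, etc.) do not
# inherit OU permissions, so this delegation cannot reset an administrator's password.
```

Servers, the PBX and the firewall sit outside this delegation, so the role group gains no rights on them.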
 
You make them sign an acceptance of responsibility. Seriously.

We had a client ask for this exact thing. They had a secretary who was "good with computers" and wanted her to start handling the day to day stuff and bring us in as backup. We set her up with an admin account and didn't give her the domain admin password. Trained her on how to fix simple server issues, etc and let her loose. 4 months later we get a call that their whole environment is down and find out that she was "tinkering" trying to get something to work better, and took down their 2 business apps. They tried to blame us up and down about not properly training her, and we should have had safeguards in place to prevent this, and at the end of the day we just pulled out the signed agreement saying that we didn't recommend giving this much control to a non admin for this exact reason and anything she broke was her fault. Access got removed right after that meeting.

The best way to approach it is to just explain why it is a bad idea for a non admin to have admin credentials. If they push back and say well we really want it anyway, then suggest that you would like to have a signed agreement by all parties involved (you, CEO of the company, office manager, person with the access) outlining what they are and are not allowed to do, who they need to call when they get in over their head, etc so that when it blows up in your face you can just say TOLD YA SO!

I echo this. I'll equate this to our customers that want to run the "IT" function of the application we in support. If for some reason they want to manage it themselves.... fine. In the end when they break it, it's billable. End of story.
 