Solved at last! The cause of this problem and removing the user priveleges are two different matters.
Firstly: How they come to be site-wide course creators (here at my school anyway)... We use LDAP authentication and currently have 74 users with 'course creator' system wide role who cannot be removed and we don't want them to have the role. One has only been here a day and we didn't even know he'd arrived - that was the clue. He was on the LDAP server but we hadn't put him on Moodle.
Site administration>Plugins>Authentication>Manage authentication
Under 'Common settings' the box for 'prevent account creation when authenticating' had been left on the default unticked 'No'. This combined with the next setting (see below) caused a problem because new users on the system would click on the link to our Moodle site and would automatically be given a user account on Moodle - this is only a problem when the next setting is as follows:
Site administration>Plugins>Authentication>LDAP server
Under 'Course creator' there was an entry for 'Staff', 'Teachers' and all sorts of OUs who shouldn't have been there.
So whenever a new teacher (or member of another OU listed in this setting) clicked on the link to our Moodle site for their first time, they were automatically given a Moodle account with a site-wide course creator role.
To stop this happening anymore: leave the course creator setting blank (or just something like OU=Admins).
Next: how to clean up the mess of unwanted course creators.
I haven't found an easy way. But what works is:
- First make a note, for each user, of the cohorts and courses they should be in
- Then delete that user
- Then create a new user - same name - which will link back LDAP and they can authenticate just as before. But the new user will have a new Moodle userID. And no course creator role.
- Then put this re-created user back in the right courses and cohorts
I did say it wasn't an easy solution. And I haven't checked to see what happens to any comments they may have made on students work, or grades they may have awarded. So be careful.
Perhaps some Moodle backend wizard can find an entry deep in the Moodle code which allows us to change the role without deleting and recreating the user?
Many thanks to my colleague Mike who found the cause of this problem.