Security

As long as you are using ONLY permissions to control access, the bottom line is that the domain administrator has the ability to get at ANYTHING he chooses to access.

You can set permissions so that an administrator does not have access. However, if the administrator decides he wants access, all he has to do is take ownership of the files and change permissions to allow himself access.

Your only choice will be some sort of third-party file encryption solution and provide the decryptionkey to only those people who need access.

Being a network administrator, I will now put in a plug for all network administrators. By trying to find a solution to TOTALLY deny a network administrator access to certain data/files, you are tying his hands in his ability to solve problems when they occur.

The network administrator position is usually one of special trust, because he normally does have the "keys to the kingdom" as far as data residing on network servers. If the administrator is ethical and trustworthy, merely removing his permission to access files will prevent any inadvertent access. His ethics and honesty will prevent his getting curious to the point of peeking. If you have reason to distrust the network administrator, you shouldn't leave him in that position. My two cents worth!

Just to Clarify, I am aware that this is impossible using just windows security and permissions. I need some sort of 3rd party solution... but what? Smart cards? I dunno.

If you remove DOMAIN ADMINS from the ADMINISTRATORS group on the local machine they will not be able to access that machine.

You can also remove any other accounts, domain or otherwise, that you do not want to be able to log on and add the ones that you do want to allow access.

This does work as we use it for sensitive servers in our environment often.

ChrisV

This question was closed by the author