Securing directory from admin.

By Cougster
Situation: 2 x Windows 2000 Server Domain Controllers in the same domain (1 is file/print, 1 is Exchange 2000). On the file server, the shared partition has a directory structure broken down by department. In other words, under the root of the share, there are subdirectories for each department which correspond to that department's group membership. Therefore, permissions restrict each user to the groups (departments) they belong in.

Desired Outcome: We have Executive and Accounting groups (departments) for which we want group members to have permission, BUT NO ONE ELSE. This includes the Administrator.

The problem here is that our Administrator has to have access to the servers and all settings, etc. But we don't want them to have access at all to the Executive or Accounting directories. We've tried locking them down and specifically excluding the Administrator, but they would still have the ability to add themselves to the group or take ownership...

This security is imperative.

Thanks!
Cougster

by voldar In reply to Securing directory from a ...

What you ask for is a little bit strange - once the administrator has no rights to the specific folder, if something is crashed or lost, then I suppose, you don't blame the administrator for the situation!! Any administrator has the right to "take Ownership" on every folder that resides on the partition of a server, but what I suggest is that you do the following:
- add an AUDIT on access to the folders you want. Give rights to the manager or anyone else to access the audit logs. This way you/he'll be informed on every step that each user did to the folders.
I suppose you are asking this because you don't trust the administrator, otherwise I don't get your point.
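The audit review suggested above, as an added example that is not part of the original thread: it scans object-access audit records for accounts outside an approved list that exercise the rights used to take ownership (`WRITE_OWNER`) or rewrite permissions (`WRITE_DAC`) on the protected folders. The record layout, directory paths and account names are constructed for illustration and do not reproduce a real event log format.

```python
# Added example. Records are constructed and simplified, not a real log format.
from collections import namedtuple

AuditRecord = namedtuple("AuditRecord", "time user path accesses")

# Hypothetical layout: protected directory -> accounts allowed to manage it.
PROTECTED = {
    r"D:\Shares\Executive": {"corp\\exec_owner"},
    r"D:\Shares\Accounting": {"corp\\acct_owner"},
}
# Windows access rights that let a caller change who controls an object.
CONTROL_RIGHTS = {"WRITE_OWNER", "WRITE_DAC"}

def protected_root(path):
    """Return the protected directory that contains path, or None."""
    p = path.lower().rstrip("\\")
    for root in PROTECTED:
        r = root.lower()
        # Match the directory itself or anything below it, not look-alike siblings.
        if p == r or p.startswith(r + "\\"):
            return root
    return None

def flag_control_changes(records):
    """Return (user, root, rights) for ownership/permission changes by
    accounts that are not approved for that protected directory."""
    findings = []
    for rec in records:
        root = protected_root(rec.path)
        if root is None:
            continue
        used = CONTROL_RIGHTS & set(rec.accesses)
        # Account names are case-insensitive on Windows.
        if used and rec.user.lower() not in PROTECTED[root]:
            findings.append((rec.user, root, sorted(used)))
    return findings

SAMPLE = [  # constructed records
    AuditRecord("09:02", "CORP\\jsmith", r"D:\Shares\Accounting\payroll.xls", ["ReadData"]),
    AuditRecord("22:41", "CORP\\Administrator", r"D:\Shares\Accounting", ["WRITE_OWNER"]),
    AuditRecord("22:42", "CORP\\Administrator", r"D:\Shares\Accounting", ["WRITE_DAC", "READ_CONTROL"]),
    AuditRecord("22:50", "CORP\\Administrator", r"D:\Shares\AccountingOld\x.txt", ["WRITE_OWNER"]),
    AuditRecord("08:00", "CORP\\acct_owner", r"D:\Shares\Accounting\Q1", ["WRITE_DAC"]),
]

if __name__ == "__main__":
    for user, root, rights in flag_control_changes(SAMPLE):
        print(f"ALERT {user} used {','.join(rights)} under {root}")
```

The two Administrator records against `D:\Shares\Accounting` are flagged; the ordinary read, the look-alike `AccountingOld` path and the approved owner's change are not.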

by JackOfAllTech In reply to Securing directory from a ...

Even if this were possible (which I don't think it is), I don't know ANY Admin who would allow this.
A Network Admin MUST be considered in the same privileged class as Security Admins and System Programmers on a mainframe! In order to maintain the systems AND fix problems, they MUST have access to everything.
If you can't trust your Admin, it's time to get a new Admin rather than trying to bar access.

Ralph

by Cougster In reply to

Would you want your admin to have access to sensitive personnel and payroll information?

by jeaster In reply to Securing directory from a ...

You can kind of do this by adjusting the options under the security tab to not allow Administrators access to this folder. However, as an Administrator, someone could take ownership, and then reassign permissions so they can see the folders. It is not possible to truly lock the Admin out of the folder, but you can make their life more difficult.

by Cougster In reply to

Thought of this but access would still be possible...

by Jennifer.Gardner In reply to Securing directory from a ...

If you really don't want this person to have access, then you shouldn't give them an Administrator account...

by Cougster In reply to

Again... Would you want your admin to have access to sensitive personnel and payroll information?

by timwalsh In reply to Securing directory from a ...

In summary (as all these answers are correct as far as they go), the short answer is no, you cannot totally lock out the Administrator.

As you surmise, you CAN set permissions to exclude the Administrator. However, the owner of a file/folder can always modify the permissions of that file/folder. And the Administrator can ALWAYS "Take ownership" of ANY file/folder.

If there are sensitive files you don't want the administrator to see, you should consider encryption.

If you don't trust your Administrator to not go where you tell him not to go, he shouldn't be your Administrator.

by JackOfAllTech In reply to Securing directory from a ...

The point is not whether I would want him/her looking at sensitive info. The point is I MUST be able to trust him/her NOT to even though he/she CAN.

Again, if you can't trust your Admin, get a new Admin. Don't try to lock him/her out because you CAN'T.

Ralph
