Guest Ravi
Posted March 19, 2008

Some of the folders in our file system contain sensitive financial data. The file server is managed by our IT department. How do I restrict the people in Domain Admins group (some of them are from IT Department) from accessing sensitive data? If I remove read permissions to Domain Admins, backup jobs may fail.

Guest Danny Sanders
Posted March 19, 2008

Re: What is the best way to restrict access to Domain Admins on certain folders?

You really need to trust your admins. Especially if you consider that anything you can do to restrict them they, as domain admins, can undo. If you can't trust them they don't need to be admins.

hth
DDS

"Ravi" <ravichandra.thalluri@gmail.com> wrote in message news:8ce4c6c3-257a-433f-9b94-ecedaf340d27@i7g2000prf.googlegroups.com...
> Some of the folders in our file system contain sensitive financial
> data. The file server is managed by our IT department. How do I
> restrict the people in Domain Admins group (some of them are from IT
> Department) from accessing sensitive data? If I remove read
> permissions to Domain Admins, backup jobs may fail.

Guest Newell White
Posted March 19, 2008

RE: What is the best way to restrict access to Domain Admins on certai

"Ravi" wrote:
> Some of the folders in our file system contain sensitive financial
> data. The file server is managed by our IT department. How do I
> restrict the people in Domain Admins group (some of them are from IT
> Department) from accessing sensitive data? If I remove read
> permissions to Domain Admins, backup jobs may fail.
>

You need to encrypt the sensitive files using Windows EFS or a third-party product.

You cannot prevent a Domain Admin from reading any file on any server or workstation in a domain, but encryption stops him from understanding the contents.

A third-party product may be a better bet, because some Domain Admins may know things about Windows EFS that you or I don't!

--
regards,
Newell White

Guest Kerry Brown
Posted March 19, 2008

Re: What is the best way to restrict access to Domain Admins on certai

"Newell White" <NewellWhite@discussions.microsoft.com> wrote in message news:095AC125-2899-406B-9363-22139A72671A@microsoft.com...
>
> "Ravi" wrote:
>
>> Some of the folders in our file system contain sensitive financial
>> data. The file server is managed by our IT department. How do I
>> restrict the people in Domain Admins group (some of them are from IT
>> Department) from accessing sensitive data? If I remove read
>> permissions to Domain Admins, backup jobs may fail.
>>
> You need to encrypt the sensitive files using Windows EFS or a third-party
> product.
>
> You cannot prevent a Domain Admin from reading any file on any server or
> workstation in a domain, but encryption stops him from understanding the
> contents.
>
> A third-party product may be a better bet, because some Domain Admins may
> know things about Windows EFS that you or I don't!
>

What happens when something goes wrong with the encryption and the people who most likely have the skills to fix it don't have access?

Not everyone who administers a domain has to be a domain admin. Domain admins need to be trusted members of the management team. This may mean you have one domain admin (plus a backup account in case this one gets corrupted) who delegates whatever privileges are needed (and nothing more) to other admins so they can do their job.

Backups should be done with a special account used only for that purpose. This account should not be a domain admin. You should be able to give it enough permissions to back up without being a domain admin.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

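Added example (not part of any post in this thread): one way to set up the arrangement described in the reply above, with a dedicated non-admin backup account and a folder ACL that no longer names Domain Admins, plus an audit entry that records Domain Admins activity on the folder. The domain, folder, group and account names are assumed placeholders, and the script is meant to be run elevated on the file server.

```powershell
# Assumed placeholder names, not taken from the thread.
$folder     = 'D:\Finance'
$financeGrp = 'CONTOSO\Finance-Users'
$backupAcct = 'CONTOSO\svc-backup'
$admins     = 'CONTOSO\Domain Admins'

# 1. The backup account gets its backup/restore privileges from the file
#    server's local Backup Operators group. It is not a Domain Admin and
#    needs no entry in the folder ACL.
Add-LocalGroupMember -Group 'Backup Operators' -Member $backupAcct

# 2. Rebuild the folder DACL: stop inheriting, drop existing explicit
#    entries, then grant only SYSTEM and the finance group.
$acl = Get-Acl -Path $folder -Audit            # -Audit also loads the SACL
$acl.SetAccessRuleProtection($true, $false)    # protected; inherited ACEs not copied
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$grants  = @{ 'NT AUTHORITY\SYSTEM' = 'FullControl'; $financeGrp = 'Modify' }
foreach ($id in $grants.Keys) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $grants[$id], $inherit, $none, 'Allow')))
}

# 3. Audit entry: log reads, permission changes and ownership changes made
#    by Domain Admins on this folder and everything below it.
$watch = [System.Security.AccessControl.FileSystemRights]'ReadData, ChangePermissions, TakeOwnership'
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    $admins, $watch, $inherit, $none, 'Success, Failure')))

# Write the DACL and SACL back in one operation.
Set-Acl -Path $folder -AclObject $acl
```

As the replies above point out, a Domain Admin can still take ownership and reset these permissions; the audit entry records that rather than preventing it, and it only produces events when object-access auditing is enabled on the server.
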
Guest Lanwench [MVP - Exchange]
Posted March 19, 2008

Re: What is the best way to restrict access to Domain Admins on certain folders?

Ravi <ravichandra.thalluri@gmail.com> wrote:
> Some of the folders in our file system contain sensitive financial
> data. The file server is managed by our IT department. How do I
> restrict the people in Domain Admins group (some of them are from IT
> Department) from accessing sensitive data? If I remove read
> permissions to Domain Admins, backup jobs may fail.

Hi - I replied to your identical post in one of the XP groups. In the future, please don't multipost - if you need to post to multiple groups, it's best to crosspost instead, by posting a single message to a handful of relevant groups (separate the NG names with commas) so that everyone can follow the thread. Multiposting wastes everyone's time, including yours, and may lead to your actually getting *less* help rather than more.