What is the best way to restrict access to Domain Admins on certain folders?

Posted by Ravi on March 19, 2008, 10:31 am
Some of the folders in our file system contain sensitive financial
data. The file server is managed by our IT department. How do I
restrict the people in Domain Admins group (some of them are from IT
Department) from accessing sensitive data? If I remove read
permissions to Domain Admins, backup jobs may fail

Posted by Kerry Brown on March 19, 2008, 11:06 am
Try checking out some of the many replies you've received to your many posts
in other newsgroups.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/



> Some of the folders in our file system contain sensitive financial
> data. The file server is managed by our IT department. How do I
> restrict the people in Domain Admins group (some of them are from IT
> Department) from accessing sensitive data? If I remove read
> permissions to Domain Admins, backup jobs may fail


Posted by Dobromir Todorov on March 19, 2008, 1:06 pm
ACLs won't help to *really* restrict access - Domain Admins can typically
take ownership and change permissions directly or indirectly.

EFS with DRA's that *are not* the Domain Admins but trusted individuals is
the best option off the top of my head. If the DRA and user key pairs and
associated certificates are properly protected (stored on Smart Cards),
this is pretty much the best it can get without third party components.

Regards,
Dob

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

> Some of the folders in our file system contain sensitive financial
> data. The file server is managed by our IT department. How do I
> restrict the people in Domain Admins group (some of them are from IT
> Department) from accessing sensitive data? If I remove read
> permissions to Domain Admins, backup jobs may fail



Posted by Ravi on March 19, 2008, 4:24 pm
> ACLs won't help to *really* restrict access - Domain Admins can typically
> take ownership and change permissions directly or indirectly.
>
> EFS with DRA's that *are not* the Domain Admins but trusted individuals is
> the best option off the top of my head. If the DRA and user key pairs and
> associated certificates are properly protected (stored on Smart Cards),
> this is pretty much the best it can get without third party components.
>
> Regards,
> Dob
>
> --
> ---
> HTH,
> Dobromir
>
> Learn more about Security and Identity Management:
> Visit http://www.iamechanics.com
>
> > Some of the folders in our file system contain sensitive financial
> > data. The file server is managed by our IT department. How do I
> > restrict the people in Domain Admins group (some of them are from IT
> > Department) from accessing sensitive data? If I remove read
> > permissions to Domain Admins, backup jobs may fail

Thank you. Looks like this will be the best solution for our scenario.

Posted by Roger Abell [MVP] on March 20, 2008, 7:41 am
> Some of the folders in our file system contain sensitive financial
> data. The file server is managed by our IT department. How do I
> restrict the people in Domain Admins group (some of them are from IT
> Department) from accessing sensitive data? If I remove read

oh my !! you mean some are not !!

> permissions to Domain Admins, backup jobs may fail

Most backup software will not fail if there is no grant to the
account used to run the backup as backup software uses a set
of APIs for backup/restore that is exempt from NTFS ACLing
checks/control.

Your best approach is to store the data on a machine that is
not domain joined or to acquire and use a rights management
package. Use of EFS can be problematic in that you likely have
this placed in the filesystem so that a number of people can have
access to it, but that can be a pain with EFS (yes, someone that
can decrypt the file can add another account to the ability, but
in practice this is not as convenient as one might like).

Roger
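
The following PowerShell is an added example, not part of the thread. It audits a folder for the two conditions the replies above turn on: files that are not EFS-encrypted, and items whose owner is not in an expected list, which is how a take-ownership change shows up. The path `D:\Finance` and the account `CONTOSO\FinanceOwner` are assumed placeholders.

```powershell
# Added example (not from the thread). $Root and $ExpectedOwners are assumed values.
param(
    [string]$Root = 'D:\Finance',                         # hypothetical sensitive folder
    [string[]]$ExpectedOwners = @('CONTOSO\FinanceOwner') # hypothetical legitimate owner(s)
)

$encryptedFlag = [System.IO.FileAttributes]::Encrypted

$findings = foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force) {
    $issues = @()

    # EFS state is exposed as a file attribute on both files and folders.
    $isEncrypted = ($item.Attributes -band $encryptedFlag) -eq $encryptedFlag
    if (-not $isEncrypted) {
        if ($item.PSIsContainer) {
            $issues += 'FolderNotMarkedForEFS'   # new files here will not be encrypted
        } else {
            $issues += 'FileNotEncrypted'
        }
    }

    # An owner outside the expected set suggests ownership was taken,
    # the step that lets an administrator rewrite the ACL.
    try {
        $owner = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).Owner
        if ($ExpectedOwners -notcontains $owner) { $issues += 'UnexpectedOwner' }
    } catch {
        $owner = '<unreadable>'
        $issues += 'AclUnreadable'
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            Path      = $item.FullName
            Owner     = $owner
            Encrypted = $isEncrypted
            Issues    = $issues -join ','
        }
    }
}

# Report only the items that need attention.
$findings | Sort-Object Path | Format-Table -AutoSize -Wrap
```

For an individual file, `cipher /c <file>` shows which user and recovery certificates are able to decrypt it.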


