Solved

Win2000 network: How to lock administrators out

Posted on 2004-04-26
681 Views
Last Modified: 2010-03-18
The owner of our company wants to lock down our access as administrators and create a group called Managers with him and the supervisors in it. They will have a network share where only they will have access. Is it even possible to block administrators completely out of a resource like this? Right now we could go in and change ownership.

If this is possible, how do you do it?
Question by:apm825
20 Comments
 
LVL 31

Accepted Solution

by: Gareth Gudger earned 25 total points
ID: 10920471
Yes... just remove the Administrator account and the Administrators group from the share once you set it up.

You can always retake ownership later and reassign permissions to yourself to get back in though - just don't tell him that. But you will be blocked and will obviously require a whole bunch of clicks to unblock yourself.
 

Author Comment

by:apm825
ID: 10921501
Well, that's what he's wanting us to change. :-(

He knows about this and wants us to block ourselves so that we are never able to get in.
 
LVL 11

Assisted Solution

by:infotrader
infotrader earned 25 total points
ID: 10923169
Tell him that "take ownership" is not revertible, so that once someone has performed the "take ownership" task, they will be listed as the owner of the folder/files.  So, knowing that, he should be able to relax because no matter who tries to regain access to the network, they will be detected.

- Info
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10923644
He could also encrypt the files....with builtin EFS.
 
LVL 11

Expert Comment

by:infotrader
ID: 10923727
EFS would work, but I see 3 problems there (please correct me if I am wrong...  I am also trying to learn something here, hopefully):

1.  Only the user who encrypts the data can decrypt it.  This means that other "supervisors" cannot read/write the files.  They can be assigned as a "recovery agent" but that's kind of messy.
2.  By default, domain admins or local admins are designated as "recovery agent"...  You can get around that by reading this link:  http://www.winnetmag.com/Article/ArticleID/13771/13771.html
3.  If something happens to the user(s) that are also recovery agents, then that'll give you a lot of problems in the future.

Ultimately, we IT guys are paid to be trusted.  If they cannot trust us enough to allow us the authority to perform our task, then their only choice would be to take the MCSE courses, play with computers 24/7, and administer their own network!!!

- Info
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10923768
I would have to agree infotrader but it was just another option to throw out there.

Ultimately a savvy IT guy could even crack some EFS even if he wasn't a recovery agent (i.e. delegated admin).
 
LVL 11

Expert Comment

by:infotrader
ID: 10923840
Don't you just love it when the users are trying to lock IT access from admins?  It's like taking the keys from a locksmith and locking up the car!!!  Not that I'd do it or have done it in the past, but this kind of behavior/request would only raise the interest level of IT fellows to "peek" or try to find a way to hack into the folder, don't you think?  LOL
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10924054
Yea even if they did lock it completely out and run EFS I wonder what a good packet sniffer and decryption tool would ascertain. :)
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10924060
I had a client that didn't want their admin to get into their financial statements, so they stored the files on one client as opposed to the server he was administering. What they failed to realize was that they were sharing it from a Windows ME box. :)
 
LVL 67

Expert Comment

by:sirbounty
ID: 10924082
How absurd!  I'd love to be a fly on the wall in your office a couple of months from now...
"Hey - our network's crashed - we need these files restored - can't ya fix it?  Well, er - no sir - you had me yank my admin privileges from those shares, remember?"  Whoo-boy...
If it were me, I'd be looking elsewhere for employment...
LVL 11

Expert Comment

by:infotrader
ID: 10924198
My boss once enforced a ridiculous IT policy on us, so that we had very limited access to email boxes, files and folders...  And then it happened...  Someone accidentally sent a confidential document (HR) to the wrong person and needed to delete it...  Boss was out of the state, couldn't be reached...  all managers were freaked out... it was REALLY funny!!!

I then took the chance of changing the company policy and took ownership of the Exchange server... deleted the email, and all were happy...  Turned out my boss was actually pretty glad I did it, and the question of "too much power" never came up again!!!  :-P

- Info
 
LVL 67

Expert Comment

by:sirbounty
ID: 10924233
Wonder if there's a "Horror stories of removing too many privileges from the IT guys" web site somewhere...??
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10924270
Maybe a Dilbert one <g>

I still love the one with Dilbert holding a token ring cable in his hand and it is unplugged and stating that the "Token fell out the end of the cable"
 
LVL 67

Expert Comment

by:sirbounty
ID: 10924286
:D One of my favorites too...'gotta be around here somewhere - keep lookin!'
 
LVL 4

Expert Comment

by:kreaganoutsourceditbiz
ID: 10970114
Have a single machine outside of the domain host the files (Windows 2k or better).  Grant access to matching local accounts with matching passwords of the appropriate domain accounts.  Also assign a matching domain account into the local backup operators group so you can backup the machine and still maintain the requested 'no access'.

Nobody will have access to the machine without the 'boss' giving them access, you will still be able to back up their 'confidential' data, and in a worst case scenario, should you ever need 'unauthorized access' you can restore those files locally or pop the hard drive and put it into your local machine.

So, yes it can be done.

If your boss wants to eliminate the 'unauthorized access' as stated above, look into EFS on that 'non-domain peer server'

Hope this helps,

The other solution is to switch to a different NOS, you can accomplish this with Novell.
 
LVL 4

Expert Comment

by:kreaganoutsourceditbiz
ID: 10970125
Please note, from the accepted answer, if you come across the administrative share, i.e. \\server\d$, then you will bypass the share restrictions suggested in the accepted answer.  Further, ownership has nothing to do with share restrictions and bypassing them.

The more logical thought would be to remove the objects from the security tab, not the share restrictions.
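A way to verify the NTFS (security tab) side of this, as an added example that is not from the thread: a PowerShell audit that lists every ACE on the folder, flags any Allow entry still granted to the principals being locked out, checks that inheritance from the parent is blocked, and reports whether the owner has changed, which is the trace infotrader describes. PowerShell postdates Windows 2000, so this assumes a current Windows host; the folder path, the Managers group name and the expected owner are assumed placeholders.

```powershell
# Added example (not from the thread). Assumptions: the folder path, group name and
# expected owner below are placeholders; run on a modern Windows host with PowerShell.
$Folder        = 'D:\Managers'                  # assumed root of the restricted share
$ExpectedOwner = 'CONTOSO\Managers'              # assumed owner set when the folder was locked down
$Unwanted      = @('BUILTIN\Administrators', 'CONTOSO\Domain Admins')  # assumed principals to flag

function Test-ManagersFolderAcl {
    param([string]$Path, [string]$Owner, [string[]]$FlagPrincipals)

    $acl = Get-Acl -Path $Path
    $findings = @()

    # 1. Ownership: Administrators can always retake ownership, but doing so
    #    rewrites the owner field, which is the detectable trace.
    if ($acl.Owner -ne $Owner) {
        $findings += "Owner changed: expected '$Owner', found '$($acl.Owner)'"
    }

    # 2. Inheritance: if inherited ACEs are still active, entries from the parent
    #    (often Administrators: Full Control) flow down no matter what was removed here.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance enabled: parent ACEs still apply to this folder'
    }

    # 3. Any Allow entry, explicit or inherited, for the principals being locked out.
    #    Admin shares such as D$ bypass share permissions, not these NTFS ACEs.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $FlagPrincipals -contains $ace.IdentityReference.Value) {
            $findings += "Allow ACE for $($ace.IdentityReference): $($ace.FileSystemRights)"
        }
    }

    return $findings
}

$result = Test-ManagersFolderAcl -Path $Folder -Owner $ExpectedOwner -FlagPrincipals $Unwanted
if ($result.Count -eq 0) {
    Write-Output "OK: $Folder is owned by $ExpectedOwner with no flagged ACEs"
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Scheduling this check and keeping its output somewhere the Managers group controls gives the owner the after-the-fact detection the thread relies on, since the ownership change itself cannot be prevented for an account holding the Take Ownership privilege.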
 
LVL 4

Expert Comment

by:kreaganoutsourceditbiz
ID: 10970170
There are other ways to accomplish this:
     Create a tree; domains are security boundaries, boss in parent domain, everyone else in child domain.
     Create a Forest, same idea.  More complex but more secure.

In short, yes this can be done, but it cannot be done if everybody is in the same domain.

http://www.xs4all.nl/~koppelra/win2000/dirser/01.htm
 
LVL 11

Expert Comment

by:infotrader
ID: 10970426
It's like beating on a dead cow here, but the point is...  It SHOULDN'T get done no matter how you cut it...  Do you really trust your boss to be the "god" of the domain or forest?  Without necessary training on IT do's and don'ts, should such a person really be the ONLY PERSON who is the administrator?

- Info
 
LVL 4

Expert Comment

by:kreaganoutsourceditbiz
ID: 10970604
A question was asked.  The person deserves a correct answer.
 

Author Comment

by:apm825
ID: 10977256
Thanks a lot guys!! :-)