apm825 asked:
Win2000 network: How to lock administrators out

The owner of our company wants to lock down our access as administrators and create a group called Managers with him and the supervisors in it. They will have a network share where only they will have access. Is it even possible to block administrators out of a resource like this completely? Right now we could go in and change ownership.

If this is possible, how do you do it?
ASKER CERTIFIED SOLUTION
Gareth Gudger
(This solution is only available to members of Experts Exchange.)
apm825 (asker):
Well, that's what he's wanting us to change. :-(

He knows about this and wants us to block ourselves so that we are never able to get in.
SOLUTION
(This solution is only available to members of Experts Exchange.)
He could also encrypt the files... with the built-in EFS.
EFS would work, but there I see 3 problems (please correct me if I am wrong... I am also trying to learn something here, hopefully):

1.  Only the user who encrypts the data can decrypt it.  This means that other "supervisors" cannot read/write the files.  They can be assigned as a "recovery agent", but that's kind of messy.
2.  By default, domain admins or local admins are designated as "recovery agent"...  You can get around that by reading this link:  http://www.winnetmag.com/Article/ArticleID/13771/13771.html
3.  If something happens to the user(s) that are also recovery agents, then that'll give you a lot of problems in the future.

Ultimately, us IT guys are paid to be trusted.  If they cannot trust us enough to allow us the authority to perform our task, then their only choice would be to take the MCSE courses, play with computers 24/7, and administer their own network!!!

- Info
I would have to agree infotrader but it was just another option to throw out there.

Ultimately a savvy IT guy could even crack some EFS even if he wasn't a recovery agent (i.e. delegated admin).
Don't you just love it when the users are trying to lock IT access from admins?  It's like taking the keys from a locksmith and locking up the car!!!  Not that I'd do it or have done it in the past, but this kind of behavior/request would only raise the interest level of IT fellows to "peek" or try to find a way to hack into the folder, don't you think?  LOL
Yea even if they did lock it completely out and run EFS I wonder what a good packet sniffer and decryption tool would ascertain. :)
I had a client that didn't want their admin to get into their financial statements, so they stored the files on one client as opposed to the server he was administering.  What they failed to realize was that they were sharing it from a Windows ME box. :)
How absurd!  I'd love to be a fly on the wall in your office a couple of months from now...
"Hey - our network's crashed - we need these files restored - can't ya fix it?  Well, er - no sir - you had me yank my admin privileges from those shares, remember?"  Whoo-boy...
If it were me, I'd be looking elsewhere for employment...
My boss once enforced a ridiculous IT policy on us, so that we had very limited access to email boxes, files and folders...  And then it happened...  Someone accidentally sent a confidential document (HR) to the wrong person and needed to delete it...  Boss was out of the state, couldn't be reached...  all managers were freaked out... it was REALLY funny!!!

I then took the chance of changing the company policy and took ownership of the Exchange server... deleted the email, and all were happy...  Turned out my boss was actually pretty glad I did it, and the question of "too much power" never came up again!!!  :-P

- Info
Wonder if there's a "Horror stories of removing too many privileges from the IT guys" web site somewhere...??
Maybe a Dilbert one <g>

I still love the one with Dilbert holding a token ring cable in his hand, unplugged, and stating that the "token fell out the end of the cable".
:D One of my favorites too...'gotta be around here somewhere - keep lookin!'
Have a single machine outside of the domain host the files (Windows 2k or better).  Grant access to matching local accounts with matching passwords for the appropriate domain accounts.  Also put a matching local account for a domain account into the local Backup Operators group so you can back up the machine and still maintain the requested 'no access'.

Nobody will have access to the machine without the 'boss' giving them access, you will still be able to back up their 'confidential' data, and in a worst case scenario, should you ever need 'unauthorized access', you can restore those files locally or pop the hard drive out and put it into your local machine.

So, yes it can be done.

If your boss wants to eliminate the 'unauthorized access' as stated above, look into EFS on that 'non-domain peer server'

Hope this helps,

The other solution is to switch to a different NOS, you can accomplish this with Novell.
Please note, from the accepted answer, if you come across the administrative share, i.e. \\server\d$, then you will bypass the share restrictions suggested in the accepted answer.  Further, ownership has nothing to do with share restrictions and bypassing them.

The more logical thought would be to remove the objects from the security tab, not the share restrictions.
There are other ways to accomplish this;
     Create a tree: domains are security boundaries, boss in the parent domain, everyone else in the child domain.
     Create a forest: same idea.  More complex but more secure.

In short, yes this can be done, but it cannot be done if everybody is in the same domain.

http://www.xs4all.nl/~koppelra/win2000/dirser/01.htm
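The two suggestions above (a non-domain host with mirrored local accounts plus a Backup Operators account, and restricting the NTFS security tab rather than the share permissions) can be carried out with the script below. This is an added example, not code posted in the original thread; it assumes a modern PowerShell 5.1+ host (the Local*/Smb* cmdlets and icacls do not exist on Windows 2000, where `net user`, `net localgroup`, `cacls` and `net share` do the same jobs) and the folder path, account names and group name are placeholders. It also shows the check the thread keeps coming back to: even with Administrators removed from the ACL, a local administrator can still take ownership.

```powershell
# Added example (not from the original thread). Run elevated on the stand-alone
# (workgroup) file host. Paths, account and group names below are assumptions.
$share    = 'D:\Managers'              # assumed data folder
$managers = @('boss', 'supervisor1')   # local accounts; same names/passwords as the domain accounts
$backup   = 'backupsvc'                # local account mirroring the domain backup account

# 1. Mirrored local accounts, so pass-through authentication works from domain
#    workstations without the host ever joining the domain.
foreach ($name in ($managers + $backup)) {
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host "Password for $name (must match the domain account)" -AsSecureString
        New-LocalUser -Name $name -Password $pw -PasswordNeverExpires | Out-Null
    }
}
if (-not (Get-LocalGroup -Name 'Managers' -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name 'Managers' | Out-Null
}
Add-LocalGroupMember -Group 'Managers' -Member $managers -ErrorAction SilentlyContinue
# Backup Operators get SeBackupPrivilege (read-for-backup of every file) but no
# ACL entry on the folder, so the backup account cannot browse it normally.
Add-LocalGroupMember -Group 'Backup Operators' -Member $backup -ErrorAction SilentlyContinue

# 2. NTFS ACL: this is where the restriction has to live. Share permissions are
#    bypassed by the administrative share (\\host\d$) and by local logon.
New-Item -ItemType Directory -Path $share -Force | Out-Null
$acl = Get-Acl -Path $share
$acl.SetAccessRuleProtection($true, $false)           # stop inheriting; do not copy inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($ace) | Out-Null            # drop any explicit ACE (Administrators, SYSTEM, ...)
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Managers', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
# Owner gets implicit READ_CONTROL/WRITE_DAC, so make the boss the owner, not Administrators.
$acl.SetOwner([System.Security.Principal.NTAccount]'boss')
Set-Acl -Path $share -AclObject $acl

# 3. SMB share: wide open at the share level; NTFS does the filtering.
#    (Windows 2000 equivalent: "net share Managers=D:\Managers", which defaults
#    to Everyone/Full Control at the share level on that OS.)
if (-not (Get-SmbShare -Name 'Managers' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Managers' -Path $share -FullAccess 'Everyone' | Out-Null
}

# 4. Verify: only Managers should be listed, and the owner should be 'boss'.
(Get-Acl $share).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
(Get-Acl $share).Owner

# 5. The caveat: any member of Administrators holds SeTakeOwnershipPrivilege and
#    can reassert control at will, e.g.
#       takeown /F D:\Managers /A /R /D Y
#       icacls D:\Managers /grant Administrators:F /T
#    The ACL therefore only keeps honest admins out. Make the bypass visible
#    by auditing ownership/ACL changes on the folder (a SACL plus
#    "Audit object access"); a takeown then leaves an event in the Security log.
$sacl = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'TakeOwnership,ChangePermissions', 'ContainerInherit,ObjectInherit', 'None', 'Success')
$acl = Get-Acl -Path $share -Audit
$acl.AddAuditRule($sacl)
Set-Acl -Path $share -AclObject $acl
```

Step 5 is the real answer to the asker's question on a single host: with the ACL in step 2 an administrator no longer has access, but the privilege to take it back is inherent to the Administrators group, which is why the later posts in the thread point at a separate domain or forest (or EFS with a controlled recovery agent) for a boundary that the local administrators cannot cross.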
It's like beating on a dead cow here, but the point is...  It SHOULDN'T get done no matter how you cut it...  Do you really trust your boss to be the "god" of the domain or forest?  Without the necessary training on IT do's and don'ts, should such a person really be the ONLY PERSON who is the administrator?

- Info
A question was asked.  The person deserves a correct answer.
apm825 (asker):

Thanks a lot guys!! :-)