Win2000 network: How to lock administrators out

The owner of our company wants to lock down our access as administrators and create a group called Managers with him and the supervisors in it. They will have a network share where only they will have access. Is it even possible to block administrators completely out of a resource like this? Right now we could go in and change ownership.

If this is possible, how do you do it?
apm825 asked:

Gareth Gudger commented:
Yes... just remove the Administrator account and the Administrators group from the share once you set it up.

You can always retake ownership later and reassign permissions to yourself to get back in though - just don't tell him that. But you will be blocked and it will obviously require a whole bunch of clicks to unblock yourself.
0
 
apm825 (author) commented:
Well, that's what he's wanting us to change. :-(

He knows about this and wants us to block ourselves from ever being able to get in.
0
 
infotrader commented:
Tell him that "take ownership" is not revertible, so that once someone has performed the "take ownership" task, they will be listed as the owner of the folder/files. So, knowing that, he should be able to relax, because no matter who tries to regain access on the network, they will be detected.

- Info
0

 
Gareth Gudger commented:
He could also encrypt the files... with built-in EFS.
0
 
infotrader commented:
EFS would work, but there I see 3 problems (please correct me if I am wrong...  I am also trying to learn something here, hopefully):

1. Only the user who encrypts the data can decrypt it. This means that other "supervisors" cannot read/write the files. They can be assigned as a "recovery agent", but that's kind of messy.
2. By default, domain admins or local admins are designated as "recovery agent"... You can get around that by reading this link: http://www.winnetmag.com/Article/ArticleID/13771/13771.html
3. If something happens to the user(s) that are also recovery agents, then that'll give you a lot of problems in the future.

Ultimately, we IT guys are paid to be trusted. If they cannot trust us by NOT allowing us enough authority to perform our task, then their only choice would be to take the MCSE courses, play with computers 24/7, and administer their own network!!!

- Info
0
 
Gareth Gudger commented:
I would have to agree infotrader but it was just another option to throw out there.

Ultimately a savvy IT guy could even crack some EFS even if he wasn't a recovery agent (i.e. delegated admin).
0
 
infotrader commented:
Don't you just love it when the users are trying to lock IT access from admins? It's like taking the keys from a locksmith and locking up the car!!! Not that I'd do it or have done it in the past, but this kind of behavior/request would only raise the interest level of IT fellows to "peek" or try to find a way to hack into the folder, don't you think? LOL
0
 
Gareth Gudger commented:
Yeah, even if they did lock it completely out and run EFS, I wonder what a good packet sniffer and decryption tool would ascertain. :)
0
 
Gareth Gudger commented:
I had a client that didn't want their admin to get into their financial statements, so they stored the files on one client as opposed to the server he was administering. What they failed to realize was that they were sharing it from a Windows ME box. :)
0
 
sirbounty commented:
How absurd! I'd love to be a fly on the wall in your office a couple of months from now...
"Hey - our network's crashed - we need these files restored - can't ya fix it? Well, er - no sir - you had me yank my admin privileges from those shares, remember?" Whoo-boy...
If it were me, I'd be looking elsewhere for employment...
0
 
infotrader commented:
My boss once enforced a ridiculous IT policy on us, so that we had very limited access to email boxes, files and folders... And then it happened... Someone accidentally sent a confidential document (HR) to the wrong person and needed to delete it... Boss was out of the state, couldn't be reached... all managers were freaked out... it was REALLY funny!!!

I then took the chance of changing the company policy and took ownership of the Exchange server... deleted the email, and all were happy...  Turned out my boss was actually pretty glad I did it, and the question of "too much power" never came up again!!!  :-P

- Info
0
 
sirbounty commented:
Wonder if there's a "Horror stories of removing too many privileges from the IT guys" web site somewhere...??
0
 
Gareth Gudger commented:
Maybe a Dilbert one <g>

I still love the one with Dilbert holding a token ring cable in his hand and it is unplugged and stating that the "Token fell out the end of the cable"
0
 
sirbounty commented:
:D One of my favorites too...'gotta be around here somewhere - keep lookin!'
0
 
kreaganoutsourceditbiz commented:
Have a single machine outside of the domain host the files (Windows 2k or better). Grant access to matching local accounts with matching passwords of the appropriate domain accounts. Also assign a matching domain account into the local Backup Operators group so you can back up the machine and still maintain the requested 'no access'.

Nobody will have access to the machine without the 'boss' giving them access, you will still be able to back up their 'confidential' data, and in a worst case scenario, should you ever need 'unauthorized access', you can restore those files locally or pop the hard drive and put it into your local machine.

So, yes it can be done.

If your boss wants to eliminate the 'unauthorized access' as stated above, look into EFS on that 'non-domain peer server'.

Hope this helps,

The other solution is to switch to a different NOS, you can accomplish this with Novell.
0
 
kreaganoutsourceditbiz commented:
Please note, from the accepted answer, if you come across the administrative share, i.e. \\server\d$, then you will bypass the share restrictions suggested in the accepted answer. Further, ownership has nothing to do with share restrictions and bypassing them.

The more logical thought would be to remove the objects from the security tab, not the share restrictions.
0
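To show the point above in practice, here is an added example (not from this thread) that puts the restriction on the NTFS security descriptor rather than the share, so that it also applies through \\server\d$: inheritance is cut, only a Managers group keeps access, the boss is made owner, and Take Ownership / Change Permissions are audited so that an administrator regaining access later leaves a record in the Security log (which is the detectability point infotrader made). The folder D:\Managers, the group CORP\Managers and the user CORP\boss are placeholders; it must run as an administrator, and the audit entries only appear if the "Audit object access" policy is enabled for Success.

```powershell
# Added example, not code from the thread. Placeholders: folder, group and owner.
$Folder = 'D:\Managers'
$Group  = 'CORP\Managers'
$Owner  = 'CORP\boss'

# -Audit fetches the SACL as well, which we need to write audit rules back.
$acl = Get-Acl -Path $Folder -Audit

# Cut inheritance WITHOUT copying the parent's ACEs, which normally include
# "Administrators: Full Control". Share permissions never matter here.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs that are left (inherited ones were removed above).
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

# Managers get Modify (not Full Control, so members cannot rewrite the ACL),
# applied to the folder, its subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'Modify', $inherit, $prop, 'Allow'
$acl.AddAccessRule($allow)

# The boss becomes owner (setting another principal as owner needs
# SeRestorePrivilege, which Administrators hold). An owner can always read
# and change the DACL, so he can re-grant access without IT.
$acl.SetOwner([System.Security.Principal.NTAccount]$Owner)

# Detection rather than prevention: an administrator can still take ownership
# (SeTakeOwnershipPrivilege), so log every successful Take Ownership or
# Change Permissions on the tree, by anyone.
$auditRights = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
$audit = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', $auditRights, $inherit, $prop, 'Success'
$acl.AddAuditRule($audit)

Set-Acl -Path $Folder -AclObject $acl

# Verification anyone can run later: if Owner is no longer CORP\boss, or an
# Administrators ACE is back, somebody has let themselves in.
Get-Acl -Path $Folder | Select-Object Owner, AccessToString
```

Checking the Security log for file-system object access events on this path after the change is how the owner would actually notice a take-ownership; the ACL itself only tells him who the current owner is.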
 
kreaganoutsourceditbiz commented:
There are other ways to accomplish this:
- Create a tree; domains are security boundaries. Boss in the parent domain, everyone else in a child domain.
- Create a forest, same idea. More complex but more secure.

In short, yes this can be done, but it cannot be done if everybody is in the same domain.

http://www.xs4all.nl/~koppelra/win2000/dirser/01.htm
0
 
infotrader commented:
It's like beating on a dead cow here, but the point is... It SHOULDN'T get done no matter how you cut it... Do you really trust your boss to be the "god" of the domain or forest? Without the necessary training on IT do's and don'ts, should such a person really be the ONLY PERSON who is the administrator?

- Info
0
 
kreaganoutsourceditbiz commented:
A question was asked.  The person deserves a correct answer.
0
 
apm825 (author) commented:
Thanks a lot guys!! :-)
0