SBS2003 - Restricting an Administrator Account from accessing files on SharePoint

Posted on 2006-07-16
Medium Priority
Last Modified: 2013-12-04
I am the Director of a small consultancy company. As such I am storing certain sensitive information on my SBS2003 Server. This currently resides in a SharePoint Site which can only be accessed by certain key users (the Company Directors) and these are assigned as users to the SharePoint Site. I do not want any other users to access the site at all.

I would also like to set up certain users (non-Directors) with Administrative Accounts to allow them to perform configuration of VPNs, Exchange, and much of the networking as well as remote access to the Server from outside our internal LAN via RWW.

At present I can only seem to create a user as an Admin Account, which means they get full rights to the Server and access to the sensitive data Folder, or conversely as a Mobile User, in which case they get no rights to perform network configuration (running Server Management) nor to access the Server console from a remote location.

Having read a little around the subject, I think there must be a way to limit the Administrative rights of a user, perhaps using Group Policies or Security Groups. However, none of the literature seems to be very clear on what permissions I need to set and what not, and whether I need to use policies or not.

Would be grateful for any help in this area.


Eliot Minn
Question by: e2e01
LVL 10

Expert Comment

ID: 17117636
There is not much you can do to restrict administrators. Even if you deny access to data folders, they will be able to overwrite it.

The best and recommended approach will be to create non-admin users and then give the specific rights to perform the function that they require.

The other option would be to move the sensitive data to a different machine which is not part of your Active Directory, and then give access to only those users who need it.

It is not a shortcoming of the operating system; the reasoning is that administrators are supposed to perform all operations on the system, so nothing is out of their reach.

Author Comment

ID: 17117720
Thanks for your suggestion.

However, my problem is that there does not seem to be any halfway house between an Administrator profile and a basic mobile user.

Is there any documentation that you know of which explains what functionality each of the Groups and Security Groups actually provide as opposed to the one line description for each Group?

It would also seem that the only way of a user being able to log into the Server console remotely through RWW is if the user is a Power user or Admin User.

What I require is more granularity of user permissions instead of an all or nothing approach.

I take the point about moving the sensitive data to another machine, but this will be the fallback situation.
LVL 10

Expert Comment

ID: 17117830
There is a lot of documentation that you will need to study before you can create the kind of groups which will serve your purpose. The way Microsoft has addressed this issue is with built-in groups, which in your case are not very helpful.

RWW does work without being a Power User or Admin user; if users are members of Remote Web Workplace Users, they should be able to log in to the website.


I would suggest starting with minimal permissions and access to RWW on a new security group. Once they are able to connect, see what resources they need to manage. Then start working on the first resource by giving them access to that resource only. It is going to be a time-consuming process, but since you require a custom solution, you will have to invest time in it, or outsource it to a third party who has good experience in these jobs.

Another option is to give them Admin access, but keep event logs in place. Deny them access to sensitive information. This will allow you to monitor if they attempt to access any of it.

If you do not want to isolate the data to another machine, one other option that is deployed in certain situations is encrypting the sensitive information. EFS is one way to go, or you can try third-party tools. This again would require some understanding of the architecture, and recovery of lost keys is a very important factor to consider.
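The audit-and-monitor option in the comment above (grant admin access, deny the sensitive folder, watch the event log) as an added example that is not from this thread: a Python script that scans constructed Windows Server 2003 object-access audit records (Event ID 560, "Object Open") and flags any listed admin account that opened an object under a sensitive path. The one-field-per-line export format, the account names and the paths are all constructed assumptions, not a real Event Viewer export.

```python
# Constructed sample (not from the thread): Windows Server 2003 object-access
# audit events (Event ID 560, "Object Open") exported one field per line with
# a blank line between records. netadmin1 is a network admin who should never
# open anything under D:\Sensitive; jsmith is a Director.
SAMPLE_EVENTS = """\
Event ID: 560
Primary User Name: jsmith
Object Name: D:\\Sensitive\\board-minutes.doc
Accesses: ReadData

Event ID: 560
Primary User Name: NETADMIN1
Object Name: D:\\Sensitive\\contracts\\acme.xls
Accesses: WriteData

Event ID: 560
Primary User Name: netadmin1
Object Name: C:\\Program Files\\Exchsrvr\\config.xml
Accesses: ReadData

Event ID: 528
Primary User Name: netadmin1
Logon Type: 10
"""

def parse_events(text):
    """Split the export into records; each record is a dict of its fields."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = (line.partition(":") for line in block.splitlines() if line.strip())
        records.append({k.strip(): v.strip() for k, _, v in fields})
    return records

def admin_access_alerts(text, admin_accounts, sensitive_prefix):
    """(user, object, accesses) for each Object Open event where a named admin
    account touched sensitive_prefix; case-insensitive like NTFS and SAM."""
    admins = {a.lower() for a in admin_accounts}
    prefix = sensitive_prefix.lower()
    alerts = []
    for rec in parse_events(text):
        if rec.get("Event ID") != "560":
            continue                    # logon events etc. carry no path
        user = rec.get("Primary User Name", "")
        obj = rec.get("Object Name", "")
        if user.lower() in admins and obj.lower().startswith(prefix):
            alerts.append((user, obj, rec.get("Accesses", "")))
    return alerts
```

Since an administrator can also clear the Security log, this only works when the log is copied off the server promptly enough that a deletion itself stands out.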

LVL 12

Expert Comment

ID: 17122951
Domain admin can see everything in a SharePoint server, so isolating the system and the files won't do you much good.

Is there a central SharePoint admin?
Have they signed a confidentiality agreement?

We maintain a secure site and all of the admins have signed special agreement forms to manage it.

Second, we gave the Web masters the only special access and processes to specially encrypt very sensitive files before they are placed on the SharePoint site.

You can use just about any self-extracting encryption software to do this, but we use software like Zip2Secure with AES and have the Web masters encrypt the defined sensitive files.

You can give your Directors the special passcodes to unlock and extract the files that they obtain from SharePoint.

You also need to map out what portions of data belong in an unencrypted portion of the site and what needs to be encrypted.
Build SPS/WSS (SharePoint) to have these different portals.

Again, remember that your domain admins can see everything on the SharePoint site, even if you don't give them access in SharePoint. They are domain admins.

Author Comment

ID: 17126129
What I would like is the ability for the specific Network Administrators to be able to log into the SBS Server Console remotely but not have access to the specific web site with sensitive information on it.

The use of encryption (Zip2Secure), whilst an interesting one, would seem to limit the usefulness of SharePoint versioning etc., something we use on the site.

Auditing of users' access to the site, whilst providing tracing of suspects, will not limit access to sensitive data, which is what we are more worried about.

What I wanted was really a list of the Security Groups and what permissions they provide. Does anybody know where I can obtain this list?

LVL 12

Expert Comment

ID: 17130855
Administrator on Windows systems is like root on UNIX systems, and both accounts have complete access to all applications unless the application has specific security rights.

Oracle and SQL Server have special application permissions that do not allow Administrator to use the application.

Unfortunately, SharePoint and IIS do not have these special permissions to do what you are asking.
LVL 12

Accepted Solution

Phil_Agcaoili earned 750 total points
ID: 17131230
You wrote:
"What I wanted was really a list of the Security Groups and what permissions they provide. Does anybody know where I can obtain this list."

This does not exist in SharePoint SPS or WSS.

The following are the accounts that you can set up:
Reader - Has read-only access to the Web site.
Contributor - Can add content to existing document libraries and lists.
Web Designer - Can create lists and document libraries and customize pages in the Web site.
Administrator - Has full control of the Web site.

Again, if someone is a Domain Admin, they can log on to your site and read/download anything they want.

The user groups are not protected by any additional application security measures.

This is a security flaw designed as a feature in SharePoint unfortunately.

Author Comment

ID: 17163282
My question has been answered in that:

There seems to be no way of giving a Domain User access to the Windows 2003 Server at an Operator/Systems administrator level (e.g. the Server Management program) without giving them Admin rights and hence the ability to see all SharePoint sites hosted on the domain.

Many thanks for confirmation that what I am trying to do would appear not to be possible.
