We help IT Professionals succeed at work.

Administrator Account

eli290
eli290 asked
on
Medium Priority
230 Views
Last Modified: 2010-03-19
I am a network administrator along with 2 other guys in my organization. We all use the same administrator account. We are a small group and one of the other 2 guys are believed to be going into private shares on the network because they have full control. I know we can setup seperate accounts for each of us. Is there a way to make each admin a lower grade admin so they can install software and that sort of thing but not be able to have access to view files on specific shares?
Comment
Watch Question

Naser GabajE&P Senior Software Specialist
CERTIFIED EXPERT

Commented:
Greetings eli290,

I assume you are in domain LAN not Workgroup.
Make them Administrator only on thier machine but not domain admins, which is the highest level in the domain. and as for you get domain admin

Good Luck!
Naser

Author

Commented:
we are on a domain LAN but i need this to be access on the domain to install software etc.. on other peoples PC's
Juan OcasioContinuous Process Improvement Lead
CERTIFIED EXPERT

Commented:
You could also make them a member of power user which should allow to do most installs.

jocasio
Chris StauntonSr. Infrastructure Engineer

Commented:
You could also micro manage those special shares and remove the Domain Admins group from those shares so that the group Domain Admins doesn't have rights and assign just a specific admin rights to that group for management of files/folders on the share.


Hope that helps,


Shoota
CERTIFIED EXPERT
Top Expert 2013
Commented:
If they need to be  domain admin you have a problem.
By default private shares are owned by the Administrators account. You can remove this by making either the user the owner, or a specific admin the owner, and then remove the administrators group as having permission to access the files. This will block them from accessing, however as domain admins there is nothing to keep them from taking ownership. You should probably give them their own domain admin account rather than the default, and then enable security logging to see who is going where.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
How would we enable security logging?
CERTIFIED EXPERT
Top Expert 2013

Commented:
Minor change in group policy will enable. Have look at the following MS article regarding enabling and tracking users:
http://support.microsoft.com/kb/814595
CERTIFIED EXPERT
Top Expert 2013

Commented:
Thanks eli290,
--Rob
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.