Administrator Account

I am a network administrator along with 2 other guys in my organization. We all use the same administrator account. We are a small group and one of the other 2 guys is believed to be going into private shares on the network because they have full control. I know we can set up separate accounts for each of us. Is there a way to make each admin a lower grade admin so they can install software and that sort of thing but not be able to have access to view files on specific shares?
eli290 Asked:
 
Rob Williams Commented:
If they need to be domain admins, you have a problem.
By default private shares are owned by the Administrators account. You can remove this by making either the user the owner, or a specific admin the owner, and then remove the administrators group as having permission to access the files. This will block them from accessing, however as domain admins there is nothing to keep them from taking ownership. You should probably give them their own domain admin account rather than the default, and then enable security logging to see who is going where.
0
 
Naser Gabaj, E&P Senior Software Specialist, Commented:
Greetings eli290,

I assume you are in domain LAN not Workgroup.
Make them Administrator only on their machine but not domain admins, which is the highest level in the domain. And as for you, get domain admin.

Good Luck!
Naser
0
 
eli290 (Author) Commented:
We are on a domain LAN, but I need this to be access on the domain to install software etc. on other people's PCs.
0
 
Juan Ocasio, Application Developer, Commented:
You could also make them a member of power user, which should allow them to do most installs.

jocasio
0
 
Chris Staunton Commented:
You could also micro manage those special shares and remove the Domain Admins group from those shares so that the group Domain Admins doesn't have rights and assign just a specific admin rights to that group for management of files/folders on the share.


Hope that helps,


Shoota
0
 
eli290 (Author) Commented:
How would we enable security logging?
0
 
Rob Williams Commented:
A minor change in group policy will enable it. Have a look at the following MS article regarding enabling and tracking users:
http://support.microsoft.com/kb/814595
0
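
As an added example (not part of the thread or of the linked Microsoft article), the security logging suggested above can be set up on the file server as follows. It assumes a current Windows Server with PowerShell run elevated; the folder path `D:\Shares\Private` is hypothetical, and the logged account name only identifies a person once each admin has their own account, as recommended earlier in the thread.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# $Path is a hypothetical folder behind the private share.
$Path = 'D:\Shares\Private'

# 1. Turn on success/failure auditing for file system object access.
#    The thread suggests Group Policy; auditpol sets the same policy locally,
#    and a domain GPO that defines the setting takes precedence.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit entry (SACL) so access to this folder tree is logged,
#    including permission changes and ownership takeovers.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Later: list which account touched which object under the folder.
#    Event 4663 = "An attempt was made to access an object".
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5000 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            Object  = $d.ObjectName
            Access  = $d.AccessMask
        }
    } |
    Where-Object { $_.Object -like "$Path*" } |
    Sort-Object Time
```

Because a domain admin can also clear the Security log, forwarding these events to a separate collector keeps the record out of reach of the accounts being audited.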
 
Rob Williams Commented:
Thanks eli290,
--Rob
0
Question has a verified solution.
