How do I lock another server administrator out of certain folders?

Hi all...

Windows 2003 R2 server.

If there are more than one administrator in the domain, is it possible to lock the other administrator out of certain folders, so that he could not change the permissions, nor have the right to take ownership or change them? In other words, there's no way he's ever going to see that folder (without some serious hacking; no legitimate way). Any ideas?
gs-rhoAuthor Commented:
I have thought of encryption. I must admit, I'm not terribly familiar with it. I wonder if anyone thinks it is a good solution, and what the caveats may be... I think this is part of the same question, because it's a possible solution to the original question...
Toni UranjekConsultant/TrainerCommented:

Although EFS is a possible solution, I would suggest that you check this solution, TrueCrypt:

I believe a user with domain administrator credentials has the possibility to bypass EFS one way or the other.

For Info - Domain Admin credentials do not allow you to bypass EFS.
Toni UranjekConsultant/TrainerCommented:
ardrac - Wanna bet? ;)
Kevin HaysIT AnalystCommented:
You can use EFS if you wish, but it's not going to be your best solution though. By default the domain administrator is the DRA (Data Recovery Agent). I would suggest revoking the domain admin privileges for all users and then delegating roles to them. It's never a good idea to have more than one DA in the domain.
Toni UranjekConsultant/TrainerCommented:
There goes my bet. That's exactly what I had in mind. As long as you can reset the password of the DRA, you can access all EFS files and folders in the domain. ;)
Doh. I guess that would be a way round it.
gs-rhoAuthor Commented:
So, if you're an administrator who is not the DRA (like if you're a domain user is a local administrator on a member server) then you won't be able to overcome EFS, right?
gs-rhoAuthor Commented:
that's...   "domain user who is a local administrator..."
Toni UranjekConsultant/TrainerCommented:
In a domain environment, the local administrator does not have access to the DRA's certificate and cannot decrypt files which were encrypted by domain users.
Kevin HaysIT AnalystCommented:
Don't confuse a local administrator with the Domain Administrator.
gs-rhoAuthor Commented:
Well, then the local administrator won't be able to decrypt the files and that will lock him out.

I'm not confusing the local and domain administrator. Don't know what I said to give that impression. This user needs admin rights on a member server because of what he has to do on there, but I don't want him to be able to access some files on there.

By the same token, if he had to be a domain admin, then I could still use encryption in a few places, on the domain, to keep him out of things, right? The fact that I only need him as a local admin is good, because he's just a user on other servers.

And from my understanding now, if he was a domain admin, then, I could decrypt things all over the domain, and if he is not the DRA, then he can't get at it. DRA by default is the first domain admin, right?

Would be nice to have confirmation of these thoughts. Thanks.

gs-rhoAuthor Commented:
...and for the sake of a thorough discussion...
Does anyone know what would happen, after it's encrypted, if the other administrator tried to take ownership? (I know we're getting to the point of fairly malicious actions, but it would be good to understand this in the case of a disgruntled employee. This security tab does not allow one at this point to view/change security, but does suggest that you can take ownership.)
Toni UranjekConsultant/TrainerCommented:
First question: What kind of tasks that the user has to do on the member server require local administrator privileges?
If he has domain administrator privileges it does not matter whether he is the DRA or not, because he can easily reset the password of the account which is the DRA. Of course such an action is performed only by a malicious user on purpose.
The built-in Administrator account is the DRA by default.
NTFS represents an additional layer of data security and it has nothing to do with EFS. A user with proper NTFS permissions can actually take ownership of encrypted files, but he won't be able to see their contents.
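An added example, not from this thread, that checks the point above from the defender's side: it audits a folder and reports, per file, whether the EFS Encrypted attribute is set, who the NTFS owner is, and whether the account running the script can actually open the file. A file that shows up as owned by you but not readable is exactly the "took ownership, still can't read it" case. The folder path `C:\Sensitive` is a placeholder; any path works.

```powershell
# Added example (not from the thread). Audits EFS state versus NTFS ownership.
# C:\Sensitive is a placeholder path; replace it with the folder to check.
param([string]$Path = 'C:\Sensitive')

function Test-EfsFile {
    param([System.IO.FileInfo]$File)

    # EFS sets the Encrypted file attribute; NTFS ACLs are a separate layer.
    $isEncrypted = ($File.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0

    # NTFS owner as recorded in the security descriptor (can be changed by
    # anyone holding Take Ownership, independent of EFS).
    $owner = (Get-Acl -Path $File.FullName).Owner

    # Opening the file for read needs a usable EFS key (user's or DRA's),
    # not just NTFS read permission, so this is the real test of access.
    $readable = $true
    try {
        $stream = $File.OpenRead()
        $stream.Close()
    } catch {
        $readable = $false
    }

    New-Object PSObject -Property @{
        Path      = $File.FullName
        Encrypted = $isEncrypted
        Owner     = $owner
        Readable  = $readable
    }
}

$results = Get-ChildItem -Path $Path -Recurse -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Test-EfsFile -File $_ }

$results | Format-Table Path, Encrypted, Owner, Readable -AutoSize

# Files in a folder meant to be protected that are NOT encrypted rely on
# NTFS permissions alone, which any administrator can override.
$unprotected = @($results | Where-Object { -not $_.Encrypted })
if ($unprotected.Count -gt 0) {
    Write-Warning ("{0} file(s) under {1} are not EFS-encrypted" -f $unprotected.Count, $Path)
}
```

Run it once as the user who encrypted the files and once as the other administrator to compare the Readable column.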
Kevin HaysIT AnalystCommented:
After looking back I'm not sure why I even got the idea you were confused with local admin vs. domain admin. Anyway, I would try to limit the roles/access that the user has. If he could get away with just being a backup operator, server operator, or power user on the local machine it would be best, but some admins give their users local admin priv to their machine. It just depends upon you.

If you had some virtual machines created or test systems then I would suggest testing this out.  Nothing like real hands on experience to see the results :)

Create a private undetected rootkit and hide what you need. Keep the rootkit in several safe places.
gs-rhoAuthor Commented:
"First question: What kind of tasks that user has to do on member server requires local administrator privileges?"

...the real-world example here is a case where one of the administrators is installing programs on the server. I doubt I need to get more specific than that. He has admin permissions so he can install programs on the server. I suppose he may not need permissions that high. I just didn't want him to run into any trouble while installing... of course.

I suppose in this case I am actually more concerned about the possibility of someone becoming a disgruntled admin, who is not at first (I guess they never appear to start that way), or a case where the permissions fall into different hands (perhaps actually into malicious hands). There are some things you have to protect to that degree.

The more we talk about this, the more it seems that an admin is just what it is meant to be... god-like powers. There always seems to be some way around this, if malicious enough, if one is an admin. So, I think the whole thing finally lands with a re-phrasing of the question...

Can I allow an "admin" to be able to do generally whatever he needs to do without being able to have access to certain files, nor the ability to change the attributes of other admins? I must admit, this is all very familiar from my course, but when you don't use it all the time, it slips away. It seems like delegation of realms of authority could come into play here (don't remember the exact name of the concept).

kshays mentions backup operator, server operator, power user... what do you all think? What level of control does an "admin" need to be able to do installations on a server without being hindered? Can a backup operator or a server operator change permissions on files or take control? (If no one knows or wants to answer, of course, I'll be setting out to experiment.)

Thanks for allowing this question to evolve without calling me on having multiple questions... that just wastes time. I think I'm pretty much at the end of this, if we can get some comments going on this last point. Hope others are getting something out of this too.
Toni UranjekConsultant/TrainerCommented:
"The more we talk about this, the more it seems that an admin is just what it is meant to be... god-like powers. There always seems to be some way around this, if malicious enough, if one is an admin."

I thought that was a well-known fact. :D I will repeat, you cannot lock out administrators efficiently.

You have to be a member of the local Administrators group to install software.

A backup operator cannot change permissions on files. He has the ability to back up files, and this is a low-level operation which has nothing to do with permissions or encryption.
A server operator can manage the server, create shares, add local printers, upgrade drivers, shut down the system, ... I don't think he can install software.

Kevin HaysIT AnalystCommented:
Once you get a fairly solid understanding of what they should be able to do, then the best way is to experiment. Get a test system and get your hands dirty :) No better way to have a good understanding of how something works than to actually see it in action.

I believe this approach will actually benefit you in the long run much better than just a simple answer right now.
gs-rhoAuthor Commented:
"I thought that was a well-known fact. :D I will repeat, you cannot lock out administrators efficiently."

Well, yes, it is a well-known fact. The fact that isn't so well-known is that Microsoft has not provided for every situation.
I agree that there isn't an efficient way to lock out administrators, but there are ways. It usually depends on who is the smarter administrator. The intelligent administrator will most likely bypass any locks. There are many methods to use in this situation. It is actually much better to use more than one method. I believe the rootkit method is the way to go. Only a hacker would know anything about a rootkit. Encryption is also a good suggestion, but it is only smart to use it on top of the rootkit.

I had some experience dealing with a rootkit since I used to hack this game called Maplestory. Gameguard is the anti-cheat software that protects Maplestory. Gameguard is actually a rootkit that hides Maplestory's memory.

If the other administrator isn't a coder, a rootkit is the solution. Coding will be required to bypass a rootkit. In the past, some third-party software was able to bypass rootkits, but that is no longer the case unless you make a rootkit with broken functions.

You can find help with making an undetected rootkit in the following forum. Most of the users there are very intelligent hackers.