Solved

Restricting domain admins from confidential data

Posted on 2009-04-13
Last Modified: 2013-11-25
We are a small company with three IT admins that all have Domain Admin permissions. Looking for ways to restrict IT's access to sensitive company information like HR and Finance data stored on our file server. All three of the IT members have overlapping responsibilities on the network so generally need network admin abilities. Are there some ways to keep data secure from IT even with admin rights?
Question by:doboszb
3 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24131115
No way to do that, the domain admins can always take ownership if they really wanted to.
...the answer there is to limit the number of domain admins and keep that group small.
The domain admins have rights to your entire forest (forest is the security boundary).
Now if you notice domain admins going in and taking ownership and looking at things they should not be....those people should be fired...no other way to put it.
 
Thanks
Mike
 

Author Comment

by:doboszb
ID: 24131123
How about ways to audit access to specific folders to see who is trying to access them?
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 24131216
You have to enable "audit object access"
Then you turn on auditing on the files and folders you want to audit.
 
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
That is for 2008 but the same principle applies for all versions. If you audit too much your logs will have a lot of noise that will fill them up, but it looks like you are only after a few folders.
Thanks
Mike
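Added example, not part of Mike Kline's answer: the two steps above (enable "audit object access", then turn on auditing on the folder) done from an elevated PowerShell prompt, followed by a report of who touched the folder. It assumes Windows Server 2008 or later (the `File System` audit subcategory and event IDs 4663/4670); the path `D:\Shares\HR` and the function name `Get-FolderAuditEvent` are hypothetical.

```powershell
# Assumptions: Windows Server 2008 or later, elevated prompt, hypothetical folder path.
$Path = 'D:\Shares\HR'

# 1. Enable the File System subcategory of "Audit object access" (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit (SACL) entry on the folder. TakeOwnership and ChangePermissions
#    are included because taking ownership is how an admin gets past the folder ACL.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $Path -Audit      # -Audit loads the SACL along with the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Report who accessed objects under the folder.
#    4663 = an attempt was made to access an object
#    4670 = permissions on an object were changed
function Get-FolderAuditEvent {
    param([string]$Folder, [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's named data fields into a hashtable.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ObjectName'] -like "$Folder*") {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Id     = $_.Id
                    User   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    Object = $data['ObjectName']
                    Access = $data['AccessMask']   # empty for 4670
                }
            }
        }
}

Get-FolderAuditEvent -Folder $Path | Sort-Object Time | Format-Table -AutoSize
```

Audit settings delivered by Group Policy override what `auditpol` sets locally, so on a domain-joined file server the same setting belongs in the GPO that applies to it.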

Question has a verified solution.