Solved

Restricting domain admins from confidential data

Posted on 2009-04-13
Last Modified: 2013-11-25
We are a small company with three IT admins that all have Domain Admin permissions. Looking for ways to restrict IT's access to sensitive company information like HR and Finance data stored on our file server. All three of the IT members have overlapping responsibilities on the network so generally need network admin abilities. Are there some ways to keep data secure from IT even with admin rights?
Question by:doboszb

Expert Comment

by:Mike Kline
No way to do that, the domain admins can always take ownership if they really wanted to.
...the answer there is to limit the number of domain admins and keep that group small.
The domain admins have rights to your entire forest (forest is the security boundary).
Now if you notice domain admins going in and taking ownership and looking at things they should not be... those people should be fired... no other way to put it.
 
Thanks
Mike

Author Comment

by:doboszb
How about ways to audit access to specific folders to see who is trying to access them?

Accepted Solution

by:
Mike Kline earned 500 total points
You have to enable "audit object access"
Then you turn on auditing on the files and folders you want to audit.
 
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
That is for 2008 but the same principle applies for all versions. If you audit too much your logs will have a lot of noise that will fill them up, but it looks like you are only after a few folders.
Thanks
Mike
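
The two steps from the accepted answer, sketched in PowerShell as an added example (it is not part of Mike Kline's post). The folder path and the audited principal are assumed values, the script must run in an elevated session on the file server, and event ID 4663 applies to Windows Server 2008 and later.

```powershell
# Added example, not from the original thread.
$Folder    = 'D:\Shares\HR'   # assumed path of the sensitive folder
$Principal = 'Everyone'       # audit every account, Domain Admins included

# Step 1: enable "audit object access" for the file system on this server.
# In a domain this is normally set through Group Policy rather than locally.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: add an audit entry (SACL) to the folder, inherited by its contents.
# TakeOwnership and ChangePermissions are audited because those are the
# operations an administrator uses to get past a restrictive ACL.
$rights    = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$outcome   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, $rights, $inherit, $propagate, $outcome)

$acl = Get-Acl -Path $Folder -Audit   # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 3: list recent object-access events (4663) for that folder only,
# which keeps the noise mentioned in the answer out of the review.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 1000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($field in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$field.Name] = $field.'#text'
        }
        if ($data['ObjectName'] -like "$Folder*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object     = $data['ObjectName']
                AccessMask = $data['AccessMask']
                Process    = $data['ProcessName']
            }
        }
    } | Format-Table -AutoSize
```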