Solved

Restricting domain admins from confidential data

Posted on 2009-04-13
Last Modified: 2013-11-25
We are a small company with three IT admins that all have Domain Admin permissions. Looking for ways to restrict IT's access to sensitive company information like HR and Finance data stored on our file server. All three of the IT members have overlapping responsibilities on the network, so they generally need network admin abilities. Are there some ways to keep data secure from IT even with admin rights?
Question by:doboszb
3 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24131115
No way to do that; the domain admins can always take ownership if they really wanted to.
...the answer there is to limit the number of domain admins and keep that group small.
The domain admins have rights to your entire forest (the forest is the security boundary).
Now if you notice domain admins going in and taking ownership and looking at things they should not be... those people should be fired... no other way to put it.
 
Thanks
Mike
 

Author Comment

by:doboszb
ID: 24131123
How about ways to audit access to specific folders to see who is trying to access them?
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 24131216
You have to enable "audit object access".
Then you turn on auditing on the files and folders you want to audit.
 
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
That is for 2008, but the same principle applies for all versions. If you audit too much, your logs will have a lot of noise that will fill them up, but it looks like you are only after a few folders.
Thanks
Mike
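The two steps from the accepted answer, plus a read-back of the resulting Security log entries, as an added PowerShell example that is not part of the original thread. It assumes Windows Server 2008 R2 or later with PowerShell 3.0+, an elevated session on the file server, and a hypothetical folder path `D:\Shares\HR`.

```powershell
# Added example; the folder path below is a hypothetical placeholder.
$Folder = 'D:\Shares\HR'

# Step 1: enable "audit object access" for the file system (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: turn on auditing (a SACL entry) on the folder, inherited by subfolders and files.
# S-1-1-0 is the well-known Everyone SID, so Domain Admins are audited as well.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule($everyone, $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $Folder -Audit      # -Audit loads the existing SACL so it is preserved
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 3: read back event 4663 ("An attempt was made to access an object") for this folder
# and flag requests that include WRITE_OWNER, the access right used to take ownership.
$WRITE_OWNER = 0x80000
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named data fields into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data.ObjectName -like "$Folder*") {
            $mask = [Convert]::ToInt32($data.AccessMask, 16)   # AccessMask is logged as hex, e.g. 0x80000
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Object        = $data.ObjectName
                AccessMask    = $data.AccessMask
                TakeOwnership = (($mask -band $WRITE_OWNER) -ne 0)
                Process       = $data.ProcessName
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

On a domain-joined server, set the same audit policy through Group Policy, since a GPO that defines it overrides the local `auditpol` setting.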


Question has a verified solution.
