Solved

Restricting domain admins from confidential data

Posted on 2009-04-13
Last Modified: 2013-11-25
We are a small company with three IT admins that all have Domain Admin permissions. Looking for ways to restrict IT's access to sensitive company information like HR and Finance data stored on our file server. All three of the IT members have overlapping responsibilities on the network so generally need network admin abilities. Are there some ways to keep data secure from IT even with admin rights?
Question by:doboszb

Expert Comment

by:Mike Kline
ID: 24131115
No way to do that; the domain admins can always take ownership if they really wanted to.
...the answer there is to limit the number of domain admins and keep that group small.
The domain admins have rights to your entire forest (the forest is the security boundary).
Now if you notice domain admins going in and taking ownership and looking at things they should not be... those people should be fired... no other way to put it.
 
Thanks
Mike

Author Comment

by:doboszb
ID: 24131123
How about ways to audit access to specific folders to see who is trying to access them?

Accepted Solution

by:Mike Kline (earned 500 total points)
ID: 24131216
You have to enable "audit object access".
Then you turn on auditing on the files and folders you want to audit.

http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
That is for 2008 but the same principle applies for all versions. If you audit too much your logs will have a lot of noise that will fill them up, but it looks like you are only after a few folders.
Thanks
Mike
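
The two steps in the accepted answer, plus a way to read the results back, as an added PowerShell example that is not part of the original thread. It assumes Windows Server 2008 or later (where file access attempts are logged as Security event 4663), an elevated prompt, and a hypothetical folder path `D:\Shares\HR`.

```powershell
# Added example. $folder is a hypothetical path; point it at the folder to audit.
$folder = 'D:\Shares\HR'

# Step 1: enable "audit object access" for the File System subcategory.
# This sets local policy; in a domain, configure the same setting in Group
# Policy so it is not overwritten at the next policy refresh.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: add an audit entry (SACL) on the folder. S-1-1-0 is the well-known
# SID for Everyone, so Domain Admins are covered too. TakeOwnership and
# ChangePermissions are included because that is how an admin gets past NTFS ACLs.
$who       = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights    = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$outcome   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($who, $rights, $inherit, $propagate, $outcome)

$acl = Get-Acl -Path $folder -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Step 3: list recent access attempts under the audited folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    ForEach-Object {
        # Flatten the event's named data fields into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Object     = $data.ObjectName
            AccessMask = $data.AccessMask
            Process    = $data.ProcessName
        }
    } |
    Where-Object { $_.Object -like "$folder*" } |
    Sort-Object Time |
    Format-Table -AutoSize
```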