[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Restricting domain admins from confidential data

Posted on 2009-04-13
3
Medium Priority
?
353 Views
Last Modified: 2013-11-25
We are a small company with three IT admins that all have Domain Admin permissions.  Looking for ways to restrict ITs access to sensitive company information like HR and Finance data stored on out file server.   All three of the IT members have overlapping responsibilities on the network so generally need network admin abilities.  Are there some ways to keep data secure from IT even with admin rights?
0
Comment
Question by:doboszb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24131115
No way to do that,  the domain admins can always take ownership if they really wanted to.
...the answer there is to limit the number of domain admins and keep that group small.
The domain admins have rights to your entire forest (forest is the security boundary)
Now if you notice domain admins going in and taking ownership and looking at things they should not be....those people should be fired...no other way to put it.
 
Thanks
Mike
0
 

Author Comment

by:doboszb
ID: 24131123
How about ways to audit access to a specific folders to see who is trying to access them?
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 24131216
You have to enable "audit object access"
Then you turn on auditing on the files and folders you want to audit.
 
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
That is for 2008 but the same principle applies for all versions.  If you audit to much your logs will have a lot of noise that will fill them up but looks like you are only after a few folders.
Thanks
Mike
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Successful collaboration among team members is essential for the growth of your business. When employees work together on projects, share ideas and communicate effectively they get better results.
Simple Linear Regression
Progress
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question