Lock a directory from Administrator Access

Posted on 2009-12-26
Last Modified: 2013-12-04
I'm the owner of a business. I have a Network Administrator that I would like to give access to our file server to perform standard network admin activities on (patches, app installs, backups, etc.), however there are certain files I would not like him to access on that server (HR, Payroll, personal, etc.).

Is there a permissions setting or something I can give him that lets him do network admin stuff on the server but prevents him from having access to sensitive data?

Or would I need some kind of third party app to lock those directories?

Question by:CANLLC
    LVL 74

    Expert Comment

    by:Glen Knight
    You can lock them down by simply specifying the deny permission for the user account he logs in as. Right-click on the folder itself and select
    Properties, then Security.

    Add the user in then specify the full access deny permission.

    However, as a techie myself I would say that at some stage you need to trust your IT staff and their professionalism. They have a job to do, ensuring ALL your data is backed up; if you deny them access to the data they cannot back it up. If you use a service account for your backups then this account will have access to your data, and what's stopping the admin logging in using this account?

    Trust is key in IT administration!!

    Author Comment

    Thanks for the input. I do plan on giving them full access at a later date, however would like to get to know the person a bit first before I open up all the company secrets to them.

    But back to your suggestion. Can't they simply log into the server and remove the deny permission and then continue on into the folder?
    LVL 74

    Expert Comment

    by:Glen Knight
    Only if they log in using the Administrator account. But if they really want to circumvent it they will be able to.

    I am afraid there is no way to completely prevent an Administrator from access; there are always ways around it.

    What I would suggest, if you don't already have one, is some sort of network use policy that your employers sign.
    LVL 33

    Expert Comment

    by:Dave Howe
    you could try using EFS - that's pretty effective, even against those with admin privileges.
    LVL 22

    Accepted Solution

    You can use a third party software
    So only people who know the password can access it.
    LVL 33

    Assisted Solution

    by:Dave Howe
    There are good third-party solutions - folder-protect isn't one of them though; it is trivially bypassed by even a half-hearted admin - like most such things, it assumes attackers won't have admin privileges or even be able to reboot using a linux live cd.

    For a good third party solution you can use something like truecrypt - at its most paranoid, that uses all three AES finalists (including the winner) in turn for transparent encryption - but again, you are re-inventing the wheel. All copies of windows past Win2000 come with EFS, and that is proof against anyone not knowing an authorized user's password. There is a recovery agent system, but that doesn't have to be the Admin, nor does the Admin even need to know WHO it is... however, through domain policy an Admin can modify that (so you would need to perform occasional checks to make sure the recovery certificate hasn't changed).
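
The periodic recovery-certificate check mentioned in the post above, as an added example that is not part of the original thread: it parses `cipher /c` output for a file and compares the recovery-certificate thumbprints against an approved baseline. The function names, file names and thumbprints are constructed, and the parser assumes the English-locale layout of `cipher /c` output.

```powershell
# Added example, not from the thread. Assumes English `cipher /c` output layout.
function Get-EfsRecoveryThumbprint {
    param([string[]]$CipherOutput)
    $inRecovery = $false
    foreach ($line in $CipherOutput) {
        $text = $line.Trim()
        if ($text -match '^Recovery Certificates?:') { $inRecovery = $true; continue }
        # Any other bare "Heading:" line ends the recovery section.
        if ($text -match '^[A-Za-z ]+:$') { $inRecovery = $false; continue }
        if ($inRecovery -and $text -match '^Certificate thumbprint:\s*(.+)$') {
            # Normalise "AAAA BBBB ..." to one upper-case hex string.
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

function Test-EfsRecoveryAgent {
    param([string[]]$CipherOutput, [string[]]$ApprovedThumbprint)
    $approved = @($ApprovedThumbprint |
        ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })
    $found = @(Get-EfsRecoveryThumbprint -CipherOutput $CipherOutput)
    [pscustomobject]@{
        Found      = $found
        Unexpected = @($found | Where-Object { $_ -notin $approved })
        Missing    = @($approved | Where-Object { $_ -notin $found })
    }
}

# Constructed sample of `cipher /c` output (hypothetical names and thumbprints).
$sample = @'
E payroll.xlsx
  Users who can decrypt:
    CORP\owner [owner(owner@CORP)]
    Certificate thumbprint: 1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA

  Recovery Certificates:
    Recovery Agent A
    Certificate thumbprint: AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333
    Recovery Agent B
    Certificate thumbprint: 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
'@ -split "`r?`n"

# Baseline recorded when the recovery agent was set up (constructed value).
$baseline = @('AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333')
$result = Test-EfsRecoveryAgent -CipherOutput $sample -ApprovedThumbprint $baseline
$result.Unexpected   # thumbprints on the file that are not in the baseline

# Live use (hypothetical path):
# Test-EfsRecoveryAgent -CipherOutput (cipher /c 'D:\HR\payroll.xlsx') -ApprovedThumbprint $baseline
```

A non-empty `Unexpected` list means the file can be decrypted by a recovery certificate that is not in the baseline.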
    LVL 24

    Expert Comment

    Universal shield is the third-party tool you can use to lock the access using a password & even admin can't access until they have the password which is used to lock.
    LVL 47

    Expert Comment

    You should use something like....
    Protect Your Data With Encryption
    LVL 22

    Expert Comment

    There are actually many tools... I just pointed to one of them...
    Don't use them so can't tell you exactly what and how...
    To find one that suits your needs just google 'lock folder' and
    find what you need.
    I personally avoid using this stuff ever since I had a bad experience a long time ago with
    a similar program (can't remember the name now).
    But to do what you want I think you will have to use one of these tools.
    Just please, be very careful when using the stuff not to lose a password or something similar...

