Denying Permissions in Windows to administrator

Several people in our company know the administrator password to our Windows Server computers and need to continue to have administrator privileges.  Note: We don't have Active Directory implemented yet.  We won't be implementing Microsoft Exchange until the end of the year at the earliest, so in the meantime we want to back up people's .pst files to a folder on a NAS appliance running Windows Storage Server 2008.   We only want managers (not administrators) to have access to this folder.  Is there a way in Windows Storage Server 2008 to deny read/write permissions to a specified folder to the administrator account and to anyone who is part of the Administrators group?
Asked by: Declan_Basile

1 Solution
 
Darius Ghassem commented:
Administrators can get ownership of files, so even if they don't have permission they can take control of the file or folder and give themselves permission. Not really a way to block an Administrator.
pwindell commented:
Your problem is that you believe Administrator rights are required to do what you need to do.
You can have Regular Users do this by simply creating a special Group for this,...give the Group Permissions to the File System in the correct location,...then add the Regular Users to the Group.

Original question:,....no it is impossible to restrict Administrators,...they have the power to unrestrict themselves after you restrict them.
pwindell commented:
When I say "Regular Users" I mean just normal simple regular users,...I'm not talking about any special group called "Regular Users",...there is no such thing,...because the regular group for regular users is just called "Users" and I am not saying to use that group, because that would end up being everyone.
Declan_Basile (Author) commented:
How can I give a small group of users administrative permissions to do everything an administrator can do except view this one folder?
pwindell commented:
You want to backup PST files.
Backing up files does not require Administrator rights,...all it requires is "Read-Only" access to the files.  You only have to "read" files to back them up.

You could also add the individual Users to the Backup Operators Group.

Change the Administrator Password so only those who should know it, actually know it.
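
A PowerShell setup of the approach pwindell describes above (a dedicated group with rights on the backup folder and no entry for Administrators), with the ownership caveat Darius Ghassem raised turned into an audit entry. This is an added example, not code from the thread; the folder path, group name and the account names alice and bob are placeholders.

```powershell
# Added example, not code from the thread. It sets up what pwindell describes
# (a dedicated local group with Modify rights on the backup folder and no ACE for
# Administrators) and records the caveat Darius Ghassem raised: Administrators
# keep the take-ownership privilege, so the ACL cannot stop them, but using it
# can be audited. Placeholders (not from the page): folder path, group name,
# and the constructed account names alice and bob. Run from an elevated prompt.
$Folder    = 'D:\PstBackup'
$Group     = 'PST Backup Managers'
$Members   = @('alice', 'bob')
$RuleType  = 'System.Security.AccessControl.FileSystemAccessRule'
$AuditType = 'System.Security.AccessControl.FileSystemAuditRule'

# 1. Local group for the managers who may read and write the PST copies.
& net localgroup "$Group" /add | Out-Null
foreach ($m in $Members) { & net localgroup "$Group" $m /add | Out-Null }

# 2. Folder with an explicit ACL. Breaking inheritance without copying drops the
#    BUILTIN\Administrators and Users entries inherited from the volume root.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None

# Managers: Modify on the folder and everything beneath it.
$acl.AddAccessRule((New-Object $RuleType -ArgumentList $Group, 'Modify', $inherit, $none, 'Allow'))
# SYSTEM keeps Full Control so backup and indexing services still work.
$acl.AddAccessRule((New-Object $RuleType -ArgumentList 'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $none, 'Allow'))
Set-Acl -Path $Folder -AclObject $acl

# 3. The caveat: an administrator can still take ownership and re-grant access.
#    Audit TakeOwnership and ChangePermissions so that shows up in the Security
#    log (object-access auditing must be on for the SACL entry to fire).
& auditpol /set /subcategory:"File System" /success:enable | Out-Null
$sacl = Get-Acl -Path $Folder -Audit
$sacl.AddAuditRule((New-Object $AuditType -ArgumentList 'Everyone', 'TakeOwnership, ChangePermissions', $inherit, $none, 'Success'))
Set-Acl -Path $Folder -AclObject $sacl

# 4. Show the resulting permission list for review.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The audit entry does not prevent anything; it only makes an administrator's takeover of the folder visible in the Security event log, which is the most the ACL model can offer here.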
pwindell commented:
Your thinking seems backwards.
You do not restrict Administrators,...you stop people from being administrators in the first place,...and give them only the minimal abilities to do what they need to do.
pwindell commented:
If you can't get your head around how to approach this you are never going to survive the change to a Domain where this kind of knowledge and understanding is critical.  You will have to bring in outside Consultants who have the knowledge and skills to make it all work properly, safely and securely.  It becomes even more critical if the company falls under government regulations such as Sarbanes-Oxley or HIPAA.
Declan_Basile (Author) commented:
No, my thinking is not at all backwards.  There are people here, myself included, who can "get their head around" these concepts just fine.  Everyone who knows the administrator password is capable of being an administrator.  That is NOT the issue.  The issue is that these people are not allowed to view confidential emails.  I realize that you can password protect .pst files, but if people are intelligent enough to have been given the administrator's password, then they're intelligent enough to hack past it.  So the concept to get your head around is that people need to manage the servers but there is confidential information that they can't have access to.
pwindell commented:
Everyone who knows the administrator password is capable of being an administrator.

How many times can I say this?  THAT is your problem.  They are NOT supposed to know the password,...so change it so that no one but one or two trusted people in the place know it,...or in this case the Managers you want to allow access to the PST files!

The issue is that these people are not allowed to view confidential emails.  I realize that you can password protect .pst files


No you can't "password protect" files,...this is not Windows 98.   This is exactly what I mean when I say that I don't think you are getting your head around this. I'm not trying to be insulting,...I'm really not,...but you don't realize how far off the mark you are here in your approach and I'm trying to get you to view this in the correct way.   What you are wanting to have is just flat impossible and you first need to understand and accept that, and second need to take a correct approach to network and system security.  You can't make an impossible thing happen no matter how badly you want it.

IT people must be the most scrutinized people in a company and should have to go through the most thorough background checks.  The IT people have the Administrator credentials,...that means they have the "keys to the kingdom", and have access to things that even the President of the company might not have (example, Sarbanes Oxley Act) and therefore have to be quality trusted people before that is ever given to them.   You just can't allow everybody around the facility to know the Admin credential,...you just can't do it.  You just cannot have people all over the facility jumping on the server and playing "Mr IT guy" either.  

At our place I have access to everything,...everything.  Can I see other people's mail,...yes,...absolutely,....do I read it just for fun,...NO,..because I am a trustworthy person that has the integrity and personal maturity and sense of responsibility that the job requires, heck I know things that I won't even tell my boss because it is not proper that he should know.  The most important skill of an IT person is not their technical knowledge,...you can look that stuff up in a book somewhere (or call a Consultant),...the most important possession of an IT person is their level of integrity.   If a company can't trust their IT people the war is over and they lost.
Declan_Basile (Author) commented:
It's not *my* thinking that's backwards.  Just because I'm an administrator doesn't mean I have the right to know everything.  I don't have any more right to see an owner's confidential emails than the janitor of the company has, and it doesn't mean that I don't have integrity, it means that it's none of my business.  There's a difference between trusting a person to do their job right and trusting someone with confidential information, and if the information isn't needed to do the job then the person shouldn't have access to it.  I might need to know how much RAM our server computer has, but I don't need to know what the lady in sales' salary is and I shouldn't be able to find out.  It's pretty simple actually.  I'm glad I could help *you* with *your* thinking.  You should award me points.  If I give you the link that tells you how to do what you say can't be done will you give me an "A" for my solution?  ...  http://support.microsoft.com/kb/198088
Declan_Basile (Author) commented:
Someone thought I needed help with my thinking and wrote multiple paragraphs of philosophical garbage.  I don't know how he/she finds the time for that.  All I needed was an answer to my question.  I'll probably just have the individual people temporarily back their emails up to flash drives until Exchange is deployed.  Thanks dariusq.
pwindell commented:
You're still missing the point.

What you want is impossible,...period.
 
It is the way computer OSes work.

Your approach to the problem is wrong because of the way computer OSes work,...if you won't listen,..I cannot do anything about that.

There is a correct approach that works, in compliance with the way computer OSes work, which I have outlined,...again,...if you won't listen,..I cannot do anything about that either.

http://support.microsoft.com/kb/198088
That is about adding passwords to the PST itself which is independent of the OS and is only a partial solution. You're looking at the little picture, I'm looking at the big picture.  If you want to do that fine,...but I could have those PSTs opened in a few minutes in spite of your password.
pwindell commented:
The subject line reads:

Denying Permissions in Windows to administrator

Not....how do I embed passwords in PST files.
Declan_Basile (Author) commented:
I wrote in my messages that passwords on .pst files can be hacked and that I'm going to get a flash drive for each person.   The link was in response to <<No you can't "password protect" files,...this is not Windows98>>  Does that make it simple enough for you to see which one of us is the one who isn't listening?  You'll have to find someone else to argue with, I can't entertain this post any longer.  I have too much work to do.