SBS 2007 Administrator
Posted on 2012-04-12
I have an adminstration problem on SBS 2007. One of my customer's senior managers wants a section of the file system which contains sensitive files to be inaccessible to the system administrator. Unfortunately there is a need for both the system administrator and one of the operations staff to know the admin password and the manager does not want the operations staff member to be able to access some folders or to be able to make any changes that would enablem them to access them. I have suggested using encryption but he is very reluctant. I changed the ownership of the folders containing the sensitive files and removed the administrator from the ACL but this caused problems with backup and was difficult to administer as the system adminstrator had to change the ownership and reset the ACL etc. I have pointed out that to the best of my knowledge that the administrator or a user who is a member of the administrators group can get access to any part of the filesystem by seizing ownership and then changing the folder/file permissions. So denying the administrator access to the sensitive files was actually not achieving very much and was causing problems. It would be helpful if anyone could confirm (or rebut) my assumption about the administrator being able to get access to any part of the filesystem and any suggestion as to how I could resolve this problem.