Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

SBS 2007 Administrator

Posted on 2012-04-12
2
Medium Priority
?
207 Views
Last Modified: 2012-04-16
I have an adminstration problem on SBS 2007. One of my customer's senior managers wants a section of the file system which contains sensitive files to be inaccessible to the system administrator. Unfortunately there is a need for both the system administrator and one of the operations staff to know the admin password and the manager does not want the operations staff member to be able to access some folders or to be able to make any changes that would enablem them to access them. I have suggested using encryption but he is very reluctant. I changed the ownership of the folders containing the sensitive files and removed the administrator from the ACL but this caused problems with backup and was difficult to administer as the system adminstrator had to change the ownership and reset the ACL etc. I have pointed out that to the best of my knowledge that the administrator or a user who is a member of the administrators group can get access to any part of the filesystem by seizing ownership and then changing the folder/file permissions. So denying the administrator access to the sensitive files was actually not achieving very much and was causing problems. It would be helpful if anyone could confirm (or rebut) my assumption about the administrator being able to get access to any part of the filesystem and any suggestion as to how I could resolve this problem.

Thanks

John
0
Comment
Question by:jhswinson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 9

Accepted Solution

by:
Geodash earned 2000 total points
ID: 37838835
With a domain admin password, any file or folder on the system cab be "seized" and he can make himself an owner.

If you really want to lock him out, you would need to change DA passwords and remove him from the DA group. Without doing this, he will always be able to gain permissions if he knows where the files/folders are located. This is working as intended for DA's

Being a domain admin, you can change anyone's password on the domain. You can deny his account privileges but a new account can be created and/or a password changed with someone that has permissions, and the files accessed.
0
 

Author Closing Comment

by:jhswinson
ID: 37850433
This confirms what I thought and is very useful as a "second opinion" to convice staff that the answer to the problem is encryption.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've often see, or have been asked, the question about the difference between the Exchange 2010 SP1 version, available as part of Small Business Server (SBS) 2011, and the “normal” Exchange 2010 SP1 Standard. The answer to the question is relativ…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

664 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question