Solved

removing domain admins from a folder

Posted on 2014-02-04
1
318 Views
Last Modified: 2014-02-04
our security team need to secure some sensitive documents on a file share. the audit team have asked about the implications/practicality of even removing the local admins and domain admins group from the folders DACL. what issues/support risks does removing the admins from the folder cause, is it even possible?
0
Comment
Question by:pma111
1 Comment
 
LVL 6

Accepted Solution

by:
alexgreen312 earned 500 total points
ID: 39832452
Hi there,

Yes it is possible, no you shouldn't do it, main reasons are the following

1. We can still take ownership of the folder, takes a bit of fiddling but it's quite easy

2. Backups could fail as the backup service account is normally a Domain Admin

3. We won't be able to fix issues if they arise without blowing apart the security structure

4. We can still modify our accounts with the active directory group associated with that folder.

5. Extra administration will be required.


The thing is, as an IT professional we should be trusted with all and any data that is held on the network. It's our responsibility to maintain the infrastructure and ensure that it's all running smoothly. I seriously doubt anyone will be interested in going into that folder to see what's in there.

I assume it's either HR or Finance that have requested this?

Cheers

Alex
0

Join & Write a Comment

I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now