Domain Administrator accessing folders

Dear Experts,

We are going to implement a Domain server in our company, but our IT director wants the administrator group not to be able to access the C drive or D drive folders of all users and staff. How can this be done? I need your help, please.

Thanking you in advance
Mohammed SIIOperation Experts Asked:

Marwan Osman Commented:
So how will they manage their PCs?!!
John, Business Consultant (Owner), Commented:
By definition, the Administrator has keys to the kingdom. It was always thus.

For one person, they could secure files on a USB hard drive (and lose them if the drive fails).

But to restrict access to all computer drives is not reasonable and cannot be implemented because the Administrator can always access all things.
Lior Karasenti Commented:
Maybe you mean accessing them remotely through administrative shares? C$, D$, etc.

This you can accomplish through GPO.

If you meant the local C and D then I completely agree with John Hurst.

Mohammed SIIOperation Experts, Author, Commented:
I mean, remotely they should not have access to the C and D drives.

Example: from Run \\ip-address\C$, this should not be accessed
John, Business Consultant (Owner), Commented:
Administrators can change the access rights.

The only way you can come close is to make sub-administrators who do not have rights and cannot change the policies. But then they cannot do much.
Lior Karasenti Commented:
Check this previous EE solution on how to accomplish that: 

But, again, as John mentioned, the administrator can always revert those settings back,
so it's a bit useless to do such a thing.
Mohammed SIIOperation Experts, Author, Commented:

I just need to block the C$ and D$ drives, and also to know how to create sub-administrators, as I am a starter for this task.
John, Business Consultant (Owner), Commented:
how to create sub-administrators  <-- There are "operators" who can perform backup and like tasks who are not administrators.

Someone must be Administrator (or else fire your IT staff and go home), and the administrator can block access to the "operators" using standard Windows share security.

Will Szymkowski, Senior Solution Architect, Commented:
The best way to secure this is to have a minimal number of administrators. Another thing you can do is enable auditing on files/folders or even Active Directory changes. This way you can track changes etc. when admins make them.

If you do decide to go that route then you can use Active Directory Auditor by Lepide Software.

Mohammed SIIOperation Experts, Author, Commented:
I am elaborating.
We have a domain network. What we want is for the domain admin to be unable to view all users' PCs' local drives (C: and D:) remotely, unless he is physically at the PC. In other words, the domain admin should not be allowed to put \\user_pc\c$ in Windows Explorer and see all the files on the remote computer, unless he is physically present at the PC itself.
John, Business Consultant (Owner), Commented:
What we want is for the domain admin to be unable to view all users' PCs' local drives (C: and D:) remotely

Hopeless task. The domain admin can change what you want.

If you do not trust your domain admin, make people changes.
Will Szymkowski, Senior Solution Architect, Commented:
As we have already stated a domain admin can revert any changes that have been made. However, you can achieve this using Group Policy to remove the default shares from all domain workstations, or ones that you specify using Security Filtering.
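
An added example, not part of the original thread: a PowerShell sketch of the two measures discussed above, turning off the automatic C$/D$ administrative shares on a workstation and auditing remote access to them. It assumes an elevated session on an English-language Windows client; the function names are hypothetical, and in a domain the same `AutoShareWks` value and the "Audit File Share" setting would be pushed by Group Policy rather than set per machine.

```powershell
# Added example; function names are hypothetical. Run elevated on a domain workstation.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AdminShareState {
    # AutoShareWks = 0 stops the Server service recreating C$, D$ and ADMIN$ at start-up
    # (servers use AutoShareServer instead).
    $v = (Get-ItemProperty -Path $params -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
    $live = Get-SmbShare -Special $true | Where-Object { $_.Name -match '^(ADMIN|[A-Z])\$$' }
    [pscustomobject]@{
        AutoShareWks = if ($null -eq $v) { 'not set (shares enabled)' } else { $v }
        LiveShares   = ($live.Name -join ', ')
    }
}

function Disable-AdminShares {
    New-ItemProperty -Path $params -Name AutoShareWks -PropertyType DWord -Value 0 -Force | Out-Null
    # Existing shares remain until the Server service restarts or the PC reboots.
}

function Enable-ShareAccessAudit {
    # Logs event 5140 ("A network share object was accessed") in the Security log.
    auditpol /set /subcategory:"File Share" /success:enable /failure:enable | Out-Null
}

function Get-AdminShareAccess {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5140; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        # ShareName is recorded as \\*\C$, \\*\ADMIN$ and so on.
        if ($d.ShareName -match '\\(ADMIN|[A-Z])\$$') {
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Source = $d.IpAddress
                Share  = $d.ShareName
            }
        }
    }
}

Get-AdminShareState                                  # read-only check of the current state
Get-AdminShareAccess -Hours 24 | Format-Table -AutoSize
```

Because an administrator can set the value back, forwarding these 5140 events to a log store the workstation admins do not control is what makes the audit trail useful.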

Natty Greg, In Theory (IT), Commented:
If there is no trust among the administrators, then do not bother implementing anything, as the admin has the right to the kingdom. You set up superusers or sub-administrators, same thing, but someone will have access to C and D.