How to secure access to a folder on windows server 2008 R2

How to restrict access to a shared network folder on Windows Server 2008 R2 to only one administrator account. We have 3 users with administrative rights in AD and need to have only one of them to have access to it. How to set sharing and security permissions?
Nick ITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Emmanuel AdebayoGlobal Windows Infrastructure Engineer - ConsultantCommented:
Create a group add the account that need access to the folder. Assign this group permission the require permission to the folder, i.e Shared permission - Full or Modify; NTFS - Full or Modify

Remove local admin or domain admin permission from the folder.

this scenario will not work if there are multiple administrators

The members of administrative / high privileged groups can logon to server and take ownership of folder followed by full permissions

If you really want to restrict access to share folder except one admin, you need to remove other admins from high privileged groups in AD and also from local administrators group on file server
After that remove them from access control of folder ( Share and NTFS permissions)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
Via NTFS security and remove Domain Administrators to the access of that folder. Then actually, specify explicitly the groups that should have access and make sure that Domain Admins are not included in any of those groups. Include that particular one Administrator as required.
Natty GregIn Theory (IT)Commented:
OU's makes things so simple, you can have organizational units and with 3 admins each assigned roles with certain privileges n one person I assume you to man the AD then non of this would be an issue, if you assign only one admin to share because the others wouldn't be able to assign themselves access.
Basically what Mahesh said. The easy side is changing the access to specifically what you want, the problem becomes preventing someone from changing those accesses back to where they were before.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.