Guest Ravi
Posted March 19, 2008

Some of the folders in our file system contain sensitive financial data. The file server is managed by our IT department. How do I restrict the people in Domain Admins group (some of them are from IT Department) from accessing sensitive data? If I remove read permissions to Domain Admins, backup jobs may fail.

Guest Kerry Brown
Posted March 19, 2008

Re: What is the best way to restrict access to Domain Admins on certain folders?

Try checking out some of the many replies you've received to your many posts in other newsgroups.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

"Ravi" <ravichandra.thalluri@gmail.com> wrote in message news:bcb0ff16-dced-4ad3-89d0-b866e81b552e@e23g2000prf.googlegroups.com...
> Some of the folders in our file system contain sensitive financial
> data. The file server is managed by our IT department. How do I
> restrict the people in Domain Admins group (some of them are from IT
> Department) from accessing sensitive data? If I remove read
> permissions to Domain Admins, backup jobs may fail

Guest Dobromir Todorov
Posted March 19, 2008

Re: What is the best way to restrict access to Domain Admins on certain folders?

ACLs won't help to really restrict access - Domain Admins can typically take ownership and change permissions directly or indirectly.

EFS with DRA's that are not the Domain Admins but trusted individuals is the best option off the top of my head. If the DRA and user key pairs and associated certificates are properly protected (stored on Smart Cards), this is pretty much the best it can get without third party components.

Regards,
Dob

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

"Ravi" <ravichandra.thalluri@gmail.com> wrote in message news:bcb0ff16-dced-4ad3-89d0-b866e81b552e@e23g2000prf.googlegroups.com...
> Some of the folders in our file system contain sensitive financial
> data. The file server is managed by our IT department. How do I
> restrict the people in Domain Admins group (some of them are from IT
> Department) from accessing sensitive data? If I remove read
> permissions to Domain Admins, backup jobs may fail

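Added example (not part of the original posts): since the reply above notes that an ACL cannot stop an administrator from taking ownership or changing permissions, the complementary control is to audit exactly those two operations on the folder. The folder path `D:\Finance` is a hypothetical placeholder, and the `auditpol` subcategory name assumes an English-language system.

```powershell
# Added example. $Path is a hypothetical folder name; run from an elevated
# session on the file server.
$Path = 'D:\Finance'

# The SACL below produces no events unless the File System audit
# subcategory is enabled (name shown is the English one).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Audit the two operations named in the reply: taking ownership and
# changing permissions. S-1-1-0 is the well-known SID for Everyone, so the
# rule covers administrators as well as ordinary users.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $everyone, $rights, $inherit, $prop, $flags

# Get-Acl only loads the SACL when -Audit is given.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Show the current owner and the audit rules now in place.
$check = Get-Acl -Path $Path -Audit
"Owner: $($check.Owner)"
$check.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Because the same administrators can also edit the SACL or clear the Security log, these events are only useful as evidence if they are forwarded to a collector that the file-server administrators do not manage.
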
Guest Ravi
Posted March 19, 2008

Re: What is the best way to restrict access to Domain Admins on certain folders?

On Mar 19, 10:06 pm, "Dobromir Todorov" <dtodo...@msn.com> wrote:
> ACLs won't help to really restrict access - Domain Admins can typically
> take ownership and change permissions directly or indirectly.
>
> EFS with DRA's that are not the Domain Admins but trusted individuals is
> the best option off the top of my head. If the DRA and user key pairs and
> associated certificates are properly protected (stored on Smart Cards),
> this is pretty much the best it can get without third party components.
>
> Regards,
> Dob
>
> --
> ---
> HTH,
> Dobromir
>
> Learn more about Security and Identity Management:
> Visit http://www.iamechanics.com
>
> "Ravi" <ravichandra.thall...@gmail.com> wrote in message
> news:bcb0ff16-dced-4ad3-89d0-b866e81b552e@e23g2000prf.googlegroups.com...
>
> > Some of the folders in our file system contain sensitive financial
> > data. The file server is managed by our IT department. How do I
> > restrict the people in Domain Admins group (some of them are from IT
> > Department) from accessing sensitive data? If I remove read
> > permissions to Domain Admins, backup jobs may fail

Thank you. Looks like this will be the best solution for our scenario.

Guest Roger Abell [MVP]
Posted March 20, 2008

Re: What is the best way to restrict access to Domain Admins on certain folders?

"Ravi" <ravichandra.thalluri@gmail.com> wrote in message news:bcb0ff16-dced-4ad3-89d0-b866e81b552e@e23g2000prf.googlegroups.com...
> Some of the folders in our file system contain sensitive financial
> data. The file server is managed by our IT department. How do I
> restrict the people in Domain Admins group (some of them are from IT
> Department) from accessing sensitive data? If I remove read

oh my !! you mean some are not !!

> permissions to Domain Admins, backup jobs may fail

Most backup software will not fail if there is no grant to the account used to run the backup as backup software uses a set of APIs for backup/restore that is exempt from NTFS ACLing checks/control.

Your best approach is to store the data on a machine that is not domain joined or to acquire and use a rights management package.

Use of EFS can be problematic in that you likely have this placed in the filesystem so that a number of people can have access to it, but that can be a pain with EFS (yes, someone that can decrypt the file can add another account to the ability, but in practice this is not as convenient as one might like).

Roger
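
Added example (not part of the original posts): two replies in this thread rest on the same mechanism, namely that taking ownership and the backup/restore APIs are governed by user rights on the server rather than by the folder's ACL. The script below lists which accounts hold those rights on the machine it runs on; the temporary file name is an arbitrary choice.

```powershell
# Added example. Run from an elevated session on the file server.
# Lists the holders of the user rights that let a process read, restore or
# re-own files regardless of the NTFS ACL on them.
$rights = 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege'

# Export the effective user-rights assignments to a temporary INF file.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

try {
    $report = foreach ($line in Get-Content -Path $cfg) {
        # Lines look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $rights -contains $Matches[1]) {
            $right   = $Matches[1]
            $members = $Matches[2]
            foreach ($entry in $members.Split(',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $name = $entry
                if ($entry.StartsWith('*')) {
                    # Entries prefixed with * are SIDs; resolve them to names.
                    $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $name = $sid.Value }   # SID that no longer resolves
                }
                [pscustomobject]@{ Right = $right; Account = $name }
            }
        }
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

$report | Sort-Object Right, Account | Format-Table -AutoSize
```

On a domain-joined server the local Administrators group normally holds all three rights, and Domain Admins is a member of that group by default, which is why removing the Domain Admins entry from the folder ACL neither breaks backups nor keeps administrators out.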