August 19th, 2002, 04:40 PM
Any MS Active Directory Admins out there?
I have several admins who I need to keep out of several HR folders. I need to know how I can keep them as admins (domain admins), but not allow them to modify permissions on those folders. I am finding that after I set the permissions on the folder, they can be changed (by the admin) to allow that admin access to the HR folders. All MS Win 2k Machines if that helps.
August 19th, 2002, 06:27 PM
As far as I am aware if you are the administrator, a member of the domain administrators group, or a member of the local administrators group you can give yourself rights to anything on that box.
Work... Some days it's just not worth chewing through the restraints...
August 19th, 2002, 06:29 PM
Put these administrators into a group. Then under the permissions for the folder explicitly deny access for the users in that group. This is just a suggestion, but might be the easiest way to go w/o running around with Group Policy.
August 19th, 2002, 06:45 PM
Sgt_B: They are not admins of the server box, but admins over the network. They need to retain all of the privileges of a domain admin, but not be able to modify permissions on a folder.
I will try putting them in a group and denying all privileges to the folder, but I think that they can still modify the NTFS permissions on the folder and give themselves the right to that folder again.
The main thing I am trying to not allow is for them to take ownership of that folder.
August 19th, 2002, 06:51 PM
They very well might be able to change the permissions. I'd like to see if it works though before venturing into GPOs. I'm a bit rusty with GPOs though so we'll see.
On second thought, even if they were denied access, they could simply remove themselves from the group, and presto, they got access. Try adding them as individual users to the deny list.
I'll look into this for ya, see if I can come up with anything.
For records sake, is this only one domain?, and are all admins in the Domain Admins group?
August 19th, 2002, 06:59 PM
One domain. Yes, all admins are in the domain admin group. I inherited this domain from the previous admin who did not do any documentation of the network.
August 19th, 2002, 07:08 PM
I think the trick may be to separate the HR department into its own separate OU, and then the rest of the company into another OU. Then give them admin rights within the rest of the company network, but only allow yourself or the head of HR (or a computer savvy HR person) to have admin rights to the HR OU.
Just remember: Abraham Lincoln didn't die in vain. He died in Washington D.C.
August 19th, 2002, 07:35 PM
You cannot restrict an administrator from doing anything on a machine that they have administrator access for.
And if you remove the domain admin group from having administrator privileges, they can easily give it back to themselves with the following.
I would suggest encrypting the data that you want to keep out of the hands of the domain admins with something like PGP.
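Since a domain admin can always take ownership and re-grant access, the realistic control for the HR folder is detecting such changes rather than preventing them. The PowerShell script below is an added example, not code from the thread: it snapshots the folder's security descriptor, compares it with a saved baseline, and lists every principal holding the ChangePermissions or TakeOwnership rights. The paths D:\HR and D:\Baselines\HR.acl.sddl are placeholders, and it assumes a current Windows host with PowerShell 3 or later rather than the Windows 2000 machines discussed here.

```powershell
# Added example (not from the thread). D:\HR and the baseline file path are placeholders.
# Run on a schedule under an account that can read the folder's security descriptor.
param(
    [string]$Path = 'D:\HR',
    [string]$BaselinePath = 'D:\Baselines\HR.acl.sddl'
)

# Rights that let a principal widen its own access: rewriting the DACL or taking ownership.
$Escalating = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor `
              [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$acl     = Get-Acl -Path $Path
$current = $acl.GetSecurityDescriptorSddlForm('All')   # owner, group, DACL as one SDDL string

if (-not (Test-Path $BaselinePath)) {
    # First run: record the approved descriptor so later runs have something to compare.
    $current | Set-Content -Path $BaselinePath
    Write-Output "Baseline recorded for $Path"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw
if ($current.Trim() -ne $baseline.Trim()) {
    # Any change to owner or ACEs shows up here, including an admin taking ownership.
    Write-Warning "Security descriptor of $Path differs from baseline (owner or ACEs changed)."
}

# Report the current owner and every Allow ACE carrying ChangePermissions or TakeOwnership
# (FullControl includes both), since those are what let an admin re-grant themselves access.
Write-Output ("Owner: {0}" -f $acl.Owner)
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and (($ace.FileSystemRights -band $Escalating) -ne 0)) {
        Write-Output ("{0} holds {1} (inherited: {2})" -f $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
    }
}
```

Keep the baseline file somewhere the audited admins cannot write, otherwise a change to the folder can be hidden by re-recording the baseline.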
August 19th, 2002, 08:16 PM
DarkGuardian hit the nail right on the head! Once you have that set up, administration will be easy. Not sure what your exp. with AD is, but you might want to look into taking a class or two in regards to AD. It can be a great tool for a great many things.
August 19th, 2002, 08:22 PM
Sgt_B: I am working on MCSE, so I do have general knowledge in AD. (Also have plenty of books) I will try DarkGuardian's suggestion.