Any MS Active Directory Admins out there?

  1. #1
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038

    Any MS Active Directory Admins out there?

    I have several admins who I need to keep out of several HR folders. I need to know how I can keep them as admins (domain admins), but not allow them to modify permissions on those folders. I am finding that after I set the permissions on the folder, they can be changed (by the admin) to allow that admin access to the HR folders. All MS Win 2k Machines if that helps.

  2. #2
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    As far as I am aware if you are the administrator, a member of the domain administrators group, or a member of the local administrators group you can give yourself rights to anything on that box.
    Work... Some days it's just not worth chewing through the restraints...

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    Put these administrators into a group. Then under the permissions for the folder explicitly deny access for the users in that group. This is just a suggestion, but might be the easiest way to go w/o running around with Group Policy.

  4. #4
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Sgt_B: They are not admins of the server box, but admins over the network. They need to retain all of the privileges of a domain admin, but not be able to modify permissions on a folder.

    I will try putting them in a group and denying all privileges to the folder, but I think that they can still modify the NTFS permissions on the folder and give themselves the right to that folder again.

    The main thing I am trying to not allow is for them to take ownership of that folder.

  5. #5
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    They very well might be able to change the permissions. I'd like to see if it works though before venturing into GPOs. I'm a bit rusty with GPOs though so we'll see.

    On second thought, even if they were denied access, they could simply remove themselves from the group, and presto, they got access. Try adding them as individual users to the deny list.
    I'll look into this for ya, see if I can come up with anything.

    For record's sake, is this only one domain, and are all admins in the Domain Admins group?

  6. #6
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    One domain. Yes, all admins are in the domain admin group. I inherited this domain from the previous admin who did not do any documentation of the network.

  7. #7
    Member
    Join Date
    May 2002
    Posts
    89
    I think the trick may be to separate the HR department into its own separate OU, and then the rest of the company into another OU. Then give them admin rights within the rest of the company network, but only allow yourself or the head of HR (or a computer-savvy HR person) to have admin rights to the HR OU.
    Just remember: Abraham Lincoln didn't die in vain. He died in Washington D.C.

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    You cannot restrict an administrator from doing anything on a machine that they have administrator access for.

    http://support.microsoft.com/default...;en-us;Q240267


    And if you remove the domain admin group from having administrator privileges, they can easily give it back to themselves with the following.

    http://support.microsoft.com/default...;en-us;Q297307


    I would suggest encrypting the data that you want to keep out of the hands of the domain admins with something like PGP.
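
The behaviour discussed in posts #3 to #8, as an added example that is not part of any post in this thread: a simplified Python model of the NTFS access check, showing that a deny ACE holds for an ordinary user but not for an account that can take ownership, which is why post #8 falls back on encryption. The group name `NoHRAdmins`, the accounts `alice` and `bob`, and the assumption that the admin's token carries `SeTakeOwnershipPrivilege` are constructed for illustration.

```python
# Added example: simplified model of the NTFS access check (constructed names).
from dataclasses import dataclass, field

READ, WRITE_DAC, WRITE_OWNER = "READ", "WRITE_DAC", "WRITE_OWNER"

@dataclass
class Token:
    user: str
    groups: set
    privileges: set = field(default_factory=set)

    def sids(self):
        return {self.user} | self.groups

@dataclass
class Folder:
    owner: str
    dacl: list  # ordered (kind, trustee, rights) ACEs, deny entries first

def access_check(tok, obj, right):
    # The owner may always rewrite the DACL, whatever the DACL says.
    if right == WRITE_DAC and obj.owner in tok.sids():
        return True
    # SeTakeOwnershipPrivilege grants WRITE_OWNER without consulting the DACL.
    if right == WRITE_OWNER and "SeTakeOwnershipPrivilege" in tok.privileges:
        return True
    for kind, trustee, rights in obj.dacl:
        if trustee in tok.sids() and right in rights:
            return kind == "allow"  # first matching ACE decides
    return False  # no matching ACE means implicit deny

def regain_access(tok, obj):
    """Replay the sequence from the thread; return the steps that succeeded."""
    steps = []
    if access_check(tok, obj, WRITE_OWNER):
        obj.owner = tok.user
        steps.append("owner changed")
    if access_check(tok, obj, WRITE_DAC):
        obj.dacl = [("allow", tok.user, {READ})]
        steps.append("DACL rewritten")
    return steps

def hr_folder():
    # Constructed sample: deny ACE for a hypothetical NoHRAdmins group.
    deny = ("deny", "NoHRAdmins", {READ, WRITE_DAC, WRITE_OWNER})
    return Folder("hr_manager", [deny, ("allow", "HR", {READ})])

# Assumption: the admin's token carries SeTakeOwnershipPrivilege.
admin = Token("alice", {"Domain Admins", "NoHRAdmins"}, {"SeTakeOwnershipPrivilege"})
clerk = Token("bob", {"NoHRAdmins"})
```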

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    DarkGuardian hit the nail right on the head! Once you have that set up, administration will be easy. Not sure what your exp. with AD is, but you might want to look into taking a class or two in regards to AD. It can be a great tool for a great many things.

  10. #10
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Sgt_B: I am working on MCSE, so I do have general knowledge in AD. (Also have plenty of books) I will try DarkGuardian's suggestion.
