-
August 19th, 2002, 08:26 PM
#11
They should not be domain admins, because the built-in group is designed for people who have complete, unrestricted access to everything in the domain. You can make it annoying for them to get at data, but they can always do it.
Denying them permissions does not work because they can take ownership. Denying the right to take ownership doesn't work because they can reset the rights back to a default setting.
Encryption will not work because they can name themselves as a recovery agent and get encryption keys from any other user in the domain.
If you have people that you do want to be domain admins, don't put them in the group; make a junior admin group and give them appropriate rights, or something along those lines.
-Shkuey
Living life one line of error free code at a time.
-
August 19th, 2002, 08:44 PM
#12
Nothing worse than going into a network with nothing to go on. I take it that this is a WAN? Not much to go on here, but you can reduce privileges to other admins by using several options: one, set up a group of admins under a different group and password as well as permissions; second, move the HR folder to its own mapped drive, and use login scripts as to who sees the drive, and then set the drive for password protection to login to that drive. Oh, you can do this by creating a user with Admin rights exclusive to the drive. Best bet and fastest is to reduce privileges to other admins; forget the group in W2K Backup Operators or perhaps power users. Can only be one Master Admin, and other local admins should not have a problem with the policy. Good luck, sorry, just so little to go on; just think too many cooks spoil the broth, as do too many admins on a WAN. Policy has to come from the top and I hope you have their support.
Another thought is to simply give ownership of the folder to HR people, reduce everyone else to nothing including Admin, no groups.
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure. - Glen Seaborg
-
August 19th, 2002, 09:16 PM
#13
I'm not too good with Active Directory yet, also working on it, but there is something called delegation. If you put these users in their own OU you can then have them act as domain administrators of a certain part of the Active Directory. I believe you have to delegate control to them. Again, this is kinda what I picked up from reading books, never actually tried it though, but I believe it might work.
-
August 19th, 2002, 09:49 PM
#14
First rule of admining... never have your personal accounts have admin access. You should have to make a conscious effort to make changes to machines that require admin access. Second rule of admining, never add accounts to Domain Admins, ever, unless you want them to have complete access to everything in the domain. Third rule, if you don't listen to rule 1, then make a separate OU/security group for these other users' accounts and set the permissions with that security group.
Regards,
Wizeman
"It's only arrogance if you can't back it up, otherwise it is confidence." - Me
-
August 20th, 2002, 02:02 AM
#15
Member
I agree that these people probably should not be domain admins. If they need to stay domain admins, your best bet is to put the restricted files on an NTFS partition, set the permissions to keep the domain admins out, and then audit the crap out of it! If they change permissions/ownership, it's logged... if they create a user and access the files with that user, it's logged... if they muck around, and then clear the logs, that is also logged, so you can go back and say "you cleared the security log, and policy is logs are saved... where is the log file?"
Good luck
Put down the mouse......Step away from the keyboard!
--Me
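The "audit the crap out of it" approach above, as an added example that is not part of the thread: a PowerShell script (assumed: folder `D:\Shares\HR`, a modern Windows version whose Security log uses event IDs 4670/4663/1102, and an account holding SeSecurityPrivilege) that puts a SACL on the HR folder so permission, ownership and delete operations by anyone, Domain Admins included, are logged, and then pulls the events an auditor would review, including log clearing.

```powershell
# Added example, not from the thread. Assumptions: folder path, modern
# Windows event IDs (4670 permissions/owner changed, 4663 object accessed,
# 1102 audit log cleared), and that the "File System" and "Audit Policy
# Change" audit subcategories are enabled, otherwise nothing is written.
$folder = 'D:\Shares\HR'   # placeholder path

# 1. Audit success AND failure for the operations an admin would use to get
#    around the DACL: change permissions, take ownership, delete.
$acl    = Get-Acl -Path $folder -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership, Delete, DeleteSubdirectoriesAndFiles'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl   # writing a SACL needs SeSecurityPrivilege

# 2. Turn the relevant subcategories on (run elevated).
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

# 3. Review: anything touching the HR folder's security descriptor, plus every
#    1102 (log cleared) regardless of target. Assumption: owner changes via
#    Take Ownership also surface as 4670 on this system; verify in your lab.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670, 4663, 1102 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue
$events |
    Where-Object { $_.Id -eq 1102 -or $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Forward the Security log to a collector the local admins cannot clear; a 1102 on the member server with no matching copy on the collector is the "where is the log file?" conversation the post describes.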
-
August 20th, 2002, 12:17 PM
#16
Junior Member
It will almost be impossible to restrict domain admins unless you use a GPO, unfortunately. Like in my environment they use GPOs to restrict us domain admins from a lot of things, including specific folders --- there is always a way around it if you know what you're doing.
-
August 20th, 2002, 05:06 PM
#17
Take them out of the Domain Admins group, create a new group for them and give that group the explicit rights you want for them to be able to do, i.e. create groups, users, assign rights to certain OUs, etc.
Do not allow them rights to create users, folders or change rights on the OU that the HR folder exists in. There is more to this, and it is not nearly as simple as I'm making it sound, but this is your only bet.
Even if you give those users an explicit deny access/no access to the HR folders, since they are already Domain Admins (gods on your network) all they will have to do is take ownership of the folder and then give their users full rights to it again. There is no way you are keeping a domain admin out of anything in the domain, because they have the rights to change those ACLs at any time they choose to, within that domain.
Good luck, and email me if you need any help on this. It's been a while since I have had to do something similar, but I may be able to give you some suggestions and can be a good sounding board if you need one.
Also, as grygst76 said, you can restrict access via GPOs, but if they are in the Enterprise Admins group you will never keep them out. There are ways around GPOs, but it's not easy.
El Diablo
-
August 20th, 2002, 06:41 PM
#18
All these different posts are confusing the issue... So, once again, to answer the original question: NO. You cannot restrict a domain administrator from a network share that is on a machine that is a member of said domain.
Creating different OUs doesn't do it for you, explicit denies will not do it, GPOs also will not do it for you.
You can remove the admins from the Domain Admins group, but hey... then they can't do their job... which is administration of the domain. You can add another domain to your forest, but somebody will still have administration privileges of the root domain, and they can get around anything you put in place.
SO... from my original reply... the only solution, given the information we have to work with, is to use some type of encryption program other than Win2k encryption, such as PGP. Then the admin can get to the file, but they can't read it.
-
August 20th, 2002, 07:39 PM
#19
Senior Member
mohaughn: OUs are the answer, actually. OUs are designed to help break down the domain into more manageable organizational units (OUs...). You can then delegate management/administration to each OU specifically. As DarkGuardian and El Diablo stated, you can delegate authority to the HR OU for the head network admin/HR person, and then delegate authority for the other admins in the other OU(s). This way they are not in the Domain Admins group, and thus do not have access to the HR OU or any of its resources. This way the administrators can do their job, and they do not have access to the HR OU.
I don't know enough about encryption, but shkuey wrote:
"Encryption will not work because they can name themselves as a recovery agent and get encryption keys from any other user in the domain."
So the encryption method may be compromised as well.
The method using AD and OUs will work, and should be the primary method used to delegate authority to various admins within your domain.
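The "junior admin group" idea from shkuey's post (#11) and the OU delegation described here, as one added example that is not part of the thread: a PowerShell script (assumed: the ActiveDirectory module, a placeholder group `JuniorAdmins` and a placeholder OU `OU=Staff,DC=example,DC=com`) that grants that group create/delete-user and reset-password rights on one OU only, looks the schema GUIDs up rather than hard-coding them, and checks the group is not a member of Domain Admins.

```powershell
# Added example, not from the thread. Placeholders: group name, OU DN, domain.
Import-Module ActiveDirectory

$ouDN  = 'OU=Staff,DC=example,DC=com'
$group = Get-ADGroup -Identity 'JuniorAdmins'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the 'user' class schemaIDGUID and the 'Reset Password' control
# access right from this forest's own schema/configuration partitions.
$rootDse  = Get-ADRootDSE
$userGuid = [Guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$resetPwd = [Guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$acl        = Get-Acl -Path "AD:\$ouDN"
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descend    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Create and delete *user* objects in this OU and below, nothing else.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow, $userGuid, $inheritAll)))
# Reset Password extended right, scoped to user objects under this OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $descend, $userGuid)))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check 1: what JuniorAdmins can now do on this OU (and only this OU).
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*\JuniorAdmins' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType

# Check 2: the delegated group must not be a direct member of Domain Admins,
# otherwise the delegation is pointless. Expect False.
(Get-ADGroup -Identity 'Domain Admins' -Properties member).member -contains $group.DistinguishedName
```

The HR OU gets no such ACE for JuniorAdmins, so the delegated admins manage their OU but, as the post says, are not Domain Admins and have no standing on the HR OU.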
-
August 20th, 2002, 09:29 PM
#20
Umm.. He said in the original post that he wanted the domain admins to stay domain admins.
So given the original question. OUs do not work. Encryption does not work if you use the native win2k encryption.. Which is why in both of my messages I said to use PGP. There is no such thing as a DRA for PGP.