Re: What is the best way to restrict access to Domain Admins on certain folders?
- From: "Dobromir Todorov" <dtodorov@xxxxxxx>
- Date: Wed, 19 Mar 2008 17:06:51 -0000
ACLs won't help to *really* restrict access - Domain Admins can typically
take ownership and change permissions directly or indirectly.
EFS with DRA's that *are not* the Domain Admins but trusted individuals is
the best option off the top of my head. If the DRA and user key pairs and
and associated certificates are properly protected (stored on Smart Cards),
this is pretty much the best it can get without third party components.
Regards,
Dob
--
---
HTH,
Dobromir
Learn more about Security and Identity Management:
Visit http://www.iamechanics.com
"Ravi" <ravichandra.thalluri@xxxxxxxxx> wrote in message
news:bcb0ff16-dced-4ad3-89d0-b866e81b552e@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Some of the folders in our file system contain sensitive financial
data. The file server is managed by our IT department. How do I
restrict the people in Domain Admins group (some of them are from IT
Department) from accessing sensitive data? If I remove read
permissions to Domain Admins, backup jobs may fail
.
- Follow-Ups:
- References:
- Prev by Date: Re: man in the middle
- Next by Date: Re: AD CS in 2003 AD domain
- Previous by thread: What is the best way to restrict access to Domain Admins on certain folders?
- Next by thread: Re: What is the best way to restrict access to Domain Admins on certain folders?
- Index(es):
Relevant Pages
|
