Re: What is the best way to restrict access to Domain Admins on certain folders?
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 20 Mar 2008 04:41:42 -0700
"Ravi" <ravichandra.thalluri@xxxxxxxxx> wrote in message
news:bcb0ff16-dced-4ad3-89d0-b866e81b552e@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Some of the folders in our file system contain sensitive financial
data. The file server is managed by our IT department. How do I
restrict the people in Domain Admins group (some of them are from IT
Department) from accessing sensitive data? If I remove read
oh my !! you mean some are not !!
permissions to Domain Admins, backup jobs may fail
Most backup software will not fail if there is no grant to the
account used to run the backup as backup software uses a set
of APIs for backup/restore that is exempt from NTFS ACLing
checks/control.
Your best approach is to store the data on a machine that is
not domain joined or to acquire and use a rights management
package. Use of EFS can be problematic in that you likely have
this placed in the filesystem so that a number of people can have
access to it, but that can be a pain with EFS (yes, someone that
can decrypt the file can add another account to the ability, but
in practice this is not as convenient as one might like).
Roger
.
- References:
- Prev by Date: Re: AD CS in 2003 AD domain
- Next by Date: Re: A paper on Threat model
- Previous by thread: Re: What is the best way to restrict access to Domain Admins on certain folders?
- Next by thread: Re: New Free software and games download (A to Z)
- Index(es):
Relevant Pages
|
