Re: "Is it possible to make it impossible for a domain admin to take ownership of a folder and it's contents?"

From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 03/31/04 

Date: Wed, 31 Mar 2004 18:13:56 +0100

It's possible to remove the "take ownership" right from domain admins, but
these same people can give the right back to themselves.

It's impossible. The only solution would be to make Fred and only Fred the
domain admin. :-)

Oli

"Russell White" <rwhite@cascodev.com> wrote in message
news:O95pElzFEHA.4044@TK2MSFTNGP10.phx.gbl...
> Greetings.
>
> "Is it possible to make it impossible for a domain admin to take ownership
> of a folder and it's contents?"
>
> this question can also be phrased as...
>
> "is it possible to make something accessible only to one user and no one
> else (including domain admin) can either change permissions, take
ownership,
> etc."? It seems to me this is not possible - that domain admin can always
> take ownership of these files.
>
> The powers that be want one directory on our win2ksbs server to be
> accessible only by a user, "fred". The domain admin should not have
access
> to this file nor should he be able to change permissions nor should he be
> able to take ownership (thus allowing him to change permissions).
>
> So it would appear to me that it is impossible (and for good reason I
would
> think) to make it impossible for domain admin to access a certain
directory
> because he could always take ownership of this directory and then change
> permissions and then access the file.
>
> Is this true? Is it possible to make it impossible for a domain admin to
> take ownership of a folder and it's contents?
>
>
> Thanks in advance,
>
> Russ White
>
>
>

Relevant Pages

  • Re: takeown access denied on w2k3
    ... Neil ... > You didn't mention if you try to take ownership of that folder using ... > domain admin account. ... > ask/guide user to take ownership on their own. ...
    (microsoft.public.windows.server.general)
  • Re: takeown access denied on w2k3
    ... Have you tried to remove that "mysterious" SID from the list of permissions ... >> You didn't mention if you try to take ownership of that folder using ... >> domain admin account. ... >> ask/guide user to take ownership on their own. ...
    (microsoft.public.windows.server.general)
  • Re: "Is it possible to make it impossible for a domain admin to take ownership of a folder and
    ... A lot of people subscribe to multiple groups, and this way you won't be ... > one else (including domain admin) can either change permissions, ... > admin can always take ownership of these files. ...
    (microsoft.public.win2000.security)
  • File Corruption
    ... We had a folder, including sub-folders and many files become corrupt. ... could not change permissions, ownership, open or delete any of the files or ... Deleting an index entry from index $0 of file 4844. ...
    (microsoft.public.windows.file_system)
  • Re: Access Denied
    ... To take ownership of a file or folder, ... > of the file then change permissions to delete the file. ...
    (microsoft.public.windowsxp.basics)