Re: Help setting up HIGH END user rights (higher than ADMIN)

From: Mike Brannigan [MS] (mikebran@online.microsoft.com)
Date: 06/17/02


From: "Mike Brannigan [MS]" <mikebran@online.microsoft.com>
Date: Mon, 17 Jun 2002 22:40:38 +0100


There are lots of things you can do to make it "difficult" for a user who is
a full Domain Administrator to get to a file/folder, change permissions,
etc. etc. etc. BUT ultimately they are Domain Admins and they are
there to fix things when all your delegated admins and other security
personnel make a mistake. You place them in a position of trust and thus you
MUST trust them. Obviously you can also audit their actions etc., but the
fact is YOU made them Domain Admins and you must trust them. If not, remove
all of those you do not trust from the Administrators groups and use
delegation to just give them the rights on the objects you think they should
have.

This is of course easier said than done - BUT not impossible if you are really
serious about security.

--
Regards,
Mike
--
Mike Brannigan [MS]
This posting is provided "AS IS" with no warranties, and confers no rights
Please note I cannot respond to e-mailed questions.
Please use these newsgroups

"Robert Paresi" <robert@nospam.com> wrote in message
news:#UIggjiFCHA.1732@tkmsftngp07...
> We have the following scenario.  The server is in the server room and
> everyone needs to log into it as Administrator so they can run a job.
>
> We have three people (john, jim and sam) who need HR access (payroll, HR,
> etc.)
>
> I've set up a file folder called HR and put all the payroll under it.  I
> secured it to a group called "HR" and gave it to the three people.
>
> Security works great (because I want to keep ADMINs out of it) -- however,
> nothing is stopping the Admin from editing their profile and giving
> themselves HR group security.
>
> Is the only way to handle this NAME security so john, jim and sam are
> specifically given rights to the HR folder or can I stop the ADMIN from
> even using/selecting/seeing the HR group profile?
>
> Thanks.
>
>