What is the best way to restrict access to Domain Admins on certain folders?
Posted by Ravi on March 19th, 2008


Some of the folders in our file system contain sensitive financial
data. The file server is managed by our IT department. How do I
restrict the people in Domain Admins group (some of them are from IT
Department) from accessing sensitive data? If I remove read
permissions to Domain Admins, backup jobs may fail.

Posted by Danny Sanders on March 19th, 2008


You really need to trust your admins. Especially if you consider that
anything you can do to restrict them, they, as domain admins, can undo.

If you can't trust them they don't need to be admins.

hth
DDS

"Ravi" <ravichandra.thalluri@gmail.com> wrote in message
news:8ce4c6c3-257a-433f-9b94-ecedaf340d27@i7g2000prf.googlegroups.com...


Posted by Newell White on March 19th, 2008



"Ravi" wrote:

product.

You cannot prevent a Domain Admin from reading any file on any server or
workstation in a domain, but encryption stops him from understanding the
contents.

A third-party product may be a better bet, because some Domain Admins may
know things about Windows EFS that you or I don't!

--
regards,
Newell White



Posted by Kerry Brown on March 19th, 2008


"Newell White" <NewellWhite@discussions.microsoft.com> wrote in message
news:095AC125-2899-406B-9363-22139A72671A@microsoft.com...

What happens when something goes wrong with the encryption and the people
who most likely have the skills to fix it don't have access? Not everyone
who administers a domain has to be a domain admin. Domain admins need to be
trusted members of the management team. This may mean you have one domain
admin (plus a backup account in case this one gets corrupted) who delegates
whatever privileges are needed (and nothing more) to other admins so they
can do their job. Backups should be done with a special account used only
for that purpose. This account should not be a domain admin. You should be
able to give it enough permissions to back up without being a domain admin.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
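
An added example, not part of the original thread: a PowerShell audit for the setup described in the post above (a dedicated backup account that is not a domain admin). The account name `svc-backup` and the folder `D:\Shares\Finance` are assumptions; run it on the file server with the ActiveDirectory module installed.

```powershell
# Audit sketch for a dedicated, non-admin backup account.
# Assumed names (not from the thread): svc-backup, D:\Shares\Finance.
Import-Module ActiveDirectory

$BackupAccount = 'svc-backup'           # hypothetical dedicated backup account
$SensitivePath = 'D:\Shares\Finance'    # hypothetical sensitive folder

# 1. The backup account must not be a Domain Admin, directly or via nested groups.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
if ($domainAdmins.SamAccountName -contains $BackupAccount) {
    Write-Warning "$BackupAccount is a member of Domain Admins"
}

# 2. It should be in this server's local Backup Operators group. That group holds
#    SeBackupPrivilege, which lets backup software read files regardless of the
#    folder ACL, so backups keep working without Domain Admins read access.
$domain    = (Get-ADDomain).NetBIOSName
$operators = Get-LocalGroupMember -Group 'Backup Operators'
if ($operators.Name -notcontains "$domain\$BackupAccount") {
    Write-Warning "$BackupAccount is not in the local Backup Operators group"
}

# 3. List every account that currently has Domain Admins rights, so the list
#    can be reviewed and kept to the few trusted people.
$domainAdmins |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, objectClass

# 4. Show which entries on the sensitive folder grant access to admin groups.
#    On a domain member, the local Administrators group includes Domain Admins
#    by default, so both names are matched.
(Get-Acl -Path $SensitivePath).Access |
    Where-Object { $_.IdentityReference -match 'Domain Admins|Administrators' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```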




Posted by Lanwench [MVP - Exchange] on March 19th, 2008


Ravi <ravichandra.thalluri@gmail.com> wrote:
Hi - I replied to your identical post in one of the XP groups.

In the future, please don't multipost - if you need to post to multiple
groups, it's best to crosspost instead, by posting a single message to a
handful of relevant groups (separate the NG names with commas) so that
everyone can follow the thread. Multiposting wastes everyone's time,
including yours, and may lead to your actually getting *less* help rather
than more.