Domain Admins restriction

tshad

We have a couple of people that need to be Domain Admins. This works fine.

My problem is that I want 1 person to be a Domain Admin, but there are a few
user files I want to restrict him from.

I tried Domain Admin to the folders (which he is part of) and then adding
his name to these folders and restricting access, but it doesn't work.
Apparently Domain Admin takes precedence.

Is there a way to do this?

Thanks,

Tom.
 
Oli Restorick [MVP]

There is no such thing as a restricted domain administrator. Absolutely
anything you put in his way, he can undo.

As far as file permissions are concerned, a deny overrides everything, no
matter who you are. However, there's nothing to stop him giving himself
access to the files again because he's an administrator of the machine the
files are on.

Have you thought about using the Rights Management facilities of Office
2003? This will encrypt the files and is about as close as you'll get to
doing what you want.

I would also argue with your assertion that you have people who need to be
domain admins. Use the delegation of control wizard to delegate certain
tasks.

Regards

Oli
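
Added example, not part of the original post: a simplified Python model of the Windows access check, showing why a deny entry blocks the read but cannot hold against an account that is an administrator of the file server. The account names, the CORP domain and the folder ACL are constructed; the model assumes the classic evaluation order (take-ownership privilege, implicit owner rights, then ACEs in order) and leaves out inheritance and the later OWNER RIGHTS entry.

```python
# Simplified model of the Windows access check (added example, constructed data).
READ_DATA, READ_CONTROL = 0x000001, 0x020000
WRITE_DAC, WRITE_OWNER = 0x040000, 0x080000
FULL = 0x1F01FF  # FILE_ALL_ACCESS

def access_check(token, sd, desired):
    """Return True if every bit in `desired` is granted to `token` on `sd`."""
    granted = 0
    # SeTakeOwnershipPrivilege yields WRITE_OWNER without consulting the DACL.
    if "SeTakeOwnershipPrivilege" in token["privileges"]:
        granted |= WRITE_OWNER
    # The owner implicitly holds READ_CONTROL and WRITE_DAC.
    if sd["owner"] in token["sids"]:
        granted |= READ_CONTROL | WRITE_DAC
    # ACEs are evaluated in order; explicit denies are stored first.
    for kind, sid, mask in sd["dacl"]:
        if desired & ~granted == 0:
            break
        if sid not in token["sids"]:
            continue
        if kind == "deny" and mask & desired & ~granted:
            return False
        if kind == "allow":
            granted |= mask
    return desired & ~granted == 0

def demo():
    # Hypothetical accounts in a hypothetical CORP domain.
    admin = {"sids": {"CORP\\restricted.admin", "CORP\\Domain Admins",
                      "BUILTIN\\Administrators"},
             "privileges": {"SeTakeOwnershipPrivilege"}}
    folder = {"owner": "CORP\\owner",
              "dacl": [("deny", "CORP\\restricted.admin", FULL),
                       ("allow", "CORP\\Domain Admins", FULL),
                       ("allow", "CORP\\owner", FULL)]}
    result = {}
    result["read_with_deny"] = access_check(admin, folder, READ_DATA)
    result["take_ownership"] = access_check(admin, folder, WRITE_OWNER)
    folder["owner"] = "BUILTIN\\Administrators"  # ownership now with the admin's group
    result["rewrite_dacl"] = access_check(admin, folder, WRITE_DAC)
    folder["dacl"] = [ace for ace in folder["dacl"] if ace[0] != "deny"]
    result["read_after"] = access_check(admin, folder, READ_DATA)
    return result

if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step}: {'granted' if allowed else 'denied'}")
```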
 
tshad

Oli Restorick said:
There is no such thing as a restricted domain administrator. Absolutely
anything you put in his way, he can undo.

As far as file permissions are concerned, a deny overrides everything, no
matter who you are. However, there's nothing to stop him giving himself
access to the files again because he's an administrator of the machine the
files are on.

Have you thought about using the Rights Management facilities of Office
2003? This will encrypt the files and is about as close as you'll get to
doing what you want.

I would also argue with your assertion that you have people who need to be
domain admins. Use the delegation of control wizard to delegate certain
tasks.

We have one person (the owner of the company) who has complete access. We
also need a couple of people who administer the domain that also need access
to all but a couple of folders that contain sensitive information. A problem
is that the owner is away a bit and if he is gone and we need to get access,
we need to be able to.

Where is the "delegation of control wizard"?

Thanks,

Tom.
 
