Admin delegation question


Jeff Rodachy

My boss has miraculously decided that I may be trustworthy of administering
our internal Windows 2000 domain. Well, almost. Unfortunately, I need to
first find a way that I can administer the network servers while having NO
capability of reading the human resources data stored on the file server.
At first, I thought I could have my boss just explicitly deny myself
everything regarding file access and special permissions like "take control"
to that series of folders. Then I realized I could just create an account
that could be part of a group that can read those folders. Is there a way
to keep me from being able to add users to certain groups? Better yet, can
anyone think of a way that a folder can be secured so an Administrator
cannot access it? Can God make a rock so heavy he cannot lift it? Sorry,
got off track there. Either way, any help/suggestions would be nice.
Thanks

Jeffrey M. Rodachy
Starfish Computer Corporation
 
Jeff,

If your boss wants you to be a Domain Administrator, he will have to live
with the fact that a Domain Admin always has, at minimum, the right to "Take
Ownership" of any object in your domain - and as such, will always be
potentially available to you. Such is the nature of administration.
Administration is a "trusted" position and therefore everything within that
administrator's domain is his - you can't effectively administer *any* kind
of system without those kinds of rights. The same thing applies to Forest
Administrators (Enterprise Admins). They have the ability to control
virtually everything in the forest.

You might do some of the following:

1 - Institute Auditing on your protected files and folders.
2 - Create a separate forest for your HR Data (begs the question as to who
can administer *that* domain ...)
3 - Create an OU Hierarchy that you can administer that the HR OU is not
within - but that limits your ability to perform "Service Administration".

4 - Hold up your hand in front of your boss and repeat the following, "I
solemnly swear not to peek in HR ..." <g>

-ds
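
Suggestion 1 in the reply (auditing) can cover both routes raised in the question: taking ownership of the HR folders, and adding an account to a group that can read them. The sketch below is an added example, not code from either poster. It assumes the Security log has already been exported and parsed into records, uses Windows 2000 event numbering (560 for object open; 632, 636 and 660 for security group member additions), and every path, group and account name in it is a constructed placeholder.

```python
# Added example: triage of already-parsed Security log records.
# Event IDs follow Windows 2000 Security log numbering:
#   560           = object open (object access auditing)
#   632, 636, 660 = member added to a global / local / universal security group
# Paths, groups and account names are constructed placeholders (assumptions).

PROTECTED_PREFIX = "d:\\hr\\"            # assumed location of the HR folders
PROTECTED_GROUPS = {"hr-readers"}        # assumed group that grants HR access
APPROVED_USERS = {"hr-alice", "hr-bob"}  # assumed accounts allowed to read HR data
OWNER_CHANGING = {"WRITE_OWNER", "WRITE_DAC"}
GROUP_ADD_IDS = {632, 636, 660}


def review(events):
    """Return (record_index, reason) for every record a reviewer should look at."""
    findings = []
    for i, ev in enumerate(events):
        user = ev.get("user", "").lower()
        if ev["id"] == 560:
            path = ev.get("object", "").lower()
            # Trailing separator so D:\HRX does not match D:\HR
            if not (path + "\\").startswith(PROTECTED_PREFIX):
                continue
            if set(ev.get("accesses", [])) & OWNER_CHANGING:
                findings.append((i, "ownership or ACL change requested on HR data"))
            elif user not in APPROVED_USERS:
                findings.append((i, "HR data opened by non-HR account"))
        elif ev["id"] in GROUP_ADD_IDS:
            if ev.get("group", "").lower() in PROTECTED_GROUPS:
                findings.append((i, "member added to HR access group"))
    return findings


SAMPLE = [  # constructed records, not real log output
    {"id": 560, "user": "hr-alice", "object": r"D:\HR\payroll.xls", "accesses": ["ReadData"]},
    {"id": 560, "user": "admin1", "object": r"D:\HR", "accesses": ["WRITE_OWNER"]},
    {"id": 632, "user": "admin1", "group": "HR-Readers", "member": "tempuser"},
    {"id": 560, "user": "tempuser", "object": r"D:\HR\reviews.doc", "accesses": ["ReadData"]},
    {"id": 560, "user": "admin1", "object": r"D:\Public\menu.txt", "accesses": ["ReadData"]},
]

if __name__ == "__main__":
    for index, reason in review(SAMPLE):
        print(index, SAMPLE[index]["user"], reason)
```

An administrator can also change the audit policy or clear the Security log, so a review like this only helps if the log is copied off the server and read by someone other than the administrator being monitored.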
 
