"Is it possible to make it impossible for a domain admin to take ownership of a folder and its cont

Russell White

Greetings.

"Is it possible to make it impossible for a domain admin to take ownership
of a folder and its contents?"

This question can also be phrased as...

"Is it possible to make something accessible only to one user and no one
else (including domain admin) can either change permissions, take ownership,
etc."? It seems to me this is not possible - that domain admin can always
take ownership of these files.

The powers that be want one directory on our win2ksbs server to be
accessible only by a user, "fred". The domain admin should not have access
to this file nor should he be able to change permissions nor should he be
able to take ownership (thus allowing him to change permissions).

So it would appear to me that it is impossible (and for good reason I would
think) to make it impossible for domain admin to access a certain directory
because he could always take ownership of this directory and then change
permissions and then access the file.

Is this true? Is it possible to make it impossible for a domain admin to
take ownership of a folder and its contents?


Thanks in advance,

Russ White
 
Scott Harding - MS MVP

You are correct. The domain admins have all powers and can change a user's
password, take ownership, change permissions, etc. to get access to this file
if they want. Believe me, this is what we all want because you know that
'fred' is going to forget his password, or get fired, etc. and then what
would happen to the data then? No one would get it and the President of the
company would blame the domain admins for not being able to recover the
file.
 
Lanwench [MVP - Exchange]

Hi - note that I also replied in another group - if you need to post to
multiple groups, it's best to do so all at once in a single message
(separate the NG names with commas) so that everyone can follow the thread.
A lot of people subscribe to multiple groups, and this way you won't be
asking anyone to reproduce someone else's work, and everyone can benefit.

Crossposting = posting once to several newsgroups within a single message.
This is not a Bad Thing (presuming the list of groups posted to is small,
and all the groups are truly relevant to your question)

Multiposting = posting separate, identical posts to several newsgroups. This
is a Bad Thing. :)

See http://www.aspfaq.com/etiquette.asp?id=5003 and
http://www.blakjak.demon.co.uk/mul_crss.htm
 
Oli Restorick [MVP]

It's possible to remove the "take ownership" right from domain admins, but
these same people can give the right back to themselves.

It's impossible. The only solution would be to make Fred and only Fred the
domain admin. :)

Oli
 
Dave

Oli Restorick said:
It's possible to remove the "take ownership" right from domain admins, but
these same people can give the right back to themselves.

It's impossible. The only solution would be to make Fred and only Fred the
domain admin. :)

Oli

or to keep the critical data on a removable media or a non-networked machine
in a locked room.
 
Guest

Zip the files and use a strong encryption (not the Windows
one, it's flaky!) program on the zip file. The standard zip
password protection is not very strong.
 
