What is the best way to restrict access to Domain Admins on certainfolders?

[Ravi]

Some of the folders in our file system contain sensitive financial
data. The file server is managed by our IT department. How do I
restrict the people in Domain Admins group (some of them are from IT
Department) from accessing sensitive data? If I remove read
permissions to Domain Admins, backup jobs may fail.

 

[Lanwench [MVP - Exchange]]

Some of the folders in our file system contain sensitive financial
data. The file server is managed by our IT department. How do I
restrict the people in Domain Admins group (some of them are from IT
Department) from accessing sensitive data? If I remove read
permissions to Domain Admins, backup jobs may fail.

EFS. But be very careful. Your domain admins/IT staff are the ones you need
to rely on to administer/manage/back up and restore your data. If you
encrypt something and they can't work on it/back it up, and you can't
unencrypt it, your data is lost. Hire only admins you can trust, and have
everyone sign computer use agreements, nondisclosure agreements, and so
forth..

Note for future This isn't really the best group for a question like this -
I'd post in microsoft.public.windows.server.active_directory with a possible
crosspost to microsoft.public.security.

 

[Anteaus]

EFS. But be very careful. Your domain admins/IT staff are the ones you need
to rely on to administer/manage/back up and restore your data. If you
encrypt something and they can't work on it/back it up, and you can't
unencrypt it, your data is lost.

Very true.

Besides, IT staff are Gods <eyes glow> and you would do well to kneel before
us.

 

[Lanwench [MVP - Exchange]]

Very true.

Besides, IT staff are Gods <eyes glow> and you would do well to kneel
before us.

We especially like offerings of glazed raspberry-jelly doughnuts.