THat's a philisophical issue. Frankly, the bottom line is two-fold: 1. Use the concept of least necessary permissions - only grant specific people enough access to do their job - no more. Currently, I manage 1000 servers in a domain in which I have nothing more than a general "user" account - no domain admin access at all. Only explicit elevation of privileges is having rights for our OU. 2. If you can't trust the admins, replace them. There are plenty (and I mean PLENTY) of ways to validate that someone isn't doing something they shouldn't - auditing is your friend.
-------- Roger Seielstad E-mail Geek _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm Sent: Wednesday, April 20, 2005 3:40 PM To: [email protected] Subject: RE: [ActiveDir] Restricting sensitive information I think if you use the 'deny' flag you should be able to restrict the access to just the 2 admins if you like. As the deny options overrides everything else deny the 12 admin accounts and do nothing to the last two. Deny should over ride the privileges they got from the admin group. Hope this helps. Kat _____ From: [EMAIL PROTECTED] on behalf of Perdue David J Contr InDyne/Enterprise IT Sent: Thu 21/04/2005 6:30 AM To: [email protected] Subject: RE: [ActiveDir] Restricting sensitive information You could. If you're trying to keep Admin's out of the information there is a good bet they'd have the password for the local admin account or they could change it with less notice than a user's network account. Dave //SIGNED// ------------------------------------------------ David J. Perdue ------------------------------------------------ _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Wednesday, April 20, 2005 10:48 AM To: '[email protected]' Subject: RE: [ActiveDir] Restricting sensitive information Can you use a local administrator account of a machine to unencrypt files? I do it all the time on laptops that we have deployed when they bring them in for service. I'm not sure how well this works on servers, but if it does then this might not be such a great option. Charlie -----Original Message----- From: Perdue David J Contr InDyne/Enterprise IT [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 20, 2005 11:34 AM To: [email protected] Subject: RE: [ActiveDir] Restricting sensitive information You could encrypt the files/folders and add in the user accounts of the folks who need access as well as one or two admins to help maintain it. Depending on what your policy has setup for a recovery agent, this would prevent individuals from accessing the files. They could still rename/delete/take ownership, but they couldn't access the data. Dave //SIGNED// ------------------------------------------------ David J. Perdue ------------------------------------------------ _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop Sent: Wednesday, April 20, 2005 04:44 AM To: [email protected] Subject: Re: [ActiveDir] Restricting sensitive information Original Message: We have a problem in discussion where we need to restrict sensitive HIPAA information to a very select few employees in the US and only one or two people overseas. The problem is, we have about 10-15 domain admins worldwide in our single domain, and this is too many people to have access to the HIPAA data. Rather than take domain admin priviledges away, whereby breaking their ability to promote domain controllers, etc - what's an easy way to have a share on a file server restricted to only a select few of the domain admins? We were thinking of maybe adding a 2nd domain just for the server with this share on it. Then only enterprise admins would have access to that other domain, so only they could see that share. Is there an alternative to something this drastic? Reply Why not simply install the server out of the domain completely and use it's local accounts? Regards Peter Jessop ;Arial;Confidentiality: The contents contain privileged and/or confidential information intended for the named recipient of this email. CVGT does not warrant that the contents of any electronically transmitted information will remain confidential. If the reader of this email is not the intended recipient you are hereby notified that any use, reproduction, disclosure or distribution of the information contained in the email is prohibited. If you receive this email in error, please reply to us immediately and delete the document. Viruses: It is the recipient/client's duties to virus scan and otherwise test the information provided before loading onto any computer system. No warranty is made that this material is free from computer virus or any other defect or error. Any loss/damage incurred by using this material is not the sender's responsibility. CVGT's entire liability will be limited to resupplying the material. Please contact us at www.cvgt.com.au <http://www.cvgt.com.au> for further information regarding this disclaimer. Confidentiality: The contents contain privileged and/or confidential information intended for the named recipient of this email. CVGT does not warrant that the contents of any electronically transmitted information will remain confidential. If the reader of this email is not the intended recipient you are hereby notified that any use, reproduction, disclosure or distribution of the information contained in the email is prohibited. If you receive this email in error, please reply to us immediately and delete the document. Viruses: It is the recipient/client's duties to virus scan and otherwise test the information provided before loading onto any computer system. No warranty is made that this material is free from computer virus or any other defect or error. Any loss/damage incurred by using this material is not the sender's responsibility. CVGT's entire liability will be limited to resupplying the material. Please contact us at www.cvgt.com.au for further information regarding this disclaimer
<<attachment: winmail.dat>>
