Prevent Admin from taking ownership of a folder and its contents?

    Question

  • Is there a way, via NTFS or other permissions, that I can prevent the domain admin account (or any account with domain admin rights) from taking ownership of a particular folder and its contents?

    We have an H.R. folder that should only be able to be accessed by an H.R. employee and one other trusted I.T. employee. The problem is that other I.T. employees know the domain admin username and password, and even though the domain admin account isn't in the NTFS permissions on the HR Folder, could technically access the folder by taking ownership of it with the domain admin account and changing the permissions. Is there a way to prevent this from happening?

    Thanks for any thoughts on this!

    Win Server 2008 R2 Standard


    Tuesday, July 26, 2011 4:41 PM

Answers

  • An administrator can always take ownership of a file. You need an alternative solution such as encrypting the file or storing the data on a standalone system with its own security.

    • Proposed as answer by Techboat Friday, July 29, 2011 8:34 PM
    • Marked as answer by James ZouModerator Tuesday, August 02, 2011 1:21 AM
    Tuesday, July 26, 2011 9:33 PM
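    Since the accepted answer is that ownership changes by an administrator cannot be blocked, the practical compensating control is to audit them. The following PowerShell is an added example (not from this thread) that puts a SACL on the HR folder, enables the File System audit subcategory, and reads back Security event 4670 (permissions/owner changed) for that path; the folder path is assumed.

```powershell
# Added example: detect, rather than prevent, ownership and permission changes
# on the HR folder. Assumes the path below and that the server logs Security events.
$HrFolder = 'D:\Shares\HR'   # assumed path, adjust to the real share

# 1. Audit successful Take Ownership / Change Permissions by anyone (SACL entry).
$acl     = Get-Acl -Path $HrFolder -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor `
           [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $HrFolder -AclObject $acl

# 2. Turn on the granular audit subcategory (available on Server 2008 R2).
auditpol /set /subcategory:"File System" /success:enable

# 3. Report who changed the security descriptor (owner or DACL) under the folder.
#    Event 4670 carries the old and new descriptor in SDDL, so the owner change is visible.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$HrFolder*" }
foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object  = $d.ObjectName
        OldSd   = $d.OldSd
        NewSd   = $d.NewSd
    }
}
```

    Forward the Security log to a collector the domain admins do not control, otherwise the same account that changes the ACL can clear the evidence.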

All replies

  • Hello, what you need to do is take off all rights including inheritance from the folder, and only add the HR with modify/read/write and the IT with full control. That way only the one IT employee will have full rights to take control if needed. To avoid being locked out of the folder, please add the IT employee first, then HR employees, then remove everything else. Once this is done look at the NTFS permissions to make sure only HR employees and the designated IT employee are members.
    Isaac Oben MCITP:EA, MCSE,MCC View my MCP Certifications
    Tuesday, July 26, 2011 6:21 PM
  • Hello, what you need to do is take off all rights including inheritance from the folder, and only add the HR with modify/read/write and the IT with full control. That way only the one IT employee will have full rights to take control if needed. To avoid being locked out of the folder, please add the IT employee first, then HR employees, then remove everything else. Once this is done look at the NTFS permissions to make sure only HR employees and the designated IT employee are members.
    Isaac Oben MCITP:EA, MCSE,MCC View my MCP Certifications


    Isaac,

    Thank you for the reply. I had tried this last night but tried it word for word at your suggestion and ended up with the same outcome. It locks the "domain admin" user, and all other users out of the folder (access is denied) if they browse to it, but the domain admin is still able to go to the folder on the server, right click and select properties, select the security tab (ok through the warning) go to advanced button and owner tab and then set the owner to the domain admin account. From there they can close the properties, reopen and edit the security settings as they wish since they are now the folder owner.

    Any idea how to prevent the domain admin account from being able to claim ownership of the folder, and thus allowing them to change the permissions of the folder?

    Thanks!


    • Edited by CSTGRB Tuesday, July 26, 2011 9:18 PM More descript
    Tuesday, July 26, 2011 9:17 PM
  • Hello,

    You can prevent Domain Admins from taking ownership through GPO configuration: Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, "Take Ownership of Files and other objects". Remove the groups you don't want and add the one you want. Link it to the appropriate OU, or put the server in a security group and apply only to that group.

    If your computer is not in a domain, you can configure this in the local server policies.


    Isaac Oben MCITP:EA, MCSE,MCC View my MCP Certifications
    Tuesday, July 26, 2011 9:48 PM
  • Domain admins can change whatever they want. You cannot prevent Domain admin from taking ownership.

    Hire only IT employees you can trust :).
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
    Wednesday, July 27, 2011 4:13 AM