Can I exclude a directory/map from the administrator? 2

[sergepille]

Hi all,

As a newbee I have installed a SBS-2003 Server. After a lot of reading, all works very well.

My company has hired a technical engineer, who i would like to give access to the server for complete support and optimizing (backup/mail/monitoring/online backup/etc.)

There is a map on the server, which i would like to exclude from his eyes. (accountancy/banks/insurance)

Is this possible, even if he can login onto the Server?
Of course, this map must be included in the daily backup.

Kind Regards,

Serge Pille

 

[58sniper]

If he has Domain Admin rights, there's not much you can do. You could remove rights for the account that he uses, but he could take ownership of the folders/files and grant rights right back to himself.

You can't troubleshoot problems if you don't have access to the systems or objects that might have the problems.

Pat Richard
Microsoft Exchange MVP

 

[LWComputingMVP]

I agree. If you're not going to trust this guy, go find another who you can trust. One suggestion - make him sign a confidentiality agreement - something that says he will not review the contents of e-mail except as required to troubleshoot problems/implement solutions - anything he does see will not be divulged to others inside his company or any other.

 

[sergepille]

Thank you Pat and Lwcomputing,

I do trust him, really, and I understand your point. But people can (and do) change. The worst thing that could happen to my firm is that knowledge "escapes"...
is there a possibilty to have f.e. a password on this directory?

I could transfer the dir to my computer, but then there is no raid, no daily backup, etc.

You also work in a company, as IT i suppose? How does your CEO react to the fact you have the possibility to see all confidential documents?

Anyway, if there is no solution, then so be it. But if there is a way, I would surely implement it.

Kind Regards,

Serge Pille

 

[58sniper]

CEOs and management generally understand the point I made above - that to support something, you have to have access to it.

Pat Richard
Microsoft Exchange MVP

 

[LWComputingMVP]

I used to work for a company with 1000 people as THE windows admin. It was understood that most of the IT staff had access to EVERYONE'S files. Such staff was not immediately given access, but eventually, most had it. It was necessary for backup and troubleshooting.

It was generally expected that anyone who was granted these rights first (when they are hired) had to have their references check out and second, they had to work there and demonstrate a certain level of trustworthiness. Otherwise, the prevailing understanding and thought was "if you can't trust your admins, they shouldn't be your admins". It was also understood that if you provide a good working environment, there's no reason for their relationship and respect for you to change. People are remarkably understanding and loyal when you are honest with them. At least, that's been my experience. And of course, there are ALWAYS exceptions...

 

[markdmac]

First I think you need to ensure that the admin is logging in with a specific and not generic admin ID. You can then use an intelligent login script (faq329-5798) to prevent them from getting a drive mapping to the data.

Make sure that the share to the data is a hidden share and bury the folder in a few layers of subfolders to prevent accidental browsing and to lower temptation.

As has been well expressed, nothing will prevent an admin from gaining access to such files if they want/need to.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.