Restricting Admin usage on w2k servers

[mr-frosty 0]

Hi Guys

 

I have an issue where there are too many admins at work and the IT manager wants to reduce the number of admins. But the demoted guys need printer and user operator, and access to tweak and amend settings on a w2k pro workstation.

 

Unfortunately this has come about due to certain admins trawling through highly confidential info on the file servers, and this has to be stopped!!!!

 

Any help would be highly appreciated, thanking you all in advance!!

 

Rob

[Silver-Dagger 0]

If you are running a domain (active directory) then put these people in the administrator group and take them out of the domain administrator group. Next make sure domain administrators and other lower groups have access to the files on the server.

If you are not running a domain then I would just create a group on the file server, put people that need access to the files in this group and then give only that group access to the shared files. I do not know if this way will work 100%. The admins may just be able to change ownership of the share and give themself access.

[mr-frosty 0]

Hi, tried printer op, user op, and administrator!!!! and yes by changing folder permissions to ent admin, they cannot access the folder, but they can log onto the server and add themselves back, so they can open it any more ideas??? these uses still have to have admin access to workstations so thay can add them onto the domain, or change network settings etc!!!!!

[DS3Circuit 0]

Quote:

workstations so thay can add them onto the domain

Is a security policy

Delegation of Control Wizard well lock down Active Directory Access.

As silver-dagger pointed out, you can create a second global group to have local admin access to the machines, but this group to have limited domain access. Adding that global group to the local machine adminstrators group can be done through VB scripts such as addusers.vbs or again group policies.