[jeffnorem]

Hello,

I know there is usually an inherent trust of a companies administrator group. I work for a very large corporation (100+ admins) and am in charge of security compliance intiatives. I have a folder that has very sensitive bank auditing information and I want to make sure that only my team can access/change these docs.

It has been awhile since I did any special access permissions etc.. so I was wondering if someone could help me figure out if I could use special permissions (possibly the deny attribute) to set it up so administrators can change/add/edit user access, but not actually view or modify the files and sub-folders without changing permissions?

any help would be appreciated..
thanks

[Elvandil]

I don't think that we can help you since you are asking us to help you override an admin.

But you might consider simple, non-NTFS encryption.

[jeffnorem]

First I want to point out that this is not an question of me trying to be unethical, I do not have the desire or rights to set this myself, my request would go through to our adminstrators to set this up. I am just looking to have some knowledge to provide them a possible solution to do what I am asking.

The justification pretty much explains itself, this is information that general server operators or domain admins do not need to view, and they still would have all rights to controlling new/changed access to the folder, I would still have none. I am not trying to overide and admin

thanks for your help

[Elvandil]

Then I guess I don't fully understand what you are trying to accomplish. You want to prevent the admins from having access to the files, but you plan to enlist their aid in accomplishing this? I'm not trying to be sarcastic or argumentative, but I am really unclear about what you are trying to do.

Maybe if you could give an example of how not having this set up has resulted in a problem and what the problem was?

[1002richards]

Hi,
My employer of 100,000 has 'Admins' who are totally trusted (they have to be!). Ten of us across the country needed a shared drive. The Admins set this up and we chose the passwords. Sure, they can access it but there's an audit log of who did what & when. Surely something like that would suffice? If you can't trust the Admins ... or as the Romans said "Who guards the guards?" (Sorry I don't know the Latin!)

Richard

[DotHQ]

Yes this can be done a number of ways. Password protecting and encrypting the files or a product such as 'source safe' which locks up the files and even keeps multiple versions of the file in case you need to backtrack.
However, password protecting with encryption would appear the safest to me.