What files, folders, and drives a domain admin can access on a client computer.

  • What files, folders, and drives a domain admin can access on a client computer.

    Can someone explain what a domain administrator, or anyone with domain administrator rights, can access on a client workstation after logging in locally or managing this computer remotely using Active Directory Users and Computers? Let's put it this way: what can a domain administrator do or not do on a client computer?
    Can we stop someone from accessing the local C:\ when they log in to a domain computer belonging to some other domain user?
    Thanks,

  • #2
    Re: What files, folders, and drives a domain admin can access on a client computer.

    No, a domain administrator has full control over the domain. That's why you should only give trustworthy people that need access the Domain Admins membership.

    I will say that you can remove the domain admins permissions from a member computer but because of the control that a domain admin has over the domain itself, they can just add themselves back.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com


    • #3
      Re: What files, folders, and drives a domain admin can access on a client computer.

      Originally posted by Raindrop
      Can someone explain what a domain administrator, or anyone with domain administrator rights, can access on a client workstation after logging in locally or managing this computer remotely using Active Directory Users and Computers? Let's put it this way: what can a domain administrator do or not do on a client computer?
      Can we stop someone from accessing the local C:\ when they log in to a domain computer belonging to some other domain user?
      Thanks,

      Not really, like JeremyW said.
      An Admin can override things.
      But, one thing you can do, is set EFS to files and folders you want to keep to yourself.
      An Admin can only open these if he is the recovery agent and most Admins are not.


      • #4
        Re: What files, folders, and drives a domain admin can access on a client computer.

        Originally posted by ASS-Ware
        Not really, like JeremyW said.
        An Admin can override things.
        But, one thing you can do, is set EFS to files and folders you want to keep to yourself.
        An Admin can only open these if he is the recovery agent and most Admins are not.

        But an admin can add themselves as an EFS agent.


        • #5
          Re: What files, folders, and drives a domain admin can access on a client computer.

          Originally posted by wullieb1
          But an admin can add themselves as an EFS agent.

          But only for files encrypted after that point in time.


          Basically, if you don't completely trust your domain admins, fire them!
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland


          • #6
            Re: What files, folders, and drives a domain admin can access on a client computer.

            Originally posted by Ossian
            But only for files encrypted after that point in time.

            Yep

            Originally posted by Ossian
            Basically, if you don't completely trust your domain admins, fire them!

            Yep again.

            Your domain admin is pretty much the top of the tree when it comes to your IT dept. If you don't trust them let them go and get someone you do trust.

            Just out of curiosity, what do you have stored that you don't want the admin to see? We have payroll DBs, personnel files, etc., and I wouldn't want to read any of the content. Doesn't interest me.
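
Post #2 notes that Domain Admins can be removed from a member computer but can simply add themselves back, so the practical control is to record when that happens. The following PowerShell audit is an added example, not part of the thread: it lists the current members of the local Administrators group and reports who added members to it, based on Security event 4732. It assumes Windows PowerShell 5.1 or later, an elevated session, and that the "Audit Security Group Management" audit subcategory is enabled on the workstation.

```powershell
#Requires -Version 5.1
# Added example (not from the thread). Run elevated on the member workstation.
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# 1. Who is a local administrator right now?
$members = Get-LocalGroupMember -SID $AdminsSid
$members | Select-Object Name, SID, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# Domain Admins is the domain SID followed by the well-known RID 512.
$domainAdmins = $members | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-512$' }
if ($domainAdmins) {
    "Domain Admins is currently a local administrator: $($domainAdmins.Name)"
} else {
    'Domain Admins is not currently a member of local Administrators.'
}

# 2. Who added members to that group, and when?
# Event 4732 = "A member was added to a security-enabled local group".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } `
                       -ErrorAction SilentlyContinue

$report = foreach ($ev in $events) {
    # Read the named EventData fields instead of relying on positional indexes.
    $data = @{}
    foreach ($node in ([xml]$ev.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    # Keep only additions to BUILTIN\Administrators.
    if ($data['TargetSid'] -ne $AdminsSid) { continue }

    [pscustomobject]@{
        Time           = $ev.TimeCreated
        AddedSid       = $data['MemberSid']
        AddedBy        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        IsDomainAdmins = $data['MemberSid'] -match '^S-1-5-21-.+-512$'
    }
}

if ($report) {
    $report | Sort-Object Time | Format-Table -AutoSize
} else {
    'No 4732 events for local Administrators found (auditing off or log rolled over).'
}
```

Because a local administrator can also clear the local Security log, this record is only dependable when the events are forwarded to a collector the domain admins do not control.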
