Strange Scenario for Administrator Security Rights



We have a new employee coming in at our office. I need him to be able to manage everything from Active Directory/DHCP/DNS to GPO editing and installing applications and everything a domain admin can do, EXCEPT be able to have access to the user files on the file server.

Is there any setup I can have that can make this possible?

Dude, if he has domain admin rights, there are so many ways he could get access to those files. If you do not list his account, he could just add it, or if need be, change the password on the account that does have permission and use that to access, etc., etc.

If you trust this guy to admin your network - but not look at user files, why are you hiring him?

Edit: about the only way I can think of off the top, is to encrypt the files. But even then, if he wanted to, he more than likely could get them decrypted, either by access to the users' private keys, or keyloggers on their machines to find the passwords to decrypt, etc., etc.

Well, we don't want to give him domain admin. We want to give him enough rights to work on Active Directory and do things that maintain the servers, just not give him access to the files on the file server.

Dude, if he is your AD admin, that kind of makes him your Domain Admin, does it not? Again, why exactly are you hiring a guy to ADMIN your AD and the servers, but you do not trust him to NOT look at user files?

That makes NO sense whatsoever.

Edit: is he going to have physical access to the servers? Well, you might as well put a guard on him then, since all security goes out the window if you have physical access ;) He could just take the drives that store the user files on them, or just the backup tapes, then he could take all the time he needs to decrypt the files and look at any user file he wants.

Just delegate control of the OUs that he is going to be modifying. Also the "Group Policy Creator Owners" group can modify the group policy objects for the domain.

I wouldn't even let him term serv into the server(s); rather, install the admin pack for 2003 on his workstation.
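The delegation suggested above, written out as an added example (not code from anyone in this thread): it grants a dedicated group create/delete and full-control rights over user, computer and group objects inside one OU, so the new hire never needs Domain Admins membership. The OU distinguished name and group name are assumed placeholders.

```powershell
# Added example, not from the thread. Assumed names: the OU DN and the group
# name are placeholders; adjust them to your own directory.
Import-Module ActiveDirectory

$ouDN      = 'OU=Branch Users,DC=example,DC=com'   # assumed OU to delegate
$groupName = 'Delegated-BranchUsers-Admins'          # assumed delegation group

# 1. A dedicated security group holds the delegated rights (never a user account).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue)) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                -Description "Delegated admin for $ouDN"
}
$sid = (Get-ADGroup -Identity $groupName).SID

# 2. Resolve the schema GUIDs of the classes being delegated instead of hard-coding them.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = @{}
Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName, schemaIDGUID `
    -LDAPFilter '(&(objectClass=classSchema)(|(lDAPDisplayName=user)(lDAPDisplayName=computer)(lDAPDisplayName=group)))' |
    ForEach-Object { $classGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }

# 3. Build the ACEs: create/delete children of each class anywhere under the OU,
#    and full control over existing objects of that class (inherited only by them).
$acl          = Get-Acl -Path "AD:\$ouDN"
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$fullControl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descendants  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

foreach ($class in $classGuid.Keys) {
    # ObjectType = class GUID: may create/delete child objects of this class only
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $createDelete, $allow, $classGuid[$class], $inheritAll)))
    # InheritedObjectType = class GUID: full control applies only to objects of this class
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $fullControl, $allow, $descendants, $classGuid[$class])))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Verify: list exactly what the group ended up with on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Nothing here touches the file server or any object outside the OU, which is the point; membership of the delegation group is what to review periodically, because whoever is in it holds these rights.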
