Permission access for executive user on Active Directory

Question

Hi All,

Domain Admin can manage all computer that are in active directory environment, include the computer is belong to executive user. If they want, Domain Admin can access all file on executive user's computer. Other than, domain admin can access executive user's files on file server by taking ownership.
How to protect domain admin can do that?
Or could you share me best practice to implement permission for executive user on active directory environment?

Thanks,
Nana Sutisna

Answer 1

Hello @Nana Sutisna ,

Thank you for posting here.

Q: How to protect domain admin can do that? Or could you share me best practice to implement permission for executive user on active directory environment?
A: Based on my knowledge, we may not be able to achieve this requirement by setting file or folder permissions, because the permissions that normal domain users can set can also be set by domain admins.

You can try EFS or BitLocker (BitLocker may be more suitable for laptops. )

The Encrypted File System, or EFS, provides an additional level of security for files and directories. It provides cryptographic protection of individual files on NTFS file system volumes using a public-key system.

For more information about EFS, please refer to links below.

File Encryption
https://learn.microsoft.com/en-us/windows/win32/fileio/file-encryption

Encrypting File System
https://en.wikipedia.org/wiki/Encrypting_File_System

Please understand the EFS function in detail first, and then use it if you need it.

Hope the information above is also helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 2

Hello @Nana Sutisna

we had the same topic. Nearly all week we got discussions like "IT-Adminstrators can see all data, including data of GM, CIO,..".
For ensuring that we (IT-Administrators) are still able to handle all data (backup, moving,..) but not able to read the content of the data, we implemented the third-party-software LanCrypt.
Here is the link of to the software: Conpal LanCrypt

Answer 3

Hi,

Thanks for reply, and I'm sorry for late reply.
So the best solution is using third party software, because the domain admin has full rights to resource on active directory, isn't it?
The maximum capability that active directories can do is to eliminate the admin domain on the resources (e.g: share folder, computer, etc) owned by the executive user, although it can still be done by taking owner by domain admin, isn't it? or is there a better way other than that without using a third party software?

Regards,
Nana Sutisna

Answer 4

Hello @Nana Sutisna ,

Thank you for your update.

So the best solution is using third party software, because the domain admin has full rights to resource on active directory, isn't it?
A: Domain admin has full rights to resource on active directory.

The maximum capability that active directories can do is to eliminate the admin domain on the resources (e.g: share folder, computer, etc) owned by the executive user, although it can still be done by taking owner by domain admin, isn't it?
A: Domain resource can still be done by taking owner by domain admin

or is there a better way other than that without using a third party software?
A: If there is such third party software and it can meet your requirements and you can try if needed.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.