Permission access for executive user on Active Directory

Nana Sutisna 86 Reputation points
2021-06-22T02:22:23.613+00:00

Hi All,

Domain Admins can manage all computers in an Active Directory environment, including the computers that belong to executive users. If they want, Domain Admins can access all files on an executive user's computer. In addition, domain admins can access executive users' files on the file server by taking ownership.
How can we prevent domain admins from doing that?
Or could you share best practices for implementing permissions for executive users in an Active Directory environment?

Thanks,
Nana Sutisna


4 answers

  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-06-22T08:14:26.497+00:00

    Hello @Nana Sutisna ,

    Thank you for posting here.

    Q: How can we prevent domain admins from doing that? Or could you share best practices for implementing permissions for executive users in an Active Directory environment?
    A: Based on my knowledge, we may not be able to achieve this requirement by setting file or folder permissions, because any permission that a normal domain user can set can also be set by a domain admin.

    You can try EFS or BitLocker (BitLocker may be more suitable for laptops).

    The Encrypting File System, or EFS, provides an additional level of security for files and directories. It provides cryptographic protection of individual files on NTFS file system volumes using a public-key system.

    For more information about EFS, please refer to the links below.

    File Encryption
    https://learn.microsoft.com/en-us/windows/win32/fileio/file-encryption

    Encrypting File System
    https://en.wikipedia.org/wiki/Encrypting_File_System

    Please understand the EFS function in detail first, and then use it if you need it.

    Hope the information above is also helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

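The EFS protection suggested in the answer above is only as strong as its coverage and its recovery agents. The following PowerShell script is an added example, not code from this thread or from Microsoft: it audits an executive user's folder, flags files that do not carry the EFS Encrypted attribute, and for encrypted files uses `cipher.exe /c` to list which accounts and which recovery certificates can decrypt them. The folder path is a constructed sample, and the `cipher /c` section headers ("Users who can decrypt:", "Recovery Certificates:") are assumed to match those printed by current Windows versions.

```powershell
# Added example (not from the thread): audit EFS coverage of a folder and
# report who can decrypt each encrypted file. A recovery agent listed under
# "Recovery Certificates" can decrypt the file without the owner's key, so
# that list is the first thing to check when the goal is keeping admins out.
param([string]$Path = 'C:\Users\ExecUser\Documents')   # constructed sample path

function Get-EfsDecryptors {
    param([string]$File)
    # cipher /c prints the users and recovery certificates for one file in
    # two indented sections, each ended by a blank line (assumed layout).
    $section = $null
    $result  = @{ Users = @(); Recovery = @() }
    foreach ($raw in (& cipher.exe /c $File 2>&1)) {
        $line = "$raw"
        if     ($line -match '^\s*Users who can decrypt:')      { $section = 'Users' }
        elseif ($line -match '^\s*Recovery Certificates:')      { $section = 'Recovery' }
        elseif ($line -match '^\s*$')                           { $section = $null }
        elseif ($section -and $line -notmatch 'thumbprint')     { $result[$section] += $line.Trim() }
    }
    return $result
}

$report = Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The Encrypted attribute is the authoritative sign that EFS covers a file.
        $isEncrypted = ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
        $who = if ($isEncrypted) { Get-EfsDecryptors -File $_.FullName } else { $null }
        [pscustomobject]@{
            File           = $_.FullName
            Encrypted      = $isEncrypted
            CanDecrypt     = if ($who) { $who.Users    -join '; ' } else { '' }
            RecoveryAgents = if ($who) { $who.Recovery -join '; ' } else { '' }
        }
    }

# Unencrypted files remain readable by anyone who can take ownership;
# encrypted files are still readable by whoever holds a listed recovery key.
$report | Sort-Object Encrypted | Format-Table -AutoSize
```

Run it as the executive user (or an account with read access to the folder) on the machine or share in question; files listed with `Encrypted` set to `False`, or with a domain recovery agent under `RecoveryAgents`, are the ones the permission model alone does not protect.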

  2. ErazerMe 46 Reputation points
    2021-06-22T15:54:24.16+00:00

    Hello @Nana Sutisna

    We had the same topic. Nearly all week we had discussions like "IT administrators can see all data, including the data of the GM, CIO, ...".
    To ensure that we (IT administrators) are still able to handle all data (backup, moving, ...) but not able to read the content of the data, we implemented the third-party software LanCrypt.
    Here is the link to the software: Conpal LanCrypt


  3. Nana Sutisna 86 Reputation points
    2021-07-01T03:13:24.497+00:00

    Hi,

    Thanks for the reply, and I'm sorry for the late reply.
    So the best solution is to use third-party software, because the domain admin has full rights to resources in Active Directory, isn't it?
    The maximum that Active Directory can do is to remove the domain admin from the resources (e.g. shared folders, computers, etc.) owned by the executive user, although the domain admin can still get in by taking ownership, isn't it? Or is there a better way than that without using third-party software?

    Regards,
    Nana Sutisna


  4. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-07-01T06:52:07.62+00:00

    Hello @Nana Sutisna ,

    Thank you for your update.

    So the best solution is to use third-party software, because the domain admin has full rights to resources in Active Directory, isn't it?
    A: Domain admins have full rights to resources in Active Directory.

    The maximum that Active Directory can do is to remove the domain admin from the resources (e.g. shared folders, computers, etc.) owned by the executive user, although the domain admin can still get in by taking ownership, isn't it?
    A: Yes, a domain admin can still get in by taking ownership of the domain resource.

    Or is there a better way than that without using third-party software?
    A: If there is such third-party software and it can meet your requirements, you can try it if needed.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

