NanaSutisna-7928 asked DaisyZhou-MSFT commented

Permission access for executive user on Active Directory

Hi All,

Domain Admins can manage all computers that are in the Active Directory environment, including the computers that belong to executive users. If they want, Domain Admins can access all files on an executive user's computer. Other than that, a domain admin can access an executive user's files on the file server by taking ownership.
How can we prevent domain admins from doing that?
Or could you share best practices for implementing permissions for executive users in an Active Directory environment?

Thanks,
Nana Sutisna

windows-active-directory

Hello @NanaSutisna-7928,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @NanaSutisna-7928,
I just want to confirm the current situation.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered

Hello @NanaSutisna-7928,

Thank you for posting here.

Q: How to protect domain admin can do that? Or could you share me best practice to implement permission for executive user on active directory environment?
A: Based on my knowledge, we may not be able to achieve this requirement by setting file or folder permissions, because the permissions that normal domain users can set can also be set by domain admins.

You can try EFS or BitLocker (BitLocker may be more suitable for laptops).

The Encrypted File System, or EFS, provides an additional level of security for files and directories. It provides cryptographic protection of individual files on NTFS file system volumes using a public-key system.

For more information about EFS, please refer to links below.

File Encryption
https://docs.microsoft.com/en-us/windows/win32/fileio/file-encryption

Encrypting File System
https://en.wikipedia.org/wiki/Encrypting_File_System

Please understand the EFS function in detail first, and then use it if you need it.

Hope the information above is also helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
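
As an added example (not part of the original answer), this PowerShell sketch encrypts a folder with EFS as the signed-in user and then checks what the thread is really asking about: which certificates, including any data recovery agents set by domain policy, can decrypt each file. The folder path is a placeholder.

```powershell
# Added example. Run as the executive user who owns the data, not as an admin.
$folder = 'C:\ExecData\Confidential'    # hypothetical path, adjust before use
$efsOid = '1.3.6.1.4.1.311.10.3.4'      # Encrypting File System EKU

# 1. Encrypt the folder and everything beneath it with the current user's key.
#    /e = encrypt, /s: = apply to the directory, its subdirectories and files.
cipher.exe /e /s:"$folder" | Out-Null

# 2. Verify coverage: any file still missing the Encrypted attribute was
#    skipped (in use, access denied, compressed, and so on).
$files = Get-ChildItem -LiteralPath $folder -Recurse -File -Force
$plain = $files | Where-Object {
    -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
}
if ($plain) {
    Write-Warning "Not encrypted: $($plain.Count) file(s)"
    $plain | Select-Object -ExpandProperty FullName
}

# 3. Show who can decrypt. cipher /c prints the users and the recovery
#    certificates attached to a file. Every recovery certificate listed
#    belongs to someone other than the owner who can still read the data.
$sample = $files | Select-Object -First 1
if ($sample) { cipher.exe /c "$($sample.FullName)" }

# 4. Confirm the user holds an EFS certificate with its private key. Losing
#    that key without a backup makes the files unreadable for the owner too.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
}
if (-not $efsCerts) {
    Write-Warning 'No EFS certificate with a private key in the user store.'
} else {
    $efsCerts | Select-Object Subject, Thumbprint, NotAfter
}
```

If step 3 lists a recovery certificate held by an administrative account, EFS alone does not keep that account out of the files.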

ErazerMe answered HoppnerMichael-8149 commented

Hello @NanaSutisna-7928

We had the same topic. Nearly all week we got discussions like "IT-Administrators can see all data, including data of GM, CIO,..".
To ensure that we (IT-Administrators) are still able to handle all data (backup, moving,..) but not able to read the content of the data, we implemented the third-party software LanCrypt.
Here is the link to the software: Conpal LanCrypt



Hello @AndyMeboldt,

Thank you so much for your reply and sharing.

Hope it is also helpful to NanaSutisna-7928 and people with similar topic.

Thank you again for your help.


Best Regards,
Daisy Zhou


Hi everybody,
if you're interested in a chat about said solution (conpal LAN Crypt), please reach out to me - I'll gladly walk you through the functionality and/or options.
Kind regards,
Michael
Lead Communications at conpal GmbH

NanaSutisna-7928 answered

Hi,

Thanks for the reply, and I'm sorry for the late reply.
So the best solution is using third-party software, because the domain admin has full rights to resources in Active Directory, isn't it?
The most that Active Directory can do is to remove the domain admin from the resources (e.g., shared folders, computers, etc.) owned by the executive user, although access can still be gained by the domain admin taking ownership, isn't it? Or is there a better way other than that without using third-party software?


Regards,
Nana Sutisna

DaisyZhou-MSFT answered

Hello @NanaSutisna-7928,

Thank you for your update.

So the best solution is using third party software, because the domain admin has full rights to resource on active directory, isn't it?
A: Domain admin has full rights to resource on active directory.

The maximum capability that active directories can do is to eliminate the admin domain on the resources (e.g: share folder, computer, etc) owned by the executive user, although it can still be done by taking owner by domain admin, isn't it?
A: Domain resource can still be done by taking owner by domain admin

or is there a better way other than that without using a third party software?
A: If there is such third-party software and it can meet your requirements, you can try it if needed.


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
