Re: customized administrator privileges
- From: "Cary Shultz" <cshultz@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 4 Apr 2008 04:15:59 -0400
Congrats on the new job.
Sidenote: with SBS - which is a totally different animal from the 'regular'
version of Windows Server - know one thing: use the wizards. Pretty much
for everything. And, when you join a computer account object to the domain
do it the "SBS-way" - open up IE on the client computer and enter
http://servername/ConnectComputer.
There are a lot of neat things about SBS2003....like RWW (Remote Web
Workplace).....that take a bit of time to get to know and figure out how
they work. You could have years of experience with 'regular' Windows and
really, essentially, be a rookie when you walk into the SBS2003 world. I
have been doing SBS2003 for a bit more than one year now (managed several
SBS environments a few years ago...but that was a few years ago and
SBS2000)...and I am still learning some of the things that SBS has to offer
(usually when there is a problem.....).
Anyway, this is - from a technical point - an NTFS/Share issue. You could
set things up so that only GroupA (the A could stand for many things....I am
going to go with 'Anal' in this case...although my other choice is pretty
close to that!) has access to it. But, when there is a problem what are you
going to do? And, backup? What about that?
As everyone has either directly stated or alluded to....the real issue is
trust: either they trust you or they do not. If they do not - no offense -
then they should fire you and hire someone they trust. There are several
potential problems with that, though. Especially from your vantage point,
right! If they are going to hire someone from the outside, how do they
trust that person (you, for example)? And, if they are going to "hire"
someone from the inside, is that person qualified to run a network? The
usual answer to that question is absolutely not! Just because personA can
make pretty pivot tables in MS Excel does not mean that personA can do
anything with a Firewall, let alone Active Directory or maybe this little
application called Exchange 2003.
As a consultant, I run into this issue all the time. Just look them in the
eye and tell them point blank - "look, either you trust me or you do not.
If you do, we never need to have this conversation again. If you don't,
well, then you need to find someone else. If me signing a document of
confidentiality helps you to trust me then I will gladly sign it. If you
want me to sign a document in which I agree to not access certain folders
without "personA's" prior consent - except in the case of emergency - I will
gladly. If that is not going to work then you need to find someone else.
Because I am not interested in this conversation again!"
That is always going to be in the back of people's minds.....are they
reading my e-mail? are they looking at my My Documents? I can honestly
say that save one time I have never done that. That one time was I looked
at someone's e-mail without their prior knowledge -AND- I did not tell that
person that I did this. But, there was a very specific (non-personal)
reason for doing that. And that happened some seven years ago. It is just
something that you can not do. For a whole lot of reasons. Once you do it
you just slipped on that very slippery slope. I have accessed people's
e-mail in the recent past without their prior knowledge but immediately
told him - via e-mail (so that there was a paper trail...for both sides!) -
five seconds after I did that. Again, in that case there was a very
specific business reason for doing that. And, not really something that
could have waited until the next morning to call him to see if he received
the e-mail (this particular client of ours was having issues receiving
e-mails from a specific company and my contact was the person who pretty
much was that other company's contact). I was working with the other
company who was sending him e-mails after I had done a couple of things...I
needed to verify that what I had done worked...it did. But we needed to
verify. It was after hours...I knew this particular person's password so I
hopped onto OWA, saw that the e-mail was there - in the Inbox - and
immediately logged out. End of story. And then sent him an e-mail letting
him know what I had done. There was really no need to send him that e-mail.
He would have never known. Or would he? But, that does not really matter.
Tell them upfront and be done with it. It all goes back to what? Trust.
Which is where we started, right?
Anyway, I would not want to work someplace where they do not trust me. If
trust is not there -AND/OR - if trust does not "get there" in the immediate
future then you need to find another job. Again, no offense intended to
you. You really do not want to work in an environment where someone is
always watching what you are doing (and in a very distrustful manner
usually). I can only assume that it is not pleasant. I was once on the
"watching" side....that is not really all that pleasant. I can't imagine
being on the other side of that.
Anyway, stand tall, look 'em in the eye and be done with it - one way or the
other.
Cary
"cjupiter" <cjupiter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0BB7307A-BF1B-4F95-84CD-3E4FCD908904@xxxxxxxxxxxxxxxx
Hi,
I have started working at a new company as the IT administrator.
The SBS Server is used as the file server and there is a particular folder
with accounting info that the manager would prefer to be off limits to
everyone including the IT administrator, me.
Is there any way of setting up an administrator account that has every
privilege an administrator has except having the power to take ownership
of a particular folder which in this case would be the 'accounts' folder.
Or could there be another way of satisfying the manager's security
insecurities.