1

In a windows 2008 R2 server with multiple administrator accounts, is it possible to create private folders (one per admin) in one drive that the other administrators cannot unlock (gain access to)?

I have tried using deny "Full control" on a folder from one account, but the other account could simply remove that restriction.

Carl R
  • 113
  • 5
  • I think you need to sort out your people problems instead of looking for a technical solution. An admin you can't trust completely shouldn't be an admin. – John Gardeniers Oct 13 '11 at 11:22
  • Captain obvious to the rescue? It's a hypotetical question that helps us with some choices regarding demo servers. – Carl R Oct 13 '11 at 12:24
  • Had you actually told us why you're trying to do what can't be done I might not have felt the need to post the obvious. – John Gardeniers Oct 13 '11 at 20:46

2 Answers2

2

No, you can't do this with permissions as any administrator has full access to the system.

You could do it using encryption (either windows builtin or 3rd party) but it would be easy for a determined admin to get your password and unlock the file so you couldn't treat it as 100% secure.

JamesRyan
  • 8,138
  • 2
  • 24
  • 36
1

As far as I know this isn't possible.

All members of the Windows "Administrators"-group have equal rights. This means that anything one of them does, can be undone by any of the others.

He may have to be a bit creative (like assinging himself to the backup-operators group) but eventually he will be able to access the folder.

Tonny
  • 6,252
  • 1
  • 17
  • 31