What's wrong with having one or two trusted admins, and giving support personnel Power User or less status? Then they can't change anything without the permission of the Admin.
-----Original Message-----
From: Jean-François Asselin [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 01, 2001 8:13 AM
To: Nicholas & Anthony McKenzie; Security Basics
Subject: RE: Directory Security

> -----Original Message-----
> From: Nicholas & Anthony McKenzie [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 27, 2001 10:52 PM
> To: Security Basics
> Subject: Re: Directory Security
>
> Situation: Directors, CEO, and General Managers don't want
> people accessing files within their own personal home
> directories that contain confidential material such as staff
> salaries, budgets, pay reviews etc.
>
> Is it possible to (once created) NOT to allow administrative
> access or access to any group of admins to a home directory
> of a CEO/Director etc that contains such classified
> information? i.e. put a block on all people except the owner.

No. Admins can always take ownership and then change permissions.

> PS: and putting aside password protecting/encrypting files.

Sorry, but you mentioned your own solution in your own restrictions. You could use EFS and remove the recovery certificate from the certificate store, put it on a floppy, which would be kept in a secure place out of reach of admins.

You can also enable auditing, so that anyone accessing the files would be known, but a crafty admin could always disable auditing before doing it... Still, there would be traces of that.
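
The auditing point in the thread above, as an added example that is not part of the original messages: a small review script that walks exported Security log records and reports the traces an administrator leaves when taking ownership of a protected home directory or switching auditing off and on. It assumes the event IDs of current Windows versions (4719, 1102, 4663, 4670) and a simplified record layout; the path, account names and sample records are constructed.

```python
from datetime import datetime

# Assumptions (not from the thread): modern Windows Security event IDs and a
# simplified record layout. Path and account names are hypothetical.
AUDIT_POLICY_CHANGED, LOG_CLEARED = 4719, 1102
OBJECT_ACCESS, PERMISSIONS_CHANGED = 4663, 4670
PROTECTED = "d:\\home\\ceo\\"
OWNER = "corp\\ceo"

def t(hhmm):
    return datetime.strptime("2001-10-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample records, oldest first.
EVENTS = [
    {"time": t("09:00"), "id": 4663, "user": "CORP\\ceo", "object": "D:\\Home\\ceo\\salaries.xls", "access": "ReadData"},
    {"time": t("12:05"), "id": 4719, "user": "CORP\\admin1", "change": "Success removed"},
    {"time": t("12:20"), "id": 4719, "user": "CORP\\admin1", "change": "Success added"},
    {"time": t("15:30"), "id": 4663, "user": "CORP\\admin2", "object": "D:\\Home\\ceo\\budget.xls", "access": "WRITE_OWNER"},
    {"time": t("15:31"), "id": 4670, "user": "CORP\\admin2", "object": "D:\\Home\\ceo\\budget.xls"},
]

def find_traces(events, protected=PROTECTED, owner=OWNER):
    """Return (time, user, finding) tuples for the traces an admin leaves."""
    findings, audit_off = [], None
    for e in sorted(events, key=lambda e: e["time"]):
        user = e["user"].lower()
        if e["id"] == LOG_CLEARED:
            findings.append((e["time"], user, "audit log cleared"))
        elif e["id"] == AUDIT_POLICY_CHANGED:
            if "removed" in e.get("change", "").lower():
                audit_off = e["time"]  # start of a window with no object auditing
                findings.append((e["time"], user, "auditing disabled"))
            elif audit_off is not None:
                gap = e["time"] - audit_off
                findings.append((e["time"], user, f"auditing restored after {gap} unaudited"))
                audit_off = None
        elif e["id"] in (OBJECT_ACCESS, PERMISSIONS_CHANGED):
            # Only non-owner activity under the protected directory is of interest.
            if not e.get("object", "").lower().startswith(protected) or user == owner:
                continue
            if e["id"] == PERMISSIONS_CHANGED:
                findings.append((e["time"], user, "permissions changed"))
            elif "WRITE_OWNER" in e.get("access", ""):
                findings.append((e["time"], user, "take ownership"))
            else:
                findings.append((e["time"], user, "non-owner access"))
    return findings

if __name__ == "__main__":
    for when, who, what in find_traces(EVENTS):
        print(when, who, what)
```

The unaudited window between the two policy changes is itself the finding: nothing inside it is logged, so the review has to treat the whole interval as suspect.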