Even if file permissions are set on a document, other domain administrators will still have full access to that...
document. The same goes for Group Policy Objects (GPO) in Active Directory. GPOs can be set to restrict access to objects, like documents, to a fairly high degree of granularity. But, again, that won't stop a domain administrator.
There are a few workarounds. One option might be something old-fashioned: put confidential documents on a separate network or on a workstation. Another possibility is to create a separate group for the other three administrators that doesn't have full administrative rights. These users would have to use either "sudo" for Linux or "runas" for Windows. These commands restrict administrative access for particular users for particular functions.
Again, for only four domain administrators, your options are limited, and the best course might be just to keep your confidential documents off the network on an isolated workstation.
For more information:
Dig Deeper on Enterprise Data Governance
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ...continue reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ...continue reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.