I encountered a problem when trying to create a folder share on an NTFS volume on a Windows 2003 R2 instance:

The account used for administration should - due to the sensitivity of the data - not be allowed to access the folder itself or the files therein. That access is to be restricted to the owner of the data.

But alas, as I found out, at least "List folder/read data" permission is required to be able to create a share!

So, to achieve my goal, I would have to either

  • grant the admin account permission to read the data or
  • grant the user account permission to access the containing folder to be able to create the share.

Or is there a third option I am missing?

I'm with Monica

1 Answer

If you are speaking about a "real administrator" (e.g., someone included in the "Administrators" group), you will have a hard time doing that.

I don't think you can prevent administrator access to some files: even if you configure the ACLs to deny access, the administrator can always change the ACLs themselves.

Even the second approach (letting the user create the subfolder themselves) is open to a "curious" administrator as, again, nothing can stop a real admin from reading/writing any file.

If you are talking about a "share admin" but not really a machine-wide administrator, the second approach can work, though.

shodanshok