Domain Administrator - User Rights?
Zanthian
Mitey Worrier Icrontian
Hello All,
I have a question for any other domain administrators out there.
I am new to this role and I have hit a bump with the HR person at my company.
I have everyone on the server (except for the HR person) and their profiles backed up on the server with RAID and online backup and tape backup for data safety. Well, the issue with her is that I would have access to view employee information if she put the information on the server. She won't even let me do an install on her computer without watching me...
So, is she just more paranoid than most? How do other companies handle confidential information?
As the domain administrator, will you always have rights to access everyone's files? I know that I will have access to log onto her computer and access her files if she joins the domain. How can I make a section of files that are viewable by her and the president of the company but not to the domain administrator or any other administrative account?
What is the industry standard on this issue?
Thanks for any assistance or feedback
Comments
It's your job to manage those files and back them up, etc.
I have been in this business 20 years. And twice had situations like yours come up, and by a coincidence maybe, both were PR managers/clerks and both were fraudulently cutting themselves manual PR checks and recording them to other employees' IDs. One nailed them for almost $200,000 over a couple years. The checks to himself were small and spread out over 1200 employees. Most don't know when they get their W2s if there is an extra couple hundred bucks on there. And if the employee called to complain he got... The PR manager, who of course apologized, printed him a corrected W2 of course.
She is full of crap. The files should be stored on the server where they are backed up and managed by the IT staff. They are company property managed by the IS/IT staff they are not hers.
I would worry about her.
Tex
Install Encryption Software on her PC (and any other HR personnel). Have each of them encrypt their files with the same password. Have them store the password in a lock box in the HR department. Every 120 days, they change the password. If anyone leaves the department, change the password. Then, back up their systems as usual. You won't be able to view any of the files, but HR can. Leave them to the task of setting up the procedures for changing the password. You just maintain the backup of data and the domain.
OR... Install a tape backup system in her office. Print instructions as to how to do a backup.. then leave it be. If it dies, tell her that it's her responsibility not yours. You can't be trusted....
In most places I've seen.... Only one or two IT personnel have total rights and they make sure that the areas that are sensitive remain secure to everyone else but HR. A certain amount of trust needs to be granted to IT managers. They DO have tons of responsibilities. If the HR person cannot trust you, she needs to be able to back that up with reasons why NOT to trust you. You, on the other hand, need to display a great deal of trustworthiness. It's a balancing game... IT should have total access... It's your butt if she fries her PC and all the data gets hosed, she'll blame you anyway.
The President of the company asked the question, "What does a Microsoft or IBM do? Is there one person in that company that has access to all of the information?"
Unfortunately being new to this role I didn't have a good answer on that topic for him.
What do you guys think?
As for that question.... no company should have just one person in control of everything. Multiple people have access to data. Most EXEC. have total access and then the further down the food chain, the less info you have. HR should have HR info. Production should have copyright data access. HR should have no business looking at specs on a product and a manager of line crew shouldn't be viewing HR data on anyone but their own employees....
If only one person had access to all the data, if that person died suddenly, the system would collapse.
If she's not stealing from the company, her motivation might be to screen you from being able to see all of the employee salary data and such. Most companies are very wary of employees ever seeing such info because of jealousy, etc... but I think good data integrity is important enough to the company that they really can just get over it and let you join her to the domain.
Reasons that IT needs access to all files for the company:
1) To maintain a high level of data integrity for the entire company.
a. Backups monitored by IT and not individuals in the company.
b. To ensure access to data in case of personnel loss
2) Uphold the company policy of reviewing files on everyone’s desktops and laptops
a. Including Email and Local Disks
b. Holds everyone accountable.
Reasons not to give IT access to data:
1) Trust issues
a. Can IT or upper level Executives handle having access to sensitive data?
Disadvantages of not giving IT access to data:
1) Potential for loss of data
a. Downtime
b. Potential permanent loss of pertinent information
c. Can lead to failure of Company
Is there anything I should add to this list?
A few years back I worked on a legal DB of expert witness testimony and related files for a defense attorney assoc. All of the data was very sensitive and could have buried individuals if leaked. The whole team that I worked with needed to sign NDAs.
oops, I might have just broken my contract...
He said that I have to earn the right to view the information.
Apparently, since I am only a Systems Specialist and not a VP in the company there is no reason for me to see that information. Insert Brick wall.
I need to find solutions, such as the encryption software mentioned above, to allow them to have data that I cannot read, but that I can monitor the storage of for backup purposes.
So, Any specific links to software would be helpful...
Also, any other advice on how to implement a solution as such would be welcome.
Get them to agree that if you don't have access to the information, then you are not responsible for it, so that they can't blame you if something goes wrong...
Then, put peanut butter on the hard drive head.
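The encrypt-then-back-up arrangement discussed in this thread, as an added example that is not from any poster: it uses the OpenSSL command line and swaps the shared password for a key pair per person, so HR and the president can each open a file while IT backs up and integrity-checks only ciphertext. All names, paths and the payroll data are constructed, and the throwaway self-signed certificates stand in for properly issued ones.

```shell
#!/bin/sh
# Added example. All names, paths and the payroll data are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway key pair + self-signed certificate for one person ($1 = name).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# HR side: encrypt $1 into $2 for every certificate listed after them.
seal() {
    src=$1; dst=$2; shift 2
    openssl cms -encrypt -aes-256-cbc -binary -in "$src" -outform DER -out "$dst" "$@"
}

# Recipient side: print the plaintext of $1 using the key pair named $2.
# Exits non-zero when that person is not one of the recipients.
unseal() {
    openssl cms -decrypt -binary -inform DER -in "$1" \
        -recip "$WORK/$2.crt" -inkey "$WORK/$2.key" 2>/dev/null
}

# IT side: digest of the ciphertext, enough to verify a backup copy unread.
digest() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

for who in hr president itadmin; do make_identity "$who"; done
printf 'name,salary\nA. Example,50000\n' > "$WORK/payroll.csv"
seal "$WORK/payroll.csv" "$WORK/payroll.cms" "$WORK/hr.crt" "$WORK/president.crt"

# What IT does: copy the sealed file and confirm the copy is intact.
cp "$WORK/payroll.cms" "$WORK/backup.cms"
[ "$(digest "$WORK/payroll.cms")" = "$(digest "$WORK/backup.cms")" ] && echo "backup verified"

# What each key holder gets from the restored backup.
for who in hr president itadmin; do
    if unseal "$WORK/backup.cms" "$who" >/dev/null; then
        echo "$who: can read"
    else
        echo "$who: cannot read"
    fi
done
```

If both recipients' private keys are lost, the backups cannot be recovered by anyone, which is the gap the lock box in the suggestion above is meant to cover.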