Admin users can see other users My Documents folders in Explorer

[Saucer Man]

How can I prevent admin users from seeing and accessing other admin My
Documents folders? I am using XP Pro SP2 and they are listed in Explorer in
My Computer.

 

[Shenan Stanley]

How can I prevent admin users from seeing and accessing other admin
My Documents folders? I am using XP Pro SP2 and they are listed in
Explorer in My Computer.

Take away their administrative rights.
Anything else you do is a kludge and can be gotten around with ease.

 

[M.I.5¾]

How can I prevent admin users from seeing and accessing other admin My
Documents folders? I am using XP Pro SP2 and they are listed in Explorer
in My Computer.

Turn off simple file sharing and use the 'Security' tab under properties to
set who can access what. But whatever you do, make sure that at least one
admin account can see everything (preferably the default 'Administrator'
account).

 

[Shenan Stanley]

How can I prevent admin users from seeing and accessing other admin
My Documents folders? I am using XP Pro SP2 and they are listed in
Explorer in My Computer.

Take away their administrative rights.
Anything else you do is a kludge and can be gotten around with ease.

Think of it this way...

You go into an office building and rekey all the rooms on a given floor.
Each door has a key that works only on that door. However - for safety,
security and other reasons (janitorial, maintenance, etc) - you also have a
master key made up that fit all the doors.

What you have done (by making everyone administrator level on a given
machine) equates to you handing everyone a copy of the master key. Now -
you can go by the *hope* that if you don't TELL them they have the master
key, they won't ever find out and everything will be fine (or even if they
find out, they'll be honest and not use it) - or you can do the wise thing
and give each of them their own specific door key and nothing more.

So yes - you could make it where each user only sees THEIR "My Documents"
folder in Windows Explorer/My Computer (meaning a list of shared/my
documents folders is not visible by default) - but all you have done is
*not* tell them they all have "master key" and they can just go into
"%SystemDrive%\Documents and Settings\" and pretty well do what they want -
whether or not they know it - yet. ;-)

You can even go in with each user and change the rights on the folders for
that user so that only that user has access... However - since they all
have the equivalent of the master key - they can get around that too...

How to Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/kb/308421

Read *carefully* - do not just skim the page and start following steps.
There is important information there dependent on the version of Windows XP.

 

[throwitout]

How can I prevent admin users from seeing and accessing other admin My
Documents folders? I am using XP Pro SP2 and they are listed in Explorer in
My Computer.

Look into encryption. XP Pro comes with EFS but if you don't make a
backup of your keys you're royally screwed if you try to recover the
data after a hard drive crash, etc. I think you also get screwed if
you reset the password from another account. Other uses will be able
to see the file names (just not access them)

Truecrypt is a free solution that will let you make encrypted
containers keeping anyone from knowing the contents.

http://www.truecrypt.org/

 

[Leythos]

Turn off simple file sharing and use the 'Security' tab under properties to
set who can access what. But whatever you do, make sure that at least one
admin account can see everything (preferably the default 'Administrator'
account).

Won't change anything. Any local administrator can access all files,
even if you setup NTFS Permissions - an Administrator is considered GOD
on computers and can access anything.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)

 

[M.I.5¾]

Turn off simple file sharing and use the 'Security' tab under properties
to set who can access what. But whatever you do, make sure that at least
one admin account can see everything (preferably the default
'Administrator' account).

That plainly isn't true. I have set up my folders so that my other half
can't see my files. Both are administrator accounts because we both run
applications that won't work under limited accounts.

 

[M.I.5?]

Won't change anything. Any local administrator can access all files,
even if you setup NTFS Permissions - an Administrator is considered GOD
on computers and can access anything.

That plainly isn't true. I have set up my folders so that my other half
can't see my files. Both are administrator accounts because we both run
applications that won't work under limited accounts.

 

[Shenan Stanley]

How can I prevent admin users from seeing and accessing other admin
My Documents folders? I am using XP Pro SP2 and they are listed in
Explorer in My Computer.

Turn off simple file sharing and use the 'Security' tab under
properties to set who can access what. But whatever you do, make
sure that at least one admin account can see everything (preferably
the default 'Administrator' account).

Won't change anything. Any local administrator can access all files,
even if you setup NTFS Permissions - an Administrator is considered
GOD on computers and can access anything.

That plainly isn't true. I have set up my folders so that my other
half can't see my files. Both are administrator accounts because
we both run applications that won't work under limited accounts.

First off - there are very few applications that truly require you to have
full administrative rights on a computer in order to run properly. This is
not to say that there are none (there are some I can think of by Intuit that
make it quite difficult for no apparent reason) or to say that it is an
*easy* endeavor to figure out what you need to change in order to run said
applications without administrative rights. In fact - it usually requires
the use of RegMon and FileMon on the more difficult cases. On the easy
ones - you simply change the NTFS permissions on the installation directory
to allow "users" full rights to that given folder and perhaps find the
applications registry keys and do the same.

Secondly - you have done nothing *really* to prevent your "other half" from
seeing your files. If you are both system administrators and you are not
using some form of encryption, compression with a password or a third party
application - then that other administrator can take ownership of your files
whenever they please and see everything you have - and unless you go
checking file/folder permissions every time you use the computer - you may
never know they did it.

I gave this example in this very conversation already, but I will give it
again here. Think of it this way...

You go into an office building and rekey all the rooms on a given floor.
Each door has a key that works only on that door. However - for safety,
security and other reasons (janitorial, maintenance, etc) - you also have a
master key made up that fit all the doors.

What you have done (by making everyone administrator level on a given
machine) equates to you handing everyone a copy of the master key. Now -
you can go by the *hope* that if you don't TELL them they have the master
key, they won't ever find out and everything will be fine (or even if they
find out, they'll be honest and not use it) - or you can do the wise thing
and give each of them their own specific door key and nothing more.

So yes - you could make it where each user only sees THEIR "My Documents"
folder in Windows Explorer/My Computer (meaning a list of shared/my
documents folders is not visible by default) - but all you have done is
*not* tell them they all have "master key" and they can just go into
"%SystemDrive%\Documents and Settings\" and pretty well do what they want -
whether or not they know it - yet. ;-)

You can even go in with each user and change the rights on the folders for
that user so that only that user has access... However - since they all
have the equivalent of the master key - they can get around that too...

How to Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/kb/308421

Read *carefully* - do not just skim the page and start following steps.
There is important information there dependent on the version of Windows XP.

What you have done is no more than wishful thinking. You are thinking that
your 'other half' will not (or cannot) figure out how they can obtain access
to your files (and perhaps before now, even the reversal.) As the knowledge
base article above shows, however, with just a few clicks you can take
ownership of a file that you do not have access to and change the
permissions so that you do have access to it. You can even make sure the
other person has full access to it as well - so that *at a glance*,
everything is fine. You could even take ownership, change permissions, look
at what you want and change everything back to the way it was so it does not
even look suspicious *if* the user happens to know what you do and they
check to see if the permissions have been changed. All because you are an
administrative level user on a computer you share with someone else.