Saucer said:
How can I prevent admin users from seeing and accessing other admin
My Documents folders? I am using XP Pro SP2 and they are listed in
Explorer in My Computer.
M.I.5¾ said:
Turn off simple file sharing and use the 'Security' tab under
properties to set who can access what. But whatever you do, make
sure that at least one admin account can see everything (preferably
the default 'Administrator' account).
Won't change anything. Any local administrator can access all files,
even if you setup NTFS Permissions - an Administrator is considered
GOD on computers and can access anything.
M.I.5? said:
That plainly isn't true. I have set up my folders so that my other
half can't see my files. Both are administrator accounts because
we both run applications that won't work under limited accounts.
First off - there are very few applications that truly require you to have
full administrative rights on a computer in order to run properly. This is
not to say that there are none (there are some I can think of by Intuit that
make it quite difficult for no apparent reason) or to say that it is an
*easy* endeavor to figure out what you need to change in order to run said
applications without administrative rights. In fact - it usually requires
the use of RegMon and FileMon on the more difficult cases. On the easy
ones - you simply change the NTFS permissions on the installation directory
to allow "users" full rights to that given folder and perhaps find the
applications registry keys and do the same.
Secondly - you have done nothing *really* to prevent your "other half" from
seeing your files. If you are both system administrators and you are not
using some form of encryption, compression with a password or a third party
application - then that other administrator can take ownership of your files
whenever they please and see everything you have - and unless you go
checking file/folder permissions every time you use the computer - you may
never know they did it.
I gave this example in this very conversation already, but I will give it
again here. Think of it this way...
You go into an office building and rekey all the rooms on a given floor.
Each door has a key that works only on that door. However - for safety,
security and other reasons (janitorial, maintenance, etc) - you also have a
master key made up that fit all the doors.
What you have done (by making everyone administrator level on a given
machine) equates to you handing everyone a copy of the master key. Now -
you can go by the *hope* that if you don't TELL them they have the master
key, they won't ever find out and everything will be fine (or even if they
find out, they'll be honest and not use it) - or you can do the wise thing
and give each of them their own specific door key and nothing more.
So yes - you could make it where each user only sees THEIR "My Documents"
folder in Windows Explorer/My Computer (meaning a list of shared/my
documents folders is not visible by default) - but all you have done is
*not* tell them they all have "master key" and they can just go into
"%SystemDrive%\Documents and Settings\" and pretty well do what they want -
whether or not they know it - yet. ;-)
You can even go in with each user and change the rights on the folders for
that user so that only that user has access... However - since they all
have the equivalent of the master key - they can get around that too...
How to Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/kb/308421
Read *carefully* - do not just skim the page and start following steps.
There is important information there dependent on the version of Windows XP.
What you have done is no more than wishful thinking. You are thinking that
your 'other half' will not (or cannot) figure out how they can obtain access
to your files (and perhaps before now, even the reversal.) As the knowledge
base article above shows, however, with just a few clicks you can take
ownership of a file that you do not have access to and change the
permissions so that you do have access to it. You can even make sure the
other person has full access to it as well - so that *at a glance*,
everything is fine. You could even take ownership, change permissions, look
at what you want and change everything back to the way it was so it does not
even look suspicious *if* the user happens to know what you do and they
check to see if the permissions have been changed. All because you are an
administrative level user on a computer you share with someone else.