Granting access to NTFS drive

  • Thread starter Thread starter Adeel
  • Start date Start date
A

Adeel

Hello all.

I have a portable NTFS formatted harddrive. I replaced the default
'everyone' access with 'my computer\administrator' access while the
drive was hooked up to my desktop computer (XP professional).

Now I want to allow another user (my notebook's administrator) to
access it as well. So that only my two computer's administrator users
could access the disk. My notebook has XP home edition on it. How do I
go about doing this?


TIA
Adeel
 
Adeel said:
I have a portable NTFS formatted harddrive. I replaced the default
'everyone' access with 'my computer\administrator' access while the
drive was hooked up to my desktop computer (XP professional).

Now I want to allow another user (my notebook's administrator) to
access it as well. So that only my two computer's administrator
users could access the disk. My notebook has XP home edition on it.
How do I go about doing this?

Interesting.
I'm not 100% sure this would work - but - you would need to grant everyone
their rights back first..

Then connect to machine (1) - grant the admin full rights to every
file/folder.
Then connect to machine (2) - grant the admin there full rights to every
file/folder.
Remove the "everyone" group.

Now see what happens. It could be that when looking at file/folder
permissions on one machine - you see an unknown-SID that has permissions.
If so - then the same should be true when you connect tot he other machine -
just a different unknown SID.
 
Just add administrators to the access control list. Then any administrator
[built in administrator or member of administrators group] on either
computer can access the files. --- Steve
 
Thanks for your response Shenan.

I have XP home on the second machine... and as a result there is no
security tab. So I can't grant full control to the admin account on
it.


What do I do now?


TIA
Adeel
 
Adeel said:
I have a portable NTFS formatted harddrive. I replaced the default
'everyone' access with 'my computer\administrator' access while the
drive was hooked up to my desktop computer (XP professional).

Now I want to allow another user (my notebook's administrator) to
access it as well. So that only my two computer's administrator
users could access the disk. My notebook has XP home edition on it.
How do I go about doing this?

Shenan said:
I'm not 100% sure this would work - but - you would need to grant
everyone their rights back first..

Then connect to machine (1) - grant the admin full rights to every
file/folder.
Then connect to machine (2) - grant the admin there full rights to
every file/folder.
Remove the "everyone" group.

Now see what happens. It could be that when looking at file/folder
permissions on one machine - you see an unknown-SID that has
permissions. If so - then the same should be true when you connect
to the other machine - just a different unknown SID.
Thanks for your response Shenan.

I have XP home on the second machine... and as a result there is no
security tab. So I can't grant full control to the admin account on
it.

What do I do now?

I think Steven's response may work.. Give it a shot.
(Although - if you boot into safe mode - you have the security tab.)
Just add administrators to the access control list. Then any
administrator [built in administrator or member of administrators
group] on either computer can access the files. --- Steve
 
I think Steven's response may work.. Give it a shot.
(Although - if you boot into safe mode - you have the security tab.)

Thanks Shenan... booting into safe mode did the trick. It got me the
security tab. And the rest of the process was just the way you said it
would be.


Thanks again for your help
Adeel
 
Adeel said:
Hello all.

I have a portable NTFS formatted harddrive. I replaced the default
'everyone' access with 'my computer\administrator' access while the
drive was hooked up to my desktop computer (XP professional).

Now I want to allow another user (my notebook's administrator) to
access it as well. So that only my two computer's administrator users
could access the disk. My notebook has XP home edition on it. How do I
go about doing this?


TIA
Adeel
Try the FaJo XP File Security Extension (XP FSE)
It's free and gives XP Home (Prof and w2k) a security tab.

http://www.fajo.de/portal/index.php?lang=en&option=content&task=view&id=6&Itemid=47


Sjoerd Visser
 
The access control list is where you manage permissions via the security tab
by adding users/groups and giving them the needed permissions and per
response to Shenan it sounds like you all ready have done it. --- Steve
 
Yes, I have successfully resolved the original problem.

Now the trouble is that every administrator can modify the permissions
and grant himself access via the same procedure (although I just
granted access to two specific accounts, one on each machine. And
removed the everyone group).

Is there any way I could restrict access to just two specific
administrator users... and disallow everyone else (including other
administrators) from granting themselves the access?


TIA
Adeel
 
Adeel said:
Yes, I have successfully resolved the original problem.

Now the trouble is that every administrator can modify the
permissions and grant himself access via the same procedure
(although I just granted access to two specific accounts, one on
each machine. And removed the everyone group).

Is there any way I could restrict access to just two specific
administrator users... and disallow everyone else (including other
administrators) from granting themselves the access?

If you added the specific usernames (and they were not the default
"administrator") and not the group (administrators) <- then only those
usernames will have access. However - anyone with admin rights on a machine
owns it.. They can TAKE ownership away and give themselves rights.
 
If you added the specific usernames (and they were not the default
"administrator") and not the group (administrators) <- then only
those usernames will have access. However - anyone with admin
rights on a machine owns it.. They can TAKE ownership away and give
themselves rights.


I suppose this is what is happening... ownership transfer. I did grant
access to specific administrator users only (not the admin group, not
the default account).

A new admin cannot directly open the disk but they can grant
themselves the access by opening the security tab and adding
themselves.

I suppose there's no way to keep that from happening?


Thanks for all your help
Adeel
 
Adeel said:
I suppose this is what is happening... ownership transfer. I did grant
access to specific administrator users only (not the admin group, not
the default account).

A new admin cannot directly open the disk but they can grant
themselves the access by opening the security tab and adding
themselves.

I suppose there's no way to keep that from happening?


Thanks for all your help
Adeel
Nope ;)
 
You can use Group Policy to hide the security tab [user
configuration/administrative templates/Windows components/Windows Explorer]
,deny the user access to the command prompt and registry editing, and remove
administrators from the user right for take ownership of files and that will
dissuade most users but a skilled administrator will be able to find a way
to undo the restrictions if they want to. That does not mean it is not
worth trying though. --- Steve
 
Thanks Steve,

Actually, the disk in question is an external portable disk... so any
restrictions I apply on my computers would be limited to them. And
when if I hook it up to someone else's machine, their settings would
take effect. Right?

But of course, you're right... this doesn't mean I should leave it all
wide open on my personal machines.
 
In that situation you are correct and any user that is a local administrator
on another computer could access those files. The only way to keep such
files confidential would be to use encryption such as the built in EFS
encryption in XP Pro. EFS encryption should not be used however unless you
know all the hazards of it and how to backup your EFS private key to a
password protected .pfx file or you could loose permanent access to your own
files. --- Steve


Adeel said:
Thanks Steve,

Actually, the disk in question is an external portable disk... so any
restrictions I apply on my computers would be limited to them. And when if
I hook it up to someone else's machine, their settings would take effect.
Right?

But of course, you're right... this doesn't mean I should leave it all
wide open on my personal machines.


--
Thanks for all your help
Adeel



Steven L Umbach said:
You can use Group Policy to hide the security tab [user
configuration/administrative templates/Windows components/Windows
Explorer] ,deny the user access to the command prompt and registry
editing, and remove administrators from the user right for take ownership
of files and that will dissuade most users but a skilled administrator
will be able to find a way to undo the restrictions if they want to.
That does not mean it is not worth trying hough. --- Steve
 
Thanks a ton Steve... your suggestions and help has been invaluable to
me. I *really* appreciate it...

I guess EFS would probably be overkill in my situation. I don't have
anything super-secret on my disk. I'll stick to the basic stuff for
now...


Thanks again.

Cheers
Adeel
 
Back
Top