How can I get access to files and folders on my portable drive on other computers?


Dmitry Kopnichev

Hello
How can I get access to my files and folders on my portable drive on other
computers? I do not want to give access to a Windows XP group because I
don't want Administrators of our domain to have direct access to my files
on the drive. They will not take ownership because I will see the taking.
I want to get access by a password.
 
Use a 3rd-party security/encryption software - needs to be installed on each
computer where you're using your drive
 
Owners of computers could not allow installing the software on their
computers. Can't I use Windows for a password protected access?
 
Still struggling with this, hey Dmitry?

Since you cannot install anything on the machines where this
will be used, you really need to just use NTFS.

To get it set up you will for a while have to have a grant to a
built-in group, like Users, unless you can log in as an admin on
each machine where use is needed.
1. set full control for Users on the external NTFS
then on each system where it will be used
2. set full grant to the account used on that system
when doing this
2a. the grants to accounts from other systems are known only
on the other systems and so will show up as SID strings or
as Unknown - leave them alone.
3. when you set the grant to the last account, on the last system
where this will be used, remove the grant of Full to Users
that was only needed in order to be able to make the grants
to the specific users
Whatever temporary group, like Users above, used to build
up the desired permissions must be understood on each system
so it must be a builtin group that will include the account you
log in with on each system.
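
Steps 2a and 3 of the reply above hinge on how SIDs resolve: a builtin group such as Users has the same SID on every Windows installation, while an account's SID embeds the identifier of the machine or domain that issued it, so it displays as a raw SID string anywhere else. The Python sketch below is an added illustration, not code from the thread; the issuer values, account names and machine names are constructed, and `classify` and `locked_out_without` are hypothetical helpers.

```python
import re

# Well-known SIDs have the same value on every Windows installation.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Account SIDs: S-1-5-21-<three issuer sub-authorities>-<RID>
ACCOUNT_SID = re.compile(r"^S-1-5-21-(\d+-\d+-\d+)-(\d+)$")

def classify(sid, local_accounts):
    """Return (display_name, kind) as one machine's ACL editor would show the entry."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid], "portable"
    if not ACCOUNT_SID.match(sid):
        raise ValueError(f"unexpected SID: {sid!r}")
    if sid in local_accounts:
        return local_accounts[sid], "local"
    return sid, "foreign"  # unresolvable here: shown as a raw SID, leave it alone

def locked_out_without(group_sid, acl, machines):
    """Machines that lose all access once the temporary group grant is removed."""
    remaining = {sid for sid, _ in acl if sid != group_sid}
    return sorted(name for name, accounts in machines.items()
                  if not remaining & set(accounts))

# Constructed sample data: issuer values and account names are made up.
OFFICE = {"S-1-5-21-1111111111-2222222222-3333333333-1004": "OFFICE\\dmitry"}
HOME = {"S-1-5-21-1234567890-2345678901-3456789012-1003": "HOMEPC\\dmitry"}
LAPTOP = {"S-1-5-21-1029384756-2019283746-3847561029-1001": "LAPTOP\\dk"}
MACHINES = {"office": OFFICE, "home": HOME, "laptop": LAPTOP}

# ACL on the drive after steps 1 and 2 were done on the office and home PCs only.
ACL = [("S-1-5-32-545", "F"),
       ("S-1-5-21-1111111111-2222222222-3333333333-1004", "F"),
       ("S-1-5-21-1234567890-2345678901-3456789012-1003", "F")]

if __name__ == "__main__":
    for sid, rights in ACL:
        print("home PC sees:", classify(sid, HOME), rights)
    print("locked out if Users is removed now:",
          locked_out_without("S-1-5-32-545", ACL, MACHINES))
```

Here removing the Users grant before visiting the laptop would leave no entry that machine can match, which is why step 3 waits for the last system.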
 
Dmitry Kopnichev said:
Hello
How can I get access to my files and folders on my portable drive on
other computers? I do not want to give access to a Windows XP group
because I don't want Administrators of our domain to have direct access
to my files on the drive. They will not take ownership because I will
see the taking. I want to get access by a password.

Roger's reply re NTFS is correct. However, if you're trying to bypass your
network admins, and you are not officially one yourself, I can't help you.
If the data isn't supposed to be on your computer/on the network, don't do
it.
 
"Lanwench [MVP - Exchange]"

Roger's reply re NTFS is correct. However, if you're trying to bypass your
network admins, and you are not officially one yourself, I can't help you.
If the data isn't supposed to be on your computer/on the network, don't do
it.


Hey, I thought he just wanted to have the pix of the sig-other around
but beyond network admin eyes :)
 
Thanks for your reply, Roger.
Thus, I have to give the Full grants to the Users group each time there is the
smallest possibility I might need my portable drive contents on any other
Windows NT and remove the grant of Full to Users each time I come back to my
domain Windows XP. I will have to give and remove Full grants too often and
it will take too much time.
 
Why do you think the data isn't supposed to be on my computer? Our Admin
just keeps the network working, they are not supposed to see all the
commercial data that other specialists possess.
 
Dmitry Kopnichev said:
Why do you think the data isn't supposed to be on my computer? Our Admin
just keeps the network working, they are not supposed to see all the
commercial data that other specialists possess.

You are wrong, the network admin can and will be able to see all data on
the network, if you don't trust the network admin then you need to get a
new one.

It really seems like you're doing something you don't need to be doing
and that you feel you have a reason to hide.
 
Only General manager is supposed to see all the information. But he will not
administrate the network himself of course. General manager has even a
second computer separate from the Admins network to keep information
securely. Our Admin is two times younger than most of our specialists and
has only computer education and is not devoted to our business as the
General manager is. A company can never take just a computer specialist into
its confidence, can never entrust all its commercial information to him.
Leythos said:
Why do you think the data isn't supposed to be on my computer? Our Admin
just keeps the network working, they are not supposed to see all the
commercial data that other specialists possess.

You are wrong, the network admin can and will be able to see all data on
the network, if you don't trust the network admin then you need to get a
new one.

It really seems like you're doing something you don't need to be doing
and that you feel you have a reason to hide.
 
Dmitry Kopnichev said:
Only General manager is supposed to see all the information. But he will
not administrate the network himself of course. General manager has even a
second computer separate from the Admins network to keep information
securely. Our Admin is two times younger than most of our specialists and
has only computer education and is not devoted to our business as the
General manager is. A company can never take just a computer specialist
into its confidence, can never entrust all its commercial information to
him.

As others have pointed out you need to rethink your business model when it
comes to computers. With today's technology the network administrator will
potentially have access to everything. You can use auditing to see what has
been done but it's pretty hard to stop it from being done. The only way I
know to get around this is to keep data that sensitive on a computer not
connected to the LAN or use 3rd party encryption software.

Kerry

 
Dmitry Kopnichev said:
Only General manager is supposed to see all the information. But he will not
administrate the network himself of course. General manager has even a
second computer separate from the Admins network to keep information
securely. Our Admin is two times younger than most of our specialists and
has only computer education and is not devoted to our business as the
General manager is. A company can never take just a computer specialist into
its confidence, can never entrust all its commercial information to him.

You are COMPLETELY WRONG. A good network admin will be vested in the
company with all their heart and desire. They will always look to
protect the network and its data. They have full access to everything
by default and can take ownership of anything they want. If you don't
trust the Admin then you are in a bad spot, as the Admin can do many
things without you even finding out about it.

Now, to protect you against a rogue Admin, you need a second Admin that
is used to check the other admin - in fact, both check each other for
doing things that should not be done. Both Admins have full access to
all resources, it's the nature of the networks.

If you don't want an Admin to have access, then set up another network,
managed by someone you trust at the moment, and don't give the Admin any
access to it.

In every company I've worked for or designed the network for, the Admin
group (sometimes 1 person, but normally more than 1) has full access to
all resources, even if they don't use them.

If the Admin can't reach all resources, then they can't properly do
their job - which is Network security, Resource Protection, support of
users, disaster recovery planning and testing, and monitoring for
unapproved activity (yea, there are more).
 
Dmitry Kopnichev said:
Thanks for your reply, Roger.
Thus, I have to give the Full grants to the Users group each time there is the
smallest possibility I might need my portable drive contents on any other
Windows NT and remove the grant of Full to Users each time I come back to my
domain Windows XP. I will have to give and remove Full grants too often and
it will take too much time.

Then you will need to find another way.
There is no way to add a new account into the NTFS permissions
except by using an account with the permission to alter permissions.
So, you need to know you will be going to a new machine before
you leave to go there. When there, add the account that will be used
on that machine and remove the Full grant to Users (or Administrators).
There just is not an alternative that is within Windows.
 
I am obviously not into the politics of why you want to keep info
secured from your larger environment (net admins).
Your problem seems to be that you need the info transportable
between too many systems that are in different domains and/or
workgroups to make it simple to set up.
We did not address using EFS in addition to NTFS security,
and but for your mention of an XP Home system could have.

I can understand both how one's business model would benefit
from having a well-respected, and motivated, member providing
the computing infrastructure needs.
I can also understand how a small group with some shared office
capabilities would be content with an easily replaced support
person. However, in that case one should have someone that
does watch out for the over-all well-being of the organization
with regards to its computing infrastructure.

From all you have said about the reasons for seeking to secure
info in this way, it does sound to me that you would be better
off not having any domain structure (in which the net admin
can roam about).

--
Roger Abell
Microsoft MVP (Windows Security)

 
Thanks Roger.
Roger Abell said:
Then you will need to find another way.
There is no way to add a new account into the NTFS permissions
except by using an account with the permission to alter permissions.
So, you need to know you will be going to a new machine before
you leave to go there. When there, add the account that will be used
on that machine and remove the Full grant to Users (or Administrators).
There just is not an alternative that is within Windows.
 
Yes, but this does not prevent domain administrators from seeing my folders
and files.
 
Our domain is needed for our women usually and Windows XP illiterate workers
who can not administer their Windows XP themselves.