
Controlling user access to external drive

 
 
JoeSpareBedroom
 
      8th Oct 2011
My computer has 4 accounts: admin, 2 limited users (one of which is ME) and
a guest account. XP Pro, SP3. Seagate external drive is formatted as NTFS. I
need to cut off access to that drive for one of the limited users, but
maintain it for the admin (me) and my own limited user account. Does the
advice at the link below look accurate? Any "gotchas" to look out for? I
need to access this drive daily - no room for unexpected surprises from
Windows.

http://www.windowsnetworking.com/art.../wxppfsec.html


 
Iceman
 
      8th Oct 2011
On Sat, 8 Oct 2011 13:19:08 -0400, JoeSpareBedroom wrote in message
<news:fC%jq.2943$(E-Mail Removed)>:

> My computer has 4 accounts: admin, 2 limited users (one of which is ME) and
> a guest account. XP Pro, SP3. Seagate external drive is formatted as NTFS. I
> need to cut off access to that drive for one of the limited users, but
> maintain it for the admin (me) and my own limited user account. Does the
> advice at the link below look accurate? Any "gotchas" to look out for? I
> need to access this drive daily - no room for unexpected surprises from
> Windows.
>
> http://www.windowsnetworking.com/art.../wxppfsec.html


Well, it seems rather complicated to me, at least. You could also have a
look at an encryption program like TrueCrypt (free).

http://www.truecrypt.org/
 
Tim Meddick
 
      9th Oct 2011

One very big "gotcha" is that, being an external USB (removable) drive, if
you restrict access using the method outlined in your link, you will not be
able to access the drive if you unplug it and try using it on another
computer.

This would include retrieving data if access via the "Administrators" group
had been deleted.

You would be able to use this method if you bear a couple of things in
mind...

Restrict access *only* by omitting (un-checking) permissions for every
existing user that you don't want to give access to - NOT by granting
permissions to only the accounts you want to grant access.

If, however, you know for a fact that the drive will always and only be used
on the one machine, there are no obvious disadvantages.

==

Cheers, Tim Meddick, Peckham, London. :-)




"JoeSpareBedroom" <(E-Mail Removed)> wrote in message
news:fC%jq.2943$(E-Mail Removed)...
> My computer has 4 accounts: admin, 2 limited users (one of which is ME)
> and a guest account. XP Pro, SP3. Seagate external drive is formatted as
> NTFS. I need to cut off access to that drive for one of the limited
> users, but maintain it for the admin (me) and my own limited user
> account. Does the advice at the link below look accurate? Any "gotchas"
> to look out for? I need to access this drive daily - no room for
> unexpected surprises from Windows.
>
> http://www.windowsnetworking.com/art.../wxppfsec.html
>
>


 
John John MVP
 
      10th Oct 2011
On 10/9/2011 2:48 PM, Tim Meddick wrote:
>
> One very big "gotcha" is that, being an external USB (removable) drive,
> if you restrict access using the method outlined in your link, you will
> not be able to access the drive if you unplug it and try using it on
> another computer.


Of course you will, providing that you are a member of the Administrators
group. As an administrator you have rule over the whole computer and
all attached devices and as such you can simply grant yourself
permission to the attached drive.

John
 
JoeSpareBedroom
 
      10th Oct 2011
"Tim Meddick" <(E-Mail Removed)> wrote in message
news:j6smpr$1vf$(E-Mail Removed)...
>
> One very big "gotcha" is that, being an external USB (removable) drive, if
> you restrict access using the method outlined in your link, you will not
> be able to access the drive if you unplug it and try using it on another
> computer.
>
> This would include retrieving data if access via the "Administrators"
> group had been deleted.
>
> You would be able to use this method if you bear a couple of things in
> mind...
>
> Restrict access *only* by omitting (un-checking) permissions for every
> existing user that you don't want to give access to - NOT by granting
> permissions to only the accounts you want to grant access.
>
> If, however, you know for a fact that the drive will always and only be used
> on the one machine, there are no obvious disadvantages.
>
> ==
>
> Cheers, Tim Meddick, Peckham, London. :-)
>
>
>
>
> "JoeSpareBedroom" <(E-Mail Removed)> wrote in message
> news:fC%jq.2943$(E-Mail Removed)...
>> My computer has 4 accounts: admin, 2 limited users (one of which is ME)
>> and a guest account. XP Pro, SP3. Seagate external drive is formatted as
>> NTFS. I need to cut off access to that drive for one of the limited
>> users, but maintain it for the admin (me) and my own limited user
>> account. Does the advice at the link below look accurate? Any "gotchas"
>> to look out for? I need to access this drive daily - no room for
>> unexpected surprises from Windows.
>>
>> http://www.windowsnetworking.com/art.../wxppfsec.html
>>
>>



Tim, you've touched on an interesting point - not being able to take the
external drive to another computer. It's rare that I'd want to do that, but
it might happen occasionally. So, what's the solution? Some sort of
encryption? I've been avoiding that because I believe (perhaps incorrectly)
that it would affect performance.


 
JoeSpareBedroom
 
      10th Oct 2011
"John John MVP" <(E-Mail Removed)> wrote in message
news:j6uoqe$k88$(E-Mail Removed)...
> On 10/9/2011 2:48 PM, Tim Meddick wrote:
>>
>> One very big "gotcha" is that, being an external USB (removable) drive,
>> if you restrict access using the method outlined in your link, you will
>> not be able to access the drive if you unplug it and try using it on
>> another computer.

>
> Of course you will providing that you are a member of the Administrators
> group. As an administrator you have rule over the whole computer and all
> attached devices and as such you can simply grant yourself permission to
> the attached drive.
>
> John
>



So, "administrator" is generic enough from one computer to another, so
access will NOT be restricted? Sorry if I'm asking you to repeat yourself
using different words....but that's why I'm here asking the question.


 
JoeSpareBedroom
 
      10th Oct 2011
"Iceman" <(E-Mail Removed)> wrote in message
news:j6q5kt$9hl$(E-Mail Removed)...
> On Sat, 8 Oct 2011 13:19:08 -0400, JoeSpareBedroom wrote in message
> <news:fC%jq.2943$(E-Mail Removed)>:
>
>> My computer has 4 accounts: admin, 2 limited users (one of which is ME)
>> and
>> a guest account. XP Pro, SP3. Seagate external drive is formatted as
>> NTFS. I
>> need to cut off access to that drive for one of the limited users, but
>> maintain it for the admin (me) and my own limited user account. Does the
>> advice at the link below look accurate? Any "gotchas" to look out for? I
>> need to access this drive daily - no room for unexpected surprises from
>> Windows.
>>
>> http://www.windowsnetworking.com/art.../wxppfsec.html

>
> Well, it seems rather complicated to me, at least. You could also have a
> look at an encryption program like TrueCrypt (free).
>
> http://www.truecrypt.org/
>



Interesting option, but initially, I'd prefer to explore the use of features
native to the OS.


 
John John MVP
 
      10th Oct 2011
On 10/10/2011 9:42 AM, JoeSpareBedroom wrote:
> "John John MVP"<(E-Mail Removed)> wrote in message
> news:j6uoqe$k88$(E-Mail Removed)...
>> On 10/9/2011 2:48 PM, Tim Meddick wrote:
>>>
>>> One very big "gotcha" is that, being an external USB (removable) drive,
>>> if you restrict access using the method outlined in your link, you will
>>> not be able to access the drive if you unplug it and try using it on
>>> another computer.

>>
>> Of course you will providing that you are a member of the Administrators
>> group. As an administrator you have rule over the whole computer and all
>> attached devices and as such you can simply grant yourself permission to
>> the attached drive.
>>
>> John
>>

>
>
> So, "administrator" is generic enough from one computer to another, so
> access will NOT be restricted? Sorry if I'm asking you to repeat yourself
> using different words....but that's why I'm here asking the question.


Yes, if you are an administrator you will be able to seize ownership of
the whole drive and grant yourself any and all permissions on all the
objects (files and folders) on the drive regardless of which computer
the drive is plugged in.

John
 
John John MVP
 
      10th Oct 2011
On 10/10/2011 9:42 AM, JoeSpareBedroom wrote:

> So, "administrator" is generic enough from one computer to another, so
> access will NOT be restricted?


The built-in Administrators group has the same SID/RID across all
Windows versions and has a predefined set of permissions; unless you
deliberately changed the permissions, all administrators start with the
same set of permissions. Keep in mind that the starting set of
permissions can be different on different Windows versions as some of
the permissions are sometimes readjusted for security reasons but these
minor differences would not affect the ability to gain control on file
system objects.

What it comes down to is that as an administrator you have rule over the
whole computer on which you are logged on to... and that includes pretty
well all attached devices including external drives. The only exclusion
that I can think of are dongles or specialized hardware with
restrictions hardcoded in the firmware, but that is a topic for another
post altogether...

Well-known security identifiers in Windows operating systems
http://support.microsoft.com/kb/243330


John
 
Tim Meddick
 
      10th Oct 2011
*NB ONLY If Access has been granted to the "Administrators" group (default)
but if removed, you will not be able to gain access if just the specific
account: "Administrator" remains - as this account is specific to each
individual system (i.e. each "Administrator" account is assigned a unique
UID number).

So one must ensure an NTFS-formatted removable drive has their
"Administrators" group given "Full Access" permissions at root-level and
applied to all sub-containers and objects.

==

Cheers, Tim Meddick, Peckham, London. :-)




"John John MVP" <(E-Mail Removed)> wrote in message
news:j6uqio$as$(E-Mail Removed)...
> On 10/10/2011 9:42 AM, JoeSpareBedroom wrote:
>> "John John MVP"<(E-Mail Removed)> wrote in message
>> news:j6uoqe$k88$(E-Mail Removed)...
>>> On 10/9/2011 2:48 PM, Tim Meddick wrote:
>>>>
>>>> One very big "gotcha" is that, being an external USB (removable)
>>>> drive,
>>>> if you restrict access using the method outlined in your link, you
>>>> will
>>>> not be able to access the drive if you unplug it and try using it on
>>>> another computer.
>>>
>>> Of course you will providing that you are a member of the
>>> Administrators
>>> group. As an administrator you have rule over the whole computer and
>>> all
>>> attached devices and as such you can simply grant yourself permission
>>> to
>>> the attached drive.
>>>
>>> John
>>>

>>
>>
>> So, "administrator" is generic enough from one computer to another, so
>> access will NOT be restricted? Sorry if I'm asking you to repeat
>> yourself
>> using different words....but that's why I'm here asking the question.

>
> Yes, if you are an administrator you will be able to seize ownership of
> the whole drive and grant yourself any and all permissions on all the
> objects (files and folders) on the drive regardless of which computer the
> drive is plugged in.
>
> John
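
The distinction drawn in the last two posts, between the built-in Administrators group and one machine's own "Administrator" account, can be checked from the SIDs stored in the drive's ACL. The sketch below is an added example, not part of the thread: the machine identifiers, the sample ACL and the function names are constructed for illustration, and the well-known SID values are the ones listed in the KB 243330 article linked above.

```python
import re

# Well-known SIDs that are identical on every Windows installation (KB 243330).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-547": "BUILTIN\\Power Users",
}
# Per-machine accounts: S-1-5-21-<three machine sub-authorities>-<RID>.
LOCAL_SID = re.compile(r"^S-1-5-21-(\d+-\d+-\d+)-(\d+)$")
LOCAL_RIDS = {500: "Administrator", 501: "Guest"}

def classify(sid, this_machine):
    """Return (name, resolves_here) for one SID as seen on `this_machine`."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid], True
    m = LOCAL_SID.match(sid)
    if not m:
        return "unrecognised SID", False
    machine, rid = m.group(1), int(m.group(2))
    name = LOCAL_RIDS.get(rid, "local account RID %d" % rid)
    # A local account's SID only matches on the machine that issued it.
    return name, machine == this_machine

def portable_aces(acl, this_machine):
    """Split an ACL (list of (sid, rights)) into entries that match a
    principal on `this_machine` and entries left as orphaned SIDs."""
    usable, orphaned = [], []
    for sid, rights in acl:
        name, ok = classify(sid, this_machine)
        (usable if ok else orphaned).append((name, rights))
    return usable, orphaned

# Constructed sample data: both machine identifiers and the ACL are made up.
HOME_PC = "1000000001-2000000002-3000000003"
OTHER_PC = "1234567890-2345678901-3456789012"
DRIVE_ACL = [
    ("S-1-5-32-544", "F"),                 # Administrators group
    ("S-1-5-21-%s-500" % HOME_PC, "F"),    # home PC's Administrator account
    ("S-1-5-21-%s-1004" % HOME_PC, "C"),   # home PC's limited user
]

if __name__ == "__main__":
    for pc in (HOME_PC, OTHER_PC):
        usable, orphaned = portable_aces(DRIVE_ACL, pc)
        print(pc, "usable:", usable, "orphaned:", orphaned)
```

On the second machine only the Administrators group entry still matches a principal; the two per-machine entries no longer correspond to any account there.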


 