Granting access to NTFS drive

Adeel

Hello all.

I have a portable NTFS formatted hard drive. I replaced the default
'everyone' access with 'my computer\administrator' access while the
drive was hooked up to my desktop computer (XP professional).

Now I want to allow another user (my notebook's administrator) to
access it as well. So that only my two computers' administrator users
could access the disk. My notebook has XP home edition on it. How do I
go about doing this?


TIA
Adeel
 
Shenan Stanley

Adeel said:
I have a portable NTFS formatted hard drive. I replaced the default
'everyone' access with 'my computer\administrator' access while the
drive was hooked up to my desktop computer (XP professional).

Now I want to allow another user (my notebook's administrator) to
access it as well. So that only my two computers' administrator
users could access the disk. My notebook has XP home edition on it.
How do I go about doing this?

Interesting.
I'm not 100% sure this would work - but - you would need to grant everyone
their rights back first..

Then connect to machine (1) - grant the admin full rights to every
file/folder.
Then connect to machine (2) - grant the admin there full rights to every
file/folder.
Remove the "everyone" group.

Now see what happens. It could be that when looking at file/folder
permissions on one machine - you see an unknown-SID that has permissions.
If so - then the same should be true when you connect to the other machine -
just a different unknown SID.
 
Steven L Umbach

Just add administrators to the access control list. Then any administrator
[built in administrator or member of administrators group] on either
computer can access the files. --- Steve
 
Adeel

Thanks for your response Shenan.

I have XP home on the second machine... and as a result there is no
security tab. So I can't grant full control to the admin account on
it.


What do I do now?


TIA
Adeel
 
Shenan Stanley

Adeel said:
I have a portable NTFS formatted hard drive. I replaced the default
'everyone' access with 'my computer\administrator' access while the
drive was hooked up to my desktop computer (XP professional).

Now I want to allow another user (my notebook's administrator) to
access it as well. So that only my two computers' administrator
users could access the disk. My notebook has XP home edition on it.
How do I go about doing this?

Shenan said:
I'm not 100% sure this would work - but - you would need to grant
everyone their rights back first..

Then connect to machine (1) - grant the admin full rights to every
file/folder.
Then connect to machine (2) - grant the admin there full rights to
every file/folder.
Remove the "everyone" group.

Now see what happens. It could be that when looking at file/folder
permissions on one machine - you see an unknown-SID that has
permissions. If so - then the same should be true when you connect
to the other machine - just a different unknown SID.
Thanks for your response Shenan.

I have XP home on the second machine... and as a result there is no
security tab. So I can't grant full control to the admin account on
it.

What do I do now?

I think Steven's response may work.. Give it a shot.
(Although - if you boot into safe mode - you have the security tab.)
Just add administrators to the access control list. Then any
administrator [built in administrator or member of administrators
group] on either computer can access the files. --- Steve
 
Adeel

Thanks for replying Steve...

Where would I find this 'access control list'?


TIA
Adeel
 
Adeel

I think Steven's response may work.. Give it a shot.
(Although - if you boot into safe mode - you have the security tab.)

Thanks Shenan... booting into safe mode did the trick. It got me the
security tab. And the rest of the process was just the way you said it
would be.


Thanks again for your help
Adeel
 
Sjoerd Visser

Adeel said:
Hello all.

I have a portable NTFS formatted hard drive. I replaced the default
'everyone' access with 'my computer\administrator' access while the
drive was hooked up to my desktop computer (XP professional).

Now I want to allow another user (my notebook's administrator) to
access it as well. So that only my two computers' administrator users
could access the disk. My notebook has XP home edition on it. How do I
go about doing this?


TIA
Adeel
Try the FaJo XP File Security Extension (XP FSE)
It's free and gives XP Home (Prof and w2k) a security tab.

http://www.fajo.de/portal/index.php?lang=en&option=content&task=view&id=6&Itemid=47


Sjoerd Visser
 
Steven L Umbach

The access control list is where you manage permissions via the security tab
by adding users/groups and giving them the needed permissions and per
response to Shenan it sounds like you already have done it. --- Steve
 
Adeel

Yes, I have successfully resolved the original problem.

Now the trouble is that every administrator can modify the permissions
and grant himself access via the same procedure (although I just
granted access to two specific accounts, one on each machine. And
removed the everyone group).

Is there any way I could restrict access to just two specific
administrator users... and disallow everyone else (including other
administrators) from granting themselves the access?


TIA
Adeel
 
Shenan Stanley

Adeel said:
Yes, I have successfully resolved the original problem.

Now the trouble is that every administrator can modify the
permissions and grant himself access via the same procedure
(although I just granted access to two specific accounts, one on
each machine. And removed the everyone group).

Is there any way I could restrict access to just two specific
administrator users... and disallow everyone else (including other
administrators) from granting themselves the access?

If you added the specific usernames (and they were not the default
"administrator") and not the group (administrators) <- then only those
usernames will have access. However - anyone with admin rights on a machine
owns it.. They can TAKE ownership away and give themselves rights.
 
Adeel

If you added the specific usernames (and they were not the default
"administrator") and not the group (administrators) <- then only
those usernames will have access. However - anyone with admin
rights on a machine owns it.. They can TAKE ownership away and give
themselves rights.


I suppose this is what is happening... ownership transfer. I did grant
access to specific administrator users only (not the admin group, not
the default account).

A new admin cannot directly open the disk but they can grant
themselves the access by opening the security tab and adding
themselves.

I suppose there's no way to keep that from happening?


Thanks for all your help
Adeel
 
Sigmundur Jonsson

Adeel said:
I suppose this is what is happening... ownership transfer. I did grant
access to specific administrator users only (not the admin group, not
the default account).

A new admin cannot directly open the disk but they can grant
themselves the access by opening the security tab and adding
themselves.

I suppose there's no way to keep that from happening?


Thanks for all your help
Adeel
Nope ;)
 
Steven L Umbach

You can use Group Policy to hide the security tab [user
configuration/administrative templates/Windows components/Windows Explorer],
deny the user access to the command prompt and registry editing, and remove
administrators from the user right for take ownership of files and that will
dissuade most users but a skilled administrator will be able to find a way
to undo the restrictions if they want to. That does not mean it is not
worth trying though. --- Steve
 
Adeel

Thanks Steve,

Actually, the disk in question is an external portable disk... so any
restrictions I apply on my computers would be limited to them. And
when if I hook it up to someone else's machine, their settings would
take effect. Right?

But of course, you're right... this doesn't mean I should leave it all
wide open on my personal machines.
 
Steven L Umbach

In that situation you are correct and any user that is a local administrator
on another computer could access those files. The only way to keep such
files confidential would be to use encryption such as the built in EFS
encryption in XP Pro. EFS encryption should not be used however unless you
know all the hazards of it and how to back up your EFS private key to a
password protected .pfx file or you could lose permanent access to your own
files. --- Steve


Adeel said:
Thanks Steve,

Actually, the disk in question is an external portable disk... so any
restrictions I apply on my computers would be limited to them. And when if
I hook it up to someone else's machine, their settings would take effect.
Right?

But of course, you're right... this doesn't mean I should leave it all
wide open on my personal machines.


--
Thanks for all your help
Adeel



Steven L Umbach said:
You can use Group Policy to hide the security tab [user
configuration/administrative templates/Windows components/Windows
Explorer], deny the user access to the command prompt and registry
editing, and remove administrators from the user right for take ownership
of files and that will dissuade most users but a skilled administrator
will be able to find a way to undo the restrictions if they want to.
That does not mean it is not worth trying though. --- Steve
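
Added example, not part of any poster's reply: a simplified Python model of the behaviour discussed in this thread. It shows why a per-account ACL entry appears as an unknown SID on the other machine, why the Administrators group entry works everywhere, and why take ownership defeats both. The machine identifiers, the RID 1001 and all function names are constructed for illustration.

```python
# Simplified model of NTFS access checks on a portable volume (illustration only).
ADMINS = "S-1-5-32-544"  # well-known BUILTIN\Administrators SID, same on every install

# Constructed machine identifiers (placeholders, not real values).
DESKTOP, NOTEBOOK, OTHER_PC = "1111-2222-3333", "4444-5555-6666", "7777-8888-9999"

def local_sid(machine_id, rid):
    """A local account SID embeds the identifier of the machine that created it."""
    return f"S-1-5-21-{machine_id}-{rid}"

def admin_token(machine_id, rid):
    """Local administrator: own SID, Administrators group, take-ownership privilege."""
    return {"user": local_sid(machine_id, rid),
            "sids": {local_sid(machine_id, rid), ADMINS},
            "take_ownership": True}

def display_name(sid, machine_id):
    """What the security tab can show for an ACL entry on a given machine."""
    if sid == ADMINS:
        return "BUILTIN\\Administrators"
    if sid.startswith(f"S-1-5-21-{machine_id}-"):
        return "local account"
    return "unknown SID"

def can_open(token, volume):
    """Access is granted when any SID in the token has an entry in the DACL."""
    return bool(token["sids"] & volume["dacl"])

def seize(token, volume):
    """Take ownership via the privilege, then use the owner's right to edit the DACL."""
    if not token["take_ownership"]:
        return False
    volume["owner"] = token["user"]
    volume["dacl"].add(token["user"])
    return can_open(token, volume)

def demo():
    desk, note, other = (admin_token(m, 1001) for m in (DESKTOP, NOTEBOOK, OTHER_PC))
    per_user = {"owner": desk["user"], "dacl": {desk["user"], note["user"]}}
    group = {"owner": desk["user"], "dacl": {ADMINS}}
    return {
        "notebook_entry_seen_on_desktop": display_name(note["user"], DESKTOP),
        "per_user_blocks_other_admin": not can_open(other, per_user),
        "group_admits_other_admin": can_open(other, group),
        "other_admin_after_take_ownership": seize(other, per_user),
    }
```

In this model the ACL is only as strong as the operating system that chooses to honour it, which is why the thread ends at encryption for data that must stay confidential on a portable disk.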
 
Adeel

Thanks a ton Steve... your suggestions and help have been invaluable to
me. I *really* appreciate it...

I guess EFS would probably be overkill in my situation. I don't have
anything super-secret on my disk. I'll stick to the basic stuff for
now...


Thanks again.

Cheers
Adeel
 
