Admin account but do not have full access to private folders

G

Guest

I'm on Windows XP Pro on an Administrator (also supposed to be owner) account.
In order to provide other users unrestricted use of software, I made two
other admin accounts, A and B.

The problem arises when I noticed that account B is able to view the
contents, but not execute and open files, of my private My Documents folder
and also A's private folders.

My admin account, and A's admin account is both password protected.
B's admin account is not.

My account cannot view or even access any folders of A's password-protected
account but can do so on B's otherwise not password-protected account. I
understand the very simple concept that the presence of A's password have
prevented me from doing so.

However B's admin account can view both mine and A's files. Although, I have
to stress that he cannot execute any files in our private folders because of
the "access denied" error.

I do not know if A has similar rights to view my private folders like B.


I'm really troubled by this. How can I fix it so that B do not have any
rights to view my private files?
I physically own the computer but am sharing it.

Thanks in advance.
 
R

Robert Moir

Aaron said:
I'm really troubled by this. How can I fix it so that B do not have
any rights to view my private files?
I physically own the computer but am sharing it.

The easiest thing, in fact the only foolproof way, would be to not give
people administrator access to your system. (I'm assuming that your system
is using NTFS and the default settings haven't been messed with).

It says what it means and means what it says, and if that isn't what you
want people to do to your system then don't give them the rights to do it!


--
 
B

Bruce Chambers

Aaron said:
I'm on Windows XP Pro on an Administrator (also supposed to be owner) account.
In order to provide other users unrestricted use of software, I made two
other admin accounts, A and B.

That wasn't necessary, and was probably unwise.

If you grant a user account administrative privileges, you've granted
that user free access to *everything* on the hard drive. If you don't
want the other computer users to have access to everything, start by
taking away their administrative privileges.

HOW TO Create and Configure User Accounts in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;279783

HOW TO Set, View, Change, or Remove File and Folder Permissions
http://support.microsoft.com/default.aspx?scid=kb;en-us;q308418

HOW TO Set, View, Change, or Remove Special Permissions for Files and
Folders
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q308419

You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the application doesn't "know" how to handle
individual user profiles with differing security permissions levels, or
the application is designed to make to make changes to "off-limits"
sections of the Windows registry or protected Windows system folders.

For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions.

It may even be that the software requires "write" access to parts
of the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators), explicitly grant normal users elevated privileges to
the affected folders and/or part(s) or the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving
settings on limited accounts, you may need to change permissions on
the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app,
where "vendor\app" is the key that the software vendor used for your
specific program. Change the permissions on this key to allow Users
full control."


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
S

Shenan Stanley

Aaron said:
I'm on Windows XP Pro on an Administrator (also supposed to be owner)
account.
In order to provide other users unrestricted use of software, I made two
other admin accounts, A and B.

Mistake one - all admin accounts.
The problem arises when I noticed that account B is able to view the
contents, but not execute and open files, of my private My Documents
folder
and also A's private folders.

Likely file/directory permissions - they may have "read only - but since
they are all admins - they can do whatever they want in the end - take
ownership, delete them all and even erase their own tracks.
My admin account, and A's admin account is both password protected.
B's admin account is not.

Doesn't reall matter when they are all admins - unless you are using
encryption. And for that - I suggest you read up first!
My account cannot view or even access any folders of A's
password-protected
account but can do so on B's otherwise not password-protected account. I
understand the very simple concept that the presence of A's password have
prevented me from doing so.

No - not really - probably just file/directory permissions again. Not that
it matters much - with them all being admins.
However B's admin account can view both mine and A's files. Although, I
have
to stress that he cannot execute any files in our private folders because
of
the "access denied" error.

Yeah - file and directory permissions - easily changed by an admin account.
I do not know if A has similar rights to view my private folders like B.

They are all admins - whether or not "A' does now - they can in a few
moments time and a couple of clicks.
I'm really troubled by this. How can I fix it so that B do not have any
rights to view my private files?

Stop making everyone admins. That's your real problem.
I physically own the computer but am sharing it.

You need to create one administrative level account and make everyone else
"users". You will have to do some work-arounds (I am sure) for some
applications and menu items - but that is what you have to do in order to
use a computer (manage a computer) responsibly.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top