Admin users can see other users My Documents folders in Explorer

Posted February 26, 2008 · February 26, 2008

How can I prevent admin users from seeing and accessing other admin My

Documents folders? I am using XP Pro SP2 and they are listed in Explorer in

My Computer.

--

Thanks!

Posted February 26, 2008 · February 26, 2008

Re: Admin users can see other users My Documents folders in Explorer

Saucer Man wrote:

> How can I prevent admin users from seeing and accessing other admin

> My Documents folders? I am using XP Pro SP2 and they are listed in

> Explorer in My Computer.

Take away their administrative rights.

Anything else you do is a kludge and can be gotten around with ease.

--

Shenan Stanley

MS-MVP

--

How To Ask Questions The Smart Way

http://www.catb.org/~esr/faqs/smart-questions.html

Posted February 26, 2008 · February 26, 2008

Re: Admin users can see other users My Documents folders in Explorer

"Saucer Man" <saucerman@nospam.com> wrote in message

news:47c4270a$0$20786$cc2e38e6@news.uslec.net...

> How can I prevent admin users from seeing and accessing other admin My

> Documents folders? I am using XP Pro SP2 and they are listed in Explorer

> in My Computer.

>

Turn off simple file sharing and use the 'Security' tab under properties to

set who can access what. But whatever you do, make sure that at least one

admin account can see everything (preferably the default 'Administrator'

account).

Posted February 26, 2008 · February 26, 2008

Re: Admin users can see other users My Documents folders in Explorer

Saucer Man wrote:

> How can I prevent admin users from seeing and accessing other admin

> My Documents folders? I am using XP Pro SP2 and they are listed in

> Explorer in My Computer.

Shenan Stanley wrote:

> Take away their administrative rights.

> Anything else you do is a kludge and can be gotten around with ease.

Think of it this way...

You go into an office building and rekey all the rooms on a given floor.

Each door has a key that works only on that door. However - for safety,

security and other reasons (janitorial, maintenance, etc) - you also have a

master key made up that fit all the doors.

What you have done (by making everyone administrator level on a given

machine) equates to you handing everyone a copy of the master key. Now -

you can go by the *hope* that if you don't TELL them they have the master

key, they won't ever find out and everything will be fine (or even if they

find out, they'll be honest and not use it) - or you can do the wise thing

and give each of them their own specific door key and nothing more.

So yes - you could make it where each user only sees THEIR "My Documents"

folder in Windows Explorer/My Computer (meaning a list of shared/my

documents folders is not visible by default) - but all you have done is

*not* tell them they all have "master key" and they can just go into

"%SystemDrive%\Documents and Settings\" and pretty well do what they want -

whether or not they know it - yet. ;-)

You can even go in with each user and change the rights on the folders for

that user so that only that user has access... However - since they all

have the equivalent of the master key - they can get around that too...

How to Take Ownership of a File or Folder in Windows XP

http://support.microsoft.com/kb/308421

Read *carefully* - do not just skim the page and start following steps.

There is important information there dependent on the version of Windows XP.

--

Shenan Stanley

MS-MVP

--

How To Ask Questions The Smart Way

http://www.catb.org/~esr/faqs/smart-questions.html

Posted February 26, 2008 · February 26, 2008

Re: Admin users can see other users My Documents folders in Explorer

On Feb 26, 10:49 am, "Saucer Man" <saucer...@nospam.com> wrote:

> How can I prevent admin users from seeing and accessing other admin My

> Documents folders? I am using XP Pro SP2 and they are listed in Explorer in

> My Computer.

>

> --

> Thanks!

Look into encryption. XP Pro comes with EFS but if you don't make a

backup of your keys you're royally screwed if you try to recover the

data after a hard drive crash, etc. I think you also get screwed if

you reset the password from another account. Other uses will be able

to see the file names (just not access them)

Truecrypt is a free solution that will let you make encrypted

containers keeping anyone from knowing the contents.

http://www.truecrypt.org/

Posted February 26, 2008 · February 26, 2008

Re: Admin users can see other users My Documents folders in Explorer

In article <47c4259d_1@glkas0286.greenlnk.net>,

no.one@no.where.NO_SPAM.co.uk says...

>

> "Saucer Man" <saucerman@nospam.com> wrote in message

> news:47c4270a$0$20786$cc2e38e6@news.uslec.net...

> > How can I prevent admin users from seeing and accessing other admin My

> > Documents folders? I am using XP Pro SP2 and they are listed in Explorer

> > in My Computer.

> >

> Turn off simple file sharing and use the 'Security' tab under properties to

> set who can access what. But whatever you do, make sure that at least one

> admin account can see everything (preferably the default 'Administrator'

> account).

Won't change anything. Any local administrator can access all files,

even if you setup NTFS Permissions - an Administrator is considered GOD

on computers and can access anything.

--

Leythos

- Igitur qui desiderat pacem, praeparet bellum.

- Calling an illegal alien an "undocumented worker" is like calling a

drug dealer an "unlicensed pharmacist"

spam999free@rrohio.com (remove 999 for proper email address)

Posted February 27, 2008 · February 27, 2008

Re: Admin users can see other users My Documents folders in Explorer

"M.I.5¾" <no.one@no.where.NO_SPAM.co.uk> wrote in message

news:47c4259d_1@glkas0286.greenlnk.net...

>

> "Saucer Man" <saucerman@nospam.com> wrote in message

> news:47c4270a$0$20786$cc2e38e6@news.uslec.net...

>> How can I prevent admin users from seeing and accessing other admin My

>> Documents folders? I am using XP Pro SP2 and they are listed in Explorer

>> in My Computer.

>>

> Turn off simple file sharing and use the 'Security' tab under properties

> to set who can access what. But whatever you do, make sure that at least

> one admin account can see everything (preferably the default

> 'Administrator' account).

That plainly isn't true. I have set up my folders so that my other half

can't see my files. Both are administrator accounts because we both run

applications that won't work under limited accounts.

Posted February 27, 2008 · February 27, 2008

Re: Admin users can see other users My Documents folders in Explorer

"Leythos" <void@nowhere.lan> wrote in message

news:MPG.222e665b45587494989a8a@Adfree.usenet.com...

> In article <47c4259d_1@glkas0286.greenlnk.net>,

> no.one@no.where.NO_SPAM.co.uk says...

>>

>> "Saucer Man" <saucerman@nospam.com> wrote in message

>> news:47c4270a$0$20786$cc2e38e6@news.uslec.net...

>> > How can I prevent admin users from seeing and accessing other admin My

>> > Documents folders? I am using XP Pro SP2 and they are listed in

>> > Explorer

>> > in My Computer.

>> >

>> Turn off simple file sharing and use the 'Security' tab under properties

>> to

>> set who can access what. But whatever you do, make sure that at least

>> one

>> admin account can see everything (preferably the default 'Administrator'

>> account).

>

> Won't change anything. Any local administrator can access all files,

> even if you setup NTFS Permissions - an Administrator is considered GOD

> on computers and can access anything.

>

That plainly isn't true. I have set up my folders so that my other half

can't see my files. Both are administrator accounts because we both run

applications that won't work under limited accounts.

Posted February 27, 2008 · February 27, 2008

Re: Admin users can see other users My Documents folders in Explorer

Saucer Man wrote:

> How can I prevent admin users from seeing and accessing other admin

> My Documents folders? I am using XP Pro SP2 and they are listed in

> Explorer in My Computer.

M.I.5¾ wrote:

> Turn off simple file sharing and use the 'Security' tab under

> properties to set who can access what. But whatever you do, make

> sure that at least one admin account can see everything (preferably

> the default 'Administrator' account).

Leythos wrote:

> Won't change anything. Any local administrator can access all files,

> even if you setup NTFS Permissions - an Administrator is considered

> GOD on computers and can access anything.

M.I.5? wrote:

> That plainly isn't true. I have set up my folders so that my other

> half can't see my files. Both are administrator accounts because

> we both run applications that won't work under limited accounts.

First off - there are very few applications that truly require you to have

full administrative rights on a computer in order to run properly. This is

not to say that there are none (there are some I can think of by Intuit that

make it quite difficult for no apparent reason) or to say that it is an

*easy* endeavor to figure out what you need to change in order to run said

applications without administrative rights. In fact - it usually requires

the use of RegMon and FileMon on the more difficult cases. On the easy

ones - you simply change the NTFS permissions on the installation directory

to allow "users" full rights to that given folder and perhaps find the

applications registry keys and do the same.

Secondly - you have done nothing *really* to prevent your "other half" from

seeing your files. If you are both system administrators and you are not

using some form of encryption, compression with a password or a third party

application - then that other administrator can take ownership of your files

whenever they please and see everything you have - and unless you go

checking file/folder permissions every time you use the computer - you may

never know they did it.

I gave this example in this very conversation already, but I will give it

again here. Think of it this way...