Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Installing rights to standard user or prevent an admin user something

22 Aug 2013   #1
Maetco

Windows 7 Pro x64
 
 
Installing rights to standard user or prevent an admin user something

I tried to google this and it seems neither is possible but I wanted to hear the truths from the horses mouth.

I have a Win 7 Pro x64 computer with 2 users who boths needs to be able (this really is a must) install software on the computer but they can't have access to each other's private folders (user folder). Basically I see 2 theoretical options:

a) make 2 standard user accounts and give these accounts the right to install software. Is this possible and if yes how?

b) make 2 admin user accounts and prevent them from accessing to each other's user folder. I can do this but not in a way that doesn't mess with windows (basically I would encrypt the file but then windows wouldn't be able to use the folder like it is built to use it and I'm pretty sure this would cause problems). Is there another way to do this which doesn't cause problems with windows?

Thanks in advance to anyone willing to help.


My System SpecsSystem Spec
.
22 Aug 2013   #2
LMiller7

Windows 7 Pro 64 bit
 
 

a) This may be possible in theory but it would not be easy. Don't go there.
b) All administrators are equal. Any restrictions you impose can be undone by another.
The only practical way to do what you want is to encrypt the users folders. Windows doesn't care about user folders so that is not an issue.
My System SpecsSystem Spec
23 Aug 2013   #3
Maetco

Windows 7 Pro x64
 
 

Quote   Quote: Originally Posted by LMiller7 View Post
a) This may be possible in theory but it would not be easy. Don't go there.
b) All administrators are equal. Any restrictions you impose can be undone by another.
The only practical way to do what you want is to encrypt the users folders. Windows doesn't care about user folders so that is not an issue.
Are you 100 % certain. Eg isn't desktop located under user file and if so how can Windows load the desktop content if it can't access it?

Just to be sure by encrypting I would make a Truecrypt-file and place the whole use-folder in it -> there would be no user-folder for the windows to use.
My System SpecsSystem Spec
.

23 Aug 2013   #4
LMiller7

Windows 7 Pro 64 bit
 
 

Quote:
Are you 100 % certain. Eg isn't desktop located under user file and if so how can Windows load the desktop content if it can't access it?

Just to be sure by encrypting I would make a Truecrypt-file and place the whole use-folder in it -> there would be no user-folder for the windows to use.
I meant using NTFS encryption. This can be enabled from the advanced properties of the users folders. All files and folders that are later added will be encrypted. This encryption is completely transparent to the user who may need not even be aware they are encrypted. Other users will have not be able to read the files. The desktop is loaded by Explorer which runs under the users account and thus has full access.

Be very sure that all users files are backed up and kept in a secure location. If you were to later reinstall or upgrade the OS (to Windows 8 or later) all access to encrypted files will be lost.
My System SpecsSystem Spec
26 Aug 2013   #5
Maetco

Windows 7 Pro x64
 
 

Quote   Quote: Originally Posted by LMiller7 View Post
Quote:
Are you 100 % certain. Eg isn't desktop located under user file and if so how can Windows load the desktop content if it can't access it?

Just to be sure by encrypting I would make a Truecrypt-file and place the whole use-folder in it -> there would be no user-folder for the windows to use.
I meant using NTFS encryption. This can be enabled from the advanced properties of the users folders. All files and folders that are later added will be encrypted. This encryption is completely transparent to the user who may need not even be aware they are encrypted. Other users will have not be able to read the files. The desktop is loaded by Explorer which runs under the users account and thus has full access.

Be very sure that all users files are backed up and kept in a secure location. If you were to later reinstall or upgrade the OS (to Windows 8 or later) all access to encrypted files will be lost.
I had completely forgotten EFS (probably because I've never used it myself). Could you explain a bit how EFS wactually orks (Microsoft's own guides are absolutely useless). Let's say there are users a and b. I log in with user a and encrypt the folder using EFS. Does windows automatically decrypt the folder when a logs in or does s/he need to give a password at any point? Also when is it necessary to use the back-up key? Eg does changing the user's password activate this? If I back-up the folder, the backup is probably encrypted too?
My System SpecsSystem Spec
26 Aug 2013   #6
LMiller7

Windows 7 Pro 64 bit
 
 

The use of EFS is totally transparent to the user. Many users are not even aware that the files they are using are encrypted. When copied to external media encrypted files will be unencrypted so you need to keep such copies in a secure location. Hopefully other members can help with issues concerning backing up the encryption key. I haven't done this for years.
My System SpecsSystem Spec
26 Aug 2013   #7
Alejandro85

Windows 7 Ultimate x64
 
 

Problem with your problem is that both requirements are basically in conflict with each other. On one hand you want 2 users to be able to install programs, that absolutely needs administrator rights, because that requires writing to program files and to system wide folders and registry keys. On the other hand, you need both users to be unable to tamper with each other files, which basically means no-admin rights, because administrators are always able to do what they want with anything in the system (permissions put on them can always be lifted).

Encrypting sensitive files would be a reasonable workaround, but not without pitfalls. Problem is that, being admins, they can always try to decrypt, or simply delete data or monitor whatever activity is in the system. For encryption, use the vastly superior TrueCrypt rather than the built-in NTFS cryptography, put a strong password on the container, and maybe use a keyfile for extra security. In any case, a good extra measure may be to make both users standards and create a third account, which will be admin, and use UAC to elevate to it when needed.

My preferred option, if you absolutely must share the machine, would be to NOT save private data there. Using a pendrive or external HD and putting everything there, unplugged when not working on it is probably a safer alternative anyway, or store files offsite, in some online service or in another computer you might have available.
My System SpecsSystem Spec
27 Aug 2013   #8
Maetco

Windows 7 Pro x64
 
 

I would love to make the accounts standard user-accounts but unfortunately that is not possible. They need to be able to install softwares. It would be so much easier if Windows would just allow some changes to the restrictions standard users have. Now standard users can't change anything and admins can change everything and there is no way to get a middleway.

Deleting data isn't a huge problem (there's always the back-up) and we know if this is done (the person can be held liable for the action) and the person can't benefit from such an act.

Can user b decrypt user a's crypted folder (when EFS is used)? And I mean without being a pro. We are talking about average computer users who in general have limited knowledge about these matters. If windows prevents it then they usually don't have a clue how to bypass that and that would be enough in this situation. Normally we don't share computers but now there is a special situation and that is why I need to improvise.

Thanks Alejandro85 and LMiller7 for your help!
My System SpecsSystem Spec
Reply

 Installing rights to standard user or prevent an admin user something




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
How to prevent standard user from terminating processes?
Hello everyone! Can anyone please help me with this annoyance I have? How can I prevent standard users from closing certain processes in task manager? I don't want to restrict them from using task manager, but I would like to prevent them from terminating processes that I want to be always...
System Security
Cant Access Administrative Rights in Standard User Accounts
Hello, i m using Win7 Home Premium 64b, and till a few days back, i was enjoying a trouble free OS with a Standard User , along with an Admin one, where i always use the standard user account. When installing and uninstalling softwares(in the standard user account), it will ask for Administrative...
General Discussion
New admin user acting differently than standard user changed to admin
I have created two new user accounts. The first I set up as a standard account, logged on, did a few things, then logged off, logged on as my administrator account and editted the account to be an administrator. When I log back on as this account, it appears that the user still does not have...
General Discussion
admin user lost some admin rights
I can't delete a file from the desktop. When I try, it says to get the rights from the specified admin user (which I'm logged on). The strange thing is that I still can create other users from this account (including admins). Any suggestion on what to do?
BSOD Help and Support
no admin rights but user only
hi I am helping friends mom and dad who's son ended up in jail. Got caught and done for DD (DUI)and got 8 months (not the first time) His mom and dad want to recover the pictures and some other financial files but all were kept under admin account Here is the catch. There is only 1 user account...
System Security
How to give Adminstrative Rights to standard user ?
Hi All, For some reason i need to give adminstrative rights to Standard User in Windows 7.How can i do that ? As of now standard user can access all the programs but when he runs IIS it asks for admin password. Any help will be appreciated . Thank You
Network & Sharing


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 05:42.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App