Installing rights to standard user or prevent an admin user something


  1. Posts : 4
    Windows 7 Pro x64
       #1

    Installing rights to standard user or prevent an admin user something


    I tried to google this and it seems neither is possible but I wanted to hear the truths from the horses mouth.

    I have a Win 7 Pro x64 computer with 2 users who boths needs to be able (this really is a must) install software on the computer but they can't have access to each other's private folders (user folder). Basically I see 2 theoretical options:

    a) make 2 standard user accounts and give these accounts the right to install software. Is this possible and if yes how?

    b) make 2 admin user accounts and prevent them from accessing to each other's user folder. I can do this but not in a way that doesn't mess with windows (basically I would encrypt the file but then windows wouldn't be able to use the folder like it is built to use it and I'm pretty sure this would cause problems). Is there another way to do this which doesn't cause problems with windows?

    Thanks in advance to anyone willing to help.
      My Computer


  2. Posts : 2,497
    Windows 7 Pro 64 bit
       #2

    a) This may be possible in theory but it would not be easy. Don't go there.
    b) All administrators are equal. Any restrictions you impose can be undone by another.
    The only practical way to do what you want is to encrypt the users folders. Windows doesn't care about user folders so that is not an issue.
      My Computer


  3. Posts : 4
    Windows 7 Pro x64
    Thread Starter
       #3

    LMiller7 said:
    a) This may be possible in theory but it would not be easy. Don't go there.
    b) All administrators are equal. Any restrictions you impose can be undone by another.
    The only practical way to do what you want is to encrypt the users folders. Windows doesn't care about user folders so that is not an issue.
    Are you 100 % certain. Eg isn't desktop located under user file and if so how can Windows load the desktop content if it can't access it?

    Just to be sure by encrypting I would make a Truecrypt-file and place the whole use-folder in it -> there would be no user-folder for the windows to use.
      My Computer


  4. Posts : 2,497
    Windows 7 Pro 64 bit
       #4

    Are you 100 % certain. Eg isn't desktop located under user file and if so how can Windows load the desktop content if it can't access it?

    Just to be sure by encrypting I would make a Truecrypt-file and place the whole use-folder in it -> there would be no user-folder for the windows to use.
    I meant using NTFS encryption. This can be enabled from the advanced properties of the users folders. All files and folders that are later added will be encrypted. This encryption is completely transparent to the user who may need not even be aware they are encrypted. Other users will have not be able to read the files. The desktop is loaded by Explorer which runs under the users account and thus has full access.

    Be very sure that all users files are backed up and kept in a secure location. If you were to later reinstall or upgrade the OS (to Windows 8 or later) all access to encrypted files will be lost.
      My Computer


  5. Posts : 4
    Windows 7 Pro x64
    Thread Starter
       #5

    LMiller7 said:
    Are you 100 % certain. Eg isn't desktop located under user file and if so how can Windows load the desktop content if it can't access it?

    Just to be sure by encrypting I would make a Truecrypt-file and place the whole use-folder in it -> there would be no user-folder for the windows to use.
    I meant using NTFS encryption. This can be enabled from the advanced properties of the users folders. All files and folders that are later added will be encrypted. This encryption is completely transparent to the user who may need not even be aware they are encrypted. Other users will have not be able to read the files. The desktop is loaded by Explorer which runs under the users account and thus has full access.

    Be very sure that all users files are backed up and kept in a secure location. If you were to later reinstall or upgrade the OS (to Windows 8 or later) all access to encrypted files will be lost.
    I had completely forgotten EFS (probably because I've never used it myself). Could you explain a bit how EFS wactually orks (Microsoft's own guides are absolutely useless). Let's say there are users a and b. I log in with user a and encrypt the folder using EFS. Does windows automatically decrypt the folder when a logs in or does s/he need to give a password at any point? Also when is it necessary to use the back-up key? Eg does changing the user's password activate this? If I back-up the folder, the backup is probably encrypted too?
      My Computer


  6. Posts : 2,497
    Windows 7 Pro 64 bit
       #6

    The use of EFS is totally transparent to the user. Many users are not even aware that the files they are using are encrypted. When copied to external media encrypted files will be unencrypted so you need to keep such copies in a secure location. Hopefully other members can help with issues concerning backing up the encryption key. I haven't done this for years.
      My Computer


  7. Posts : 2,465
    Windows 7 Ultimate x64
       #7

    Problem with your problem is that both requirements are basically in conflict with each other. On one hand you want 2 users to be able to install programs, that absolutely needs administrator rights, because that requires writing to program files and to system wide folders and registry keys. On the other hand, you need both users to be unable to tamper with each other files, which basically means no-admin rights, because administrators are always able to do what they want with anything in the system (permissions put on them can always be lifted).

    Encrypting sensitive files would be a reasonable workaround, but not without pitfalls. Problem is that, being admins, they can always try to decrypt, or simply delete data or monitor whatever activity is in the system. For encryption, use the vastly superior TrueCrypt rather than the built-in NTFS cryptography, put a strong password on the container, and maybe use a keyfile for extra security. In any case, a good extra measure may be to make both users standards and create a third account, which will be admin, and use UAC to elevate to it when needed.

    My preferred option, if you absolutely must share the machine, would be to NOT save private data there. Using a pendrive or external HD and putting everything there, unplugged when not working on it is probably a safer alternative anyway, or store files offsite, in some online service or in another computer you might have available.
      My Computer


  8. Posts : 4
    Windows 7 Pro x64
    Thread Starter
       #8

    I would love to make the accounts standard user-accounts but unfortunately that is not possible. They need to be able to install softwares. It would be so much easier if Windows would just allow some changes to the restrictions standard users have. Now standard users can't change anything and admins can change everything and there is no way to get a middleway.

    Deleting data isn't a huge problem (there's always the back-up) and we know if this is done (the person can be held liable for the action) and the person can't benefit from such an act.

    Can user b decrypt user a's crypted folder (when EFS is used)? And I mean without being a pro. We are talking about average computer users who in general have limited knowledge about these matters. If windows prevents it then they usually don't have a clue how to bypass that and that would be enough in this situation. Normally we don't share computers but now there is a special situation and that is why I need to improvise.

    Thanks Alejandro85 and LMiller7 for your help!
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 02:29.
Find Us