Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: How do I prevent all users access to the local Admin's My Documents

03 Jun 2015   #1
GvIntern

Windows 7 Professional 64bit
 
 
How do I prevent all users access to the local Admin's My Documents

Hey everyone,

First post here as we are having some issues at my job. We're a small sized school district and we are in the process of currently attempting to create a universal image to roll out across the district. As part of the initial process, we are following a spiceworks directed tutorial to create the image and we are enabling the local administrator account. After imaging, there are a few other things that need to be done on each individual machine so we have a "tech" folder set up to allow our techs to go step by step to get the machine to where we want it to be. Once a machine is imaged, it is then added to our domain.
The issue we are having is that whether we place this 'tech' folder on the desktop, the Admin's desktop, or the Admin's My Documents folder: any other user on the computer (even non-admins) are getting access to the Administrator's user folders (including desktop and documents). This means that any enterprising student can search hard enough and find it, and then access the files in the tech folder.

Now, it is our practice to then disable the local admin account after imaging, before sending the machine out. However, on the off chance one of the techs forgets or has a lapse in procedure, this could result in a few non-critical, but still important, pieces of software being accessible to all users.

Our question is this: What could be causing this lapse in policy? Or are we misunderstanding the way Win7 operates the local Admin account? Our understanding is that no users should by default have access to the Admin's files, so there must be something in the way we are creating the image that is causing this issue. Is there something we can do using domain GPOs or local GPOs to prevent this?

The image we are using is a SYSprepped, generalized image of Windows 7 professional, 64bit. Our domain is using Windows Server 2008 R2. We have fairly strict GPOs on our domain, but are unsure where to locate this specific issue. Any help would be greatly appreciated, and if there is any other information needed, I will be glad to provide what I can. Thanks!


My System SpecsSystem Spec
.
03 Jun 2015   #2
logicearth

Windows 10 Pro (x64)
 
 

No users have access to any other user's profile directory. "C:\Users\[username]" The only way they can get access is if they are an Administrator. The next way is if you are changing the permissions to give everyone access. But the default state for Windows is no user has access to another user's profile directory. Most likely you have done something to set it up to give users access or your method for detecting this is flawed. (I.e. you are using an Admin account to check the access of the directory, an Admin account can and will override permissions to give itself access.)
My System SpecsSystem Spec
03 Jun 2015   #3
GvIntern

Windows 7 Professional 64bit
 
 

That is what we thought, but where would we check to verify each individual user's permissions? We have tested with a number of different accounts (4 to be exact) and none of them are admins. They are all in the regular users group, and we verified in both AD and on the local machine that they do not have Admin access. Yet while using these accounts (3 of them are actual student accounts, the other is our Test Student account) we can access the C:\Users\Administrator folders and all files within.

Is it something to do with the generalize option in the Windows Sysprep for creating the universal image? Or is it coming down through our domain?
My System SpecsSystem Spec
.

03 Jun 2015   #4
GvIntern

Windows 7 Professional 64bit
 
 

Also, we have noticed that whenever you login as any other user the contents of the Administrator's my documents are being populated in ALL User's my documents folders. We just noticed this.
Our thought is that there is something going on with the Sysprep that is causing this.
My System SpecsSystem Spec
03 Jun 2015   #5
logicearth

Windows 10 Pro (x64)
 
 

I'm not sure what you could have done to get that mess, unless you used "CopyProfile" to modify the default user account by copying the Administrator account after you finished modifying it.

Anyway here is the default permission I have on my Administrator account folder:
How do I prevent all users access to the local Admin's My Documents-perms.png


My System SpecsSystem Spec
Reply

 How do I prevent all users access to the local Admin's My Documents




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
Allowing access to non-admin users
Hey all, I need to allow some of our users to start an application on their workstations, but UAC will only allow admin users to start this application (control software for remote security cameras). The workstations are running Windows 7, and our server architecture is Server 2003. We'd...
Network & Sharing
How can I prevent one Admin from deleting another Admin??
I am setting up a very basic computer for a company, and I have already activated "The Administrator" and created a secondary Administrator. I will need accesss to The Administrator often. So what I am asking; Is there a way to prevent one administrator from deleting the other intentionally or...
Network & Sharing
C:\Documents and Settings\all users\documents DENIED!!!
I am running Windows 7 on my notebook, as the owner and admin..... I try to access this folder, and I cannot...in fact it appears as a shortcut rather than a folder...i have run antivirus, and malware, found nothing.... tried to change the security....all users has rights to it, the admin does...
General Discussion
How to use Local Group policy to prevent access to User Account settin
I'm creating a local group policy to lock down a Win7 Pro Workstation for use in the Staff room. It's the first time I've used it, previously I've worked a bit with AD. but I've been following on line tutorials and using google and I'm nearly there with it. But I'm stuck on one thing. My...
Customization
Admin wants grant access to ALL documents, music, etc.
Today, I changed 2 of our computers (plan on doing them all) and now I am the administrator on those computers, I want to grant access to ALL documents, music, videos, etc. files that already exist on their PC's. I really just want to block internet porn and the likes. :o I installed...
General Discussion
one computer, 7 users accounts need to share admin documents
I want to be able to share Administrator documents and files with user acoounts on the same computer.... without having access to the internet. I only have one computer. But I have 7 different user accounts on that one computer. I want each of my users to have access to the Administrators...
Network & Sharing


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 01:10.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App