Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Guest account access problem


21 Aug 2010   #1

Windows 7 Home Premium (build 7600)
 
 
Guest account access problem

I have just set up a guest account and want to stop that account from accessing the C drive, which it is able to do at the moment by clicking on “Computer” / “Cdrive” then right click “open”
I have gone into the C drive properties / permissions area on my own account and want to change the permissions for the “users” from “full access” to “deny” which I hope will then stop anyone using the guest account from accessing the C drive.
Two questions, the first one being will that work ?
And secondly I am concerned that although I am the administrator and still have full access, I came across a little snippet while trying to sort this out that said if I was registered as having full access in two areas e.g. Administrator and User, if access was denied to one of those (User) then that would take priority over the other one (Administrator).
I am concerned that I may lock myself out of my computer.
Can anyone give me any help or advice on this ?
Thanks in anticipation,
FBW


My System SpecsSystem Spec
.

21 Aug 2010   #2

Windows 7 Ultimate x64 x2 + x86 + Windows 8.1 x64 x2
 
 

IMPORTANT

Users is a group that contains all users on the system (including the administrator accounts)
Deny rights do override all others so you are likely to lock yourself out if you follow the path you describe.

By default the guest user can see the c: drive but can only access the public areas, a guest user cannot change anything that will effect the operating system - if a guest attempts to run any system level commands they will be prompted to enter administrator credentials and the request will be looged in the security log (event Viewer)

If you wish to prevent the guest from "seeing" the c:drive the only way to do this safely is to remove the everyone group from the areas concerned whilst retaining the administrators group's access and manually adding your actual user to the permissions (assuming UAC is correctly set-up).

Due to the complex permissions schema used for Windows 7 system drives I would actually advise against trying this on the C: drive

It is however quite simple to do on data drives but even here I suggest that you experiment with a test folder tree to ensure you get things correct

one more thing if you are going to work with this sort of permissions changes image your system before you start and enable the hidden administrator as a backup user
My System SpecsSystem Spec
21 Aug 2010   #3

 

Good advice Barman. Another thing to consider is. Is this a domain account or just your home computer. Do you have Windows 7 Home Premium or Professional? Not sure if they have changed this in 7 Pro, but Gpedit.msc is how you get to group policy settings in previous version of windows.

There you can set many different policies. One of them is denying access to the C-Drive. Easiest thing to do is log into the account you want to restrict, launch Gpedit.msc as the admin, click on the User Configuration Tree, and start searching for it. I'm really tired, so I just don't have the energy to search for it, but we've done this numerous times at my job. You can restrict the C-Drive, You can remove the icon, but leave access, you can just remove my computer and anything else you want.

If your a domain admin setting AD policy, well, hell, Sky's the limit.
My System SpecsSystem Spec
.


21 Aug 2010   #4

Windows 7 Home Premium (build 7600)
 
 

Thank you both for your advice

I will have a little dabble tomorrow and see what happens

Cheers
FBW
My System SpecsSystem Spec
21 Aug 2010   #5

Windows 7 Home Premium (build 7600)
 
 

Had a little dabble tonight instead.
Wish that I had not because all it has done is wind me up!
Why do Windows make something that should be very simple to do so very difficult ??
At the moment if you are using the guest account and you go into "Computer" and right click on either of the two hard drives I have, then click "open" you can then access "documents and settings" and then almost anything that you want.
What I want to happen is when you right click on said hard drives you get the Administrators box pop up saying access denied and asking you to enter a password.
Why should it be so difficult to set this up ??
Regards,
FBW
My System SpecsSystem Spec
21 Aug 2010   #6

Windows 7 Ultimate x64 x2 + x86 + Windows 8.1 x64 x2
 
 

I assume you mean My documents, as documents and settings is only a link in Windows 7 so will work from that assumption.

right click on the documents folder or the user Folder, ( one level up), if you wish to control other personal folders such as pictures Etc., and select security,

select advanced,
select the users entry
select change permissions ,
uncheck the inherit from parent checkbox,
remove the users entry.
Select the replace all child ... checkbox
ok the dialog to close

This should prevent any user not specifically given permissions from accessing the area

It is not good practice to do this for the drive as the system folders require special permissions that this methods would corrupt
My System SpecsSystem Spec
21 Aug 2010   #7

 

What Barman is saying is good advice, especially if you are new to setting up permissions. Give me a few minutes and I'll post some screen-shots which I think will make things clearer for you, and how to achieve what you want.
My System SpecsSystem Spec
21 Aug 2010   #8

 

The following is an example of how to prevent guests (or any group or user) from accessing whatever resource you decide to restrict. Also, you don't have to mess with the built in USERS group, which can lead to further frustrations.

It's important to note that there is a difference between a group and user. However, MSFT doesn't make this necessarily easy to realize, as they name accounts so similarly. For example: The Administrator Account is not the same as the Administrators Group.

Also, I'm on XP at the moment, but everything should pretty much be the same in Windows 7. I may post some Windows 7 screen-shots later, but I just migrated over, so bear with me.

1. You want to create a new group, call it something like MyGroup. Go To Start and in search box type Control UserPasswords2. You can also launch that same command from the Command Line.

Name:  CUP2.JPG
Views: 13
Size:  11.8 KB

2. Once in the User Accounts Dialog, select the Advanced tab, and click the Advanced button under the "Advanced User Management" section (see how MSFT uses the same names over and over)

Name:  ADVUSERMGT.JPG
Views: 11
Size:  38.7 KB

3. You should now be in the Local Users & Groups tool. Right Click on the Groups folder and click New Group

Name:  NEWGRP.JPG
Views: 11
Size:  46.4 KB

4. In the New Group dialog, enter a name for your new group, I'll use MyGuestGroup, as an example here. You can add a description if you like.

Name:  MYGSTGRP.JPG
Views: 11
Size:  16.3 KB

5. Next, click the Add button, then click the Advanced button at the bottom of the Select User's Windows. Click Find Now and select the Guest account. It will be the icon with a single face, not the double face.

Finally, add the Guest account as a member of that group. Click Ok until you have confirmed that the Guest Account is now a member of the MyGuestGroup Group.

Name:  FNDNOW.JPG
Views: 6
Size:  42.2 KB

6. You can now close all those open dialogs. Next, go back to run, or the command line, and run Control UserPasswords2 again. This time click the Users tab, select the Guest account, and click properties.

Name:  CUSRPW222.JPG
Views: 10
Size:  33.5 KB

7. Under the Guest Properties dialog, select Group Membership. Under the "What level of access" section select Other and then select "MyGuestsGroup," click Apply and then Ok.

Name:  Other LVL of access.JPG
Views: 9
Size:  26.2 KB

8. Now, go to your folder, or C-Drive, in this case. Right click and select Sharing & Security. Select the Security tab. Click Add to add the MyGuestGroup to the Access Control List. Under the Permissions for MyGuestGroup, under the Deny column, select List Folder Contents. This should be enough to prevent them from viewing what is inside of the C-Drive.

You may have to play around with the deny permissions to get it to do exactly what you want.

Name:  DNYMGSTGRP.JPG
Views: 8
Size:  36.6 KB


And that's it. Now, if anyone logs in under the Guest account, they are subject to the permissions of your MyGuestGroup, and since you have stated that MyGuestGroup cannot list folder contents of the C-Drive, they should be denied when they try to access C:\.

Now for a disclaimer, I'm new to Windows 7, and IDK if there is a new feature which will prompt for a password when you try to access a restricted drive ( you don't mean UAC do you?) , but in XP, I'm pretty sure there is no way to make windows prompt for a password just by clicking on a restricted folder. You do have things such as Secondary Login, but that is used for launching executables under a different permission.

If you want run Windows 7 as a guest, and still be able to access certain privileged files or applications, you can either access them through the command line, or if they are applications (executable) then you should be prompted by UAC. However, I don't think UAC works the same way on directories. But again, you'll have to ask one of the Windows 7 Gurus on this forum.

Hope that helps.


Attached Images
 
My System SpecsSystem Spec
23 Aug 2010   #9

Windows 7 Home Premium (build 7600)
 
 

Hello again Dranfu.........
Thanks for taking the time and trouble to post such a detailed and informative reply.
I am at work at the moment and will play around later this evening after refreshing myself first in the pub
It is a pity that so much has to be done to put in place such a simple function. When I first migrated from XP to 7 I had the opposite problem. I kept getting "Access denied" boxes popping up all over the place while I was trying to set the system up how I wanted it, which wound me up even more than this problem has .
There is one thing that I am slightly unclear about. The guest user will still need access to things like Adobe and various other general programmes that are all installed on the Cdrive. Presumably the actions you have listed above will not block the guest account from running all the usual passive programmes stored on the main drive.
Once again thanks to you and Barman for your help.
Cheers
FBW
My System SpecsSystem Spec
23 Aug 2010   #10

Windows 7 Ultimate x64 x2 + x86 + Windows 8.1 x64 x2
 
 

What I actually do is to re-locate all data from the c: drive to a data drive using the location feature built into Windows 7 and rely on the built-in controls to protect C:

If you want to then further control a guest user's access to this data you can more easily adjust the permissions on the data drive, without the possibility of locking the user from Programs that they need to run
My System SpecsSystem Spec
Reply

 Guest account access problem




Thread Tools



Similar help and support threads for2: Guest account access problem
Thread Forum
How can I grant my guest account access to certain files in explorer? Network & Sharing
Guest account Internet access not working. Network & Sharing
Speech recognition in guest account - Problem Sound & Audio
Win7 permission problem, with guest account System Security
No wireless access with guest account Network & Sharing
guest account and other accounts won't access General Discussion
guest account and Internet access Network & Sharing

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 11:18 PM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33