Stopping admin accounts accessing another's documents

[yohan]

Hi, I have two administrator accounts setup, but they can access each other's documents (C:\Users\Example). I tried removing all but the owner in the security tab, but administrators can take ownership this way somehow, anyone know what I can do (besides making them non-administrator accounts)

 

[Dark Nova Gamer]

Correct me if I am wrong (which I likely am) but wouldn't creating a password for those two admin accounts prevent them from accessing each other without the other ones password?

 

[dmex]

Hi, I have two administrator accounts setup, but they can access each other's documents (C:\Users\Example). I tried removing all but the owner in the security tab, but administrators can take ownership this way somehow, anyone know what I can do (besides making them non-administrator accounts)

Hi Yohan,

You can remove the Administrators Group from always being able to take ownership of objects via the Local Security Policy

If you remove all users and groups from this setting then no one can universally take ownership of anything if they don't already have the permission for that file or folder

Just to be safe leave at least one account or group here so they can always take ownership of any object encase you accidentally get locked out of your own files



Hope it helps.

Steven

Correct me if I am wrong (which I likely am) but wouldn't creating a password for those two admin accounts prevent them from accessing each other without the other ones password?

Users in the administrative group can always take ownership of anything regardless of what user or permission they have set for that file or folder, it all depends on this local Sec policy setting as to what group has unrestricted security access

 

[Dark Nova Gamer]

No, users in the administrative group can always take ownershiop of anything on the system regardless of what user or permission they have set, it all depends on this local Sec policy setting

Well at least I tried. That kind of defeats the purpose of a password doesn't it though?

Also.. OMG we have the same name! lol had to say it.

 

[dmex]

Well at least I tried. That kind of defeats the purpose of a password doesn't it though?

Also.. OMG we have the same name! lol had to say it.

Administrators are Administrators, they can just reset your password if they like (you can remove that privilege for admins via group policy too)

Hope it helps Steven

Steven

 

[yohan]

Thanks for your help, but it seems after setting the "Policy take-owner ability" to user "Bob", user "Dave" can still access Bob's area, after giving UAC permission to do so. After he does this, in the share tab, Bob is still owner, but Dave is now there, and has "Read/Write" access. How can I stop this?

Thanks so far by the way Steven & Steven.

 

[happinessiseasy]

The point of Administrators is to have full access. If you don't want full access, make each other power users.

 

[Dark Nova Gamer]

The point of Administrators is to have full access. If you don't want full access, make each other power users.

Yes but an admin having the ability to spy on the other admin is stupid in my opinion.

=\

 

[yohan]

The point of Administrators is to have full access. If you don't want full access, make each other power users.

I don't think Power Users exist anymore.

Edit:

I'm wrong.

This works.

 

[dmex]

I don't think Power Users exist anymore.

Edit:

I'm wrong.

This works.

Your welcome

Steven

 

[sup3rsprt]

You can remove the Administrators Group from always being able to take ownership of objects via the Local Security Policy

That's a good trick, and funny, but if the other Admin is smart enough he can also edit the Local Security Policy.

I wonder if, besides using a Power User, there is a way to solve this using built-in encryption? I know EFS was a pretty weak system but have there been any improvements to this in Win7?

 

[dmex]

That's a good trick, and funny, but if the other Admin is smart enough he can also edit the Local Security Policy.

If you take ownership of mmc.exe and gpedit.msc then set the security to prevent access, other admins would be unable to edit policy's

I wonder if, besides using a Power User, there is a way to solve this using built-in encryption? I know EFS was a pretty weak system but have there been any improvements to this in Win7?

Unless an Admin configures a recovery key, other users cant access EFS protected files. I would keep regular backups of your EFS key encase your password is reset since it will also erase your EFS key as a security measure

Steven

 

[sup3rsprt]

Unfortunately I don't think EFS will protect the files from being deleted, unless of course something has changed in Windows 7.

 

[cmdahome]

One Caveat

Bear in mind that the folder you are trying to protect must have been created by the user who is trying to secure and own it; ie, if root creates it, then fred tries to secure it, he cannot.