How can I limit other (administrator) users' access to my profile?

4

We in our club have a computer with Windows 7 Professional that every club member may use. And everyone has their own separate account.

Those accounts have to have administrator privileges since I want everyone to be able to install any software and use any feature they want. However, there is a single thing that they shouldn't be allowed to do - that is, look into other users' profiles. Now when anyone goes to 'c:\Users\(Any User Name)' a little prompt appears that this folder is secured and whether you really want to look inside. Simply clicking 'ok' gives you access to any profile.

I tried disabling taking ownership for Administrators group in Group Policies but that had no effect. How can I effectively prohibit administrators looking into each other's profiles and documents?

kojo

Posted 2010-04-17T22:39:38.123

Reputation: 211

Answers

10

You can't, it's as simple as that.

Nifle

Posted 2010-04-17T22:39:38.123

Reputation: 31 337

Any prooflink on that? Isn't there any way to protect a directory from an administrator on an NTFS partition? – kojo – 2010-04-17T23:06:37.540

How can you protect a directory from an administrator? The administrators group inherently has the ability to change permissions on NTFS volumes, so no matter what you change it to, they can change it back. – MDMarra – 2010-04-18T00:27:11.137

And limiting 'Administrators' group's permissions is also impossible? And there is no easy way of creating a new group that may do anything except for changing permissions on main NTFS partition? – kojo – 2010-04-18T21:45:07.987

@kojo - I think you're trying to solve this problem the wrong way. Having users keep files on a network share with the necessary ACLs or even a flash drive that you carry with them would be more appropriate than trying to neuter the Administrators group. – MDMarra – 2010-04-21T15:03:35.547

This is true. The admin group is a built in group. The permissions cannot be changed. – surfasb – 2011-03-08T13:08:50.823

4

Try to change your point of view: change every account into a common user, then give 'em permission to install software, thus holding your super-admin-powers for yourself!

dag729

Posted 2010-04-17T22:39:38.123

Reputation: 1 894

Thought of that. Though, it seemed to me that the difference between User and Administrator in Windows 7 is not only installation of software. They should be able to successfully elevate in UAC and be detected by legacy software as administrator. I just thought there must be an easier way. – kojo – 2010-04-17T23:04:48.417

3

Probably the best solution is for each user to encrypt their files using EFS. While you cannot prevent other admins from listing the contents of each folder, EFS will encrypt the files to where not even an Admin can decrypt them unless it has been provided a copy of the private key or a backup certificate.

Since the Administrator group is built in, you cannot change the permissions for it.

surfasb

Posted 2010-04-17T22:39:38.123

Reputation: 21 453

0

If you want to protect files from other admins or restrict them to a specific group, you want to use ACLs. But all administrators can take ownership of files. In the domain or local security policy, change the take ownership of files permission to a specific group and their members.

Second method is smoother but dangerous. If you use EFS, nobody can steal, view, copy or use your files. But you still need to protect your EFS certificate and hide it in a safe/personal location.

Plus, if an administrator account has EFS recovery agent permission, he/she can decrypt your files.

Darkyyy

Posted 2010-04-17T22:39:38.123

Reputation: 11
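
Added example (not part of any answer on this page): a PowerShell check of the two points raised in the EFS answers above, namely which certificates, including recovery agents, can decrypt each EFS-protected file, and which accounts hold the "Take ownership of files" right. The folder path is a placeholder, and the script assumes an elevated prompt because `secedit /export` requires one.

```powershell
# Added example, not from the answers. Run from an elevated PowerShell prompt.
# $Folder is a placeholder; pass the folder you want to protect.
param([string]$Folder = "$env:USERPROFILE\Documents\Private")

# 1. Encrypt the folder and everything below it with the current user's EFS key.
cipher.exe /e "/s:$Folder" | Out-Null

# 2. Report files that are still stored in plaintext (for example, files that
#    were locked by another process while cipher was running).
$files = Get-ChildItem -Path $Folder -Recurse -Force |
    Where-Object { -not $_.PSIsContainer }
$plain = $files |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
if ($plain) {
    Write-Warning "Not encrypted:"
    $plain | ForEach-Object { Write-Warning "  $($_.FullName)" }
}

# 3. For each encrypted file, list the user certificates and the recovery
#    certificates that can decrypt it. Any recovery certificate shown here
#    belongs to an account that can read the file despite EFS.
$files |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    ForEach-Object { cipher.exe /c $_.FullName }

# 4. Export the local user-rights assignments and show who holds
#    SeTakeOwnershipPrivilege ("Take ownership of files or other objects").
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf |
    Where-Object { $_ -match '^SeTakeOwnershipPrivilege\s*=' }
if ($line) {
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries starting with * are SIDs; translate them to account names.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }
        } else { $entry }
    }
} else {
    Write-Output "No account is assigned SeTakeOwnershipPrivilege."
}
Remove-Item $inf
```

The ACL and ownership settings reported in step 4 only control access through Windows on this machine; the certificate list from step 3 is what determines who can actually read the file contents.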

0

You can change the ownership of your folder to you only (remove all other users).

But this trick only prevents other administrators until they retain ownership. If they don't know how to change ownership, you are safe.

Anoop

Posted 2010-04-17T22:39:38.123

Reputation: 111