Restrict Windows administrator access rights

1

I have an administrator login to a Windows 7 PC. I want to make a folder for a non-administrator user, and make this folder not viewable by me (administrator). Is it possible? If so, how can I achieve this?

Thanks for reading this post!

user2317890

Posted 2013-05-15T02:22:58.737

Reputation: 1

The best way not to see a folder when you are an administrator is not to look... Seriously, if it's your computer (you are the administrator - that makes it "your" computer by some definitions) what is going on that you want to not see something? Perhaps the other person with privacy issues should encrypt the directory they don't want you to see? There are plenty of (free) utilities to achieve that. See http://www.truecrypt.org for example.

– Floris – 2013-05-15T02:37:36.753

Answers

1

I agree that using file encryption tools out there or even EFS sounds like it might be a better choice. With that said, you can grant your non-admin account full rights to the folder and assign deny to built-in\administrators group. This should fool only the greenhorn admins out there. They will receive an access denied message when trying to open the folder. However, they can just open the security permissions and remove the deny ACEs from the DACL (providing they know this) and gain access.

CaptDialup

Posted 2013-05-15T02:22:58.737

Reputation:

Thanks for your answers!

I want to do this because that's my boss's PC. I hope to let him manipulate his files as easily as possible; TrueCrypt may be difficult for him. I haven't tried EFS, but I heard from people that it may have a problem with backup, e.g. if the PC dies and the key is lost, the files are dead. Is that true? – None – 2013-05-15T03:09:29.847

Have you tried using TrueCrypt? It's ridiculously easy. "Even for a boss". If he can log in, he can use TC. – Floris – 2013-05-15T03:13:12.980

Yes, I personally use TrueCrypt. I think he may not want to mount a drive every day. Are there even easier tools? Thanks! – None – 2013-05-15T03:23:49.777
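The deny-ACE setup described in CaptDialup's answer above, as an added PowerShell example that is not part of the original thread. The folder path and the account name `boss` are placeholders, and the script is assumed to run from an elevated Windows PowerShell session.

```powershell
# Placeholders (assumptions, not from the thread): adjust both before running.
$folder = 'C:\Private\BossFiles'
$user   = "$env:COMPUTERNAME\boss"   # the non-administrator account

New-Item -ItemType Directory -Path $folder -Force | Out-Null

$acl = Get-Acl -Path $folder

# Protect the DACL from inheritance and discard the entries inherited
# from the parent folder, so only the two rules below remain.
$acl.SetAccessRuleProtection($true, $false)

# Apply each rule to the folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Full control for the non-admin user.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user, 'FullControl', $inherit, $prop, 'Allow')

# Explicit deny for the built-in Administrators group, as in the answer.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Deny')

$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $folder -AclObject $acl

# Review the result. The deny entry is ordinary, editable permission data:
# the folder's owner can always rewrite the DACL, which is why the answer
# says this only stops administrators who do not know where to look.
$check = Get-Acl -Path $folder
"Owner: $($check.Owner)"
$check.Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

The listing at the end should show exactly two explicit entries, one Allow for the user and one Deny for `BUILTIN\Administrators`, with `IsInherited` set to `False` on both.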

0

After giving this some more thought I am convinced that creating an encrypted partition is the way to go - and TrueCrypt is as good a tool as any. This can be mounted at startup (only if the right person logs in) so the process is transparent to the intended user - and an administrator cannot get to the files unless he/she has the password. The only thing is that the person who owns the encrypted partition is responsible for maintaining a safe copy of the key - lose it, and the data is unrecoverable. The nice thing about this approach is that the files can be backed up seamlessly by the administrator - just because you can't read a file doesn't mean you can't back it up... You will probably find backup is slow when the partition is large (to the uninitiated it looks like a giant file, so not much use for differential backups).

Floris

Posted 2013-05-15T02:22:58.737

Reputation: 900

Thanks to both of you for the inspiration. I think auto-mounting at startup and leaving him to type the password is a good idea. Thanks! – None – 2013-05-15T03:40:37.643

I believe it's possible to cache the password - so when the correct user logs in, the correct drive gets mounted without further prompting for passwords. Not 100% sure as I don't use it on my current machine so no easy way for me to test (but that's what I gathered from the documentation; I have used it in the past but never tried automounting. I'm not a boss...). – Floris – 2013-05-15T03:54:15.137