Remove administrators from Local Profiles

Discussion in 'Security Software' started by John, May 6, 2004.

  1. John

    John Guest

    Can anyone tell me how to prevent the Administrator Group from getting access automatically to any of the profiles under Documents and Settings?? ie. can Documents and Settings be setup such that when a new user logs in, their profile will only have the user and other "selected" users/groups with access to that profile?
    I realise that anyone in the Administrators group will (probably) still be able to take ownership of the directory, I am just trying to "deter" prying....

    John, May 6, 2004
    1. Advertisements

  2. John

    Jason Guest

    If you don't trust your administrators you have greater problems then
    them poking around in areas they should be able to go to.

    Jason, May 6, 2004
    1. Advertisements

  3. John

    john Guest

    A little bit more information.....
    Due to the "unfriendly" software that we need to install, all users logged on to the PC need to be in the Administrators group to successfully run it.... Therefore, we still wish to maintain a 'certain' degree of privacy on the users files - hence remove "Administrators" from the security...

    john, May 6, 2004
  4. Am Thu, 6 May 2004 05:06:03 -0700 schrieb John:
    the only secure way will be encrypting these files... there are several
    very good tools existing for such jobs like pgp which is also availible as
    Stanlay Hanks, May 8, 2004
  5. When you first create an account password using the User Accounts
    control panel, if you are logged into that account, the GUI will ask if
    you want to "make the files private". This removes access from the
    Administrators and Users groups so that only the user that owns the
    profile can read the files (and SYSTEM still has access). Of course, any
    Administrator can "take ownership" of the profile and add read/write
    permission back in order to view the private files.

    You might try running the recalcitrant software with accounts in the
    Power Users group (XP Pro only) as an alternative to having the users be
    in the Administrators group. If this works, then your files will stay a
    bit more private.

    You must be using NTFS for these access controls to work.
    Kent W. England [MVP], May 10, 2004
  6. John

    John Guest

    Kent, thanks for the info, but the users we are talking about are domain users, therefore we don't get a choice in the matter! So, what does say "make my files private" actually do, and is it possible to set it up automatically?

    John, May 12, 2004
  7. I don't know about domain usage, since that is greatly affected by the
    Group Policy objects.
    Kent W. England [MVP], May 13, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.