Blocking Folders from other users

Discussion in 'Windows Desktop Systems' started by Mike89, Apr 22, 2002.

  1. Mike89

    Mike89 Guest

    I am running XP Pro in NTFS.

    I have the computer set up for mulitiple users, myself of course the administator.

    I have been messing around trying to block certain folders so only I have access to them.

    So far I have found that the only folders I can block are the ones in C:\Documents and Settings\Myname.

    Is that all I can block? For example, let's say I want to block a particular folder on another drive so no one but me can open it. Seems I can't do that. If I right click on the particular folder and go to properties/sharing, the 'make this folder private' is greyed out. It's only not greyed out on folders in the C:\documents and settings\myname folder. I am trying to make sense of the security stuff. Seems like it's rather worthless if I can only block what's in my documents and settings folder. I mean another user would not have access to that anyway because it wouldn't even be seen on another user's account.

    What am I not understanding here?
     
  2. BigPete

    BigPete OSNN Sexual Deviant

    Messages:
    69
    Well bud,

    You can do one of two things. First of all, I would turn off simple file sharing by going to Tools -> Folder Options -> View, then scroll all the way down and uncheck "Use Simple File Sharing".

    From here, you can right click on a folder and go down to the sharing and security option(or down to properties if that is not available) and remove everyone that isnt you from the list of people.

    Secondly, you can encrypt the file using EFS. In order to do this, right click on the folder or file you wish to make available only to yourself and go down to properties, then click "Advanced". Finally, select the "Encrypt contents to secure data" box and hit apply and ok.

    Unless you know about EFS or are willing to learn a bit about it, I recommend against it. Without proper knowledge, a system crash could render those encrypted files unrecoverable.

    Hope this helps,
    Pete
     
  3. Mike89

    Mike89 Guest

    Thanks for the info. Taking that box out of the simple file sharing opened up a whole new view.

    It wouldn't let me take users out of that box as you suggested. Some kind of message about auditing. I was also very confused on those two checkbox options at the bottom of the advanced section. I don't even know what the difference between the two options are. Reading the info confused me even more. Jeez.

    I messed with it a bit and came up with something that seems to work. First I tried clicking on the users group and then checking the deny boxes. Well that worked alright but also denied me access since I am the administrator but also in the users group. Doesn't seem like there is anyway around that.

    So next I ADDED the specific users NAME that are in my user's group (there are 3 people that access this computer besides me).

    So I added all three names and then did the 'deny' thing to whatever folder I didn't want them messing with.

    So I just repeat this whole process for each folder in question.

    I tested this by first trying to access the folder myself. I could, so far so good.

    I then logged out and logged back in on one of the users accounts. I then tried to access the same folder and it wouldn't let me in. Good deal, that's just what I wanted.

    Man this stuff is a bit complicated. I have to learn more about this stuff as I go.

    That file encryption stuff you mentioned scared me a bit. Is there a skull and crossbones icon that comes up when trying to do this? You made it sound rather spooky. Heh heh
     
  4. Twink

    Twink Guest

    don't deny access, just don't allow it (ie take the tick out of the allow box), so it won't allow users into it, but since allow is on admin it will still allow you. Deny overrides allow
     
  5. Mike89

    Mike89 Guest

    OK I just looked at that and can't see how it would work.

    I go to a folder, right click, choose properties/security.
    Now I click on the user group.
    There already is no 'allow' checked. There are 3 that are whited out checked, Read, Read and Execute, and List Folder contents. These cannot be unchecked except to deny.

    I want to block certain folders from even being opened to anyone but me.

    The way I did it in my last post is the only way I could get that to work.
     
  6. BigPete

    BigPete OSNN Sexual Deviant

    Messages:
    69
    Well, you can disable auditing by going to Control Panel -> Administrative Tools -> Local Security Policy, and turn off audits, unless you want them for some reason.

    If you are in the Administrators group, thats great and all but the way Windows NT(thus XP) works is that you are granted the HIGHEST security setting. Basically it means if you are in both the Administrators Group and the Users Group, you only have User access. So, in order to make yourself an Administrator, log in with the admin account and go to Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users. Once there, right click on the username of the accounts you want in users and click on the "Member Of" tab. Make sure the account you want to use is only part of the "Admininstrators Group" Once you get your user groups worked out, you should be able to add and remove users from files and folders and set your permissions properly.

    As far as encrypting goes, it can be a very good thing and is much more secure, but the way it works is via a "key", like a lock. If your computer crashes or something happens and you need to reformat, unless you have that "key" backed up, there is NO way to get your files back.

    I always prefer using standard permissions on files, its easy and gets the work done, so lets try to stick with that and forget encrypting for now, let me know if you need anymore help, or you can reach me via AIM at CapinPete.

    P.S. Do not forget that the highest security setting ALWAYS takes the place of anything other settings. For example, if john is part of the users group and you EXPLICITLY give john access to a file but deny the users group that same access, john is still denied, because his group(Users) has been denied. This is the most important rule to remember when setting file permissions.

    Pete
     
  7. Mike89

    Mike89 Guest

    Now I'm a bit confused.

    I am the administrator but I also have my name in there. When I log on, I use my name and password. I have full administrator priveleges.

    Where you said to go my name is not in the users group. It's in the admistrator group. There are two names in there. My name and 'administrator'. Both are administrators. I took that as both are the same.

    So are you saying I should log in with 'administrator' in the name field and use the same password?

    But yet when I try to set the security for a folder, if I click on the users group, and click deny, then I can't get into the folder either.
     
  8. BigPete

    BigPete OSNN Sexual Deviant

    Messages:
    69
    In one of your previous post you had mentioned that your particular user account is in BOTH the Administrators Group AND the Users Group, now you are saying its only part of the Administrators Group. So,continue to read, as long as you are ONLY part of the Administrators Group.

    When you go to the security tab of a file you should have more than one thing listed there, such as Administrators, Users, SYSTEM, just REMOVE any user account or user group that doesnt belong there.

    Furthermore, if you still have problems with removing names from the list due to your "Auditing" problem, you can remove auditing all together from the files or folders by going to the Security Tab -> Advanced -> Auditing Tab.

    Pete
     
  9. jonex

    jonex OSNN Junior Addict

    Messages:
    37
    more than one admin??

    how do you do that when you have more than óne admin.. how can i block folders or files now so only me (one of the admins) can access it??
     
  10. BigPete

    BigPete OSNN Sexual Deviant

    Messages:
    69
    Remove the admin GROUP from having access to the folder or file then just add the individual USER. So if you have admin "A" and "B" who are both members of the Administrators Group, remove the Administrators Group(be sure not to DENY access to Admins, just remove them altogether) from the file or folder, then add "A" or "B", whichever you want.

    OR, you could just add both admins and DENY access to the one you dont want to have access, either one should work. This will work because as said above, the HIGHEST security setting always comes before anything else.
     
  11. jonex

    jonex OSNN Junior Addict

    Messages:
    37
    thanx

    thank you.. what does the SYSTEM do.. i mean cani also remove his.. what does this do??

    thank you you helped me alot
     
  12. BigPete

    BigPete OSNN Sexual Deviant

    Messages:
    69
    It gives the operating system control of the files, its not bad like it sounds. Unless the folder contains system or program files, you can remove SYSTEM from the list.

    And you're welcome for the help:)
     
  13. jonex

    jonex OSNN Junior Addict

    Messages:
    37
    one correction

    allow me to correct you.. it's right that it doesn't do anything to the folder but you can't save to the folder from for example IE so i guess it's ood to have it..

    well whatever maybe i'm wrong..
     
  14. BigPete

    BigPete OSNN Sexual Deviant

    Messages:
    69
    Hey, I dont believe what you are saying is true, as long as you have access to the folder, you should be able to save whatever you want to it. I am in Amsterdam right now and wont be home till Sunday night, when I can answer your question.

    Pete
     
  15. Hutch

    Hutch Guest

    Hey Big Pete,your brilliant man!theres no way i could have answered all that if i was in Amsterdam.:cool:
     
  16. Mike89

    Mike89 Guest

    I have a related question. What does encrypting do exactly?

    I read about it and even encrypted a small file. When I did it, I expected it to ask to put a password in or something. It didn't. So what happens when someone else tries to access that file?

    The help also referred to a key. What's that all about and how/why would someone use it? Where would the key be?

    You can see I'm not understanding all about it. Maybe my brain is encrypted and I just can find the key to get to it. Heh heh.
     
  17. Twink

    Twink Guest

    basically it stops any other user, even if the security allows them from using the document. the key is personal to each user.
     
  18. Mike89

    Mike89 Guest

    Well when I think of a key, I would assume I would have that key to lock something.

    Well when I did encrypt a file, there was no mention of a key in the process, in fact there was no process, just clicking a checkbox. So if a key was made, how come I don't know anything about it or have access to it?

    So the 'key' is just a meaning that only I can access the file or remove the encryption. So why would the word key even come up?
     
  19. BigPete

    BigPete OSNN Sexual Deviant

    Messages:
    69
    The downside to encryption is that anyone with the ability to log in as you can access that file, this is where the word "key" comes in. The "key" is directly linked to your username. Now, lets say that someone "stole" your computer or hard disk for that matter. Even though they can use another computer to read the contents of the drive, they will not be able to read anything that is encrypted, no matter what.

    Windows generates a unique key for you, which is stored on your computer and linked to your username as I stated before. Even if you created that same username on another computer, you still would not be able to access the encrypted file because the randomly generated key would be totally different.

    Making a back up of the key is like putting a spare key under the rug in the front of your house. If anything should happen, you can still access the files.

    File permissions and Encryption both rely heavily on your user password. If other people know your password or can login as you, then both are worthless. Encryption takes it a step further since the security is actually built into the file and no matter what, you arent going to get in without the "key".

    Hutch - When its 5 in the afternoon, raining, and cold as hell, you stop in the first dry place you can(EasyEverything) and chill. =)