Remove administrators from Local Profiles

Can anyone tell me how to prevent the Administrator Group from getting access automatically to any of the profiles under Documents and Settings?? ie. can Documents and Settings be setup such that when a new user logs in, their profile will only have the user and other "selected" users/groups with access to that profile?
I realise that anyone in the Administrators group will (probably) still be able to take ownership of the directory, I am just trying to "deter" prying....

Thanks
John.

Jason
Thu May 06 07:17:50 CDT 2004

* John <anonymous@discussions.microsoft.com>:
> Can anyone tell me how to prevent the Administrator Group from getting access automatically to any of the profiles under Documents and Settings?? ie. can Documents and Settings be setup such that when a new user logs in, their profile will only have the user and other "selected" users/groups with access to that profile??
> I realise that anyone in the Administrators group will (probably) still be able to take ownership of the directory, I am just trying to "deter" prying.....
>
> Thanks,
> John.

If you don't trust your administrators you have greater problems then
them poking around in areas they should be able to go to.

Jason

anonymous
Thu May 06 16:56:06 CDT 2004

A little bit more information.....
Due to the "unfriendly" software that we need to install, all users logged on to the PC need to be in the Administrators group to successfully run it.... Therefore, we still wish to maintain a 'certain' degree of privacy on the users files - hence remove "Administrators" from the security...

John.

Stanlay
Sat May 08 04:17:14 CDT 2004

Am Thu, 6 May 2004 05:06:03 -0700 schrieb John:

> Can anyone tell me how to prevent the Administrator Group from getting access automatically to any of the profiles under Documents and Settings?? ie. can Documents and Settings be setup such that when a new user logs in, their profile will only have the user and other "selected" users/groups with access to that profile??
> I realise that anyone in the Administrators group will (probably) still be able to take ownership of the directory, I am just trying to "deter" prying.....
>
> Thanks,
> John.

the only secure way will be encrypting these files... there are several
very good tools existing for such jobs like pgp which is also availible as
freeware!

Kent
Sun May 09 23:20:39 CDT 2004

john wrote:

> A little bit more information...... Due to the "unfriendly" software
> that we need to install, all users logged on to the PC need to be in
> the Administrators group to successfully run it.... Therefore, we
> still wish to maintain a 'certain' degree of privacy on the users
> files - hence remove "Administrators" from the security....
>
> John.

When you first create an account password using the User Accounts
control panel, if you are logged into that account, the GUI will ask if
you want to "make the files private". This removes access from the
Administrators and Users groups so that only the user that owns the
profile can read the files (and SYSTEM still has access). Of course, any
Administrator can "take ownership" of the profile and add read/write
permission back in order to view the private files.

You might try running the recalcitrant software with accounts in the
Power Users group (XP Pro only) as an alternative to having the users be
in the Administrators group. If this works, then your files will stay a
bit more private.

You must be using NTFS for these access controls to work.

--
Kent W. England, Microsoft MVP for Windows Security

anonymous
Wed May 12 17:36:02 CDT 2004

Kent, thanks for the info, but the users we are talking about are domain users, therefore we don't get a choice in the matter! So, what does say "make my files private" actually do, and is it possible to set it up automatically?

Thanks....

Kent
Wed May 12 22:32:52 CDT 2004

John wrote:

> Kent, thanks for the info, but the users we are talking about are
> domain users, therefore we don't get a choice in the matter! So, what
> does say "make my files private" actually do, and is it possible to
> set it up automatically??
>

I don't know about domain usage, since that is greatly affected by the
Group Policy objects.

--
Kent W. England, Microsoft MVP for Windows Security