Avikohl

possible to hide user data from Administrator?

I work on my own PC with an administrator account so that I can operate Internet Services Manager, since I use IIS to test websites.

My boss wants me to share a computer with him. Is there any way I will be able to manage the web server in order to test websites and yet be unable to access his data, which he would like to keep private? I will also be the only user who can install programs.

Thanks in Advance.
trywaredk

Please specify who is sharing what:

1. Your boss wants to be able to read/modify everything on Your hard disc?
2. Your boss wants that You will be able to install programs on his hard disc?
3. On which disc is the IIS installed, Yours or Your boss's or a separate server?
4. Are You a member of the Global Domain Admin Group?

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
stevenlewis

what OS?
with w2k/XP Pro he can password protect and even encrypt his data
and he won't even need to be a member of the admin group
Doh, this Q is in the w2k area, so I'm guessing w2k
check out encryption in the help file
AVIKOHL... Remember, if You choose to let Your boss password protect his files, that domain admins can't help, if Your boss forgets his password to these files.
Tell him not to surf sites that he doesn't want other people to see! (just kidding - couldn't resist)
You can create two accounts:

Boss
Admin

Both could be administrators.

Boss logs in and creates a directory. Boss removes all users from the directory's permissions except for boss (who has full control), OR boss could deny access to user admin if he wants to keep other groups in. Boss should not deny access to the administrators group. If boss is concerned with the data, then the data is worthy of being backed up. He can also do the same for his profile directory.
MCSCOTSMAN...
"Both could be administrators."
"boss could deny access to user admin"

If both are administrators (members of local admin group) boss can't keep admin from anything
Trywaredk-

Sorry, but denying the specific user "admin" will work. You know: "If admin is a member of the local administrator group and that group has been assigned read and write permissions for the specified folder, but admin has been specifically denied access, then what are admin's effective rights?" Answer: Denied. Rights are cumulative, except when specifically denied.
How about using the Encrypted Filesystem?

Your boss could simply encrypt the directory he wants secured. Only he could then read the files, regardless of the administrative permissions.

see:
http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp

http://support.microsoft.com/default.aspx?scid=KB;en-us;q223316

Ian./
I see StevenLewis already mentioned EFS. Is this not an option?
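
Added example (not part of any post in this thread): a simplified Python model of the Windows DACL access check, illustrating the exchange above about denying the user "admin" while both accounts are administrators. It shows the explicit deny winning the access check, and also that an account holding SeTakeOwnershipPrivilege (held by the Administrators group by default) can still take ownership and rewrite the DACL, which is why the thread turns to EFS. The classes, constants and sample folder are constructed for illustration and are not a Windows API.

```python
# Simplified model of DACL evaluation; all names here are constructed.
READ, WRITE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 1, 2, 4, 8, 16
FULL = READ | WRITE | READ_CONTROL | WRITE_DAC | WRITE_OWNER

class Token:
    def __init__(self, user, groups, privileges=()):
        self.user = user
        self.sids = {user, *groups}          # user plus group memberships
        self.privileges = set(privileges)

class SecuredObject:
    def __init__(self, owner, dacl):
        self.owner = owner
        self.dacl = list(dacl)               # ordered ACEs: (type, sid, mask)

def access_check(token, obj, desired):
    """Return True only if every requested right in `desired` is granted."""
    remaining = desired
    if obj.owner in token.sids:              # owner implicitly may read/write the DACL
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    if "SeTakeOwnershipPrivilege" in token.privileges:
        remaining &= ~WRITE_OWNER            # privilege bypasses the DACL for this right
    for ace_type, sid, mask in obj.dacl:     # ACEs are evaluated in order
        if remaining == 0:
            break
        if sid not in token.sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False                     # explicit deny beats later allows
        if ace_type == "allow":
            remaining &= ~mask
    return remaining == 0

def take_ownership_and_reset(token, obj):
    """Model of an administrator regaining access despite a deny ACE."""
    if not access_check(token, obj, WRITE_OWNER):
        return False
    obj.owner = token.user
    if not access_check(token, obj, WRITE_DAC):
        return False
    obj.dacl = [("allow", token.user, FULL)]
    return True

def thread_folder():
    # Constructed sample: boss owns the folder and denies the user "admin".
    return SecuredObject("boss", [("deny", "admin", FULL),
                                  ("allow", "boss", FULL),
                                  ("allow", "Administrators", FULL)])

ADMIN = Token("admin", {"Administrators"}, {"SeTakeOwnershipPrivilege"})
BOSS = Token("boss", {"Administrators"}, {"SeTakeOwnershipPrivilege"})
```

An ownership change like this is visible on the folder's security properties, and encrypted file contents stay unreadable to the new owner without the key.
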
ASKER CERTIFIED SOLUTION
trywaredk
trywareddk-

My parachute was not fully deployed.
;o) MCSCOTSMAN... Install more RAM
:o) glad I could help you

BTW - Be careful with the local admin group

PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation.

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
https://www.experts-exchange.com/questions/20506528/DomainUsers-in-LocalAdminGroup.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734



IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain User Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open