Solved

possible to hide user data from Administrator?

Posted on 2003-03-16
Last Modified: 2010-04-13
I work on my own PC with an administrator account so that I can operate Internet Services Manager, since I use IIS to test websites.

My boss wants me to share a computer with him. Is there any way I will be able to manage the web server in order to test websites and yet be unable to access his data, which he would like to keep private? I will also be the only user who can install programs.

Thanks in Advance.
0
Question by:Avikohl
 
LVL 12

Expert Comment

by:trywaredk
ID: 8146402
Please specify who is sharing what:

1. Your boss wants to be able to read/modify everything on Your hard disc?
2. Your boss wants that You will be able to install programs on his hard disc?
3. On which disc is the IIS installed, Yours or Your boss's or a separate server?
4. Are You member of Global Domain Admin Group?

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 8146446
what OS?
with w2k/XP Pro he can password protect and even encrypt his data
and he won't even need to be a member of the admin group
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 8146449
Doh, this Q is in the w2k area, so I'm guessing w2k
check out encryption in the help file
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8146476
AVIKOHL... Remember, if You choose to let Your boss password protect his files, that domain admins can't help, if Your boss forgets his password to these files.
0
 
LVL 3

Expert Comment

by:mfutty
ID: 8146658
Tell him not to surf sites that he doesn't want other people to see! (just kidding - couldn't resist)
0
 
LVL 1

Expert Comment

by:Mcscotsman
ID: 8147084
You can create two accounts:

Boss
Admin

Both could be administrators.

Boss logs in and creates a directory. Boss removes all users from directory's permissions except for boss (who has full control.) OR boss could deny access to user admin if he wants to keep other groups in. Boss should not deny access to administrators group. If boss is concerned with the data, then the data is worthy of being backed up. He can also do the same for his profile directory.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8147270
MCSCOTSMAN...
"Both could be administrators."
"boss could deny access to user admin"

If both are administrators (members of local admin group) boss can't keep admin from anything
0
 
LVL 1

Expert Comment

by:Mcscotsman
ID: 8148260
Trywaredk-

Sorry, but denying the specific user "admin" will work. You know: "If admin is a member of the local administrator group and that group has been assigned read and write permissions for the specified folder- but admin has been specifically denied access- then what are admin's effective rights? Answer- Denied. Rights are cumulative- except when specifically denied."
0
 
LVL 1

Expert Comment

by:IanAtkin
ID: 8151116
How about using the Encrypted Filesystem?

Your boss could simply encrypt the directory he wants secured. Only he could then read the files, regardless of the administrative permissions.

see:
http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp

http://support.microsoft.com/default.aspx?scid=KB;en-us;q223316

Ian./
0
 
LVL 1

Expert Comment

by:IanAtkin
ID: 8151128
I see StevenLewis already mentioned EFS. Is this not an option?
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 150 total points
ID: 8154437
MCSCOTSMAN... "Rights are cumulative- except when specifically denied."

Yes, and being a member of the local admin group means that You can disable this setting again.

Local admin group means what it says. Members can do what they like, and You can't do anything about that with NTFS permissions.
0
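The disagreement in this thread, as an added example that is not part of any poster's comment: a simplified Python model of the NTFS access check in which an explicit deny entry blocks the `admin` account, and the same account then takes ownership and rewrites the permission list. The account names, the three rights bits and the `scenario` helper are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

READ, WRITE_DAC, WRITE_OWNER = 0x1, 0x2, 0x4   # simplified access-right bits

@dataclass
class Ace:
    kind: str      # "deny" or "allow"
    trustee: str   # user or group name
    mask: int

@dataclass
class Folder:
    owner: str
    dacl: list = field(default_factory=list)

@dataclass
class Token:
    user: str
    groups: frozenset = frozenset()
    take_ownership: bool = False   # SeTakeOwnershipPrivilege, held by Administrators by default

def access_check(token, folder, wanted):
    sids = {token.user} | token.groups
    granted = 0
    if folder.owner in sids:
        granted |= WRITE_DAC        # the owner may always rewrite the DACL
    if token.take_ownership:
        granted |= WRITE_OWNER      # the privilege is honoured regardless of the DACL
    for ace in folder.dacl:         # evaluated in stored order, deny entries first
        if (granted & wanted) == wanted:
            break
        if ace.trustee not in sids:
            continue
        if ace.kind == "deny" and ace.mask & wanted & ~granted:
            return False
        if ace.kind == "allow":
            granted |= ace.mask
    return (granted & wanted) == wanted

def scenario():
    admins = frozenset({"Administrators"})
    admin = Token("admin", admins, take_ownership=True)
    folder = Folder("boss", [Ace("deny", "admin", READ | WRITE_DAC),
                             Ace("allow", "boss", READ | WRITE_DAC),
                             Ace("allow", "Administrators", READ)])
    result = {"deny_blocks_read": not access_check(admin, folder, READ)}
    if access_check(admin, folder, WRITE_OWNER):   # take ownership
        folder.owner = "admin"
    if access_check(admin, folder, WRITE_DAC):     # the new owner rewrites the DACL
        folder.dacl = [Ace("allow", "admin", READ)]
    result["read_after_reset"] = access_check(admin, folder, READ)
    return result
```

Both values come back `True`: the deny entry does win the access check, and it lasts only until a member of the local Administrators group changes it.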
 
LVL 1

Expert Comment

by:Mcscotsman
ID: 8154548
trywaredk-

My parachute was not fully deployed.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8154741
;o) MCSCOTSMAN... Install more RAM
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8438590
:o) glad I could help you

BTW - Be careful with the local admin group

PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation.

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734



IF YOU WANT TO TEST IT:
You have to add a Domain User Group to the Local Admin Group on BOTH test workstations, AND log out and log on again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k at the moment You press ENTER after the password when logging on.

Please reply, when You have removed the Domain User Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
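One way to audit for the two rules in the comment above, as an added example that is not from the thread: a Python sketch that reads `net localgroup Administrators` output collected from several workstations and reports every domain account or group that is a local administrator on more than one of them. The host names, the `EXAMPLE` domain, the sample output and the decision to exempt `Domain Admins` are all assumptions.

```python
from collections import defaultdict

HEADER = ("Alias name     Administrators\n"
          "Comment        Administrators have complete and unrestricted access\n\n"
          "Members\n\n" + "-" * 79 + "\n")
FOOTER = "The command completed successfully.\n"

def fake_output(names):
    """Build constructed `net localgroup Administrators` output (not real data)."""
    return HEADER + "".join(n + "\n" for n in names) + FOOTER

SAMPLE = {  # constructed sample: host name -> command output
    "WS01": fake_output(["Administrator", r"EXAMPLE\Domain Admins",
                         r"EXAMPLE\Domain Users", r"EXAMPLE\avi"]),
    "WS02": fake_output(["Administrator", r"EXAMPLE\Domain Admins",
                         r"EXAMPLE\Domain Users", r"EXAMPLE\boss", r"EXAMPLE\avi"]),
}

def members(output):
    """Return the member names listed between the dashed rule and the footer."""
    lines = output.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----")) + 1
    found = []
    for line in lines[start:]:
        if line.startswith("The command completed"):
            break
        if line.strip():
            found.append(line.strip())
    return found

def audit(outputs, expected=("Domain Admins",)):
    """Map each domain principal that is a local admin on more than one host to those hosts."""
    seen = defaultdict(set)
    for host, text in outputs.items():
        for member in members(text):
            domain, sep, name = member.partition("\\")
            # Skip purely local accounts and the assumed-legitimate exemptions.
            if sep and domain.upper() != host.upper() and name not in expected:
                seen[member].add(host)
    return {m: sorted(hosts) for m, hosts in seen.items() if len(hosts) > 1}
```

The command output does not say whether a member is a user or a group, so a domain group added on every workstation and a domain user added on a second workstation are reported the same way.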
