Improve company productivity with a Business Account.Sign Up

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7988
  • Last Modified:

Password protected folder on Windows 2008 server share?

I'm a network administrator, it's a Windows 2008 file server and Windows XP/7 network with domain. Each user login to domain with their password.
The problem is, how can I secure the folder by password, not by user permission.
We have a few managers, each manager has 2 or 3 assistants (or secretary), these assistants know the manager's Windows login password, so when the manager is not in the office, they can access their computer to get information to assistant our customers.
But each manager has some confidential documents on the share on file server which are not supposed to expose to these assistants. I think if I can put a password on these folders then the manager can access them but assistant.
In Outlook I have done it by assign password to PST files, but in Windows obviously there is no easy way to do it.
(Please do not recommend use different login on the computer, it's too complicated for the end user to understand user profiles.)
6 Solutions
There seems to be some confusion here about terminology. Regardless of what Ondrej has posted up to this point, there is no way in Windows (any version) to password protect a shared folder, it simply is not possible without some kind of 3rd party software

There are a few utilities to do this but none that I know of that are free...
Windows has the ability to encrypt folders. However, in your case this is not useful because they know the password and can log in as the user and still view the file.

The only option left in this case is to use third party application that you install on the user's PC to protect the folder.

I recommend:

But you can try to find free software that can do it, like: - I think it only does files
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Giovanni HewardCommented:
@urbuddy: Consider the information security concepts of availability, integrity, confidentiality, and accountability.  Accountability would dictate that each assistant must be given their own unique username.  This way you can audit and track changes made by individual assistants while avoiding exposure of manager credentials and giving assistants plausible deniability.

Once the accountability and confidentiality considerations are taken into account, you may then apply permissions as needed.  Consider creating an assistants group for each manager and using that group object when applying permissions to relevant files.

In short, create a unique user for each assistant, create assistant groups as needed, have the managers change their passwords, and apply proper file permissions.

If this creates the perception of "too much administrative overhead" due to frequent turnover, etc., at the very least consider creating a dedicated "assistant" user object and apply permissions at that level, and then have your managers change their passwords.

No need to add additional layers of security if you incorporate best practices.
Use peazip or any other zipper program to encrypt the folder with a password
urbuddyAuthor Commented:
Thank you all for the reply!
The problem is, there are a few proprietary software that installed on the manager's PC, the assistants need to access them. If I create a new user account for the assistant, then this would created new user profiles on the computer, these would involve in reconfiguration of the software, licensing, etc etc.
Logically the first solution to think about is to create user accounts for each assistants, but it just does not work in my case.
The most folder encryption utilities only work on local drive, not a network shared drive. These managers needs to share the "password protected folders". Not just encrypt a file.
I can setup another stand along file server (not part of domain) and store file there with different login password, that is my last resort if I can not get a better solution here.
I'll take a look at the links that provided here.
David Johnson, CD, MVPOwnerCommented:
these assistants know the manager's Windows login password, so when the manager is not in the office, they can access their computer to get information to assistant our customers.

I know why this has been done (for reasons of convenience) and it breaks every tenet of windows security.  It is out and out the wrong way to do things. Since more than 1 person knows the username / password combination then there is no way that you can prove who did what and when. Was it the manager or was it one of the assistants? Which assistant? You will never be able to prove it. Even as an enterprise administrator I don't know your password. I can reset it but that action leaves an identifiable record and the user will know right away that the password has been changed since their password will no longer work.

Truecrypt is a good option for you in the short time just as long as the password is not again shared (for convenience)..  Security is always at odds with convenience.  Going through TSA scanners and removing ones shoes is inconvenient but in order to fly you have to put up with it.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now