Password protected folder on Windows 2008 server share?

Posted on 2013-06-28
Medium Priority
Last Modified: 2013-07-02
I'm a network administrator, it's a Windows 2008 file server and Windows XP/7 network with domain. Each user login to domain with their password.
The problem is, how can I secure the folder by password, not by user permission.
We have a few managers, each manager has 2 or 3 assistants (or secretary), these assistants know the manager's Windows login password, so when the manager is not in the office, they can access their computer to get information to assistant our customers.
But each manager has some confidential documents on the share on file server which are not supposed to expose to these assistants. I think if I can put a password on these folders then the manager can access them but assistant.
In Outlook I have done it by assign password to PST files, but in Windows obviously there is no easy way to do it.
(Please do not recommend use different login on the computer, it's too complicated for the end user to understand user profiles.)
Question by:urbuddy
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 10

Assisted Solution

honestman31 earned 168 total points
ID: 39285535
There seems to be some confusion here about terminology. Regardless of what Ondrej has posted up to this point, there is no way in Windows (any version) to password protect a shared folder, it simply is not possible without some kind of 3rd party software

LVL 24

Assisted Solution

smckeown777 earned 166 total points
ID: 39285537
There are a few utilities to do this but none that I know of that are free...


Assisted Solution

dec0mpile earned 166 total points
ID: 39285554
Windows has the ability to encrypt folders. However, in your case this is not useful because they know the password and can log in as the user and still view the file.

The only option left in this case is to use third party application that you install on the user's PC to protect the folder.

I recommend: http://www.winability.com/folderguard/

But you can try to find free software that can do it, like:
http://www.axantum.com/Start.html - I think it only does files
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 166 total points
ID: 39285568
@urbuddy: Consider the information security concepts of availability, integrity, confidentiality, and accountability.  Accountability would dictate that each assistant must be given their own unique username.  This way you can audit and track changes made by individual assistants while avoiding exposure of manager credentials and giving assistants plausible deniability.

Once the accountability and confidentiality considerations are taken into account, you may then apply permissions as needed.  Consider creating an assistants group for each manager and using that group object when applying permissions to relevant files.

In short, create a unique user for each assistant, create assistant groups as needed, have the managers change their passwords, and apply proper file permissions.

If this creates the perception of "too much administrative overhead" due to frequent turnover, etc., at the very least consider creating a dedicated "assistant" user object and apply permissions at that level, and then have your managers change their passwords.

No need to add additional layers of security if you incorporate best practices.

Assisted Solution

nate0187 earned 166 total points
ID: 39285597
Use peazip or any other zipper program to encrypt the folder with a password

Author Comment

ID: 39285644
Thank you all for the reply!
The problem is, there are a few proprietary software that installed on the manager's PC, the assistants need to access them. If I create a new user account for the assistant, then this would created new user profiles on the computer, these would involve in reconfiguration of the software, licensing, etc etc.
Logically the first solution to think about is to create user accounts for each assistants, but it just does not work in my case.
The most folder encryption utilities only work on local drive, not a network shared drive. These managers needs to share the "password protected folders". Not just encrypt a file.
I can setup another stand along file server (not part of domain) and store file there with different login password, that is my last resort if I can not get a better solution here.
I'll take a look at the links that provided here.
LVL 83

Accepted Solution

David Johnson, CD, MVP earned 168 total points
ID: 39285872
these assistants know the manager's Windows login password, so when the manager is not in the office, they can access their computer to get information to assistant our customers.

I know why this has been done (for reasons of convenience) and it breaks every tenet of windows security.  It is out and out the wrong way to do things. Since more than 1 person knows the username / password combination then there is no way that you can prove who did what and when. Was it the manager or was it one of the assistants? Which assistant? You will never be able to prove it. Even as an enterprise administrator I don't know your password. I can reset it but that action leaves an identifiable record and the user will know right away that the password has been changed since their password will no longer work.

Truecrypt is a good option for you in the short time just as long as the password is not again shared (for convenience)..  Security is always at odds with convenience.  Going through TSA scanners and removing ones shoes is inconvenient but in order to fly you have to put up with it.

Featured Post

How Blockchain Is Impacting Every Industry

Blockchain expert Alex Tapscott talks to Acronis VP Frank Jablonski about this revolutionary technology and how it's making inroads into other industries and facets of everyday life.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question