Connecting to a shared folder w/ a different user account

There are a few questions I have about a connection I want to make to a shared folder that's on an NTFS volume.  What I wanted to achieve was to have a single, non-admin user account on that target machine to which I only know the password.  The shared folder would give that user account full control while denying full control to all other accounts including administrators.  In other words, if you forget the password, you cannot access the data unless you remove the hard drive itself from the machine.  I would think that this would make it difficult for the likes of Ransomware to encrypt the contents and my backups would be relatively safe.

Next would be to program a backup software to perform nightly backups to this folder.  In this example, I'm using Veeam Endpoint Protection.  The software is programmed with said user account and performs backups nightly.  I'm assuming that while Veeam uses the username and password to open a connection, other programs and users on that originating computer cannot.  In other words, Veeam has a private connection using said credentials.

Is this correct?  Please let me know what you think.
LVL 11
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPRetiredCommented:
Can't be done with permissions as an administrator can always take ownership. All you can do is encrypt the file/files.  In some cases one can use the SYSTEM account which has global god permissions
On the security tab of the shared folder properties, remove administrators after you add the user that needs full rights. The user you want to gave full rights can not be a member of the domain users group as that might restrict their access.
I.e. Security
Server\users of which domain users is a memeber set to read only
On the share tab, you can
Have setver\users read only
Your user full rights.

As was pointed out, administrators on a folder one level up can reassert their rights on subfolders.

Any admin will need to login onto the server where the share is to reassert.

Often backups use volume shadow copy, (snapshot) such that the backup would not interfere with user access to files. An open fire by a user however, will prevent the file backup.
Protecting backups against ransomware by using a dedicated backup account and only entitling that account to access the data is a good idea - there's nothing more to say.
btanExec ConsultantCommented:
Access granted based on least privileges. Whatever you do, please don’t use DOMAIN\Administrator for everything.
Good practice to use different credentials for backup storage. Consider authentication in the design and implement as much separation as possible from production workloads.
Also reduce the use of network shares as ransomware spreads from it. Common shares should be per individual granted wirh restricted access rights e.g. Read only etc. Nonetheless the Veeam endpoint agent setect if there are excessive write that increases the CPU resource.

Some good practices from Veeam on backup.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.