Re: Restricting Access to certain files

From: Doug Knox MS-MVP (dknox_at_mvps.org)
Date: 07/12/04 

Date: Mon, 12 Jul 2004 16:22:51 -0400

Uh, Chris, what about this scenario?

3 users
1) Doug (Administrator)
2) Bob (Limited User)
3) Administrator (Administrator)

Folder C:\Customer Information

Security Properties for the above folder:
1) User - Doug (has full control)
2) User - System (has full control)

All other Users and Groups are removed from this folder's Security properties page.

Why would Bob be able to access anything in the C:\Customer Information folder? Bob can see that the folder exists, but when he tries to open it, he gets access denied. Apply this same methodology, and allow inheritance of permissions, to the root directory of a drive and Bob can't even open the drive.

An Adminstrator can always adjust the permissions and security settings, but Bob is pretty well out of the picture.

The only thing you really need to be cautious of is the use of the Deny option, particularly when applying it to Groups (Deny Users denies everyone on the machine).

Windows XP Pro provides VERY granular control over who can access what on any physical disk. 

-- 
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.
 
""Chris Ard [MSFT]"" <ChrisArd@online.microsoft.com> wrote in message news:SkZpPpEaEHA.3748@cpmsftngxa06.phx.gbl...
> Not natively in XP no.  XP is not that granular.  You can do things such as 
> limit a user so they can only read a file but not modify it or delete it.
> What you are referring to is known as Digital Rights Management (DMR).  
> This is available as part of Office 2003 and Windows Server 2003.
> 
> http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.m
> spx
> 
> Chris Ard
> Security Support
> Microsoft Corporation
> 
> This posting is provided "AS IS" with no warranties, and confers no rights.
>

Relevant Pages

  • Re: How to verify whether an account is admin or not?
    ... OK Doug, but my name was rejected and it was the software that suggested NET ... can you throw any light on the Administrator being shown as "SUPPORT ... An error has occcurred in the script on this page. ... shows guest account off. ...
    (microsoft.public.windows.mediacenter)
  • Re: passwords
    ... Log in to any account that has Administrator access. ... Reboot to Safe Mode, select Administrator, leave password blank. ... If you are using Windows XP Pro and have encrypted data, ... "Doug Kanneman" wrote in message ...
    (microsoft.public.windowsxp.security_admin)
  • Email incorrectly routed to Administrator
    ... a thread like this was started a couple of months ago by Doug ... but lands in the Administrator account in SBS 2003. ... user listed as "Administrator" and all subscribers are BCC'd. ... There must be a way around this, but I am not an admin. ...
    (microsoft.public.windows.server.sbs)
  • Re: Change security with "runas"
    ... >Is there a way to access the security properties of a file/folder without ... >logging on as Administrator? ... Like "runas" a program where I can change the ... Type the Administrator password. ...
    (microsoft.public.windows.server.general)
  • Re: Administrator Logon Message
    ... Oh ic, thanks Doug ... you can only logon to the built-in Administrator ... account in Safe Mode. ...
    (microsoft.public.windowsxp.general)