Profiles Question

Hello,
is one user profile can acess ither user
7 answers Last reply
More about profiles question
  1. The title of this topic has been edited by Buwish
  2. battinavenkat said:
    Hello,
    is one user profile can acess ither user


    Hello. No, normal user account could not access other users data stored inside their profile folders.
  3. If the user is administrator can access to any profile in the "Users" folder and it's the same for Domain users.
  4. saint19 said:
    If the user is administrator can access to any profile in the "Users" folder and it's the same for Domain users.
    That's not true, at least not directly. Users home folders are normally created with no access by administrators. An administrator can neither view the files nor change their security attributes to grant himself access.

    If an administrator wants to view files in someone else's profile, he first needs to "take ownership" of the files and folders - this then gives him the ability to change the access control lists so that he can see the files.

    Of course doing this means that the user no longer owns the files, and there's no UI way for the administrator to "give back" ownership, so if the user checks he'll be able to see that someone has compromised his security.
  5. sminlal said:
    That's not true, at least not directly. Users home folders are normally created with no access by administrators. An administrator can neither view the files nor change their security attributes to grant himself access.

    If an administrator wants to view files in someone else's profile, he first needs to "take ownership" of the files and folders - this then gives him the ability to change the access control lists so that he can see the files.

    Of course doing this means that the user no longer owns the files, and there's no UI way for the administrator to "give back" ownership, so if the user checks he'll be able to see that someone has compromised his security.


    That is not entirely true either. ;)

    While everything is correct as members of the Administrators group has the privilige/user right to take ownership and through that they can gain access to every file and folder, it is actually very possible to give back the ownership.

    The user right/privilige "Take ownership of files and other objects" in the Access Token has always given you the possibility to do so, and back in the Windows NT days there was no GUI for this. I used to do this at work with a command line called "chown.exe" which was great.

    However, in for example Windows 7 it is very simple to do this. Just be a member of Administrators, choose any file, go through the different properties-security-advanced-ownership and so on, and then you could just browse for any user to give the ownership to.
  6. ricno said:
    However, in for example Windows 7 it is very simple to do this. Just be a member of Administrators, choose any file, go through the different properties-security-advanced-ownership and so on, and then you could just browse for any user to give the ownership to.
    Ah, I wasn't aware of that, thanks for pointing it out!
  7. sminlal said:
    Ah, I wasn't aware of that, thanks for pointing it out!


    No problem! There was a somewhat silent change about this around Vista/Server 2008 I think.
Ask a new question

Read More

Security Windows 7