Dis­cover how to take back con­trol of Win­dows, with help from Nick Peers


Ever felt you’re los­ing con­trol of your PC? If you share it with other users—fam­ily mem­bers or friends, for ex­am­ple—it can be a frus­trat­ing ex­pe­ri­ence. First, there’s the need to keep your own data pri­vate from other peo­ple, then there’s the worry about what they might be do­ing be­hind your back. Win­dows has tools for man­ag­ing chil­dren’s use, but what hap­pens to a PC that’s shared be­tween a group of con­sent­ing adults— even those who should know bet­ter?

In this fea­ture, we’re go­ing to ex­am­ine two prin­ci­pal ways in which you can re­gain con­trol of your PC. The first is through user ac­counts. We’ll re­veal a tech­nique whereby ev­ery­one—in­clud­ing your­self —gets their level of ac­cess re­duced on a day-to-day level, tight­en­ing se­cu­rity, and pre­vent­ing the hap­haz­ard in­stal­la­tion of soft­ware and in­ju­di­cious tweak­ing of sys­tem set­tings. The se­cret to this tip is to cre­ate a mas­ter Ad­min ac­count— pass­word-pro­tected, of course—which is re­quired when­ever any el­e­vated ac­cess (in­clud­ing the in­stal­la­tion of many pro­grams) is re­quired.

We’ll also look at a tool those run­ning Win­dows 10 Pro­fes­sional can em­ploy in con­junc­tion with user ac­counts—namely the Lo­cal Group Pol­icy Editor—to tighten things fur­ther, giv­ing you com­plete con­trol over re­stric­tions on a user-by-user ba­sis. We’ll show you how to re­store the Guest ac­count that Mi­crosoft has mys­te­ri­ously dropped in Win­dows 10, too.

Then we’ll ex­am­ine how you can con­trol ac­cess to in­di­vid­ual files and fold­ers through per­mis­sions—af­ter re­mind­ing you to take pre­cau­tions, we’ll delve into how you can make peo­ple’s fold­ers pri­vate, while block­ing their ac­cess to other parts of your sys­tem (in­clud­ing in­di­vid­ual pro­grams, if re­quired). There’s even time for trou­bleshoot­ing file per­mis­sions is­sues (both those caused by your fid­dling and those cre­ated by Win­dows it­self), find­ing out the best way to trans­fer to a new PC, and in­te­grat­ing your OneDrive stor­age bet­ter into your user fold­ers. The end re­sult? A PC that may be shared with oth­ers, but which re­mains your own, is un­der more con­trol and bet­ter se­cured.

Let’s open with some­thing that might seem counter-in­tu­itive: Step one to re­claim­ing own­er­ship of your PC is to re­duce your level of ac­cess to it. Yes, you heard right—one of the most ef­fec­tive ways in which you can se­cure con­trol of your PC is to down­grade your user ac­count to that of a Stan­dard User.

Why would you do this? First, it re­duces your PC’s ex­po­sure to po­ten­tial harm—now, in­stead of sim­ply wav­ing through re­quests for el­e­vated ac­cess with a sim­ple click of the mouse, you need to in­voke a sep­a­rate Ad­min­is­tra­tor ac­count (and pass­word) in­stead. The in­con­ve­nience of do­ing so is out­weighed by the fact that it forces you to pause and con­firm what the di­a­log is there for—no more lazily wav­ing through some­thing ma­li­cious by mis­take.

It’s also es­sen­tial if you share your PC with oth­ers—by down­grad­ing ev­ery­one, they’re forced to ei­ther use the Ad­min pass­word (if you’ve shared it with them), or ask your per­mis­sion be­fore clut­ter­ing up your PC with more un­wanted soft­ware.

The first step of this process in­volves cre­at­ing a new Ad­min­is­tra­tor ac­count— click “Start > Set­tings > Ac­counts > Fam­ily & other users,” then click “Add some­one else to this PC” un­der “Other users.” Choose “I don’t have this per­son’s sign-in in­for­ma­tion,” fol­lowed by “Add a user with­out a Mi­crosoft ac­count.” Name the ac­count “Ad­min,” then en­ter a se­cure pass­word, be­fore click­ing “Next.”

With the ac­count set up, you next need to make it an Ad­min­is­tra­tor ac­count—se­lect the ac­count un­der “Other users,” and click “Change ac­count type” to con­vert it to Ad­min­is­tra­tor. You’re now ready to log off your own ac­count and change it. Be­fore do­ing so, con­sider switch­ing your­self to a Mi­crosoft Ac­count, if you haven’t al­ready done so. It makes in­stalling apps from the Mi­crosoft Store eas­ier, for starters—they’re sand­boxed to your lo­cal ac­count folder, so don’t re­quire el­e­vated priv­i­leges.

Sign out of your ac­count, and log in as Ad­min (wait while the ac­count is first set up). Re­turn to the “Fam­ily & other users” screen, where you’ll see your own ac­count listed. Se­lect this, click “Change ac­count type,” then re­duce it to Stan­dard user. Re­peat for all other users of your PC.

Now, when you have to per­form any ad­min­is­tra­tive tasks, you’re prompted to se­lect an Ad­min­is­tra­tor ac­count (“Ad­min” should be pre-se­lected by de­fault), and en­ter its pass­word to pro­ceed. You can make this step a bit eas­ier by as­sign­ing a more mem­o­rable PIN num­ber, and en­ter­ing that in­stead—do this now via the “Sign-in op­tions” screen (click “Add” un­der “PIN”).

Once done, sign out of Ad­min, and log back into your own ac­count. For ad­di­tional

se­cu­rity, type “UAC” into the Search box, and click “Change User Ac­count Con­trol Set­tings”—you’ll see your first se­cu­rity prompt, re­quir­ing you to en­ter your Ad­min pass­word or PIN. Ver­ify the slider has been set to the top level.

One of the most vis­i­ble ways in which your ac­cess has been down­graded is seen when you open the Set­tings app—it’s now less func­tional than it was be­fore, be­cause all sys­tem-wide set­tings are now off lim­its. To get at them re­quires log­ging into the Ad­min ac­count di­rectly (do this quickly via the Start menu—click your user pic­ture at the top of the menu, and se­lect “Ad­min” to switch user with­out log­ging out). Or does it? In fact, most sys­tem-wide set­tings re­main ac­ces­si­ble via the clas­sic Con­trol Panel— just en­ter your Ad­min pass­word to ac­cess them when prompted.

Use Group Pol­icy set­tings

If you’re run­ning Win­dows 10 Pro­fes­sional, you can set fur­ther re­stric­tions on a userby-user ba­sis us­ing the Lo­cal Group Pol­icy Editor—launch gpedit.msc to take a tour. It’s a lit­tle baf­fling for first-time users, so take the time to ex­plore its set­tings, and make sure you take a drive image be­fore you be­gin—it’s very easy to lock your­self out of your sys­tem. Most Group Pol­icy set­tings are ba­si­cally Reg­istry ed­its, and if you’re run­ning Win­dows 10 Home Edi­tion, you can em­u­late most of these with the cor­rect set­ting. Thank­fully, Mi­crosoft has pro­vided a handy ref­er­ence guide con­tain­ing each pol­icy’s set­ting and its equiv­a­lent Reg­istry en­try—go to www.mi­ en- us/down­load/de­tails. aspx?id=25250, and se­lect “Win­dows 10 ADMX spread­sheet. xlsx” when prompted.

By de­fault, gpedit.msc shows the Lo­cal Com­puter Pol­icy set­tings, which means the set­tings are ap­plied across your en­tire PC. For a more gran­u­lar ap­proach, in­volv­ing a sin­gle user or group, you need to ap­ply a cus­tom­ized Lo­cal Group Pol­icy in­stead. Press Win-R, type “mmc,” and hit En­ter. Choose “File > Add/Re­move Snap-in.” Se­lect “Group Pol­icy Ob­ject Editor” from the left-hand pane, and hit “Add.” Click the “Browse” but­ton, and se­lect the “Users” tab. Choose your tar­get user (your­self, say) or group (“Non-Ad­min­is­tra­tors,” for ex­am­ple), and then click “OK > Fin­ish > OK.” Now choose “File > Save” to save a copy some­where ac­ces­si­ble (go­ing for­ward, you would dou­ble-click this file to view and edit it).

With the tem­plate in place, you can now start to cus­tomize set­tings or re­strict ac­cess. The Ad­min­is­tra­tive Tem­plates sec­tion is a good first port of call. Se­lect a sec­tion, then click on a set­ting in the right­hand pane to read a de­scrip­tion of what it does. Dou­ble-click it to make a change— this usu­ally means en­abling or dis­abling the pol­icy, but some­times you also get other op­tions based on your set­tings, too. Make a note of the ini­tial set­ting (typ­i­cally “Not con­fig­ured”), in case you ever need to re­set your poli­cies.

If you want to block ac­cess to a spe­cific pro­gram that’s been in­stalled, ex­pand “Win­dows Set­tings > Se­cu­rity Set­tings > Soft­ware Re­stric­tion Poli­cies,” and choose “Ac­tion > New Soft­ware Re­stric­tions Pol­icy.” Se­lect “Ad­di­tional Rules,” then “Ac­tion > New Path Rule.” Click “Browse” to se­lect the par­ent folder of a pro­gram you wish to block, leave “Se­cu­rity level” set to “Dis­al­lowed,” and pro­vide a de­scrip­tion to help iden­tify the rule go­ing for­ward. Click “OK.” Se­lect “File > Save,” then close the win­dow, and re­boot your PC. Test the rule by log­ging into the user ac­count in ques­tion, then try launch­ing the pro­gram—you should see a mes­sage telling you it’s blocked.

Sadly, this gran­u­lar level of con­trol is re­stricted to Win­dows 10 Pro­fes­sional users only. How­ever, you don’t need to try to en­force Fam­ily Safety on your 30-some­thing room-mate in order to re­strict their ac­cess to pro­grams—you can achieve much the same thing through the use of per­mis­sions.

File and folder per­mis­sions

Win­dows’ NTFS filesys­tem ap­plies per­mis­sions to files, fold­ers, and other ob­jects (even in­di­vid­ual Reg­istry en­tries). This gives you con­trol over your PC by spec­i­fy­ing which users and groups have ac­cess to which files and fold­ers, and what level of ac­cess they have.

By way of ex­pla­na­tion, open the C:\ Users folder to view each in­di­vid­ual user’s per­sonal folder. In­side here are their per­sonal di­rec­to­ries (Doc­u­ments, Down­loads, and so on), and var­i­ous other ac­count-spe­cific files and set­tings. Try to open a folder other than your own user direc­tory, and you get an “Ac­cess De­nied” er­ror. All well and good—ex­cept that if you’re run­ning as an ad­min­is­tra­tor, you’re

prompted to click “Con­tinue” to be granted ac­cess to the folder. Not ex­actly se­cure.

Para­noid users wish­ing to keep spe­cific files and fold­ers pri­vate should in­ves­ti­gate a third-party en­cryp­tion app, such as the open-source Ver­acrypt ( https://ver­acrypt. code­, where you cre­ate a pass­word-pro­tected “file con­tainer,” which acts like a vir­tual drive, in­side which you store your most sen­si­tive files.

How­ever, if you’re the only one with ac­cess to the Ad­min ac­count on your PC, and you trust your­self not to abuse that power, then Win­dows’ NTFS per­mis­sions are ad­e­quate for ba­sic pri­vacy. To view a folder or file’s per­mis­sions, right-click it, choose “Prop­er­ties,” and switch to the “Se­cu­rity” tab. You need read-only ac­cess to the item in order to view its per­mis­sions; if this is the case, you’ll see a list of “Group or user names,” plus per­mis­sions for the se­lected group or user.

Groups are ba­si­cally col­lec­tions of users, and in­clude the fol­low­ing: Ad­min­is­tra­tors, Users, SYS­TEM, and Ev­ery­one. Any­one who is a stan­dard user is part of the Users group, for ex­am­ple, while Ev­ery­one is a group de­signed to al­low you to set univer­sal per­mis­sions for ev­ery sin­gle per­son who uses your PC.

Per­mis­sions con­sist of var­i­ous types: Read, Write, Read & Ex­e­cute, List Folder Con­tents (fold­ers only), Mod­ify, and Full Con­trol. Some per­mis­sions are a com­bi­na­tion of oth­ers—for ex­am­ple, Mod­ify al­lows you to read, write, and delete, so both Read and Write per­mis­sions are set to “Al­low” if Mod­ify is. Read & Ex­e­cute pro­vides you with both read ac­cess to a

file, plus the abil­ity to ex­e­cute it—vi­tal for pro­gram and script files, for ex­am­ple— and it’s this at­tribute you can tweak to block in­di­vid­ual users’ ac­cess to spe­cific pro­grams, as we’ll see shortly. Fi­nally, Full Con­trol ba­si­cally gives you carte blanche— read, write, ex­e­cute, delete, and so on.

Change per­mis­sions

File per­mis­sions are a dan­ger­ous sub­ject— it’s all too easy to lock your­self out of a file, or even mess up your en­tire Win­dows in­stal­la­tion, if you screw around with no real thought for the con­se­quences. So, be­fore you be­gin, con­sult our backup fea­ture from the June is­sue for ad­vice on tak­ing a full Win­dows drive image, which you can roll back to should the worst hap­pen.

Sec­ond, limit your­self to tweak­ing per­mis­sions for non-sys­tem files and fold­ers. That means mak­ing any of the root fold­ers on drive C off lim­its—even with pro­grams, you’ll want to limit your­self to a spe­cific sub-folder in­side Pro­gram Files and Pro­gram Files (x86). In­stead, fo­cus on in­di­vid­ual user fold­ers, or fold­ers and files you’ve got stored on a data par­ti­tion or drive.

Third, you don’t nec­es­sar­ily need to be logged on as an ad­min­is­tra­tor to make changes to a file or folder’s per­mis­sions. Two types of user can mod­ify per­mis­sions— any mem­ber of the Ad­min­is­tra­tors group (so your Ad­min user, for ex­am­ple), and the “owner” of the item in ques­tion. Who’s the owner? Typ­i­cally, this is the user ac­count that cre­ated the file—for ex­am­ple, when you set up and save a new doc­u­ment, the file is as­signed to you as owner. Note you can edit per­mis­sions us­ing your Ad­min cre­den­tials, with­out log­ging on to the ac­count it­self.

You’ve re­viewed the per­mis­sions for your tar­get file and folder, and now you’d like to change them. Click the “Edit” but­ton. You can now se­lect a user or group to view their per­mis­sions, plus make changes us­ing the check­boxes un­der­neath “Al­low” and “Deny.” If you se­lect cer­tain per­mis­sions (say, Read & Ex­e­cute), then other per­mis­sions (Read in our ex­am­ple) may be checked, too. If you choose to ex­plic­itly set a per­mis­sion type to “Deny,” Win­dows throws up a warn­ing about group per­mis­sions, and how this over­rides them. What this means is that even if the group a user be­longs to has ac­cess to that folder or file, choos­ing “Deny” (rather than leav­ing both “Al­low” and “Deny” boxes unchecked) ex­plic­itly tells Win­dows to ig­nore the group per­mis­sion set­tings for that user.

You’ll also see “Add” and “Re­move” but­tons—these en­able you to se­lect ad­di­tional users or groups, plus re­move ex­ist­ing ones, so they ei­ther have no ac­cess, or rely on their group per­mis­sions to have ac­cess. Click “Add,” and you need to type the name of your user, then click “Check Names” to se­lect them be­fore click­ing “OK” to set their per­mis­sions.

Once done, click “Ap­ply,” and Win­dows starts to set per­mis­sions for that item; if you’ve se­lected a folder, then all the items in­side it are set the same per­mis­sions, too. Don’t panic if you get an “Ac­cess de­nied” er­ror ap­ply­ing se­cu­rity—it means ac­cess is re­stricted to that folder, so the set­tings re­main un­changed. Click “Con­tinue” to carry on.

Block ac­cess to pro­grams

So, how can you use per­mis­sions to re­strict ac­cess to a cer­tain pro­gram? Note that the fol­low­ing doesn’t work with cer­tain sys­tem-in­stalled pro­grams, such as In­ter­net Ex­plorer, but should work with any ap­pli­ca­tions that you have in­stalled your­self. First, browse to the pro­gram’s ex­e­cutable file (typ­i­cally in­side the Pro­gram Files or Pro­gram Files (x86) fold­ers). Rightclick the file, and choose “Prop­er­ties > Se­cu­rity tab.” Click “Edit,” then click “Add” to se­lect the user you wish to block. Once added, check the “Deny” box next to “Read & Ex­e­cute,” and click “OK.” Note the warn­ing, and click “OK” again.

Now when that user at­tempts to open the pro­gram in ques­tion, they’re shown a di­a­log telling them they can’t ac­cess it due to per­mis­sions is­sues. They won’t be able to change the file’s per­mis­sions (or view them)

un­less they have ad­min­is­tra­tor ac­cess. It’s a crude method, but it works.

Take own­er­ship

You’ll no­tice an “Ad­vanced” but­ton on the Se­cu­rity tab of a file’s prop­er­ties. Click this, and you gain the abil­ity to view more in­for­ma­tion about the per­mis­sions as­signed to in­di­vid­ual users, com­plete with an “In­her­ited from” field that shows which folder the per­mis­sions were as­signed from.

Look out for a but­ton marked “Dis­able in­her­i­tance”—click this to un­link the item from its par­ent folder. What this means is that any per­mis­sion changes you ap­ply to the par­ent won’t au­to­mat­i­cally ap­ply to this file or sub-folder go­ing for­ward. When prompted, choose the “Con­vert” op­tion to ap­ply the par­ent’s set­tings to the item be­fore re­mov­ing the link, or “Re­move” to clear them all. The lat­ter op­tion scrubs all ex­ist­ing per­mis­sions, block­ing all ac­cess to the file or folder un­til new per­mis­sions are set by the item’s owner. Note, how­ever, that noth­ing ac­tu­ally hap­pens un­til you click the “Ap­ply” but­ton—click “Can­cel” to make no changes.

You’ll also see a line list­ing the “owner” of the item in ques­tion. From here, you can change own­er­ship to an­other user or group. You might do this to pre­vent the orig­i­nal owner—as­sum­ing they’re a stan­dard user—from un­do­ing any per­mis­sion changes you im­ple­ment. You might also do this to take back own­er­ship of a file or folder af­ter you’ve ei­ther switched to a new user ac­count (per­haps your old ac­count cor­rupted), or re­in­stalled Win­dows in cer­tain cir­cum­stances.

Tak­ing the lat­ter as an ex­am­ple, you might re­in­stall Win­dows from scratch us­ing a dif­fer­ent user­name and/or pass­word, leav­ing your data fold­ers on a sep­a­rate drive or par­ti­tion. You then find you’re locked out of these fold­ers be­cause they’re as­signed to the old user ac­count (even though it no longer ex­ists). You can re­gain ac­cess to the folder via the “Con­tinue” but­ton while logged on as an ad­min­is­tra­tor, then trans­fer own­er­ship to your new ac­count.

What you’ll see when you view the item’s per­mis­sions is an “Ac­count Un­known” en­try with a name like “S-1-5-25-12345.” This refers to your pre­vi­ous, re­dun­dant ac­count. Click “Ad­vanced,” and you see it’s the owner of the folder, so click “Change” to trans­fer own­er­ship to your new ac­count, al­low­ing you to set the per­mis­sions you need.

And there you have it—every­thing you need to know about lock­ing down your PC that lit­tle bit tighter. Of course, things can— and do—go hor­ri­bly wrong when mess­ing about with per­mis­sions. Be­fore reach­ing for your backed-up image of Win­dows, though, check out the box be­low, which con­tains in­for­ma­tion about some handy tools that can help re­solve prob­lems with per­mis­sions-re­lated is­sues, both self­in­flicted and oth­er­wise.

Down­grade all users (in­clud­ing your­self) to Stan­dard User level.

Go­ing for­ward, you’ll need to sup­ply a pass­word for ad­min­is­tra­tive tasks.

Win­dows 10 Pro users can go to town on user re­stric­tions.

You need read- only ac­cess to view a file or folder’s per­mis­sions.

Folder and file per­mis­sions are set on an al­low or deny ba­sis.

Use per­mis­sions to block in­di­vid­ual users from launch­ing pro­grams.

In­her­i­tance is used to ap­ply a folder’s per­mis­sions to its con­tents.

Newspapers in English

Newspapers from Australia

© PressReader. All rights reserved.