Maximum PC

RECLAIM OWNERSHIP OF YOUR PC

Discover how to take back control of Windows, with help from Nick Peers


Ever felt you’re losing control of your PC? If you share it with other users—family members or friends, for example—it can be a frustrating experience. First, there’s the need to keep your own data private from other people, then there’s the worry about what they might be doing behind your back. Windows has tools for managing children’s use, but what happens to a PC that’s shared between a group of consenting adults—even those who should know better?

In this feature, we’re going to examine two principal ways in which you can regain control of your PC. The first is through user accounts. We’ll reveal a technique whereby everyone—including yourself—gets their level of access reduced on a day-to-day level, tightening security, and preventing the haphazard installation of software and injudicious tweaking of system settings. The secret to this tip is to create a master Admin account—password-protected, of course—which is required whenever any elevated access (including the installation of many programs) is required.

We’ll also look at a tool those running Windows 10 Professional can employ in conjunction with user accounts—namely the Local Group Policy Editor—to tighten things further, giving you complete control over restrictions on a user-by-user basis. We’ll show you how to restore the Guest account that Microsoft has mysteriously dropped in Windows 10, too.

Then we’ll examine how you can control access to individual files and folders through permissions—after reminding you to take precautions, we’ll delve into how you can make people’s folders private, while blocking their access to other parts of your system (including individual programs, if required). There’s even time for troubleshooting file permissions issues (both those caused by your fiddling and those created by Windows itself), finding out the best way to transfer to a new PC, and integrating your OneDrive storage better into your user folders. The end result? A PC that may be shared with others, but which remains your own, is under more control and better secured.

Let’s open with something that might seem counter-intuitive: Step one to reclaiming ownership of your PC is to reduce your level of access to it. Yes, you heard right—one of the most effective ways in which you can secure control of your PC is to downgrade your user account to that of a Standard User.

Why would you do this? First, it reduces your PC’s exposure to potential harm—now, instead of simply waving through requests for elevated access with a simple click of the mouse, you need to invoke a separate Administrator account (and password) instead. The inconvenience of doing so is outweighed by the fact that it forces you to pause and confirm what the dialog is there for—no more lazily waving through something malicious by mistake.

It’s also essential if you share your PC with others—by downgrading everyone, they’re forced to either use the Admin password (if you’ve shared it with them), or ask your permission before cluttering up your PC with more unwanted software.

The first step of this process involves creating a new Administrator account—click “Start > Settings > Accounts > Family & other users,” then click “Add someone else to this PC” under “Other users.” Choose “I don’t have this person’s sign-in information,” followed by “Add a user without a Microsoft account.” Name the account “Admin,” then enter a secure password, before clicking “Next.”

With the account set up, you next need to make it an Administrator account—select the account under “Other users,” and click “Change account type” to convert it to Administrator. You’re now ready to log off your own account and change it. Before doing so, consider switching yourself to a Microsoft Account, if you haven’t already done so. It makes installing apps from the Microsoft Store easier, for starters—they’re sandboxed to your local account folder, so don’t require elevated privileges.

Sign out of your account, and log in as Admin (wait while the account is first set up). Return to the “Family & other users” screen, where you’ll see your own account listed. Select this, click “Change account type,” then reduce it to Standard user. Repeat for all other users of your PC.

Now, when you have to perform any administrative tasks, you’re prompted to select an Administrator account (“Admin” should be pre-selected by default), and enter its password to proceed. You can make this step a bit easier by assigning a more memorable PIN number, and entering that instead—do this now via the “Sign-in options” screen (click “Add” under “PIN”).

Once done, sign out of Admin, and log back into your own account. For additional security, type “UAC” into the Search box, and click “Change User Account Control Settings”—you’ll see your first security prompt, requiring you to enter your Admin password or PIN. Verify the slider has been set to the top level.

One of the most visible ways in which your access has been downgraded is seen when you open the Settings app—it’s now less functional than it was before, because all system-wide settings are now off limits. To get at them requires logging into the Admin account directly (do this quickly via the Start menu—click your user picture at the top of the menu, and select “Admin” to switch user without logging out). Or does it? In fact, most system-wide settings remain accessible via the classic Control Panel—just enter your Admin password to access them when prompted.
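The account steps above can also be scripted, shown here as an added example that is not part of the original article. It assumes Windows 10's built-in LocalAccounts cmdlets and that you run it from an elevated PowerShell window while signed in as an existing administrator; group changes take effect at each user's next sign-in.

```powershell
# Added example (not from the article). 'Admin' is the account name the
# article uses. S-1-5-32-544 and S-1-5-32-545 are the well-known SIDs of the
# built-in Administrators and Users groups, used so the script does not
# depend on localized group names.
$adminName = 'Admin'
$adminsSid = 'S-1-5-32-544'
$usersSid  = 'S-1-5-32-545'

# 1. Create the dedicated Admin account if it does not exist yet.
if (-not (Get-LocalUser -Name $adminName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Choose a password for $adminName"
    New-LocalUser -Name $adminName -Password $password `
        -Description 'Used only for elevation prompts' | Out-Null
}

# 2. Make it an Administrator (the error is ignored if it already is one).
Add-LocalGroupMember -SID $adminsSid -Member $adminName -ErrorAction SilentlyContinue

# 3. Refuse to demote anyone unless Admin is enabled and really is in the
#    Administrators group; otherwise the PC could end up with no usable
#    administrator.
$admin   = Get-LocalUser -Name $adminName
$members = @(Get-LocalGroupMember -SID $adminsSid)
if (-not $admin.Enabled -or $members.SID.Value -notcontains $admin.SID.Value) {
    throw "$adminName is not a working administrator; nothing was changed."
}

# 4. Demote every other local user account. The built-in Administrator
#    account (relative ID 500, disabled by default) is left alone.
$localUserSids = (Get-LocalUser).SID.Value
$toDemote = $members | Where-Object {
    $localUserSids -contains $_.SID.Value -and
    $_.SID.Value -ne $admin.SID.Value -and
    $_.SID.Value -notmatch '-500$'
}
foreach ($m in $toDemote) {
    Add-LocalGroupMember    -SID $usersSid  -Member $m -ErrorAction SilentlyContinue
    Remove-LocalGroupMember -SID $adminsSid -Member $m
    "Demoted to Standard user: $($m.Name)"
}

# 5. Report who can still elevate.
Get-LocalGroupMember -SID $adminsSid | Select-Object Name, PrincipalSource
```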

Use Group Policy settings

If you’re running Windows 10 Professional, you can set further restrictions on a user-by-user basis using the Local Group Policy Editor—launch gpedit.msc to take a tour. It’s a little baffling for first-time users, so take the time to explore its settings, and make sure you take a drive image before you begin—it’s very easy to lock yourself out of your system. Most Group Policy settings are basically Registry edits, and if you’re running Windows 10 Home Edition, you can emulate most of these with the correct setting. Thankfully, Microsoft has provided a handy reference guide containing each policy’s setting and its equivalent Registry entry—go to www.microsoft.com/en-us/download/details.aspx?id=25250, and select “Windows 10 ADMX spreadsheet.xlsx” when prompted.

By default, gpedit.msc shows the Local Computer Policy settings, which means the settings are applied across your entire PC. For a more granular approach, involving a single user or group, you need to apply a customized Local Group Policy instead. Press Win-R, type “mmc,” and hit Enter. Choose “File > Add/Remove Snap-in.” Select “Group Policy Object Editor” from the left-hand pane, and hit “Add.” Click the “Browse” button, and select the “Users” tab. Choose your target user (yourself, say) or group (“Non-Administrators,” for example), and then click “OK > Finish > OK.” Now choose “File > Save” to save a copy somewhere accessible (going forward, you would double-click this file to view and edit it).

With the template in place, you can now start to customize settings or restrict access. The Administrative Templates section is a good first port of call. Select a section, then click on a setting in the right-hand pane to read a description of what it does. Double-click it to make a change—this usually means enabling or disabling the policy, but sometimes you also get other options based on your settings, too. Make a note of the initial setting (typically “Not configured”), in case you ever need to reset your policies.

If you want to block access to a specific program that’s been installed, expand “Windows Settings > Security Settings > Software Restriction Policies,” and choose “Action > New Software Restrictions Policy.” Select “Additional Rules,” then “Action > New Path Rule.” Click “Browse” to select the parent folder of a program you wish to block, leave “Security level” set to “Disallowed,” and provide a description to help identify the rule going forward. Click “OK.” Select “File > Save,” then close the window, and reboot your PC. Test the rule by logging into the user account in question, then try launching the program—you should see a message telling you it’s blocked.

Sadly, this granular level of control is restricted to Windows 10 Professional users only. However, you don’t need to try to enforce Family Safety on your 30-something room-mate in order to restrict their access to programs—you can achieve much the same thing through the use of permissions.

File and folder permissions

Windows’ NTFS filesystem applies permissions to files, folders, and other objects (even individual Registry entries). This gives you control over your PC by specifying which users and groups have access to which files and folders, and what level of access they have.

By way of explanation, open the C:\Users folder to view each individual user’s personal folder. Inside here are their personal directories (Documents, Downloads, and so on), and various other account-specific files and settings. Try to open a folder other than your own user directory, and you get an “Access Denied” error. All well and good—except that if you’re running as an administrator, you’re prompted to click “Continue” to be granted access to the folder. Not exactly secure.

Paranoid users wishing to keep specific files and folders private should investigate a third-party encryption app, such as the open-source Veracrypt (https://veracrypt.codeplex.com), where you create a password-protected “file container,” which acts like a virtual drive, inside which you store your most sensitive files.

However, if you’re the only one with access to the Admin account on your PC, and you trust yourself not to abuse that power, then Windows’ NTFS permissions are adequate for basic privacy. To view a folder or file’s permissions, right-click it, choose “Properties,” and switch to the “Security” tab. You need read-only access to the item in order to view its permissions; if this is the case, you’ll see a list of “Group or user names,” plus permissions for the selected group or user.

Groups are basically collections of users, and include the following: Administrators, Users, SYSTEM, and Everyone. Anyone who is a standard user is part of the Users group, for example, while Everyone is a group designed to allow you to set universal permissions for every single person who uses your PC.

Permissions consist of various types: Read, Write, Read & Execute, List Folder Contents (folders only), Modify, and Full Control. Some permissions are a combination of others—for example, Modify allows you to read, write, and delete, so both Read and Write permissions are set to “Allow” if Modify is. Read & Execute provides you with both read access to a file, plus the ability to execute it—vital for program and script files, for example—and it’s this attribute you can tweak to block individual users’ access to specific programs, as we’ll see shortly. Finally, Full Control basically gives you carte blanche—read, write, execute, delete, and so on.

Change permissions

File permissions are a dangerous subject—it’s all too easy to lock yourself out of a file, or even mess up your entire Windows installation, if you screw around with no real thought for the consequences. So, before you begin, consult our backup feature from the June issue for advice on taking a full Windows drive image, which you can roll back to should the worst happen.

Second, limit yourself to tweaking permissions for non-system files and folders. That means making any of the root folders on drive C off limits—even with programs, you’ll want to limit yourself to a specific sub-folder inside Program Files and Program Files (x86). Instead, focus on individual user folders, or folders and files you’ve got stored on a data partition or drive.

Third, you don’t necessarily need to be logged on as an administrator to make changes to a file or folder’s permissions. Two types of user can modify permissions—any member of the Administrators group (so your Admin user, for example), and the “owner” of the item in question. Who’s the owner? Typically, this is the user account that created the file—for example, when you set up and save a new document, the file is assigned to you as owner. Note you can edit permissions using your Admin credentials, without logging on to the account itself.

You’ve reviewed the permissions for your target file and folder, and now you’d like to change them. Click the “Edit” button. You can now select a user or group to view their permissions, plus make changes using the checkboxes underneath “Allow” and “Deny.” If you select certain permissions (say, Read & Execute), then other permissions (Read in our example) may be checked, too. If you choose to explicitly set a permission type to “Deny,” Windows throws up a warning about group permissions, and how this overrides them. What this means is that even if the group a user belongs to has access to that folder or file, choosing “Deny” (rather than leaving both “Allow” and “Deny” boxes unchecked) explicitly tells Windows to ignore the group permission settings for that user.

You’ll also see “Add” and “Remove” buttons—these enable you to select additional users or groups, plus remove existing ones, so they either have no access, or rely on their group permissions to have access. Click “Add,” and you need to type the name of your user, then click “Check Names” to select them before clicking “OK” to set their permissions.

Once done, click “Apply,” and Windows starts to set permissions for that item; if you’ve selected a folder, then all the items inside it are set the same permissions, too. Don’t panic if you get an “Access denied” error applying security—it means access is restricted to that folder, so the settings remain unchanged. Click “Continue” to carry on.

Block access to programs

So, how can you use permissions to restrict access to a certain program? Note that the following doesn’t work with certain system-installed programs, such as Internet Explorer, but should work with any applications that you have installed yourself. First, browse to the program’s executable file (typically inside the Program Files or Program Files (x86) folders). Right-click the file, and choose “Properties > Security tab.” Click “Edit,” then click “Add” to select the user you wish to block. Once added, check the “Deny” box next to “Read & Execute,” and click “OK.” Note the warning, and click “OK” again.

Now when that user attempts to open the program in question, they’re shown a dialog telling them they can’t access it due to permissions issues. They won’t be able to change the file’s permissions (or view them) unless they have administrator access. It’s a crude method, but it works.
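The same Deny entry can be set from an elevated PowerShell window with the built-in icacls tool, shown here as an added example that is not part of the original article. The program path and account name are placeholders, and the ACL is saved first so the change can be rolled back.

```powershell
# Added example (not from the article). Both values below are placeholders:
# point $exe at a program you installed yourself and $user at a real
# standard account on the PC.
$exe  = 'C:\Program Files\ExampleApp\example.exe'   # hypothetical path
$user = "$env:COMPUTERNAME\roommate"                # hypothetical account

function Get-ExplicitAce([string]$Path) {
    # Entries set on the item itself, as opposed to inherited from its folder.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights
}

if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { throw "Not found: $exe" }

# 1. Save the current ACL to a timestamped file so the change can be undone.
$backup = Join-Path $env:TEMP ("acl-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
icacls $exe /save $backup | Out-Null

# 2. Add an explicit Deny entry for Read & Execute (RX) for this one user.
#    The explicit Deny takes precedence over the Allow the user receives
#    through the Users group, which is the warning the dialog shows.
icacls $exe /deny "${user}:(RX)"
if ($LASTEXITCODE -ne 0) { throw 'icacls reported an error; check the ACL.' }

# 3. Confirm what is now set directly on the file.
Get-ExplicitAce $exe | Format-Table -AutoSize

# 4. To undo, either remove just this user's Deny entries ...
#      icacls $exe /remove:d $user
#    ... or restore the saved ACL (restore is run against the parent folder):
#      icacls (Split-Path $exe) /restore $backup
```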

Take ownership

You’ll notice an “Advanced” button on the Security tab of a file’s properties. Click this, and you gain the ability to view more information about the permissions assigned to individual users, complete with an “Inherited from” field that shows which folder the permissions were assigned from.

Look out for a button marked “Disable inheritance”—click this to unlink the item from its parent folder. What this means is that any permission changes you apply to the parent won’t automatically apply to this file or sub-folder going forward. When prompted, choose the “Convert” option to apply the parent’s settings to the item before removing the link, or “Remove” to clear them all. The latter option scrubs all existing permissions, blocking all access to the file or folder until new permissions are set by the item’s owner. Note, however, that nothing actually happens until you click the “Apply” button—click “Cancel” to make no changes.

You’ll also see a line listing the “owner” of the item in question. From here, you can change ownership to another user or group. You might do this to prevent the original owner—assuming they’re a standard user—from undoing any permission changes you implement. You might also do this to take back ownership of a file or folder after you’ve either switched to a new user account (perhaps your old account corrupted), or reinstalled Windows in certain circumstances.

Taking the latter as an example, you might reinstall Windows from scratch using a different username and/or password, leaving your data folders on a separate drive or partition. You then find you’re locked out of these folders because they’re assigned to the old user account (even though it no longer exists). You can regain access to the folder via the “Continue” button while logged on as an administrator, then transfer ownership to your new account.

What you’ll see when you view the item’s permissions is an “Account Unknown” entry with a name like “S-1-5-25-12345.” This refers to your previous, redundant account. Click “Advanced,” and you see it’s the owner of the folder, so click “Change” to transfer ownership to your new account, allowing you to set the permissions you need.
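To see how much of a data folder is still owned by an account that no longer exists before changing anything, a read-only audit helps. This is an added example, not part of the original article; the folder path and the account name in the closing comment are placeholders, and it should be run from an elevated PowerShell window.

```powershell
# Added example (not from the article). $root is a placeholder for the data
# folder carried over from the old installation.
$root = 'D:\Data'    # hypothetical path

function Find-OrphanedOwner([string]$Root) {
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $nameType = [System.Security.Principal.NTAccount]
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read owner of $($item.FullName)"; continue }
        $sid = $acl.GetOwner($sidType)
        if ($null -eq $sid) { continue }
        # A SID that belongs to a live account translates to a name. One left
        # over from a deleted account does not, which is what the Security
        # tab shows as "Account Unknown".
        try   { [void]$sid.Translate($nameType) }
        catch { [pscustomobject]@{ Path = $item.FullName; OwnerSid = $sid.Value } }
    }
}

# Summarise: one row per leftover SID with the number of items it still owns.
$orphans = @(Find-OrphanedOwner $root)
$orphans | Group-Object OwnerSid | Select-Object Count, Name | Format-Table -AutoSize

# After reviewing the list, ownership of the whole tree can be handed to the
# new account ('newuser' is a placeholder). icacls does not force a change
# of ownership; where it is refused, use the "Change" link in the Advanced
# dialog as described above, or takeown.exe.
#   icacls $root /setowner "$env:COMPUTERNAME\newuser" /T /C
```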

And there you have it—everything you need to know about locking down your PC that little bit tighter. Of course, things can—and do—go horribly wrong when messing about with permissions. Before reaching for your backed-up image of Windows, though, check out the box below, which contains information about some handy tools that can help resolve problems with permissions-related issues, both self-inflicted and otherwise.

Use permissions to block individual users from launching programs.

You need read-only access to view a file or folder’s permissions.

Folder and file permissions are set on an allow or deny basis.

Going forward, you’ll need to supply a password for administrative tasks.

Windows 10 Pro users can go to town on user restrictions.

Downgrade all users (including yourself) to Standard User level.

Inheritance is used to apply a folder’s permissions to its contents.
