Windows 10: Standard user able to access Admin folders? Solved

  1.    22 Nov 2017 #1

    Standard user able to access Admin folders?


    Hello,

    Not sure if this is by default, but I've noticed it on 3 different computers. 2 running Windows 10 Home, 1 running Windows 10 Pro. When logged on as standard user, I'm able to access the folders of an Administrator. I may get prompted for password the first time, but after logging off, restarting, etc, I'm still able to access the folders forever after that. Not sure if there's something I'm doing to accidentally enable this.

    Any ideas??
      My ComputerSystem Spec


  2. Posts : 925
    Windows 10 Home x64 and Pro x86
       23 Nov 2017 #2

    Dirk,

    The password you entered earlier was that of an Admin user account and it permanently authorised your access to the folder concerned.

    You will be able to see this by right-clicking on the folder, selecting Properties, Security tab - your standard user account name will be shown as having permission to access the folder. You can change that entry to undo what you have done if you want to [use either Edit or Advanced].

    Change Permissions of Objects for Users and Groups in Windows 10 User Accounts Tutorials

    Denis
    Last edited by Brink; 23 Nov 2017 at 09:54. Reason: added tutorial link for more info
      My ComputerSystem Spec

  3.    23 Nov 2017 #3

    Thanks for the reply.

    Why would it be permanent, even after a reboot? That seems to defy the fundamental separation of Admins and users.
    If this is the default, how can I set it to prompt for a password each time?
      My ComputerSystem Spec

  4. TairikuOkami's Avatar
    Posts : 3,417
    10.6 Home 1809 x64
       23 Nov 2017 #4

    Default standard user has more rights than admin with full UAC.

    Set ConsentPromptBehaviorUser to 0 to block any admin tasks.

    Code:
    rem 0 - Elevate without prompting / 1 - Prompt for credentials on the secure desktop / 2 - Prompt for consent on the secure desktop / 3 - Prompt for credentials / 4 - Prompt for consent / 5 (Default) - Prompt for consent for non-Windows binaries
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "1" /f
    
    rem 0 - Automatically deny elevation requests / 1 - Prompt for credentials on the secure desktop / 3 (Default) - Prompt for credentials
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" /t REG_DWORD /d "0" /f
    
    rem 2 (Default)
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableFullTrustStartupTasks" /t REG_DWORD /d "0" /f
    
    rem Detect application installations and prompt for elevation / 1 - Enabled (default for home) / 0 - Disabled (default for enterprise)
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "1" /f
    
    rem Run all administrators in Admin Approval Mode / 0 - Disabled (UAC) / 1 - Enabled (UAC)
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
    
    rem Only elevate UIAccess applications that are installed in secure locations / 0 - Disabled / 1 (Default) - Enabled
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "1" /f
    
    rem 0 (Default) = Disabled / 1 - Enabled
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUwpStartupTasks" /t REG_DWORD /d "0" /f
    
    rem Allow UIAccess applications to prompt for elevation without using the secure desktop / 0 (Default) = Disabled / 1 - Enabled
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUIADesktopToggle" /t REG_DWORD /d "0" /f
    
    rem 0 - Disabled / 1 - Enabled (Default)
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableVirtualization" /t REG_DWORD /d "0" /f
    
    rem Admin Approval Mode for the built-in Administrator account / 0 (Default) - Disabled / 1 - Enabled
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "1" /f
    
    rem Allow UIAccess applications to prompt for elevation without using the secure desktop / 0 (Default) - Disabled / 1 - Enabled
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "1" /f
    
    rem 1 - Enable command-line auditing
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v "ProcessCreationIncludeCmdLine_Enabled" /t REG_DWORD /d "1" /f


      My ComputerSystem Spec

  5.    24 Nov 2017 #5

    Thanks for the replies.

    I think ConsentPromptBehaviorUser is the only one I'm looking for, but it doesn't prompt each time. It grants access permanently.

    Setting it to 1 or 3 seems to do the same thing. 0 completely denies it.

    I want it to prompt for password each time, or at least after a reasonable period of time, or a reboot, etc.
      My ComputerSystem Spec

  6. Bree's Avatar
    Posts : 8,833
    10 Home x64 (1809) (10 Pro on 2nd pc)
       24 Nov 2017 #6

    dirkd said: View Post
    When logged on as standard user, I'm able to access the folders of an Administrator. I may get prompted for password the first time, but after logging off, restarting, etc, I'm still able to access the folders forever after that....
    You were explicitly told that this would happen. When you first tried to access the administrator's folder you saw...

    Click image for larger version. 

Name:	get permissions.PNG 
Views:	20 
Size:	5.4 KB 
ID:	165446

    ...and you were asked for the password after you clicked Continue.
      My ComputersSystem Spec

  7.    24 Nov 2017 #7

    Correct.

    I also asked "If this is the default, how can I set it to prompt for a password each time"?
      My ComputerSystem Spec

  8. Bree's Avatar
    Posts : 8,833
    10 Home x64 (1809) (10 Pro on 2nd pc)
       25 Nov 2017 #8

    By granting yourself access to the administrator's folders you have added your account to the permissions for those folders. This is the way Windows has always worked, it was the same in Windows 7. You can't change the way Windows works on permissions.

    If you want to be asked for a password next time, you need to look at the Security Properties for that folder and remove your account from those granted access.
      My ComputersSystem Spec

  9.    28 Nov 2017 #9

    Thanks for the info.
      My ComputerSystem Spec


 

Related Threads
I set up standard user accounts for my three Grandchildren. They are not proficient but are capable of using a PC. My concern is that I use Google Chrome & have a password keeper extension that is set to automatically log me into my bank & PayPal...
Hello All, I'm delighted to have found you and after a long day of trying to help myself i am now requiring your much appreciated assistance please!:cry: I'm not a techy person at all and am hoping someone can help:) Last week my husband purchased...
Solved shortcut w/admin privileges for standard user in User Accounts and Family Safety
Hello, I've just cleaned up a massive malware infection on my grandson's computer (HP Pavilion notebook) and upgraded it to Win 10 from its native Win 8. His account is a standard user vs admin. Everything's working fine. EXCEPT, he plays an...
Hi everyone first post here, and first time here as well. Thank you. I am trying to "lock down" standard user accounts from being able to use the control panel sop they cannot change settings on a shared work computer. I created the account and...
How to restrict standard user access to folders in User Accounts and Family Safety
On my secondary hard drive, I have some folders that I don't want standard users to see or access. How can I go about doing this? Thanks!
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 07:05.
Find Us