I’ve recently created a new administrator account and converted my original admin account into a standard user account for “best practice security”.
I noticed that as a standard user I’m able to access the administrator’s user folder, which AFAIK a standard user should not be able to do.
On checking the properties of the “Users” folder and the “Advanced sharing” section of the “Sharing” tab the “Everyone” group has full control over the users folder. The folder is also indicated as being in State:Shared.
I did not initiate these permissions on the users folder, so the only thing I can think of is that when I created a Homegroup, the Homegroup initiated the share. I only created the Homegroup for testing purposes and removed it afterwards. I’ve read a similar report about Win 7 wherein the creation of a Homegroup or public sharing automatically shares the entire users folder, and even after removing the Homegroup the users folder remains shared!
Is it possible Windows 10 has inherited the same behavior? At this stage I’m purely speculating about what’s happened but the Homegroup issue does seem feasible.
Basically I want to get this all set back to normal or default, and I’m concerned that this is also a security issue. Not knowing exactly what’s happened here, I’m unsure about what permissions to go and start changing without breaking anything or making things worse. Can anyone help me?
I don’t have a Windows 10 system near me to check at the moment, but I’d guess just unsharing the folder would probably be sufficient.
Also note that share permissions do not override filesystem permissions. So, if the Users directory has share permissions of "Everyone: Full", but the filesystem permissions are configured with more restrictive permissions such as "Everyone: Read, Administrators: Full, Creator/Owner: Full", then the more restrictive permissions between the two are effective. So, in that scenario, the Everyone group/security principal is restricted to read only. Furthermore, if a subdirectory under Users has no permissions at all configured for the Everyone group/security principal then “Everyone” can see the subdirectory, but they can not open or read it.
On a side note, I’m not sure what best practices you’ve been reading, but unless something drastic changed in Windows 10 that I missed, the built-in administrator account (the one with a RID/SID ending in -500), can not be changed to a “standard user” account. It will always have administrative permissions.
The best practice I’m familiar with is to disable the built-in account (though it is still usable in safe mode should you ever have an emergency situation where you need it), rename it, create a new standard user account named “Administrator” which is also disabled (just to throw off would-be hackers), and then create an administrator account under a different name for your own use.
Per the conversation in the comments I realize you’re referring to the default user created during installation. Not the built-in administrator as I misunderstood you to be speaking of. That user can be converted to a standard user as you stated. My apologies for the confusion.
As for the default permissions, I’ve stood up a test Windows 10 Virtual Machine (Anniversary update 1607) and found that the Users directory defaults to "Everyone: Read/Execute/List". However, all the profile directories (Users\someone) under the Users directory are set to NOT inherit permissions from Users and are set explicitly to "SYSTEM: Full; Administrators: Full; Profile Owner: Full". So, no one other than admins and the user who owns that profile has permissions to read, list, or change anything under another user’s profile directory.
So, to reset your permissions to the defaults:
1. Unshare the Users directory.
2. Reset the file system permissions for the “Users” directory (security tab) to "Everyone: Read/List/Execute; SYSTEM: Full; Administrators: Full; Users: Read/List/Execute".
3. Change any user profile directories under the Users directory to not inherit permissions from the parent directory (security tab -> Advanced) and then explicitly set the permissions to "SYSTEM: Full; Administrators: Full; <user name>: Full".
These steps can of course be accomplished using PowerShell commands and such, but in the spirit of keeping things at your experience level and helping you learn the ropes, I’ll stick to the GUI methods. Here are some screenshots to help.
Individual user profile directory permissions (note that the permissions are NOT inherited)
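
The three reset steps above, scripted for an elevated PowerShell session. This is an added example, not part of the original answer. The backup folder name is an assumption, and well-known SIDs stand in for the group names so the commands do not depend on the display language.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answer).
$usersRoot = Join-Path $env:SystemDrive 'Users'
$everyone  = '*S-1-1-0'        # Everyone
$system    = '*S-1-5-18'       # SYSTEM
$admins    = '*S-1-5-32-544'   # BUILTIN\Administrators
$users     = '*S-1-5-32-545'   # BUILTIN\Users

# Save the current ACLs before changing anything (backup location is an assumption).
$backup = Join-Path $env:SystemDrive 'acl-backup'
New-Item -ItemType Directory -Path $backup -Force | Out-Null
icacls $usersRoot     /save (Join-Path $backup 'users-root.acl')
icacls "$usersRoot\*" /save (Join-Path $backup 'users-children.acl')

# Step 1: unshare. Find every non-administrative share that exposes the Users
# directory, show who it is shared with, then remove it (prompts per share).
Get-SmbShare |
    Where-Object { -not $_.Special -and ([string]$_.Path).TrimEnd('\') -eq $usersRoot } |
    ForEach-Object {
        Get-SmbShareAccess -Name $_.Name |
            Format-Table Name, AccountName, AccessRight | Out-Host
        Remove-SmbShare -Name $_.Name -Confirm
    }

# Step 2: reset the explicit NTFS entries on the Users directory itself.
# (OI)(CI) makes each entry inheritable by files and subfolders; RX = Read/List/Execute.
icacls $usersRoot /grant:r "${everyone}:(OI)(CI)(RX)" "${system}:(OI)(CI)(F)" `
                           "${admins}:(OI)(CI)(F)"    "${users}:(OI)(CI)(RX)"

# Step 3: each real profile directory stops inheriting from Users and gets
# SYSTEM, Administrators and the profile owner only. Win32_UserProfile maps the
# folder to the owner's SID, so a renamed account is still matched correctly.
Get-CimInstance Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath -like "$usersRoot\*" } |
    ForEach-Object {
        $owner = '*' + $_.SID
        icacls $_.LocalPath /inheritance:r /grant:r "${owner}:(OI)(CI)(F)" `
                            "${system}:(OI)(CI)(F)" "${admins}:(OI)(CI)(F)"
        # Drop any leftover explicit grants to Everyone or Users on the profile.
        icacls $_.LocalPath /remove:g $everyone $users
        icacls $_.LocalPath          # print the resulting ACL for review
    }
```

The saved ACL files can be reapplied with `icacls <directory> /restore <file>` if a change needs to be rolled back.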