Known Issue: User with local admin access can gain access to other user's files

Tags y2k20

Windows 10 has two types of user accounts: Standard and Administrator.

  • Users with standard account can perform all common daily tasks, such as run programs, surf the Web, check e-mail, stream movies and so on.
  • Users with administrator accounts can perform tasks that make major changes to the system, such as installing software; add, remove or change user accounts; change ownership of local files; or run elevated commands. 

On a Multi-user PC, users are signed on as a standard account.  Computers that are single user (assigned to a primary user) are setup so that the primary user has full administrative access.

Each account is associated with Windows profile which includes a user folder in C:\Users where files associated with each account are stored. Users with standard account can only access their own profile files, however users with administrator account can gain access to other users' files. This is working as designed and it is not possible to change this behaviour.

Computers that are setup as Multi-user PC's do not have this problem. When users sign on, their files are protected from other users. 

Computers that are assigned to a primary user can pose a security risk when another (non-primary) user signs on and saves files to their profile (Desktop, Documents, etc.)

When you sign on to a computer that is not shared and you are not the primary user do not save any confidential files to the computer.  Non-primary users should not sync files with OneDrive.  If this is not possible, or poses a problem, please consider converting the device to a Multi-user PC.

Details

Article ID: 86172
Created
Wed 9/4/19 8:59 AM
Modified
Thu 10/10/19 1:42 PM