You share your PC with other users or you give them access to certain data via the network. Great, but of course you prefer to do that in such a way that they cannot disrupt your Windows configuration, nor can they access data that you want to keep private. To achieve that, you need to have a well thought-out user policy, with the right settings and permissions.
Most desktop operating systems take into account that there can be multiple users and that each user should be able to decide for themselves which resources, such as data and devices, to share or not with fellow users. You can also create different user accounts in Windows. The data in the profile folders are not easily accessible to fellow users and via a sophisticated permissions policy you can also indicate for other folders who can do what with what data. Since most PCs are linked to a (home) network, you should not only take into account locally logged in users, but also family members, colleagues or visitors who access your PC via the network. This can all be arranged in Windows, but you still have to fine-tune a few things.
01 User Accounts
It's your PC and you're in charge. That starts with creating the user accounts. Make sure you are the only one with an administrator account and provide it with a strong password that only you know. For all other users, a standard account is sufficient, so that they cannot just tinker with your Windows configuration. For security reasons, it is also not a good idea for yourself to log in with your administrator account every day, because that gives malware or a hacker more elbow room if they succeed in penetrating your system.
A user's account type can be changed as follows: go to Windows Institutions and select Accounts / Family and other users. Click on the intended account, choose Change account type and follow the further instructions.
02 Quick User Manager
From Windows Institutions you only get very limited options in terms of user management. You get more options via Control Panel / User Accounts / User Accounts / Manage Another Account, but even here you cannot apply all possibilities. Windows Pro has the module for that Local users and groups (see box 'Windows Pro'), but in this article we assume that you have Windows Home.
The free portable tool Quick User Manager offers more options than the Windows Home version. You can use this to enable and disable accounts, make sure that an account name is no longer visible in the welcome screen, change passwords, change account pictures and ensure that a user cannot change their password - useful if, for example, as a parent you want to avoid you can no longer log in with your child's account to check yourself.
03 Control via commands
So Quick User Manager offers more options, but for even more advanced user management you have to use the Command Prompt (also called the command line interface) in Windows Home. Press the Windows key, tap assignment in, right click on Command Prompt and choose Run as administrator.
For example, you ensure that a user can no longer change his password with the command:
net user /passwordchg:no
If you want a user to be able to log in to Windows only at certain times, you can arrange this with, for example:
net user /times:Mon-Fri,5pm-7pm;Sat-Sun,11am-7pm
To open all time points again, simply use the parameter /times:all.
You can also create your own user groups (for example parents or children) and then add existing user accounts to such a group. You do this with these two commands:
net localgroup /add
net localgroup /add
In section 4 you can read how you can assign certain access permissions to such a group in one go.
You can check the result of your commands with:
net user and
net local group
The assignments just user /help and just localgroup /help give you extensive information about the available options.
It is important that you do not forget the slash (/) in your commands where applicable. After all, without that slash, Windows considers the entered parameter as a new password for that visitor and that is not the intention.
Windows Pro
Windows Pro and above includes the module Local users and groups, from which you can control certain aspects of the user accounts. Press Windows Key+R, tap lusrmgr.msc and press Enter. This opens the local user manager. When you join the group here Users opens and double-clicks on an account name, you can, for example, prevent that person from changing their password. On the tab Member you can open the account via the button Add in a specific user group. You can also create your own groups: right-click on in the left window Groups and choose New group.
04 Local permissions
When you store all your data in your own profile folder, they are in principle nicely shielded from your fellow users. You can find that profile folder in Windows Explorer by going to This PC and successively double-click the C: drive / Users / . Or tap the path C:\Users\ in the address bar.
This system is not completely watertight, because an administrator - so you - can still force access. Even if someone boots up the PC with a live Linux boot medium, the data in any profile folder is easily accessible (we won't go into such a scenario in this article, by the way).
Suppose you want to make any folder accessible only to specific users, for example a folder on the root of your C: drive or on a mounted external ntfs drive. Then you can proceed as follows. It is best to try this on an empty folder first. Right click on a folder in Windows Explorer, choose Characteristics and open the tab Security. Press on the button To process and then Add. Top up Give the object names on the desired username or group name and check it with the button Check names. Confirm with OK and To apply. Select the added name from the list; in the column To allow you read the assigned permissions. The default permissions are normally sufficient to read and write data in that folder, but in the column To allow you can also by placing a check mark Full management grant.
05 More Permissions
You will notice that other users also have (write) access to this folder. If you only want to give your own account and the added user or user group access to this folder, you must use the default groups Users and Verified Users remove. Select those groups one after the other and press . each time Edit delete. If that doesn't work right away and an error message pops up, open the tab Security and click Advanced / Disable inheritance. Select the option Convert […] and confirm with OK. Now you can still remove both groups. The items SYSTEM and Administrators are left untouched!
06 Network access
So far, we've focused on users logging in on the PC itself. But you may also want to make data available on your PC via the (home) network. Until Windows 10 version 1803, you could use the HomeGroups concept for this, but in more recent Windows versions you have to take a different path.
Before you actually start sharing folders, it is best to check a few things. Press the Windows key, tap advanced sharing and select Advanced sharing settings. Open the section Private network and select here both the option Enable network discovery if the option Enable file and printer sharing. By the way, you do well with both options in the section Guest or Public to turn it off correctly. Confirm your choices with Saving Changes.
Also check the name of your computer: go to Institutions, choose System / Info and click Rename PC if you want to give a more suitable name, under this name your PC will appear in the network environment of other computers.
07 Share folders
If you are logged in as an administrator, you can now share specific folders on your PC with others. Navigate to the desired folder with File Explorer, right click on it and choose Grant access to. If in this menu only Advanced sharing pop up, open the tab in File Explorer's Ribbon Image, click the icon Options and open the tab Display. Scroll to the bottom and place a checkmark Using Sharing Wizard (recommended). Various options are now available in the menu, including two with Homegroup […], but since Windows 10 1803 you can no longer use those options. Instead, choose here Specific people.
A dialog box will appear, where you select the user(s) you want to grant network access from the drop-down menu. Custom user groups (such as parents, children, etc.) do not appear here, but you can type in those group names yourself, so that they can be replaced after pressing a button. Add are included in the list. If you want to grant access to every user (with an account), choose Everybody in the drop-down menu.
Via the arrow at Permission Level indicate whether you want to leave that user alone Read, or want to leave Reading writing. In the latter case, a user can open, create, modify and delete files. You can remove a user (group) with remove. When you're done here, press To share.
08 ntfs vs share
We'll tell you in Section 9 how a user reaches a shared folder over the network, but pay attention to the following points first. To begin with, that user must log in to another network PC with exactly the same account name and preferably also with the same password – so that account must also be available on that PC.
Also, when attempting access over the network, Windows not only looks at the share permissions granted for that account (as described in Section 7) but also checks the local ntfs permissions (as described in Section 4). Windows automatically applies the most restrictive combination. For example, if the shared folder is set to read/write only and the local permissions have only read permissions, the user will still only have read access over the network. In principle, Windows will normally automatically match the ntfs and share permissions: for example, change the shared folder to Reading writing, then the ntfs permissions are automatically updated Full management set – and vice versa. But if you unexpectedly encounter authorization problems, it is a good idea to check both the share and ntfs permissions.
09 Access Shared Folder
How do you reach a shared folder via another PC in the network? That should be very easy. First check whether network discovery and file sharing are enabled on this PC (see section 6): if this is not the case, network computers (with shared folders) cannot be detected.
Once you've done that, open Windows Explorer and click in the navigation pane Network. The name of the computer with the shared folders should show up here, which you can double-click and continue navigating to the shared folder – provided you have the appropriate permissions to do so.
It can sometimes happen that the network PC does not appear in this overview. In that case you can still reach it by entering the so-called unc path in the address bar of the Explorer: \\\, for example \desktoppc-tvd\data folder. By the way, this method is the right way to go when a shared folder has been made invisible because the sharer, for example, prefers not to see that folder appear in Explorer (see box 'Advanced sharing').
10 Share management
If you have shared a number of folders, where you may have assigned different permissions to different users, you soon risk losing the overview. Fortunately, Windows provides a handy management module. Right click on the Windows icon from the start menu and choose computer management. In the left pane, go to Computer Management (Local) / Shared Folders / Shares. An alternative is that you press Windows key + R and the text fsmgmt.msc (folder sharing management).
You will see an overview of all available shares (shared folders), including the local path to the share as well as the number of active client connections. When you right-click on one of your shares, you will see the option End sharing, click it if you no longer wish to share that folder. In the left pane, click Sessions, then you will see from which computer a shared folder is accessed and how long that connection has been active. Bee Open files you can see which data is involved.
By the way, you can also call up a list of hidden or unhidden shares from the Command Prompt: the command net share takes care of that.
Advanced sharing
Windows has a more advanced way of sharing: right click on a folder in Windows Explorer, choose Characteristics, open the tab To share and click Advanced sharing. This method is more advanced for several reasons.
More features are available: for example, you can set the share name yourself (including a $ in the end, if you want to make the folder invisible to Explorer) and you can limit the number of concurrent users. Furthermore, granting the desired rights via the button Permissions slightly more complex, because you have to add the desired users yourself and provide them with the correct permissions. Incidentally, there is no automatic synchronization between share and ntfs permissions via this route (see section 8). In other words: you have to make sure that the share rights (via the button Permissions) and the local ntfs permissions (via the Security) are consistent with each other. After all, it doesn't make sense for the same visitor to have different folder permissions depending on whether he logs in locally on the PC or comes in via the network.
