0

I need to give a non-admin account most admin permissions except for modifying system files. I'd like that admin account to retain all normal admin permissions but not be able to modify the hosts file. I've written a guide on how to do this in Ubuntu, and I'd like to do something similar in Windows 10.

The best solution I've found is to make something like this script start when the user logs in. Source

#Specify the file name
$fileName = "C:\Windows\System32\Drivers\etc\hosts"

#Open the file in read only mode, without sharing (I.e., locked as requested)
$file = [System.io.File]::Open($fileName, 'Open', 'Read', 'Read')

I understand that it won't be bullet proof, but I would like something that makes it sufficiently inconvenient to modify this file.

Improve this question
11
  • As an Administrator on Windows, you can give yourself permissions to any file on the system, it is just a matter of hoops you must jump through.
    – Ramhound
    Commented Feb 14, 2019 at 16:23
  • As I linked above it's not always as simple as changing read/write access. Another way to put this puzzle: How do you give a non-admin account permissions to do any admin task except modifying system files.
    – DanielArnett
    Commented Feb 14, 2019 at 16:33
  • I could not access your link, so I have no idea what it says, but that information only applies to Linux. As an Administrator on Windows, one can take ownership of any file on the system, just a matter of what hoops you must jump through (or if it will break the system).
    – Ramhound
    Commented Feb 14, 2019 at 16:39
  • This is still a duplicate. The top answer on the linked question is your answer: You cannot do this within the confines you have defined. By very definition, Admin access is the ability to modify the permissions and properties of files on a system and can grant themselves the access you wish to remove from them. If you wish to prevent accounts from accessing a file, you cannot give them Admin.
    – music2myear
    Commented Feb 14, 2019 at 17:25
  • 1
    (1) You ask for “most admin permissions except …”.  To paraphrase Han Solo, ‘most admin permissions’ is quite a bit.  If you identified specific permissions that you want this non-admin account to have, you might get an answer more to your liking.  P.S. “Most admin permissions” include the power to terminate any process, so your lock file approach is probably doomed to fail.   (2) Your Ubuntu solution appears to be about as bullet-proof as aluminum foil.
    – Scott - Слава Україні
    Commented Feb 14, 2019 at 18:20

1 Answer 1

Reset to default
0

An admin can access any file on the system. The system hosts file you are referring to handles local name resolution for the machine so it needs to be able to be readable by all users of the system. You could probably remove admin access to "write" to the file but another admin could easily give themselves "write" access back.

Improve this answer
4
  • Even more than that: By definition Admin rights include the ability to MODIFY the permissions and properties of any object on the system. If you cannot do this, you do not have Admin.This ability to modify permissions and properties means that they can grant themselves the access you wish to exclude them from.
    – music2myear
    Commented Feb 14, 2019 at 17:23
  • @music2myear: How is what you said “even more than” what Marcus Patman already said?
    – Scott - Слава Україні
    Commented Feb 14, 2019 at 17:44
  • Because the access to an item is not the same thing as the ability to change the access to an item. One admin could adjust the permissions of a given object and ostensibly prevent another admin from viewing it. This would appear to give the lie to Marcus' answer. I was adding to it that even this is a technicality which the admin rights of the other account would be able to easily overcome. I was expanding the information to clarify that it covers even seeming exceptions.
    – music2myear
    Commented Feb 14, 2019 at 17:52
  • @music2myear Marcus’s answer already says «another admin could easily give themselves "write" access back.» If you are saying something more than that, I don’t understand it.
    – Scott - Слава Україні
    Commented Feb 14, 2019 at 19:01

Not the answer you're looking for? Browse other questions tagged .