We had a user account that we wanted to preserve as a back-up, but we also wanted to make sure that anyone who gained access to the machine would not be able to access the data.
To do this we used the built-in Windows 10 Pro encryption in conjunction with disabling the account. This means that the only way to access the data is from the user account, and that account is disabled. Furthermore, if someone copies the files from that user account they won’t be able to read them unless they are on this original computer under the correct account.
To encrypt the files for this User:
- Log in to the account to lock and select the C:\Users\<name> folder
- Right-Click and select Properties
- In the General tab click on Advanced…
- Check “Encrypt contents to secure data”
- Click on OK
- Click on Apply
- Select to “Apply to this folder, all subfolders and files” so that all existing files get encrypted (this may take a long time)
NOTE: If you only select “Apply to this folder” then only new files will be encrypted
To disable the User account:
- Log out of that User account
- Log in to another User account
- Run cmd.exe as administrator
- For a local User:
net user "User Name" /active:no
To re-enable the account later:
net user "User Name" /active:yes
- For a domain User:
net user "User Name" /active:no /domain
From this point the only way to access that User’s files is by logging in as that User. The User account is disabled and thus gaining access to the data requires special knowledge. Even if you access that User’s files from another account the files will be unreadable – or if you remove the hard drive and copy the files they will be useless.
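One way to confirm that both steps took effect, as an added example that is not part of the original write-up: run this from an elevated PowerShell prompt in a different administrator account. The helper name Test-LockedProfile, the account name and the profile path are assumptions for illustration, and the check covers local accounts only.

```powershell
# Added example: verify that a local account is disabled and that the files
# in its profile carry the EFS "Encrypted" attribute.
# Test-LockedProfile is a hypothetical helper name, not a built-in cmdlet.
function Test-LockedProfile {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $ProfilePath
    )

    # 1. Account state. Get-LocalUser only knows local accounts.
    $account = Get-LocalUser -Name $UserName -ErrorAction Stop

    # 2. Files that are NOT encrypted. File attributes can be read without
    #    the user's EFS key, so this works from another account.
    #    Paths that cannot be listed are counted instead of aborting the scan.
    $scanErrors = @()
    $plain = Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -File `
                 -ErrorAction SilentlyContinue -ErrorVariable scanErrors |
             Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }

    [pscustomobject]@{
        User            = $UserName
        AccountDisabled = -not $account.Enabled
        PlaintextFiles  = @($plain).Count
        UnreadablePaths = $scanErrors.Count
        # First few offenders, enough to see which folders were missed.
        Examples        = @($plain | Select-Object -First 10 -ExpandProperty FullName)
    }
}

# Constructed sample values; replace with the real account and folder.
$result = Test-LockedProfile -UserName 'BackupUser' -ProfilePath 'C:\Users\BackupUser'
$result | Format-List

if (-not $result.AccountDisabled -or $result.PlaintextFiles -gt 0) {
    Write-Warning 'Account is still enabled or some files are not encrypted.'
}
```

A nonzero PlaintextFiles count shows which files the folder-level encryption did not cover, for example when only “Apply to this folder” was selected.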
You might want to back-up the encryption key. We backed up the data on a separate drive which was protected by an air gap, so we did not back-up the key.
If you want to preserve the key, press the Windows Key and type “encrypt” as a search term. You should see “Manage file encryption certificates”; select that. This wizard will walk you through creating the security key. You should not store this key on this machine, because if the machine is compromised the key to access the data would also be compromised.