How can I lock and secure (prevent access to) a Windows 10 User Account without deleting it?

We had a user account that we wanted to preserve as a back-up, but we also wanted to make sure that anyone who gained access to the machine wouldn’t be able to access the data.

To do this we used the built-in Windows 10 Pro encryption in conjunction with disabling the account. This means that the only way to access the data is from the user account, and that account is disabled. Furthermore, if someone copies the files from that user account they won’t be able to read them unless they are on this original computer under the correct account.

To encrypt the files for this User:

  1. Log in to the account you want to lock and select the C:\Users\<name> folder
  2. Right-click and select Properties
  3. In the General tab click on Advanced…
  4. Check “Encrypt contents to secure data”
  5. Click on OK
  6. Click on Apply
  7. Select “Apply to this folder, all subfolders and files” so that all existing files get encrypted (this may take a long time)
    NOTE: If you only select “Apply to this folder” then only new files will be encrypted

To disable the User account:

  1. Log out of that User account
  2. Log in to another User account
  3. Run cmd.exe as administrator
  4. For a local User, disable the account with:
    net user "User Name" /active:no
    (to re-enable it later: net user "User Name" /active:yes)
    For a domain User:
    net user "User Name" /active:no /domain

From this point the only way to access that User’s files is by logging in as that User. The User account is disabled and thus gaining access to the data requires special knowledge. Even if you access that User’s files from another account the files will be unreadable, and if you remove the hard drive and copy the files they will be useless.
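One way to check both protections afterwards, as an added example that is not part of the original post: it confirms the account is disabled and lists any files in the profile that did not receive the encrypted attribute. The account name and profile path are placeholders, and a local (not domain) account is assumed.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session from a different account than the one that was locked.
param(
    [string]$UserName    = 'User Name',           # placeholder: the disabled local account
    [string]$ProfilePath = 'C:\Users\User Name'   # placeholder: that account's profile folder
)

# 1. Confirm the account is disabled (local accounts only).
$account = Get-LocalUser -Name $UserName -ErrorAction Stop
if ($account.Enabled) {
    Write-Warning "Account '$UserName' is still enabled."
} else {
    Write-Output "Account '$UserName' is disabled."
}

# 2. Find files that do not carry the EFS Encrypted attribute.
#    Reading attributes does not require the user's EFS key.
$files = @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -File -ErrorAction SilentlyContinue -ErrorVariable scanErrors)
$encryptedFlag = [System.IO.FileAttributes]::Encrypted
$plain = @($files | Where-Object { -not $_.Attributes.HasFlag($encryptedFlag) })

$summary = "Files scanned: {0}; not encrypted: {1}; paths that could not be read: {2}"
Write-Output ($summary -f $files.Count, $plain.Count, $scanErrors.Count)

# EFS does not encrypt files with the System attribute, and files that were
# open while the folder was being encrypted may have been skipped, so review
# anything listed here.
$plain | Select-Object -First 20 FullName, Attributes | Format-Table -AutoSize
```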

You might want to back up the encryption key. We backed up the data on a separate drive which was protected by an air gap, so we did not back up the key.

If you want to preserve the key, press the Windows Key and type “encrypt” as a search term. You should see “Manage file encryption certificates”; select that. This wizard will walk you through creating the security key. Do not store this key on this machine: if the machine is compromised, the key to access the data would be compromised as well.

 
