3

I need to deny all folder permissions for all users, including administrators and other groups, via a batch file.

I found two topics about this, but I can't solve my problem:

icacls Deny Everyone Directory Delete Permission

How to grant permission to users for a directory using command line in Windows?

This command works: icacls D:\Desktop\test /deny Administrator:(OI)(CI)(DE,DC) , but it affects only the special permissions:


But I need to deny all the other permissions as well, as in the image:


I need to deny all permissions to all users (administrators, SYSTEM, and others) via batch, so that nobody can access this folder, not even the system or the creator of the folder.

  • 1
    Hmm... if nobody has got the permission to modify anything, then nobody seems to be left who could remove deny permissions, don't you think? – aschipfl Dec 20 '15 at 15:39
  • While you still have permission to modify, you can remove permissions; after that you can't access it anymore, so you can remove the folder permissions before you lose that permission... I do this with a WindowsPE that loads on boot, but I need to do this logged in with my user. This is not really the idea of what I need to do, but I can access this folder via Linux or other systems that do not recognize NTFS permissions. But at this moment this is not the idea, I need to remove these permissions... – rafaelfndev Dec 20 '15 at 16:52
  • 2
    If you want to deny everybody access to the target folder, `icacls d:\desktop\test /deny Everyone:(OI)(CI)(F)` would work - except that I think it will lock you out of the folder before it has applied the permission change to files and subfolders. There isn't any way that I know of to resolve that problem in batch. – Harry Johnston Dec 20 '15 at 20:35
  • 2
    @aschipfl: the owner of a file or folder can always change the permissions. And an administrator can always claim ownership. So you can't get locked out completely, although admittedly the built-in tools for recovering from this situation aren't very good. – Harry Johnston Dec 20 '15 at 20:40
  • This solved my problem, thanks. Sorry for taking so long to respond :D – rafaelfndev Feb 06 '16 at 19:26

2 Answers

3

Try this code:

cacls D:\Desktop\Test /e /c /d %username%

I hope I have helped you. This will change the permissions to all deny. To undo it, simply run this code:

cacls D:\Desktop\Test /e /c /g %username%:f
Anonymous
1

I think you should learn more about NTFS permissions (technically, the Discretionary Access Control Lists (DACL)) before complaining about the appearance of the GUI.

The Security tab in a file's Properties dialog box has limited control over what permissions you can allow and what you can deny. You should also have some idea of the purposes of the built-in user groups, because the groups that appear in the GUI are never the only groups your system has (it only shows users or groups that have permission entries applied on the files).

For now, I will assume that you want to deny access to Everyone.

First: simply clicking Deny on Full control on all the users on the list is not enough.

You need to Deny two groups for this: the Everyone group and the Anonymous Logon group. (Because "Everyone" no longer includes Anonymous Logon since Windows XP.)

After everyone is denied, it might be a good idea to remove inherited permission entries as well, since they no longer apply and only cost your system a little time to process.

With the guide above, I think you can teach yourself to operate all these on the GUI. The result should look something like this:

Advanced Security Settings for a folder that denies all access by everyone

If you still have no idea what to do, here is the command-line equivalent (using the icacls command - you need Windows Vista SP1 or later because of the /inheritance option):

rem The target folder comes first (D:\Desktop\test is the folder from the question)
rem /inheritance:r - Remove all inherited entries
rem /deny - Set denial of permissions (several "name:perm" entries may follow)
rem (OI) - "Object inherit" - Also applies to files within the folder
rem (CI) - "Container inherit" - Also applies to subfolders
rem (F) - "Full control"
icacls D:\Desktop\test /inheritance:r /deny "Everyone:(OI)(CI)(F)" "ANONYMOUS LOGON:(OI)(CI)(F)"

If the names "Everyone" or "Anonymous Logon" don't work for you...

icacls D:\Desktop\test /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)"

(Yes, it's the same thing, but with SIDs specified in place of user names.)

Here is one caveat though: the owner of the files can change permissions whenever they want, and the Administrators can change the owner of the files, at least to themselves. These are special privileges granted by the system that you can't deny, so with a bit of effort, the whole process of setting this DACL is reversible by Administrators.

Explorer09
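The procedure in the answer above, as an added batch example that is not code from the question, the answers or the comments: it applies the same inheritance removal and inheritable deny entries for the well-known SIDs, but backs up the current DACLs with icacls /save first, so that an administrator can take ownership and roll the change back with icacls /restore (the recovery path the comments and the caveat describe). The folder path, backup file name and script name are assumptions.

```batch
@echo off
rem Added example, not code from the question or the answers above.
rem Applies the lock-down the answer describes (remove inheritance, deny
rem Everyone and ANONYMOUS LOGON with full control, inherited by files and
rem subfolders), but saves the current DACLs first so an administrator can
rem undo it. Run from an elevated prompt.
rem   lockdown.cmd        - back up ACLs, then apply the deny entries
rem   lockdown.cmd undo   - take ownership and restore the saved ACLs
rem The folder path, backup file name and script name are assumptions.
setlocal
set "TARGET=D:\Desktop\test"
set "BACKUP=%TEMP%\test-acl-backup.txt"

rem icacls /save records paths relative to the parent of the saved folder,
rem so /restore must be run against that parent. Derive it without the
rem trailing backslash, which would otherwise swallow the closing quote.
for %%I in ("%TARGET%") do set "PARENT=%%~dpI"
set "PARENT=%PARENT:~0,-1%"

if /i "%~1"=="undo" goto :undo

if not exist "%TARGET%\" (
    echo Folder "%TARGET%" not found.
    exit /b 1
)

rem 1. Back up the DACLs of the folder and its whole subtree (/t);
rem    /c keeps going past individual errors.
icacls "%TARGET%" /save "%BACKUP%" /t /c
if errorlevel 1 (
    echo ACL backup failed; nothing was changed.
    exit /b 1
)
echo ACL backup written to "%BACKUP%".

rem 2. Remove inherited entries and add inheritable deny entries. SIDs are
rem    used instead of names so the command works on localized systems:
rem    S-1-1-0 = Everyone, S-1-5-7 = ANONYMOUS LOGON.
icacls "%TARGET%" /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)"
if errorlevel 1 (
    echo icacls failed; restore with: %~nx0 undo
    exit /b 1
)

rem 3. Print the resulting DACL for a visual check. Expect two DENY lines
rem    with (OI)(CI)(F) and no inherited (I) entries.
icacls "%TARGET%"
exit /b 0

:undo
if not exist "%BACKUP%" (
    echo No ACL backup found at "%BACKUP%".
    exit /b 1
)
rem The owner can always rewrite the DACL and Administrators can always take
rem ownership, which is what makes the lock-down reversible. /r recurses;
rem /d y answers the prompt for folders the current user cannot list.
takeown /f "%TARGET%" /r /d y
if errorlevel 1 (
    echo takeown failed; run this from an elevated prompt.
    exit /b 1
)
icacls "%PARENT%" /restore "%BACKUP%" /c
exit /b %errorlevel%
```

The backup step is the important addition: once the deny entries are in place the account that ran the script can no longer list the folder, so the saved ACL file is the only record of what the DACL looked like before. The undo path relies on exactly the two privileges the answer's caveat names (ownership can always rewrite the DACL, and Administrators can always take ownership), which is why the script asks for an elevated prompt.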