I'm on Windows 10.0.16299 Pro. I have a particular folder containing script files. I want all users to be able to read and execute them. Additionally, I want members of a particular local group to be able to edit them in-place without having to authenticate (or indeed perform any other special action) each time. In principle the “particular local group” could be any arbitrary group created for the purpose. For my current application the most natural choice would be Administrators, but I could use another one if that specific group has special behavior that complicates what I'm trying to do. So basically I’m looking for behavior analogous to what you get after setting rwxrwxr-x permissions on a file in a POSIX system.

I followed the procedure below and the permissions ended up looking right in theory. However, when I (as a logged-in member of the Administrators group) go to save edits to one of the files, the editor tells me I do not have permission.

Here's what I did. I right-clicked on the folder, selected "Properties" and went to the "Security" tab, then clicked the "Advanced" button. I clicked "Disable inheritance" and chose to convert existing inherited permissions into explicit permissions. I then edited the permissions and they ended up looking like the following screenshot:

screenshot of properties->security->advanced pane for the enclosing folder

For the script files themselves, this automatically makes the equivalent pane look the same as above, except that inheritance is still enabled and the "Inherited from" column shows the name of the enclosing folder. All of that looks theoretically correct to me. Why can't I, as a member of the designated group, modify the files' content?

  • Even though you might be a member of Snap08\Administrators, when you are logged in to Snap08, you have a set of permissions that do not include membership in that group. Whenever you need to do something that requires membership in that group, you have to get temporarily elevated. Either by explicitly launching the program using the "Run As Administrator" option, or by having the program detect what you are trying to do, and then opening a UAC prompt. See en.wikipedia.org/wiki/User_Account_Control to learn more about this concept, called User Account Control.
    – Doug Deden
    Commented Jan 31, 2019 at 20:05
  • @DougDeden thanks. Sounds like this is a particular behavior that is specific to the group named "Administrators"? In that case, can my problem be worked around if I create another more-arbitrarily-named group, add all the current admins to it, and give write permission to that group? Or does this principle, of not getting your group's privileges until you do something special to specifically ask for them, apply to all groups?
    – jez
    Commented Jan 31, 2019 at 21:28
  • @jez - No; A process will run with the lowest possible permissions possible until they are elevated. It is Absolutely NOT limited to just the Administrator user group. If you want a user to be able to edit a file without an elevation prompt, then you need to elevate the permissions of the editor, that is modifying the file. This will, of course, result in a single prompt to elevate the permissions which cannot be prevented without disabling UAC entirely. If you disable UAC on Windows 10 you disable ALL UWP applications including the Settings application.
    – Ramhound
    Commented Jan 31, 2019 at 21:32
  • @Ramhound Thanks. That would mean that there's simply no way of emulating rwxrwxr-x behavior in Windows (at least not without system-wide side effects). Given all the added complexity of Windows' permissions system, that's surprising to hear.
    – jez
    Commented Jan 31, 2019 at 21:41
  • @Ramhound what would be the procedure for “elevating” your permissions to those of a non-admin group? In uac settings I only see mention of Administrator privileges.
    – jez
    Commented Feb 2, 2019 at 1:44

1 Answer 1


OK, what worked for me was to steer clear of using the Administrators group for this purpose, and instead to create a different local group (say "Developers"). I gave the Developers group write permission on a file, and any member of that group could then edit the file while others could not. There was no special "elevation" step that members of Developers had to perform each time they wanted to edit the file, whereas there was if I tried to use the Administrators group for the same purpose (this is contrary to my best understanding of the comments above).

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .