
I need to set user permissions using the Windows command line as follows.

I have a folder at path "C:\Program Files\<folder>\<folderName>" and I need the following permissions for this folder:

1. Deny all users from group "Users"
2. Keep Full permission for following user: Administrator and "testuser"

I have a batch script that will be invoked by the Qt Installer Framework; in that batch file I'm creating the user and folders like this:

net user /add testuser password

mkdir "C:\Program Files\<folder>\<folderName>"

Initial permissions,

C:\>icacls "C:\Program Files\<folderName>"
C:\Program Files\<folderName>     WIN-VLK3TB8O520\Administrator:(F)
                                  WIN-VLK3TB8O520\testuser:(F)
                                  NT SERVICE\TrustedInstaller:(F)
                                  NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                  NT AUTHORITY\SYSTEM:(F)
                                  NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                  BUILTIN\Administrators:(F)
                                  BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                  CREATOR OWNER:(OI)(CI)(IO)(F)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(RX)
                                  WIN-VLK3TB8O520\testuser:(OI)(CI)(F)
                                  WIN-VLK3TB8O520\Administrator:(OI)(CI)(F)
                                  NT SERVICE\TrustedInstaller:(I)(F)
                                  NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                  BUILTIN\Users:(I)(RX)
                                  BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                  WIN-VLK3TB8O520\Administrator:(I)(F)
                                  CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

I have a user named "testuser" which is in the "Users" local group. When I try to remove this user group using the following command,

icacls "C:\Program Files\<folder>\<folderName>" /deny Users:F /T /C

C:\>icacls "C:\Program Files\<folder>\<folderName>" /deny Users:F /T /C
processed file: "C:\Program Files\<folder>\<folderName>"
"C:\Program Files\<folder>\<folderName>"\*: Access is denied.
Successfully processed 1 files; Failed processing 1 files

This access denied error is reasonable since I'm running this command as admin; I guess permissions get denied for the administrator user too, and I'm unable to access this folder as administrator.

I expected that if I were able to remove the following permissions, it would be solved:

 BUILTIN\Users:(I)(RX)
 BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)

So I executed,

ICACLS "C:\Program Files\<folder>\<folderName>" /remove Users /T /C

For the above command I got no error, but after it executed I still didn't get the proper permissions:

Successfully processed 57 files; Failed processing 0 files

C:\>icacls "C:\Program Files\<folder>\<folderName>"
C:\Program Files\<folder>\<folderName>    WIN-VLK3TB8O520\Administrator:(F)
                                  WIN-VLK3TB8O520\testuser:(F)
                                  NT SERVICE\TrustedInstaller:(F)
                                  NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                  NT AUTHORITY\SYSTEM:(F)
                                  NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                  BUILTIN\Administrators:(F)
                                  BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                  CREATOR OWNER:(OI)(CI)(IO)(F)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(RX)
                                  WIN-VLK3TB8O520\testuser:(OI)(CI)(F)
                                  WIN-VLK3TB8O520\Administrator:(OI)(CI)(F)
                                  NT SERVICE\TrustedInstaller:(I)(F)
                                  NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                  BUILTIN\Users:(I)(RX)
                                  BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                  WIN-VLK3TB8O520\Administrator:(I)(F)
                                  CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

For the following commands there are also no changes.

ICACLS "C:\Program Files\<folder>\<folderName>" /remove Everyone /T /C

ICACLS "C:\Program Files\<folder>\<folderName>" /grant testuser:(F) /T /C

Now I understand that all users will be under the "Users" group, so I cannot /deny "Users" directly.

Can I create a new user group with these two users, i.e. Administrator and testuser, and set permissions so that this folder is only accessible to this user group?

  • A Windows user must be a member of the Users user group. So you are both explicitly denying and allowing permissions to that file by denying access to members of the Users user group. A user who is a member of the Administrators user group also is a member of the Users user group. In order to do something like this you have to implicitly allow permissions. If I am not mistaken Deny permissions always takes priority.
    – Ramhound
    Commented Nov 11, 2021 at 4:49
  • Yeah, got it, but is there a way to provide full access to only these two users? Commented Nov 11, 2021 at 9:42
  • Can you provide a screenshot of the ACL of a sample folder by chance? I do everything through the ACL GUI typically; it's just easier to tell you what needs to be done if I can see it. What I would do is create a new user group, give access to that user group, then explicitly assign whom you want to access the folder to that user group. But I need to see the ACL of an example folder that isn't working to provide instructions on how to do that.
    – Ramhound
    Commented Nov 11, 2021 at 13:34
  • Thank you Ramhound, updated question. Commented Nov 11, 2021 at 14:49

1 Answer

After a lot of reading documentation and experiments, I found the following:

/deny is used to completely "deny" all users in that group.

However, we can remove that group from the ACL, grant permission to a particular user and change ownership to that user. So whenever any user tries to access that folder, a UAC window will pop up and request that an admin grant permission for that specific user. This solves my problem.

Also, some of the permissions are inherited, so I couldn't change the ACL directly.

To solve my problem I used the following:

REM To disable inheritance (inherited ACEs are copied as explicit ones so they can be edited).
icacls %FOLDER_PATH% /inheritance:d

REM To remove all the granted and denied permissions for Users.
icacls %FOLDER_PATH% /remove:g Users
icacls %FOLDER_PATH% /remove:d Users

REM To grant full permission to the current user.
icacls %FOLDER_PATH% /GRANT %USERNAME%:F /T /Q

REM To grant full permission to a different user.
icacls %FOLDER_PATH% /GRANT %Another_USERNAME%:F /T

Note that these above two users will still be in the Users group and able to access this particular folder,
and other users from the "Users" group will not be able to access this folder unless the required permissions are granted.

REM To change ownership to the desired user.
icacls %FOLDER_PATH% /setowner %Another_USERNAME% /T

Hope this helps!
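The same procedure as one batch script that also checks the result afterwards. This is an added example, not the asker's or Ramhound's code; the folder path and the two account names are placeholders, and it assumes an elevated prompt.

```batch
@echo off
REM Added example: restrict a folder to two named accounts with icacls and
REM verify the resulting ACL. FOLDER, USER1 and USER2 are placeholders.
setlocal
set "FOLDER=C:\Program Files\<folder>\<folderName>"
set "USER1=Administrator"
set "USER2=testuser"

if not exist "%FOLDER%\" (echo Folder not found: "%FOLDER%" & exit /b 1)

REM 1. Stop inheriting from the parent. /inheritance:d keeps the inherited
REM    ACEs as explicit ones (editable); /inheritance:r would drop them all,
REM    including the SYSTEM and Administrators entries.
icacls "%FOLDER%" /inheritance:d || exit /b 1

REM 2. Remove the (now explicit) Users ACEs instead of adding a /deny: a deny
REM    on Users also matches Administrator and testuser, who are members of it.
icacls "%FOLDER%" /remove:g Users /T /C || exit /b 1
icacls "%FOLDER%" /remove:d Users /T /C || exit /b 1

REM 3. Grant both accounts Full control. (OI)(CI) makes the ACE inherit to
REM    files and folders created later; /T also stamps the existing children.
icacls "%FOLDER%" /grant "%USER1%:(OI)(CI)F" "%USER2%:(OI)(CI)F" /T /C || exit /b 1

REM 4. The owner can always rewrite the DACL, so hand ownership to the account
REM    that should administer the folder.
icacls "%FOLDER%" /setowner "%USER1%" /T /C || exit /b 1

REM 5. Verify: no BUILTIN\Users ACE may remain on the folder, and each account
REM    must hold an inheritable (F) entry.
icacls "%FOLDER%" | findstr /I /L /C:"BUILTIN\Users" >nul && (
    echo FAIL: BUILTIN\Users is still present & exit /b 2
)
for %%U in ("%USER1%" "%USER2%") do (
    icacls "%FOLDER%" | findstr /I /L /C:"%%~U:(OI)(CI)(F)" >nul || (
        echo FAIL: %%~U does not have Full control & exit /b 2
    )
)
echo OK: "%FOLDER%" is restricted to %USER1% and %USER2%
endlocal
```

Run it from the installer's batch file after `net user /add` and `mkdir`; a non-zero exit code means one of the icacls steps or the final check failed.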
