I need to set user permissions using the Windows command line as follows.
I have a folder at the path "C:\Program Files\<folder>\<folderName>" and I need the following permissions for this folder:
1. Deny all users from group "Users"
2. Keep Full permission for the following users: Administrator and "testuser"
I have a batch script that will be invoked using the Qt Installer Framework; in that batch file I'm creating the user and folders like this,
net user /add testuser password
mkdir "C:\Program Files\<folder>\<folderName>"
Initial permissions,
C:\>icacls "C:\Program Files\<folderName>"
C:\Program Files\<folderName> WIN-VLK3TB8O520\Administrator:(F)
WIN-VLK3TB8O520\testuser:(F)
NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(RX)
WIN-VLK3TB8O520\testuser:(OI)(CI)(F)
WIN-VLK3TB8O520\Administrator:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
WIN-VLK3TB8O520\Administrator:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
I have a user named "testuser" which is under the "Users" local group. When I try to remove this user group using the following command,
icacls "C:\Program Files\<folder>\<folderName>" /deny Users:F /T /C
C:\>icacls "C:\Program Files\<folder>\<folderName>" /deny Users:F /T /C
processed file: "C:\Program Files\<folder>\<folderName>"
"C:\Program Files\<folder>\<folderName>"\*: Access is denied.
Successfully processed 1 files; Failed processing 1 files
This access denied is reasonable since I'm running this command as admin; I guess the permissions get denied for the administrator user as well, and I'm unable to access this folder as administrator.
I expected that if I were able to remove the following permissions, it would solve this:
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
So I executed,
ICACLS "C:\Program Files\<folder>\<folderName>" /remove Users /T /C
For the above command I got no error, but after this command executed I still didn't get the proper permissions,
Successfully processed 57 files; Failed processing 0 files
C:\>icacls "C:\Program Files\<folder>\<folderName>"
C:\Program Files\<folder>\<folderName> WIN-VLK3TB8O520\Administrator:(F)
WIN-VLK3TB8O520\testuser:(F)
NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(RX)
WIN-VLK3TB8O520\testuser:(OI)(CI)(F)
WIN-VLK3TB8O520\Administrator:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
WIN-VLK3TB8O520\Administrator:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
For the following commands there are also no changes.
ICACLS "C:\Program Files\<folder>\<folderName>" /remove Everyone /T /C
ICACLS "C:\Program Files\<folder>\<folderName>" /grant testuser:(F) /T /C
Now I understand that all users will be under the "Users" group, so I cannot /deny "Users" directly.
Can I create a new user group with these two users, i.e. Administrator and testuser, and set permissions so that this folder is only accessible to this user group?
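
An added example, not part of the original post: the `BUILTIN\Users` entries in the listings above carry the `(I)` flag, meaning they are inherited from the parent folder, so they disappear when inheritance is removed on the folder rather than through `/deny` or `/remove`. The script name `lockdown.cmd` is hypothetical, and keeping `Administrators` and `SYSTEM` alongside `testuser` is an assumption.

```batch
@echo off
setlocal
rem Added example, not from the original post. Run from an elevated prompt:
rem   lockdown.cmd "C:\path\to\folder"      (lockdown.cmd is a hypothetical name)
if "%~1"=="" (
    echo usage: %~nx0 "folder" 1>&2
    exit /b 2
)
set "TARGET=%~1"
if not exist "%TARGET%\" (
    echo not a directory: "%TARGET%" 1>&2
    exit /b 2
)

rem 1. Grant explicit, inheritable Full control first, so the folder is never
rem    left without an entry for the accounts that must keep access.
rem    Assumption: Administrators and SYSTEM are kept alongside testuser.
icacls "%TARGET%" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "testuser:(OI)(CI)F"
if errorlevel 1 exit /b 1

rem 2. Stop inheriting from the parent and drop every inherited (I) entry.
rem    This is the step that removes BUILTIN\Users:(I)(RX); the listing taken
rem    after /remove shows those inherited entries unchanged, and no /deny
rem    entry is needed once they are gone.
icacls "%TARGET%" /inheritance:r
if errorlevel 1 exit /b 1

rem 3. Verify: fail if any entry for a "...Users" principal is still listed.
icacls "%TARGET%" | findstr /L /C:"Users:" >nul
if not errorlevel 1 (
    echo a Users entry is still present on "%TARGET%" 1>&2
    exit /b 1
)
echo "%TARGET%" no longer carries inherited or Users entries.
exit /b 0
```

Explicit entries that were already on the folder, such as the `ALL APPLICATION PACKAGES` lines in the listing, are left in place by this script and can be dropped with `/remove` if they are not wanted.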