Obviously I didn't expect to be denied access myself being an Administrator and seeing that Administrators have full control as a separate permission from the one I just edited
File permissions on Windows work like this:
- All `Deny` entries have priority.
- Then, all `Allow` entries are considered.
- Finally, if the user is not on the list at all, then access is denied as well.
So in general, what you should have done is remove the `Allow` access entries rather than add `Deny` entries – don't use those if you can avoid them.
As an exception, the owner can always set new permissions – and an Administrator can always become the owner (take ownership) – so recovering from this almost always starts with setting either yourself or the Administrators group as the new owner. This lets you set a new access list that grants you full control – then you repeat the process with all sub-folders.
Windows Explorer sometimes offers to do that for you as soon as you try to open the folder (or when you try to see the permissions of something), but more commonly it's done using the `takeown` program.
takeown /a /r /d y /f D:\
The `/d y` asks it to automatically reset permissions as well, so it'll be able to recover the contents of the entire disk recursively.
Setting up the restrictions
Once you have your access back, edit the D:\ access list again, preferably through the "Advanced" view (or through an elevated CLI if you prefer, although one of the steps is tedious to do via CLI).
If you're restricting a subdirectory, disable "Inherit permissions" and choose 'Copy'. Not needed for the whole disk as there is nothing to inherit from.
icacls D:\Foo /inheritance:d
Remove "Users", "Authenticated Users", "Everyone", and similar entries if they're still there – keeping only `Administrators` and `SYSTEM` (and your own account, for UAC). Anyone else not on the list will automatically have no access, so there's no need to explicitly list them.
icacls D:\ /remove "Authenticated Users"
icacls D:\ /remove "Everyone"
Note: Due to Windows UAC, the `Administrators` grant will only be effective when you run programs "elevated" (i.e. 'Run as Administrator'). So if you click 'Apply' at this point and you're not on the access list personally, then you'll lose access through Explorer (which never runs elevated) – but it's not an issue since you can just add yourself through elevated PowerShell or Total Commander or any other file manager.
Grant yourself full control access (takeown will probably already have done this, but do it anyway just in case).
icacls D:\ /grant "Bradley:(OI)(CI)(F)"
The `(OI)` and `(CI)` mark the entry as inheritable (i.e. the equivalent of "Applies to: This folder, subfolders, and files").
Grant "Authenticated Users" read/list access again, but mark it as non-inheritable – i.e. "Applies to: This folder only" – so that they can still list the top-level folders but not descend into them.
icacls D:\ /grant "Authenticated Users:(R)"
The absence of `(OI)(CI)` means the access entry won't be inherited. This step is technically optional (users can still access items if they know the path, e.g. if you create them a .lnk shortcut) but it'll make things more convenient.
Just in case, check the "Replace all child object permissions" box when saving the changes (this only needs to be done once), so that everything inside would be forced to inherit from the permissions you've just set on the root of the disk.
(The `*` is important: you want to reset only the children, not the root itself.)
icacls D:\* /reset /t
(approximate PowerShell equivalent; note the `$(...)` around `$_.FullName`, since `"$_.fullname"` would only expand `$_` and append the literal text `.fullname`)
gci D:\ | % { icacls "$($_.FullName)" /reset /t }
Finally, on each of the specific folders that the user needs access to, just add them to the access list for that folder. This can be done through the normal view of the 'Security' tab.
icacls D:\Videos /grant "Users:(OI)(CI)(R,W)"
In case you want to allow access to a whole folder but disallow one specific subfolder, often it's still better to avoid 'Deny' entries and to instead disable permission inheritance on that folder, which would let you remove the unwanted entries from it specifically.
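The steps above, gathered into one script as an added example (this is not code from the original answer). It is meant to be run from an elevated PowerShell. The root `D:\`, the account `Bradley`, the `Videos` folder and the `icacls`/`takeown` switches come from the answer; the parameter names, the `Invoke-Icacls` helper and the `Videos\Private` exclusion (illustrating the "disable inheritance instead of Deny" tip) are assumptions you would adjust.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original answer: the whole procedure as one
# elevated PowerShell script. D:\, 'Bradley' and 'Videos' come from the answer;
# parameter names, the helper and the 'Videos\Private' exclusion are assumptions.
param(
    [string]$Root  = 'D:\',
    [string]$Owner = 'Bradley',
    [switch]$Recover,                                        # run takeown first (locked-out case)
    [hashtable]$Grants  = @{ 'Videos' = 'Users' },           # subfolder -> principal that gets (R,W)
    [hashtable]$Exclude = @{ 'Videos\Private' = 'Users' }    # subfolder -> principal cut off without Deny
)

function Invoke-Icacls {
    # Runs icacls with the given arguments and aborts on a non-zero exit code,
    # so a half-applied ACL never goes unnoticed.
    param([string[]]$Arguments)
    Write-Host "icacls $($Arguments -join ' ')"
    & icacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

# 0. Recovery: make Administrators the owner recursively, answering the prompts with 'y'.
if ($Recover) {
    & takeown.exe /a /r /d y /f $Root
    if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }
}

# 1. Only a subdirectory has something to inherit from; a drive root does not.
$isDriveRoot = [System.IO.Path]::GetPathRoot($Root).TrimEnd('\') -eq $Root.TrimEnd('\')
if (-not $isDriveRoot) { Invoke-Icacls $Root, '/inheritance:d' }

# 2. Drop the broad Allow entries instead of adding Deny entries.
foreach ($principal in 'Authenticated Users', 'Everyone', 'Users') {
    Invoke-Icacls $Root, '/remove', $principal
}

# 3. Full control for yourself, inheritable ((OI)(CI)) ...
Invoke-Icacls $Root, '/grant', "${Owner}:(OI)(CI)(F)"
# ... and read/list on the root only (no (OI)(CI)), so others can see the
# top-level folder names but not descend into them.
Invoke-Icacls $Root, '/grant', 'Authenticated Users:(R)'

# 4. Force every child (not the root itself) to inherit from the root again.
# /c keeps going past items that refuse access, e.g. 'System Volume Information';
# such failures are reported as a warning rather than aborting the run.
Get-ChildItem -LiteralPath $Root -Force | ForEach-Object {
    & icacls.exe $_.FullName /reset /t /c
    if ($LASTEXITCODE -ne 0) { Write-Warning "reset reported errors under $($_.FullName)" }
}

# 5. Per-folder grants for the folders users actually need.
foreach ($entry in $Grants.GetEnumerator()) {
    $path = Join-Path $Root $entry.Key
    Invoke-Icacls $path, '/grant', "$($entry.Value):(OI)(CI)(R,W)"
}

# 6. Cut one subfolder out of such a grant without a Deny entry: stop inheriting
# (the inherited entries are copied as explicit ones) and remove the principal there.
foreach ($entry in $Exclude.GetEnumerator()) {
    $path = Join-Path $Root $entry.Key
    if (Test-Path -LiteralPath $path) {
        Invoke-Icacls $path, '/inheritance:d'
        Invoke-Icacls $path, '/remove', $entry.Value
    }
}

# Show the resulting root ACL for review.
& icacls.exe $Root
```

Save it as, say, `Set-DriveAcl.ps1` and run `.\Set-DriveAcl.ps1 -Recover` from an elevated prompt when you have already locked yourself out, or without `-Recover` when you still have access. Every step stops on the first icacls failure except the child reset, which only warns, because hidden system folders on a drive root commonly refuse even an administrator and that is not a sign the rest went wrong.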
Side note: There is very little difference between `Authenticated Users` and `Everyone` (all Windows versions since XP exclude Anonymous from Everyone). There's also little difference between those and the regular `Users` group if guest accounts aren't used.