0

I am the administrator in my PC and there are some other users on it. I set a folder (Gabi) as "Read only" for a specific user (Alice), using ICACLS via the Command Prompt (I am using windows 7 in VirtualBox). The folder has some ".txt" files. I used the following command:

icacls "C:\ITSM Lab1\Administration\Gabi" /grant:r Alice:(OI)(CI)R /T

The above command ran successfully in the Command Prompt. But the files in the folder can still be modified (Alice can change the text file and can save the file as well. He can rename as well. He can even delete the whole folder with the files).

I also tried this link : Use icacls to make a directory read-only on Windows 7. I followed the link and tried the following command:

C:\Windows\system32\Icacls "C:\ITSM Lab1\Administration\Gabi" /deny "Alice": (CI)(OI)(W,D)  /Grant:r "Alice":(CI)(OI)R /T

In the above command, I denied "write" and "delete" for Alice, and gave Alice "Read-only" permission. This command ran successfully, but the folder "Gabi" gets completely inaccessible and undeletable, which does not serve my purpose.

Then I restored windows 7 to the state before running the above code.

I don't know why the commands are not really setting the "read-only" permission. Actually I want to set the permission in such a way that Alice will be able to read the txt files, but won't be able to change/delete the files/folder, and he won't be able to create any new file/folder in "Gabi" folder . I just checked the permission for Alice via GUI (Security Tab): in the "Allow" column only ''Read'' is ticked (there is no other tick marks). So the GUI is showing that "read-only" permission is applied on Gabi folder. But, Alice can still change and delete those files and the folder. I don't know why.

What am I doing wrong?

Before running the first command icacls "C:\ITSM Lab1\Administration\Gabi" /grant:r Alice:(OI)(CI)R /T, I ran the following command:

icacls "C:\ITSM Lab1\Administration\Gabi" /grant Alice:R /T

When I run the command:icacls "C:\ITSM Lab1\Administration\Gabi I get the following result:

icacls "C:\ITSM Lab1\Administration\Gabi"
C:\ITSM Lab1\Administration\Gabi Tanvir-PC\Alice:(R)
                                 Tanvir-PC\Alice:(OI)(CI)(R)
                                 Tanvir-PC\Gabi:(OI)(CI)(F)
                                 Tanvir-PC\SysAdministrator:(OI)(CI)(F)
                                 Tanvir-PC\CEO:(OI)(CI)(F)
                                 Tanvir-PC\Managers:(I)(OI)(CI)(N)
                                 Tanvir-PC\SysAdministrator:(I)(OI)(CI)(F)
                                 Tanvir-PC\CEO:(I)(OI)(CI)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                 NT AUTHORITY\SYSTEM:(I)(F)
                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Users:(I)(OI)(CI)(RX)
                                 NT AUTHORITY\Authenticated Users:(I)(M)
                                 NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files

the result screenshot

UPDATE:

In my Windows 7 (in VirtualBox) , there are 4 local groups (which I created by command line):

Administration
CEO
Managers
SysAdministrator

Each local group has user(s) (which I created by command line):

Users in "Administration" : Alice, Gabi

Users in "CEO": Chief

Users in "Managers" : Anthony, Elisa

Users in "SysAdministrator": Admin

groups Users

Improve this question
3
  • I ran the command C:\>icacls "C:\Work place\Topics\Rasu" The result I got for Hary is :--- C:\Work place\Topics\Rasu Kaly-PC\Hary:(R) Kaly-PC\Hary:(OI)(CI)(R)
    – kaly
    Commented Oct 15, 2017 at 17:23
  • OK. First of all, granting the (R)ead permission does not make an object (e.g. file or folder) read-only. NTFS permissions are "additive", meaning all permissions a user has are added together to determine what they can do. What is your end goal here? To make it so only a certain user (or group of users) can read but not modify this folder and its contents?
    – I say Reinstate Monica
    Commented Oct 15, 2017 at 18:05
  • 1
    my goal is : a certain user can read but cannot do anything else
    – kaly
    Commented Oct 15, 2017 at 18:48

1 Answer 1

Reset to default
1

The problem: You user is being granted additional rights

I want to set the permission in such a way that Alice will be able to read the txt files, but won't be able to change/delete the files/folder

To achieve this result, your user should only be granted NTFS Read permissions to the folder. The fact your user can still modify objects in this folder indicates he has been granted more than just the Read permission. NTFS permissions are additive. Therefore, all permissions granted to a user are added together to determine what the user can ultimately do.

A user can be granted permissions via those permissions being granted directly to their user object, or via permissions granted to a group of which the user is a member.

According to the output of the icacls "C:\ITSM Lab1\Administration\Gabi" command, the following identities have (M)odify or (F)ull permission to the folder (I excluded SYSTEM):

  • Tanvir-PC\Gabi:(OI)(CI)(F)
  • Tanvir-PC\SysAdministrator:(OI)(CI)(F)
  • Tanvir-PC\CEO:(OI)(CI)(F)
  • Tanvir-PC\SysAdministrator:(I)(OI)(CI)(F)
  • Tanvir-PC\CEO:(I)(OI)(CI)(F)
  • BUILTIN\Administrators:(I)(F)
  • BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
  • NT AUTHORITY\Authenticated Users:(I)(M)

The most obvious issue is that the special identity Authenticated Users has Modify permissions. This group automatically has as members all users with a valid account on the machine, which is going to include your user.

Further, if there are any other groups in this list of which your user is a member, his membership in those groups will likewise confer him with more than Read permissions.

Available solutions

Either remove the user from any group that is being granted more than Read permission to the folder, or revoke that group's permissions to the folder.

If the above isn't an option, you can Deny your user the following permissions on the folder. Deny permissions always override Allow permissions, so this will counteract any Allow permissions granted to the user, no matter how they are granted:

Permissions to Deny:

  • WD - write data/add file
  • AD - append data/add subdirectory
  • WA - write attributes
  • DC - delete child
  • DE - delete
  • WEA - write extended attributes

Note: Using Deny permissions is usually a bad idea and should be used only as a last resort.

A better way to manage permissions

It's typical to need to grant multiple users the following permissions to a folder:

  • Read
  • Modify

A best-practice approach that minimizes the work involved in granting/revoking permissions to users is to use Resource Groups. A resource group is simply a group that has been granted a specific type of permission to an object. For example, your folder would need the following groups:

  • r_Gabi-Read (Granted Read permissions)
  • r_Gabi-Modify (Granted Modify permissions)

To modify a user or group's permissions to the object, you simply add/remove them from membership in the appropriate resource group. This is faster than modifying the permissions on the object itself. It also has the distinct advantage of making it clear in the Active Directory Users and Groups MMC snap-in (or Local Accounts for non-domain PCs) exactly who can access what.

This strategy requires that in addition to the permissions granted to the resource groups, you only grant the additional permissions of Full Control to the SYSTEM and Administrators identities. No other permissions should be granted on the object.

Improve this answer
2

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .