2

A computer with Windows 10 Pro has several users (let's use administrator A and standard users B and C as examples). In addition to the already existing standard folders (in the /users/), I would like to make further folders that only a specific user has access to, possibly on other drives. I don't mind if the administrator account(s) can have access to those folders. But the other regular users should not have access.

I have found instructions about restricting access by other users (for example here). The advice is to prohibit user B's folder from user C (and possibly other already existing users). But this approach has at least two major flaws:

  1. If you have many users, it's quite cumbersome to go through all new folders and prohibit all others from using them.
  2. If the computer has a new user (say, D), the new user will have access to B's and C's private folders (unless the administrator who created the account remembers to assign the appropriate prohibitions).

So is there a way to define folder permissions in such a way that all other users cannot access the folder by default? I'm thinking of setting something in the permissions of the user's folder, not something that affects the folder functions in a more complicated manner.

3 Answers

6

Disable permission inheritance for those folders. Then remove the "Users" or "Everyone" access entries, replacing them with just the specific accounts or groups that you need to grant access to. Everyone else will be automatically denied access.

Windows permissions are generally evaluated in this order:

  1. If a user matches a "Deny" entry, they're denied the permission.
  2. If a user matches an "Allow" entry, they're granted the permission.
  3. If a user doesn't match any entries, they're denied the permission.
11
  • Thanks, this sounds good, will need to try it. When doing so, I removed the permission and there is a checkbox "Replace all child object permissions entries with inheritable permission entries from this object". What does this mean and should I select it too? What about subfolders of this folder? If the user creates ones, are those automatically also protected, or is it precisely this "child object" checkbox that defines it?
    – kissel
    Commented Mar 8, 2021 at 12:22
  • They're related, but not exactly as you imagine. Permission inheritance is specified individually for each entry, in the "Applies to" column -- if you leave it set to "This folder, subfolders, and files" then that entry will indeed apply to newly created subfolders and files. Commented Mar 8, 2021 at 13:02
  • However, just like I told you to disable inheritance for this folder (so that it would no longer receive permissions from its parent, instead allowing them to be directly edited), it is possible that you might have some file or subfolder deep inside that also has its inheritance disabled. It is also possible that you might have some file/subfolder that is inheriting permissions, but also has additional entries granting or denying access. Commented Mar 8, 2021 at 13:04
  • So the "Replace" checkbox isn't a permanent setting, instead it performs a one-time cleanup operation -- it forces all items inside this folder to enable inheritance and discard any custom ACLs, ensuring that all of the folder's contents will have consistent permissions inherited from the folder that you're currently editing. It is not strictly needed, as most of the items inside will already be set this way, but it can be used if you want to be 100% sure. Commented Mar 8, 2021 at 13:05
  • (And by "one-time" I mean that you do not need to use it every time you edit permissions on the folder. Even without it, inheritable permissions will be automatically carried over to all files and subfolders that have inheritance enabled. The checkbox is just a "reset this mess" feature.) Commented Mar 8, 2021 at 13:07
0

This thing works in most of Windows

Follow the following steps:

  • Firstly, open the folder in Windows Explorer
  • Right-click on the folder
  • Select Properties
  • A new window appears
  • Go to the Security tab
  • Click on the Edit button
  • Select Users; it will be displayed as (Computername/Users)
  • Check Full Control in the Deny row... and you are done
3
  • Thanks, this sounds good too. But it seems that there is a bit of a difference here compared to the answer by @user1686. Are there any different consequences in doing it one way or the other?
    – kissel
    Commented Mar 8, 2021 at 12:31
  • @kissel: The consequences are that a "Deny" overrides all "Allow" entries. If you deny all permissions to the "Users" group, then nobody who's a member of that group will be able to gain access -- even if you try to add "Allow" entries for them individually. (Most admin accounts belong to the "Users" group too, so doing so would deny access to admins as well.) Commented Mar 8, 2021 at 13:15
  • Thanks again for the clarification!
    – kissel
    Commented Mar 8, 2021 at 20:42
0

I followed @user1686's answer, which is accurate and self-explanatory, although I would improvise on the steps for novice users below:

  1. Right click folder > Properties > Security > Advanced > Disable inheritance > Convert inherited permissions into explicit permissions on this object > Apply.
  2. Explicitly add your user that should continue to have access, to this list by clicking Add > Select a principal > type Username > Check names > (ensure it has guessed correct user) > Ok. Now ensure Type is set to: Allow > tick [ ] Full control > Ok.
  3. Click on the entries below and click Remove one by one:
    a. Authenticated Users
    b. Users (your-PC-Name/Users)
  4. Tick [ ] Replace all child object permission entries with inheritable permission entries > Apply > Ok.
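
The same allow-only setup described in the first answer and in the steps above can be scripted; the following is an added example, not code from any of the answers. The path `D:\Private\B` and the account name `B` are placeholders, the Administrators and SYSTEM entries are an assumption based on the question accepting administrator access, and the script is assumed to run from an elevated PowerShell session.

```powershell
# Added example: folder path and account name are placeholders.
function Set-PrivateFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Owner   # e.g. 'B' or 'PCNAME\B'
    )

    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path

    # Disable inheritance and drop the inherited entries (Users,
    # Authenticated Users, ...) rather than converting them to explicit ones.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove any explicit entries left over, so the ACL starts empty.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    # Allow-only entries that apply to "This folder, subfolders and files".
    # No Deny entries are used: accounts without a matching entry, including
    # accounts created later, are denied by default.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $principals = @(
        [System.Security.Principal.NTAccount]$Owner,
        [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544',  # Administrators
        [System.Security.Principal.SecurityIdentifier]'S-1-5-18'       # SYSTEM
    )
    foreach ($p in $principals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $p, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

Set-PrivateFolderAcl -Path 'D:\Private\B' -Owner 'B'

# Verify: inheritance is disabled and only the three Allow entries remain.
$result = Get-Acl -Path 'D:\Private\B'
$result.AreAccessRulesProtected
$result.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

The well-known SIDs are used for Administrators and SYSTEM so the script does not depend on the display language of the Windows installation.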
