Folder group permissions in Windows 10

  • Folder group permissions in Windows 10

    I want to run this past some other people to see if I am missing something.

    [Assumption: you are logged on as an administrator account; in my case: administrator]

    If you create a folder in Windows 10 and go to Properties, Security, you will see a list of all the inherited permissions:
    [Image: 1.png]

    Then click on “advanced” then “add”, click on “select a principal” then add the “Administrators” group with full access:
    [Image: 2.png]

    Then click on “Disable Inheritance” and select “remove all inherited permissions on this object”
    [Image: 3.png]

    You should be left with only Administrators on the ACL.

    Click ok twice and try to access the folder; you will get the following message:
    [Image: 5.png]

    If you select Continue it will add your account to the ACL and let you in, but my point is you are a member of the Administrators group so you should have access.

    Thought a reboot would sort this but it doesn’t; also, turning off UAC doesn’t help.

    The effective access says I can access:
    [Image: 7.png]

    I have tried this on Windows 10 Enterprise and Pro, and both are affected, but not Windows 7 Pro or Server 2008.

    The method above is not the only way to produce this; you can replicate this using icacls (with the switch that removes inheritance).

    Another note is that if you add the “Users” group, the folder can be accessed. This only happens with the built-in “Administrators” group – for instance when tying down access to a restricted folder.

    Am I missing something fundamental? – not tried on Windows 8, maybe Microsoft have changed the way the ACL works and I have missed it, but surely if you want to tie down folder access to only administrators you should be able to!

  • #2
    The administrators group already has access (1st image). I think that it does not matter that you explicitly added the group - it's already there. When you remove inheritable permissions you are removing administrator group access as well.
    A recent poll suggests that 6 out of 7 dwarfs are not happy


    • #3
      Thanks for the response
      [Image: 6.png]

      The icacls ACL shows full access for Administrators though - ignoring inheritance, why does this explicit permission not work?

      It's also the fact that this doesn't happen on Windows 7; this must be a Windows 10 bug, surely?


      • #4
        I've no idea. I'm not on a Win10 machine so can't test it. As to whether it is a bug - only Microsoft can answer that one.
        A recent poll suggests that 6 out of 7 dwarfs are not happy


        • #5
          Did you click "Apply" before disabling the inheritance?

          Daniel Petri
          Microsoft Most Valuable Professional - Active Directory Directory Services
          MCSA/E, MCTS, MCITP, MCT


          • #6
            Yes, tried that; it doesn't appear to make any difference. It's also the same when using icacls (that's how I found that problem initially).
            Would someone mind trying this to see if they can replicate this themselves?


            • #7
              Is this something that only happens when logged on as a local Administrator or THE Administrator? What about sticking it on a domain and trying the same thing as a Domain Admin?

              Strange that this hasn't happened in Windows 8.1, but I can appreciate that MS may have made changes within their ACL as the OSs move forward. Potentially a bug, but do you fancy spending $250 to find out?


              • #8
                Have you looked at this using different accounts? i.e. adding an account that was not already listed? And, we have always been able to take control ('Continue'), when trying to access certain folders when logged in with admin privileges without the need to explicitly add the account to the Security permissions. I wonder if this is, therefore, by design.
                A recent poll suggests that 6 out of 7 dwarfs are not happy


                • #9
                  OK, so I thought it might be a problem with removing the inherited permissions and adding - so I thought, why not disable inheritance and COPY (convert) the permissions into explicit permissions instead, and THEN remove the permissions from the users I didn't want on the ACL (removing "Authenticated Users" and "Users").
                  That doesn't work either! I still can't access the folder.


                  • #10
                    Here are the icacls commands I ran:

                    md %systemdrive%\1234
                    icacls %systemdrive%\1234 /inheritance:d
                    icacls %systemdrive%\1234 /remove:g "Authenticated Users" /remove:g "Users"

                    It also doesn't work in the GUI.


                    • #11
                      Blood - I want a script to run after sysprep that creates folders that are only accessible by members of the administrators group, the membership of which is dictated by group policy. I know you can select continue and add yourself to the ACL when you are logged in as an administrator, but I don't want any manual steps in this process!
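
The unattended lockdown asked for in post #11, as an added example that is not part of the thread: it uses the folder path from post #10, sets an Administrators-only protected DACL, verifies the result, and reports whether the Administrators group is enabled in the token of the process running it. The well-known SID S-1-5-32-544 and all variable names are choices made for this example.

```powershell
# Added example; the path comes from post #10, everything else is an assumption.
$path = Join-Path $env:SystemDrive '1234'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Well-known SID of BUILTIN\Administrators (independent of display language).
$admins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

$acl = Get-Acl -Path $path
# Protect the DACL ($true) and discard inherited ACEs ($false): the scripted
# form of "remove all inherited permissions" / icacls /inheritance:r.
$acl.SetAccessRuleProtection($true, $false)
# Drop explicit ACEs already present so only the one added below remains.
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)
}
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $admins, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: DACL is protected and holds exactly one trustee, Administrators.
$check = Get-Acl -Path $path
$sids = @($check.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
    ForEach-Object { $_.IdentityReference.Value })
if (-not $check.AreAccessRulesProtected -or
    $sids.Count -ne 1 -or $sids[0] -ne $admins.Value) {
    throw "Unexpected DACL on ${path}: $($sids -join ', ')"
}

# An allow ACE for a group only applies to a token in which that group is
# enabled. IsInRole reports that state for the current process, which is
# worth logging next to the ACL when diagnosing an access prompt.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
$enabled   = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

"DACL on $path is Administrators-only; Administrators enabled in this token: $enabled"
```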