Deny all folders permission from all users/administrators via CMD/Batch in Windows 7/8/10
Solution 1
Try this code
cacls D:\Desktop\Test /e /c /d %username%
I hope I have helped you, This will change the permissions to ALL deny. To undeny it simply do this code
cacls D:\Desktop\Test /e /c /g %username%:f
Solution 2
I think you should learn more about NTFS permissions (technically, the Discretionary Access Control Lists (DACL)) before complaining the appearances of the GUI.
The Security tab in files' Properties dialog box have limited control over what permissions you can allow, and what you can deny. You should also ideas about the purposes of the built-in user groups, because specifically, the groups that appear in the GUI are never the only groups your system has (it only shows users or groups that have permission entries applied on the files).
For now, I will assume that you want to deny access to Everyone.
First: simply clicking Deny on Full control on all the users on the list is not enough.
You need to Deny two groups for this: the Everyone group and the Anonymous Logon group. (Because "Everyone" no longer includes anonymous logon since Windows XP)
After everyone is denied, it might be a good idea to remove inherited permission entries as well, since they no longer apply and waste your system a little time processing those entries.
With the guide above, I think you can teach yourself to operate all these on the GUI. The result should look something like this:
If you still have no idea what to do, here is the command-line equivalent (using icacls command - you need Windows Vista SP1 or later because of /inheritance
option):
rem /inheritance:r - Remove all inherited entries
rem /deny - Set denial of permissions
rem (OI) - "Object inherit" - Also applies to files within the folder
rem (CI) - "Container inherit" - Also applies to subfolders
rem (F) - "Full control"
icacls /inheritance:r /deny "Everyone:(OI)(CI)(F)" "ANONYMOUS LOGON:(OI)(CI)(F)"
If the names "Everyone" or "Anonymous Logon" don't work for you...
icacls /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)"
(Yes, it's the same thing, but with SIDs specified in place of user names.)
Here is one caveat though: The owner of the files can change permissions whenever they want. And the Administrators can change the owner of the files at least to themselves. These are special privileges granted by the system that you can't deny, so with a bit of effort, all process of setting this DACL are reversible by Administrators.
rafaelfndev
Updated on June 04, 2022Comments
-
rafaelfndev almost 2 years
I need to deny all folder permissions for all users, include administrators and others groups via batch file.
I found two topics about this, but i can't solve my problem
icacls Deny Everyone Directory Delete Permission
How to grant permission to users for a directory using command line in Windows?
This command works
icacls D:\Desktop\test /deny Administrator:(OI)(CI)(DE,DC)
, but this command affects only special permissions:But I need to deny all others permissions like image:
I need to deny all permissions to all all users (administrators, system, and others) via batch, so that nobody can access this folder, not even the system, or the creator of the folder.