Use icacls to make a directory read-only on Windows 7
If your user has administrative rights, he can always regain any permissions you revoke from him. Admin accounts on Windows are pretty much the same as root on Linux in this respect.
What you can do, though is create an ACL that will deny
write access to Everyone
. That's makes a folder as read-only as it can be on Windows.
icacls DIRECTORY /deny Everyone:(CI)(OI)W
Beware that deny
ACLs always override allow
ACLs, so even if someone is granted explicit access, his access will effectively still be denied.
Dave G
Updated on September 18, 2022Comments
-
Dave G over 1 year
I'm attempting to test some filesystem exceptions in a Java based application.
I need to find a way to create a directory that is located under %TMP% that is set to read-only.
Essentially on UNIX/POSIX platforms, I can do a chmod -w and get this effect. Under Windows 7/NTFS this is of course a different story.
I'm running into multiple issues on this. My user has "administrative" right (although this may not always be the case) and as such the directory is created with an ACL including:
- NT AUTHORITY\SYSTEM
- BUILTIN\Administrators
- <my current user>
Is there a way using icacls to essentially get this directory into a state where it is read-only PERIOD, do my test, then restore the ACL for removal?
EDIT With the information provided by @Ansgar Wiechers I was able to come up with a solution.
I used the following:
icacls dirname /deny %username%:(WD)
In the page located here I found this in the remarks section:
icacls preserves the canonical order of ACE entries as: * Explicit denials * Explicit grants * Inherited denials * Inherited grants
By performing the above icalcs command, I was able to set the current user's ability to write or append files (WD) to the directory to deny.
Then it was a question of returning it to a state post test:
icacls dirname /reset /t /c
Done
-
Dave G over 11 yearsThis is close enough to what I needed
-
Dave G over 11 yearsThanks again for this. Basically I just needed this for a test with the current user, so setting for Everyone is a bit on the overkill side.
-
Pierre almost 3 yearsThe given command prevents the user to go into the folder and to open any files in it.