Windows UAC Protected folders
Change the folder permissions.
- right click on the folder
- select Properties
- in the Security tab
- click Advanced
- under Owner tab click Edit
- Select Admin
To keep non-Admin users from accessing the folder:
- Go to the same Security tab
- Click Edit
- Deny Full Control by checking the deny box
Author by
linquize
Updated on September 18, 2022
Comments
-
linquize almost 2 years
By default, C:\Program Files and C:\Windows are UAC protected. How can I make additional folders UAC protected?
-
Harry Johnston about 12 years
What exactly do you mean by "UAC protected"? What is the behaviour you're trying to replicate?
-
linquize about 12 years
When you need to make changes inside that folder, such as overwriting a file, creating a folder, deleting a file, etc., a UAC prompt will show up and the user confirms the action.
-
Harry Johnston about 12 years
This will happen for any folder that doesn't grant write permissions to the user in question or to all users. Remove write access for groups like "Users", "Everyone", or "INTERACTIVE". Secure folders typically only grant write permission to the Administrators group, CREATOR OWNER, and SYSTEM.
-
Harry Johnston about 12 years
Deny Full Control will deny all access, including read access, and typically will block administrators as well as non-administrators; e.g., if you Deny Full Control to Users, you'll block out everyone, because Users includes Authenticated Users and deny entries take precedence.
-
WikiWitz about 12 years
@HarryJohnston: Deny Full Control only applies to the user in question. Actually I suggested blocking non-Admin users. He can select them at his own discretion.
-
Harry Johnston about 12 years
What, you mean give each user you don't want to have access an individual deny entry? That would work, I suppose, on non-domain-joined machines, provided you remembered to update the permissions every time you added a new user. But blacklists aren't good practice except in special cases. Instead, you should grant access only to the specific users you want to have it, which in this case would be the Administrators group.
-
Harry Johnston about 12 years
Also, deny entries won't work at all in this case, because the user wants to be able to gain access via the UAC approval dialog. Since the elevated token contains all the security primitives contained in the non-elevated token, any deny entry that applies to the non-elevated user will also apply to the elevated user.
-
WikiWitz about 12 years
At least not as you say, "..typically will block administrators..." We would appreciate it if you would offer a workaround in Windows 7 for this "Only allow Admins" setting.
-
WikiWitz about 12 years
I tried this on my machine before posting the answer. The Admin will have no problems accessing the file.
-
WikiWitz about 12 years
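
Added example, not part of the original thread: a simplified Python model of the Windows DACL access check, run against the three configurations discussed in the answer and comments (allow-only, Deny Full Control on Users, deny on one named account). The account names `alice` and `bob`, the token contents and the two-bit READ/WRITE mask are constructed for illustration; this is not the real AccessCheck API.

```python
# Simplified model of the Windows DACL access check (assumption: two rights only).
READ, WRITE = 0x1, 0x2
FULL = READ | WRITE

# Constructed tokens: SID name -> True if enabled, False if "deny-only".
# A UAC-filtered admin token keeps Administrators only for matching deny ACEs.
COMMON = {"Users": True, "Authenticated Users": True, "INTERACTIVE": True}
FILTERED_ADMIN = {"alice": True, "Administrators": False, **COMMON}
ELEVATED_ADMIN = {"alice": True, "Administrators": True, **COMMON}
STANDARD_USER = {"bob": True, **COMMON}

def access_check(token, dacl, desired):
    """Walk ACEs in order; a deny hit on a still-needed bit refuses the request."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token:
            continue
        if ace_type == "deny" and mask & remaining:
            return False          # deny ACEs match enabled and deny-only SIDs
        if ace_type == "allow" and token[sid]:
            remaining &= ~mask    # allow ACEs only count for enabled SIDs
        if remaining == 0:
            return True
    return False                  # bits that no ACE granted are implicitly denied

# Allow-only DACL: write for Administrators and SYSTEM, read for Users.
ALLOW_ONLY = [("allow", "Administrators", FULL), ("allow", "SYSTEM", FULL),
              ("allow", "Users", READ)]
# Deny Full Control on the Users group, placed first (canonical ACE order).
DENY_USERS = [("deny", "Users", FULL)] + ALLOW_ONLY
# Deny entry for one named (hypothetical) account only.
DENY_BOB = [("deny", "bob", FULL)] + ALLOW_ONLY

def summarize(dacl):
    """Return {token name: (can_read, can_write)} for the three sample tokens."""
    tokens = {"standard": STANDARD_USER, "filtered": FILTERED_ADMIN,
              "elevated": ELEVATED_ADMIN}
    return {n: (access_check(t, dacl, READ), access_check(t, dacl, WRITE))
            for n, t in tokens.items()}

if __name__ == "__main__":
    for name, dacl in [("allow-only", ALLOW_ONLY), ("deny Users", DENY_USERS),
                       ("deny bob", DENY_BOB)]:
        print(name, summarize(dacl))
```

In the allow-only case the filtered token can read but not write, which is the condition under which Explorer offers the UAC prompt; the group-wide deny entry refuses the elevated token as well.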