none
Remove BUILTIN\Users group from NTFS ACL Denies Permission To Folder For All Users

    Question

  • I'm assuming this is by design but whenever I remove the BUILTIN\Users group from the NTFS ACL on a folder, I completely lose my permissions to the folder even though I am a local administrator. I can only regain access if I explicitly add my own user account to the ACL. I can access the folder without any issues using the UNC path \\computer\c$\folder and I only lose access locally on the machine. I was hoping to lock down this folder by having only SYSTEM, BUILTIN\Administrators, and one select user account have any permissions at all but it appears that Windows looks for BUILTIN\Users permissions first before it will look at any other ACE's in the ACL. Is this just how Windows is designed or is there any way around this? You can also tell me if I'm being silly and trying to take things too far but we really wanted to restrict read permissions, especially without having to create some crazy deny ACE's. Leaving the BUILTIN\Users group with read permissions allows all domain users to potentially browse the folder and execute which isn't what we want. Thanks in advance!
    Wednesday, July 09, 2014 5:11 PM

Answers

  • Hi,

    If you remove the permission of the users group or any other user, that will block the access permission, but also it denies you access the disk, I am afraid this is by design.If you want just have one account or user group to have permissions, just add the account to the group, and remove other account from the permission item.

    Any other problem, you can post back.

    Regards


    Wade Liu
    TechNet Community Support




    Friday, July 11, 2014 10:31 AM

All replies

  • Hi,

    If you remove the permission of the users group or any other user, that will block the access permission, but also it denies you access the disk, I am afraid this is by design.If you want just have one account or user group to have permissions, just add the account to the group, and remove other account from the permission item.

    Any other problem, you can post back.

    Regards


    Wade Liu
    TechNet Community Support




    Friday, July 11, 2014 10:31 AM
  • Thank you, this is very helpful information!
    Monday, July 14, 2014 1:14 PM