none
How to remove the "Authenticated Users" "Create Folders" permission from the root of the C Drive via command-line? RRS feed

  • Question

  • How to remove the "Authenticated Users" "Create Folders" permission from the root of the C Drive via command-line?

    I know this question has been asked many times before, but nothing works for us!

    We tried the following:
    Take ownership: I cannot take ownership using the Administrator account (local and Domain Admin accounts) of the root C:. Error Access Denied
    Cuurent root C: owner is TrustedInstaller and acnnot be changed.
    We cannot change or remove the Create Folders permission of the Authenticated Users of the root C: . Error Access Denied.
    Drive C: is hidden via GPO, but many users can enter it from the File-Explorer and create folders in the root C:.
    We do not want -for many reasons- to Block/ Prevent Access to C: via GPO.
    We also tried to run cacls and/or icacls under the system-account (PSEXEC -i -s -d CMD). Error Access Denied.

    icacls C:\ /deny *S-1-5-11:(NP)(AD)
    Error Access Denied.

    icacls C:\ /remove:g *S-1-5-11
    Error Access Denied.

    cacls c:\ /e /c /R "Authenticated Users"
    Error Access Denied.

    Also using GPO "Computer Configuration\Security Settings\Restricted Groups ..." does not work!

    Now we have this issue on over 450 pc's on our network. Nothing work. Please help! How to remove the "Authenticated Users" "Create Folders" permission from the root of the C: Drive on command-line?


    win_builder

    Wednesday, October 8, 2014 12:37 PM

All replies

  • Hi,

    Did you run the CMD as an Administrator?

    On windows 7, with the UAC, even if you are an administrator, you have to right click on the cmd and click "Run as administrator"


    Wednesday, October 8, 2014 1:19 PM
  • Hi,

    Like ErtugrulArik said, you need to have the full permission of the computer and run "cmd" as administrator.

    Do as the screenshot below:

    And it will result as below:


    Karen Hu
    TechNet Community Support

    Thursday, October 9, 2014 7:59 AM
    Moderator
  • Thanks Karen and ErtugrulArik  for your reactions!

    I will try it and let you know. But I have even used the local Admin account, and system account, and the Domain Admin with no luck. OK. I will try this via a startup script within a GPO and it and let you know...


    win_builder

    Thursday, October 9, 2014 11:20 AM
  • NO. Not working. Still receive Access_Denied on both cmd:
    icacls C:\ /deny *S-1-5-11:(NP)(AD)
    and
    icacls C:\ /remove:g *S-1-5-11

    I also tried psexec -h and elevate64.exe with no luck. Still receive the Acces Denied error! :-(


    win_builder

    Friday, October 10, 2014 8:21 AM
  • Hi,

    If it's possible, please give us a screenshot about the command prompt when you run that command.

    In addition, I suspect your account have some restriction on domain, please contact your domain administrator for help.


    Karen Hu
    TechNet Community Support

    Monday, October 13, 2014 8:40 AM
    Moderator
  • Please see attached screenshot.
    cmd.exe runs as Administrator.

    The text is in Dutch. Which is the pc- language I'm using. It means mainly:
    C:\: Access Denied
    Successfully processed 0 files; Failed processing 1 files  

    Please let me know. Thanks.


    win_builder

    • Edited by w7builder Tuesday, October 14, 2014 8:01 AM
    Tuesday, October 14, 2014 7:26 AM
  • Please see screenshot posted earlier.

    I have tried both the local Administrator and the DomainAdmin account with no luck.
    I just cannot believe that we are stuck with all our domain computers having this issue.
    How come that Microsoft just add such permission to the C: root for the Authenticated Users? How come that the corporate-admin cannot easily got rid of that permission? Have the designers at MS ever heard of user portable applications?


    win_builder

    Thursday, October 16, 2014 12:46 PM
  • Hi,

    We could try logon with the built-in administrator account to do these action.

    By default, the built-in account is disabled. you could follow the guide below to enable it:

    Enable / Disable the Local (Hidden, Built-In) Administrator Account in Windows 7

    http://social.technet.microsoft.com/wiki/contents/articles/3040.enable-disable-the-local-hidden-built-in-administrator-account-in-windows-7.aspx


    Karen Hu
    TechNet Community Support

    Friday, October 17, 2014 9:44 AM
    Moderator
  • Already tried that as first. Not working!
    ...... ??? Any new hints??


    win_builder

    Monday, October 27, 2014 6:29 AM
  • Hi,

    This is almost impossible. Built-in administrator have the highest priority permission to access the system.

    Have you really done that?

    Anyway, from your description, this is really a permission issue. Thus please follow the guide below to check your user account type:

    How to determine your user account type in Windows

    http://support.microsoft.com/kb/2663817


    Karen Hu
    TechNet Community Support

    Thursday, October 30, 2014 11:32 AM
    Moderator
  • I've just had the same problem, even with full admin privileges etc.

    My workaround:

    Scheduled Task that runs at System Startup (not user logon), with SYSTEM privileges and Highest privileges ticked.

    This task points at a batch file with the following:

    icacls c:\ /remove:g *S-1-5-11 (strips permissions)
    icacls c:\ /grant *S-1-5-11:(OI)(CI)(IO)(M) (restores permissions with the exception of the additional (AD), which we wanted to remove).

    That seems to do the trick. Using Deny stops Admins creating folders in the root, which is undesirable. Simply trying to remove the (AD) doesn't appear to work either.

    Let me know how you get on.

    Thursday, January 22, 2015 7:02 PM
  • I tried all options. Run as Administrator, Scheduled Task with SYSTEM and highest privileges. None worked.

    My resolution was to boot from WinPE and run the "icacls c:\ /remove:g *S-1-5-11" command to remove the authenticated users. This worked fine. As I am building a virtual machines for VDI this is perfect solution for me now. Also I could fix this with SCCM task sequence before the Windows loads the applied image!


    Best regards, Ivan Versluis
    Networknet.nl Blog

    Tuesday, November 15, 2016 1:08 PM