4

I am on Windows Server 2008.

I'm trying to set deny permissions for a certain user on the Windows folder with the following command:

    cacls Windows /E /D sneakyUser

I get the error message "Access is denied." I'm running Command Prompt as Administrator.

I also tried ICACLS -- no luck.

    icacls Windows /deny sneakyUser:f

These commands work on individual files within the Windows folder, but not on the folder itself. Is this behavior by design, or am I doing something wrong?


Edit: Interestingly enough, the command works fine in Windows Server 2003.

anonymous

2 Answers

2

Access to a lot of stuff in the Windows folder is restricted to the TrustedInstaller account. This is by design.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa382530%28v=vs.85%29.aspx

Chris McKeown
  • So there's no way to change the permissions? In my example, "sneakyUser" is actually one of the anonymous IUSR accounts. I'm trying to protect system files from being read by untrusted code. – anonymous Apr 27 '12 at 21:06
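
To check the answer above on a given machine, this PowerShell function (an added example, not part of the original thread) lists the folder's owner and the allow ACEs that apply to the folder itself, showing which ones carry the right to change permissions and whether the current token holds that identity. `Get-DaclWriters` is a hypothetical helper name, and the default path `$env:windir` is an assumption about where the question's Windows folder lives.

```powershell
# Added example: who owns a folder, and who is allowed to rewrite its DACL?
# Get-DaclWriters is a hypothetical helper; $env:windir is an assumed default path.
function Get-DaclWriters {
    param([string]$Path = $env:windir)

    $acl  = Get-Acl -Path $Path
    $fsr  = [System.Security.AccessControl.FileSystemRights]
    $sidT = [System.Security.Principal.SecurityIdentifier]
    $ntT  = [System.Security.Principal.NTAccount]

    # SIDs enabled in the current token (user plus groups).
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    # The owner is implicitly allowed to change the DACL.
    Write-Host "Owner of ${Path}: $($acl.Owner)"

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidT)) {
        # Skip deny ACEs and ACEs that only apply to children of the folder.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ([int]$ace.PropagationFlags -band [int]$inheritOnly) { continue }

        # ChangePermissions is the right cacls/icacls need to add a deny entry.
        $canChange = ([int]$ace.FileSystemRights -band [int]$fsr::ChangePermissions) -ne 0

        # Resolve the SID to a name where possible; fall back to the raw SID.
        $sid = $ace.IdentityReference.Value
        try   { $name = $ace.IdentityReference.Translate($ntT).Value }
        catch { $name = $sid }

        New-Object PSObject -Property @{
            Identity          = $name
            Rights            = $ace.FileSystemRights
            ChangePermissions = $canChange
            InCurrentToken    = ($mySids -contains $sid)
        } | Select-Object Identity, Rights, ChangePermissions, InCurrentToken
    }
}

Get-DaclWriters | Format-Table -AutoSize
```

If no row has both `ChangePermissions` and `InCurrentToken` set to True and the owner is not the current user, an "Access is denied" result from `cacls` or `icacls` on that folder is expected.
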
0

If you have UAC still enabled, log in as the Local Admin (non-domain account) to see if it works. Running as Administrator may not be enough, even though it should be.