CACLS "Access is denied"

Question

I am on Windows Server 2008.

I'm trying to set deny permissions for a certain user on the Windows folder with the following command:

    cacls Windows /E /D sneakyUser

I get the error message "Access is denied." I'm running Command Prompt as Administrator.

I also tried ICACLS -- no luck.

    icacls Windows /deny sneakyUser:f

These commands work on individual files within the Windows folder, but not on the folder itself. Is this behavior by design, or am I doing something wrong?

Edit: Interestingly enough, the command works fine in Windows Server 2003.

@mdpc - I'm scared to use it because it automatically applies permissions to subfolders. — anonymous, Apr 27 '12 at 20:33
use the "Advanced" dialog. In there, you can specify whether the permissions apply to "This folder, subfolders, and files", or "Subfolders and files only". — pepoluan, Apr 28 '12 at 02:45

score 2 · Answer 1 · answered Apr 27 '12 at 20:37

2

Access to a lot of stuff in the Windows folder is restricted to the TrustedInstaller account. This is by design.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa382530%28v=vs.85%29.aspx

answered Apr 27 '12 at 20:37

Chris McKeown

7,128
1
17
25

So there's no way to change the permissions? In my example, "sneakyUser" is actually one of the anonymous IUSR accounts. I'm trying to protect system files from being read by untrusted code. – anonymous Apr 27 '12 at 21:06

score 0 · Answer 2 · answered Apr 28 '12 at 01:41

0

If you have UAC still enabled, log in as the Local Admin (non-domain account) to see if it works. Running as Administrator may not be enough, even thought it should be.

answered Apr 28 '12 at 01:41

Kevin Marquette

1

CACLS "Access is denied"

2 Answers2

Linked