Files can still be modified even after setting ''Read-only'' permission by ICACLS. Why is it not working?

0

I am the administrator on my PC and there are some other users on it. I set a folder (Gabi) as "Read only" for a specific user (Alice), using ICACLS via the Command Prompt (I am using Windows 7 in VirtualBox). The folder has some ".txt" files. I used the following command:

icacls "C:\ITSM Lab1\Administration\Gabi" /grant:r Alice:(OI)(CI)R /T

The above command ran successfully in the Command Prompt. But the files in the folder can still be modified (Alice can change the text file and save it as well. He can rename it as well. He can even delete the whole folder with the files).

I also tried this link: Use icacls to make a directory read-only on Windows 7. I followed the link and tried the following command:

C:\Windows\system32\Icacls "C:\ITSM Lab1\Administration\Gabi" /deny "Alice": (CI)(OI)(W,D)  /Grant:r "Alice":(CI)(OI)R /T

In the above command, I denied "write" and "delete" for Alice, and gave Alice "Read-only" permission. This command ran successfully, but the folder "Gabi" becomes completely inaccessible and undeletable, which does not serve my purpose.

Then I restored windows 7 to the state before running the above code.

I don't know why the commands are not really setting the "read-only" permission. Actually, I want to set the permission in such a way that Alice will be able to read the txt files, but won't be able to change/delete the files/folder, and he won't be able to create any new file/folder in the "Gabi" folder. I just checked the permission for Alice via the GUI (Security tab): in the "Allow" column only "Read" is ticked (there are no other tick marks). So the GUI is showing that "read-only" permission is applied on the Gabi folder. But Alice can still change and delete those files and the folder. I don't know why.

What am I doing wrong?


Before running the first command icacls "C:\ITSM Lab1\Administration\Gabi" /grant:r Alice:(OI)(CI)R /T, I ran the following command:

icacls "C:\ITSM Lab1\Administration\Gabi" /grant Alice:R /T

When I run the command icacls "C:\ITSM Lab1\Administration\Gabi" I get the following result:

icacls "C:\ITSM Lab1\Administration\Gabi"
C:\ITSM Lab1\Administration\Gabi Tanvir-PC\Alice:(R)
                                 Tanvir-PC\Alice:(OI)(CI)(R)
                                 Tanvir-PC\Gabi:(OI)(CI)(F)
                                 Tanvir-PC\SysAdministrator:(OI)(CI)(F)
                                 Tanvir-PC\CEO:(OI)(CI)(F)
                                 Tanvir-PC\Managers:(I)(OI)(CI)(N)
                                 Tanvir-PC\SysAdministrator:(I)(OI)(CI)(F)
                                 Tanvir-PC\CEO:(I)(OI)(CI)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                 NT AUTHORITY\SYSTEM:(I)(F)
                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Users:(I)(OI)(CI)(RX)
                                 NT AUTHORITY\Authenticated Users:(I)(M)
                                 NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files



UPDATE:

In my Windows 7 (in VirtualBox), there are 4 local groups (which I created by command line):

Administration
CEO
Managers
SysAdministrator

Each local group has user(s) (which I created by command line):

Users in "Administration" : Alice, Gabi

Users in "CEO": Chief

Users in "Managers" : Anthony, Elisa

Users in "SysAdministrator": Admin


kaly

Posted 2017-10-15T16:58:54.790

Reputation: 3

I ran the command C:\>icacls "C:\Work place\Topics\Rasu"
The result I got for Hary is: C:\Work place\Topics\Rasu Kaly-PC\Hary:(R) Kaly-PC\Hary:(OI)(CI)(R)
– kaly – 2017-10-15T17:23:11.260

OK. First of all, granting the (R)ead permission does not make an object (e.g. file or folder) read-only. NTFS permissions are "additive", meaning all permissions a user has are added together to determine what they can do. What is your end goal here? To make it so only a certain user (or group of users) can read but not modify this folder and its contents? – I say Reinstate Monica – 2017-10-15T18:05:43.427

My goal is: a certain user can read but cannot do anything else – kaly – 2017-10-15T18:48:29.613

Answers

1

The problem: Your user is being granted additional rights

I want to set the permission in such a way that Alice will be able to read the txt files, but won't be able to change/delete the files/folder

To achieve this result, your user should only be granted NTFS Read permissions to the folder. The fact your user can still modify objects in this folder indicates he has been granted more than just the Read permission. NTFS permissions are additive. Therefore, all permissions granted to a user are added together to determine what the user can ultimately do.

A user can be granted permissions via those permissions being granted directly to their user object, or via permissions granted to a group of which the user is a member.

According to the output of the icacls "C:\ITSM Lab1\Administration\Gabi" command, the following identities have (M)odify or (F)ull permission to the folder (I excluded SYSTEM):

  • Tanvir-PC\Gabi:(OI)(CI)(F)
  • Tanvir-PC\SysAdministrator:(OI)(CI)(F)
  • Tanvir-PC\CEO:(OI)(CI)(F)
  • Tanvir-PC\SysAdministrator:(I)(OI)(CI)(F)
  • Tanvir-PC\CEO:(I)(OI)(CI)(F)
  • BUILTIN\Administrators:(I)(F)
  • BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
  • NT AUTHORITY\Authenticated Users:(I)(M)

The most obvious issue is that the special identity Authenticated Users has Modify permissions. This group automatically has as members all users with a valid account on the machine, which is going to include your user.

Further, if there are any other groups in this list of which your user is a member, his membership in those groups will likewise confer him with more than Read permissions.

Available solutions

Either remove the user from any group that is being granted more than Read permission to the folder, or revoke that group's permissions to the folder.

If the above isn't an option, you can Deny your user the following permissions on the folder. Deny permissions always override Allow permissions, so this will counteract any Allow permissions granted to the user, no matter how they are granted:

Permissions to Deny:

  • WD - write data/add file
  • AD - append data/add subdirectory
  • WA - write attributes
  • DC - delete child
  • DE - delete
  • WEA - write extended attributes

Note: Using Deny permissions is usually a bad idea and should be used only as a last resort.


A better way to manage permissions

It's typical to need to grant multiple users the following permissions to a folder:

  • Read
  • Modify

A best-practice approach that minimizes the work involved in granting/revoking permissions to users is to use Resource Groups. A resource group is simply a group that has been granted a specific type of permission to an object. For example, your folder would need the following groups:

  • r_Gabi-Read (Granted Read permissions)
  • r_Gabi-Modify (Granted Modify permissions)

To modify a user or group's permissions to the object, you simply add/remove them from membership in the appropriate resource group. This is faster than modifying the permissions on the object itself. It also has the distinct advantage of making it clear in the Active Directory Users and Groups MMC snap-in (or Local Accounts for non-domain PCs) exactly who can access what.

This strategy requires that in addition to the permissions granted to the resource groups, you only grant the additional permissions of Full Control to the SYSTEM and Administrators identities. No other permissions should be granted on the object.

I say Reinstate Monica

Posted 2017-10-15T16:58:54.790

Reputation: 21 477

Authenticated Users is NOT the same as Users. Those are two separate groups. Here's some reading that will help you: About NTFS Permissions; Explicit vs. Inherited Permissions; Basic Permissions; Determining effective permissions; – I say Reinstate Monica – 2017-10-15T21:17:13.117

Comments are not for extended discussion; this conversation has been moved to chat.

– Journeyman Geek – 2017-10-17T00:00:57.720
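The answer's two technical points, that NTFS adds up every Allow entry matching the user or any of the user's groups, and that a Deny of the specific rights it lists (WD, AD, WA, DC, DE, WEA) removes exactly the mutating rights without touching reads, can be checked mechanically against the icacls listing in the question. The Python script below is an added example, not code from the question, the answer, or Microsoft: it parses icacls ACE lines, expands the simple-rights letters (R, RX, W, D, M, F, N) into the specific rights they stand for, and computes what a user ends up with for the folder itself or for a child file. Alice's group memberships (her "Administration" group plus the implicit Users and Authenticated Users) and the two Deny lines are constructed for the example; the listing itself is the one shown in the question.

```python
"""Add up NTFS rights the way NTFS does, from an icacls listing.
Added example, not code from the question or answer: it parses icacls ACE
lines, expands the simple-rights letters into specific rights, unions every
Allow entry matching the user or one of the user's groups, and subtracts
matching Deny entries.  Group memberships and Deny lines are constructed."""
import re

# Specific rights, using the abbreviations icacls prints.
READ = {"RD", "RA", "REA", "RC", "S"}      # read data/attrs/EAs/permissions, synchronize
WRITE = {"WD", "AD", "WA", "WEA"}          # write data, add subdir, write attrs/EAs
MUTATING = WRITE | {"DE", "DC"}            # plus delete, delete child: what Alice must not get
SIMPLE = {                                 # icacls simple rights -> specific rights
    "N": set(),
    "R": READ,
    "RX": READ | {"X"},
    "W": WRITE | {"RC", "S"},              # GENERIC_WRITE also carries RC and S
    "D": {"DE"},
    "M": READ | {"X"} | WRITE | {"DE"},
    "F": READ | {"X"} | WRITE | {"DE", "DC", "WDAC", "WO"},
}
FLAGS = {"DENY", "I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<identity>.+?):(?P<tokens>(?:\([^()]*\))+)$")

PATH = r"C:\ITSM Lab1\Administration\Gabi"
SAMPLE_ICACLS = r"""C:\ITSM Lab1\Administration\Gabi Tanvir-PC\Alice:(R)
                                 Tanvir-PC\Alice:(OI)(CI)(R)
                                 Tanvir-PC\Gabi:(OI)(CI)(F)
                                 Tanvir-PC\SysAdministrator:(OI)(CI)(F)
                                 Tanvir-PC\CEO:(OI)(CI)(F)
                                 Tanvir-PC\Managers:(I)(OI)(CI)(N)
                                 Tanvir-PC\SysAdministrator:(I)(OI)(CI)(F)
                                 Tanvir-PC\CEO:(I)(OI)(CI)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                 NT AUTHORITY\SYSTEM:(I)(F)
                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Users:(I)(OI)(CI)(RX)
                                 NT AUTHORITY\Authenticated Users:(I)(M)
                                 NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files"""
# Constructed: Alice's account, her group from the question, and the two implicit groups.
ALICE = {r"Tanvir-PC\Alice", r"Tanvir-PC\Administration",
         r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users"}
# Constructed Deny lines: the answer's specific rights vs. the question's (W,D).
DENY_SPECIFIC = r"Tanvir-PC\Alice:(DENY)(OI)(CI)(WD,AD,WA,DC,DE,WEA)"
DENY_BROAD = r"Tanvir-PC\Alice:(DENY)(OI)(CI)(W,D)"

def parse_icacls(output, path):
    """One dict per ACE line; other lines (the summary) are skipped."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):              # only the first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = re.findall(r"\(([^()]*)\)", m.group("tokens"))
        flags = {t for t in tokens if t in FLAGS}
        rights = set()
        for t in tokens:
            if t not in FLAGS:                  # "M" or "WD,AD,..."
                for r in t.split(","):
                    rights |= SIMPLE.get(r, {r})
        aces.append({"identity": m.group("identity"), "flags": flags,
                     "deny": "DENY" in flags, "rights": rights})
    return aces

def applies(ace, target):
    """self: the folder itself; file/folder: a child that inherits from it."""
    f = ace["flags"]
    return ("IO" not in f if target == "self"
            else "OI" in f if target == "file" else "CI" in f)

def effective_rights(aces, principals, target="self"):
    """Union of matching Allow rights minus matching Deny rights (simplified:
    NTFS orders explicit before inherited ACEs, but Deny still wins)."""
    allow, deny = set(), set()
    for ace in aces:
        if ace["identity"] in principals and applies(ace, target):
            (deny if ace["deny"] else allow).update(ace["rights"])
    return allow - deny

def mutating_grants(aces, principals, target="self"):
    """Identities whose Allow entries hand this user change/delete/create rights."""
    return [a["identity"] for a in aces
            if not a["deny"] and a["identity"] in principals
            and applies(a, target) and a["rights"] & MUTATING]

def audit(principals, deny_line=None):
    """Summarise one scenario: who grants mutation, and what the user ends up with."""
    listing = SAMPLE_ICACLS + ("\n" + deny_line if deny_line else "")
    aces = parse_icacls(listing, PATH)
    eff = effective_rights(aces, principals)
    return {"grants": mutating_grants(aces, principals),
            "can_read": {"RD", "S"} <= eff,
            "can_mutate": bool(eff & MUTATING)}

if __name__ == "__main__":
    print("as found:     ", audit(ALICE))
    print("answer's deny:", audit(ALICE, DENY_SPECIFIC))
    print("deny (W,D):   ", audit(ALICE, DENY_BROAD))
```

Run as-is, the first line names NT AUTHORITY\Authenticated Users as the only entry handing Alice mutating rights on the folder (and, via the inherit-only (IO)(M) entry, on its files), which is the answer's diagnosis; with the answer's specific Deny line she keeps read access but loses every mutating right. The broad (W,D) Deny from the question's second command also strips RC and S, because icacls's simple W right is GENERIC_WRITE, which carries read-permissions and synchronize; since a normal file open requests SYNCHRONIZE, that is the kind of Deny that leaves a folder inaccessible, and it is why the answer lists specific rights instead.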