The drive must be using NTFS. You cannot do this on FAT/exFAT.
On an NTFS volume, all such protections are based on ordinary file ACLs which you can change through icacls.exe, Set-Acl, or the "Security" tab in the folder's "Properties" window.
An easy way to clone the existing ACL is via PowerShell (which produces the same effective ACL but in a slightly different order):
PS> Get-Acl "C:\Program Files" | Set-Acl D:\Games
...or using the backup/restore feature in icacls (produces exact copy):
CMD> cd/d "C:\Program Files"
CMD> icacls . /save C:\theacl.txt
CMD> cd/d D:\Games
CMD> icacls . /restore C:\theacl.txt
Alternatively, you could disable inheritance on the main folder, remove existing access entries and build up the ACL from scratch:
> icacls D:\Games /inheritance:r
> icacls D:\Games /grant SYSTEM:(OI)(CI)F
> icacls D:\Games /grant "NT SERVICE\TrustedInstaller:(OI)(CI)F"
> icacls D:\Games /grant Administrators:(OI)(CI)F
> icacls D:\Games /grant Users:(OI)(CI)RX
> icacls D:\Games\Foo\Screenshots /grant Users:(OI)(CI)M
In icacls, 'I' means "inherited", 'OI' means "inheritable by files" (objects), 'CI' means "inheritable by subfolders" (containers), 'IO' means "inherit-only" (applies to children but not to the object itself). It doesn't matter if you use icacls or the "Security" window; they both have the same options.
Don't forget to check whether all subfolders are using inherited permissions – if any subfolder has inheritance disabled, it won't automatically receive the protection you've set up. icacls D:\Games\Foo /reset /t would do the trick.
As the last step, give away the directory's ownership to e.g. Administrators or even TrustedInstaller, as the owner is always allowed to edit permissions (so malware running as you could technically grant itself full access):
> takeown /f "D:\My Programs" /a /r
Okay, I now know what's the problem. For some reason, every subfolder still retained full rights for a standard User account and I can't remove it, because I would have to disable inheritance first. – Richard V. – 2019-09-07T11:27:28.933
Then disable inheritance for the main folder, not a problem. (Or edit the ACLs on the whole drive, but that's overkill.) – user1686 – 2019-09-07T11:42:23.967
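A read-only audit of the result, as an added example that is not part of the original answer or comments: it walks the tree and reports owners outside the trusted set, subfolders with inheritance disabled, and Allow entries that give write-capable rights to anyone else. The function name Test-FolderLockdown, the default path and the choice of "trusted" SIDs are assumptions of this example.

```powershell
# Added example: audits a folder tree locked down as described above. Changes nothing.
function Test-FolderLockdown {
    param([string]$Root = 'D:\Games')   # assumption: the path used in the answer

    # Principals allowed to hold write access (assumption: same set as the answer's ACL).
    $trusted = @(
        'S-1-5-18',      # SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464', # NT SERVICE\TrustedInstaller
        'S-1-3-0'        # CREATOR OWNER placeholder, only applies to whoever may create children
    )
    # Rights that change content or the ACL, plus the GENERIC_WRITE and GENERIC_ALL
    # bits that inherit-only entries can carry instead of specific rights.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $top = Get-Item -LiteralPath $Root
    $folders = @($top) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force)

    foreach ($dir in $folders) {
        $acl = Get-Acl -LiteralPath $dir.FullName

        # The owner can always edit permissions, so it must be a trusted principal.
        $owner = $acl.GetOwner($sidType).Value
        if ($owner -notin $trusted) {
            [pscustomobject]@{ Path = $dir.FullName; Finding = 'Untrusted owner'; Sid = $owner; Rights = ''; Inherited = '' }
        }

        # A subfolder with inheritance disabled does not receive the parent's protection.
        if ($acl.AreAccessRulesProtected -and $dir.FullName -ne $top.FullName) {
            [pscustomobject]@{ Path = $dir.FullName; Finding = 'Inheritance disabled'; Sid = ''; Rights = ''; Inherited = '' }
        }

        # Explicit and inherited Allow entries, with identities resolved to SIDs
        # so the comparison does not depend on the display language.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -in $trusted) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{ Path = $dir.FullName; Finding = 'Write access for untrusted principal'
                Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

Test-FolderLockdown -Root 'D:\Games' | Format-Table -AutoSize
```

Folders that were deliberately opened up, such as D:\Games\Foo\Screenshots with Modify for Users, appear in the output and should be the only write findings. An Inherited value of True on an unexpected entry means the grant comes from a parent folder or the drive root.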