Duplicate permissions of "C:\Program Files" for other directories

2

1

I am setting up a computer that uses an SSD for the operating system (Windows 7 Professional) and a hard disk for data and most programs.

I would like to have two "Program Files" directories, one on the SSD (the original one) and a second one on the hard disk, say "D:\Program Files".

This second directory should have the same protection as the original "C:\Program Files", i.e., any user should be able to read and execute files but only an elevated account should be able to write to it.

  • What are the exact permissions I need to assign to what directories (D:\, D:\Program Files)?
  • How do I ensure that all sub-directories inherit these permissions properly?

Bonus points:

  • How do I set up "islands" where unelevated users have write access? So that for instance "D:\Program Files\Product\config" is writable.
  • How can I do this from the command line (PowerShell)?

Note I do not want to simply move the "C:\Program Files" to "D:\Program Files", as I want to install some programs on the SSD. Also I'm interested in a solution that would work for any directory.

SealedSun

Posted 2011-04-08T12:32:07.340

Reputation: 1 999

What version of Windows 7 (Home, Pro, Ultimate, etc.)? – Ƭᴇcʜιᴇ007 – 2011-04-08T13:06:28.440

@techie007: I use Windows 7 Professional (have updated question accordingly) – SealedSun – 2011-04-08T16:24:52.507

Answers

2

One can use robocopy with the parameter /COPY:DATSOU to copy just a bit of C:\Program Files. This will copy all security and owner information.

By default, any sub-folders will inherit this data from their parent. To add permissions to a sub-folder, just right-click it, select Properties, then use the Security tab.

To change permissions from the command-line, use the old and built-in cacls command, available from any command-prompt.

harrymc

Posted 2011-04-08T12:32:07.340

Reputation: 306 093
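
An added example, not part of either answer: one way to script the setup the question asks for from an elevated PowerShell prompt, using icacls instead of cacls. It assumes the question's paths ("D:\Program Files" and the hypothetical "Product\config" sub-directory) and approximates the "C:\Program Files" ACL (full control for SYSTEM and Administrators, read and execute for Users) without reproducing its TrustedInstaller and CREATOR OWNER entries.

```powershell
# Run elevated. Paths come from the question; Product\config is its hypothetical island.
$root   = 'D:\Program Files'
$island = Join-Path $root 'Product\config'

# Well-known SIDs instead of account names, so this also works on localized Windows.
$system = '*S-1-5-18'       # NT AUTHORITY\SYSTEM
$admins = '*S-1-5-32-544'   # BUILTIN\Administrators
$users  = '*S-1-5-32-545'   # BUILTIN\Users

New-Item -ItemType Directory -Path $island -Force | Out-Null

# Cut inheritance from D:\ (a data volume root typically lets Authenticated Users
# modify) and set explicit entries. (OI)(CI) = inherited by files and sub-directories.
icacls $root /inheritance:r /grant:r "${system}:(OI)(CI)F" "${admins}:(OI)(CI)F" "${users}:(OI)(CI)RX"

# Reset everything below the root to purely inherited ACLs.
# The pattern is "$root\*" on purpose: resetting $root itself would undo the step above.
icacls "$root\*" /reset /T /C /Q

# The writable island: Users get Modify here, inherited by everything below it.
# This must come after the reset, which would otherwise wipe the explicit entry.
icacls $island /grant "${users}:(OI)(CI)M"

# Check: list every directory where someone other than SYSTEM/Administrators
# holds an Allow entry that includes a write-type right.
$write   = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$trusted = 'S-1-5-18', 'S-1-5-32-544'
$sidType = [System.Security.Principal.SecurityIdentifier]

$dirs = @(Get-Item $root) + @(Get-ChildItem $root -Recurse | Where-Object { $_.PSIsContainer })
foreach ($dir in $dirs) {
    (Get-Acl $dir.FullName).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $write) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { '{0}  {1}  {2}' -f $dir.FullName, $_.IdentityReference.Value, $_.FileSystemRights }
}
```

The final loop should print only the config directory (and anything created beneath it). Keep executables and DLLs out of such an island, since any unelevated user can replace files there.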

0

I think this is tougher than it first appears, and your results will depend on how the installers for the applications you are using are written. The Program Files location has a registry entry and environment variables associated with it, so depending on the installer one of those is usually checked, but occasionally you will run into some where the installer assumes the default location.

I have done this in a slightly different way: for most apps I leave them as they are, but Steam I install on a second drive; that installer allows the choice. For the permissions issue, where I have a few apps whose config I want writable, I generally use the portable install option and put those in a folder I create outside of Program Files, so subfolders already have the correct permissions. If possible, you should consider avoiding changing permissions in Program Files. Some apps don't use the new Win7 config location (users directory) well; install those to a separate directory you create.

Remember, however you set this up, you will at some point in the future need to replicate the setup when you reinstall Windows or get a new system.

jtreser

Posted 2011-04-08T12:32:07.340

Reputation: 940

I don't care about the default install locations for programs. Changing the installation directory when prompted is easy enough. – SealedSun – 2011-04-08T16:23:46.423