blocking folders with icacls

#1
Using the command line, I would like to write a simple script that creates two folders C:\$X.~01 and C:\$X.~01 and then maybe uses the icacls command to set the permissions on both folders such that neither folder may be read, written or modified in any manner except specifically by a single logged-in human Administrator called "Admin". Even that specific Administrator account should be able to do only one limited action, which would be to view then entirely delete the folders.

The restriction on the folders should propagate down into anything stored within the folders.

Essentially I want to prevent any automated program or other user (or even the system itself) coming along and creating those folders by itself.

Is this possible using icacls command?

So far I have

Code:
cd\
mkdir C:\$X.~01\
mkdir C:\$X.~02\
icacls C:\$X.~01\*.* /T /grant administrators:F
icacls C:\$X.~02\*.* /T /grant administrators:F
pause
...but this just creates the folders with full admin permissions? It's the correct syntax to *remove* all permissions from the folders and anything inside them that I'm looking for.
 



ussnorway

Windows Forum Team
Staff member
Premium Supporter
#2
Essentially I want to prevent any automated program or other user (or even the system itself) coming along and creating those folders by itself.
It's not possible within Windows to have a folder that nobody has control over... the default in w7 is administrator
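The icacls syntax asked about in #1, as an added example that is not part of the original thread: it removes the inherited entries and leaves one read-and-delete entry for the account named "Admin" (the name given in #1, assumed here to be a local account). The folder's owner, and any account that can take ownership, can still rewrite the ACL, so this narrows access rather than producing a folder nobody controls.

```batch
@echo off
rem Added example, not code from the thread. Run from an elevated prompt.
rem ACCOUNT is the account name given in post #1 (assumed to be a local account).
setlocal
set "ACCOUNT=Admin"

for %%D in ("C:\$X.~01" "C:\$X.~02") do call :lock "%%~D"

endlocal
pause
exit /b 0

:lock
rem Create the folder if it is not there yet.
if not exist "%~1\" mkdir "%~1" || exit /b 1

rem The path names the folder itself; a \*.* suffix would match only its
rem contents and leave the folder's own ACL untouched.
rem   /inheritance:r  removes every entry inherited from C:\
rem   /grant:r        replaces any explicit entry for the account
rem   (OI)(CI)        passes the entry down to files and subfolders
rem   (RX,D)          read/list plus delete, with no write or change-permissions
icacls "%~1" /inheritance:r /grant:r "%ACCOUNT%:(OI)(CI)(RX,D)" || exit /b 1

rem Print the resulting ACL so the single remaining entry can be checked.
icacls "%~1"
exit /b 0
```

The final `icacls` call should list only the `Admin` entry; an `(I)` flag on any line means an inherited entry survived.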
 


#3
I'm trying to block the upgrade to Windows 10, by attempting to pre-empt the creation of the two folders it uses to preload the installation files. I figured if they're already there and they're locked, it won't be able to proceed.
 


ussnorway

Windows Forum Team
Staff member
Premium Supporter
#4
The simple way to block GWX on w7pro is to join a domain... this disables the app because Microsoft does not want to piss off business customers

If you have a non-pro version or don't want to join a domain for whatever reason, then your next best bet is a group policy edit... In any event you should make a backup first, then find a code that matches the Windows copy you use... Don't just google the first regedit code | app you see and assume, because they are only good on the right build.
 


#5
Sounds good, thanks for the info :) I'm working on a Windows 7 Ultimate SP1 x64 machine - I'll go google, but if you have any pointers regarding how to join a domain that'd be helpful. I'm not so hot on the commercial side of Windows.
 


ussnorway

Windows Forum Team
Staff member
Premium Supporter
#6
but if you have any pointers regarding how to join a domain that'd be helpful.
  1. Windows 7 Ultimate needs update 3065987 to enable a block using the Local Group Policy Editor (Gpedit.msc)
  2. Microsoft official notes are = https://support.microsoft.com/en-us/kb/3080351
  3. imo this article explains it better but perhaps that's just me = Microsoft expands Get Windows 10 program to domains, publishes opt-out instructions | ZDNet
 


#7
Many thanks. I now have all the info I need :)
 

