blocking folders with icacls

Discussion in 'Windows 7 Help and Support' started by nginmu, May 1, 2016.

  1. nginmu

    nginmu New Member

    Joined:
    May 1, 2016
    Messages:
    16
    Likes Received:
    0
    Using the command line, I would like to write a simple script that creates two folders C:\$X.~01 and C:\$X.~01 and then maybe uses the icacls command to set the permissions on both folders such that neither folder may be read, written or modified in any manner except specifically by a single logged-in human Administrator called "Admin". Even that specific Administrator account should be able to do only one limited action, which would be to view then entirely delete the folders.

    The restriction on the folders should propagate down into anything stored within the folders.

    Essentially I want to prevent any automated program or other user (or even the system itself) coming along and creating those folders by itself.

    Is this possible using icacls command?

    So far I have

    Code:
    cd\
    mkdir C:\$X.~01\
    mkdir C:\$X.~02\
    icacls C:\$X.~01\*.* /T /grant administrators:F
    icacls C:\$X.~02\*.* /T /grant administrators:F
    pause
    
    ..but this just creates the folders with full admin permissions? it's the correct syntax to *remove* all permissions from the folders and anything inside them, I'm looking for.
     
    #1 nginmu, May 1, 2016
    Last edited: May 1, 2016
  2. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,532
    Likes Received:
    314
    its not possible within Windows to have a folder that nobody has control over... the default in w7 is administrator
     
  3. nginmu

    nginmu New Member

    Joined:
    May 1, 2016
    Messages:
    16
    Likes Received:
    0
    I'm trying to block the upgrade to Windows 10, by attempting to pre-empt the creation of the two folders it uses to preload the installation files. I figured if they're already there and they're locked, it won't be able to proceed.
     
  4. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,532
    Likes Received:
    314
    The simple way to block GWX on w7pro is to join a domain... this disables the app because Microsoft does not want to piss off business customers

    if you have a non-pro version or don't want to join a domain for whatever reasion then your next best bet is a group policy edit... in any event you should make a back up first then find a code that matches the windows copy you use... don't just google the first regedit code | app you see and assume because they are only good on the right build.
     
  5. nginmu

    nginmu New Member

    Joined:
    May 1, 2016
    Messages:
    16
    Likes Received:
    0
    Sounds good, thanks for the info :) I'm working on a Windows 7 Ultimate SP1 x64 machine - I'll go google, but if you have any pointers regarding how to join a domain that'd be helpful. I'm not so hot on the commercial side of Windows.
     
  6. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,532
    Likes Received:
    314
  7. nginmu

    nginmu New Member

    Joined:
    May 1, 2016
    Messages:
    16
    Likes Received:
    0
    Many thanks. I now have all the info I need :)
     

Share This Page

Loading...