2

I removed the Administrators group from the security tab for the drive root "C:\" on a Windows Server 2003 system, to prevent granting Full Control to all Administrators.

Now, when I create a file in the drive root (or subfolders set to inherit permissions), the security for the files lists the Administrators group, with Full Control permission, claiming to be inherited from the drive root "C:\".

How can files be inheriting Administrators group permissions that I removed from the drive root?

EEAA
Triynko

6 Answers

4

If you are a member of the Administrators group then it's an, erm, feature of Windows that it sets the owner to be the Administrators group not your user account.

I would guess that you're seeing Administrators in the permissions because you have CREATOR/OWNER in the root ACL. In this case the CREATOR/OWNER is Administrators (because of the behaviour above) hence Administrators appears in the ACL.

I'm not a big fan of including CREATOR/OWNER in ACLs precisely because you can get this sort of odd behaviour. I always set the root permissions to Administrators and SYSTEM only, with Full control, then add extra permissions to subdirectories only as and when they're needed.

JR

John Rennie
  • +1 Upvote for correct answer. However this is actually a GOOD feature in Windows. It would be a management nightmare to have to take ownership of files/folders all the time because you weren't the actual admin that installed software on some box that is now broken and off the network. If more Windows apps were able to install without requiring Admin rights to begin with... – Ryan Fisher Jun 18 '09 at 19:01
0

This may be related to the Administrators group being the folder owner, and files being created with permission for the owner to access.

crb
0

Sometimes they can be remembered especially if something has a handle on it. On the security tab go to advanced and select the option to replace permission entries, that should force it down.

Shial
0

Why do you want to do this? It sounds like you gave a bunch of users Admin accounts and now you don't want them installing software ... just a guess.

Joseph Kern
0
  • I am the owner of the root folder, not Administrators.
  • The box is not part of a domain.
  • I am doing this to lock down access to the drive root, mainly to prevent other administrators from cluttering it with folders since it's so easy to navigate to :)

The question is why are Administrators permissions (Full Control) being inherited from the root when they are not present there?

EDIT: Even though I am the owner of the root folder, when I create a new file, its owner is set to Administrators, which seems to be why Administrators is showing up on the file. If I then set myself as the owner, and reset the permissions by un-checking/re-checking the inherit permissions box, then the Administrators group goes away.

EDIT: I agree with renniej; it seems to be a Windows feature; I can't imagine any other reason why Administrators is the owner of everything I create, even on my own desktop folder. It is an annoying feature, but as mystikphish said, it's got a decent reason for being there.

However, if Administrators owning the file is the cause, why does the permission still claim to be inherited from the drive root, and why after changing the owner to myself is Administrators still listed, and still claiming to be inherited from the drive root? It only goes away after I set myself as owner AND reset the permissions by un-checking/checking inherit permissions on the file.

EDIT: @ HipCzeck's comment. Yeah, I know that, but we're a small group, and they are unlikely to mess with the permissions. I just want to make it a pain in the ass to put files in the root, and I left a text file there with a note to stop doing it :) It's not really a security worry, it's more of a power struggle, lol. I'm just trying to keep things organized here.

EDIT: @ TheCleaner's answer. Output of "icacls c:" is: (I replaced my user account with "MyAccount")

MyAccount:(F)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
MyAccount:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)

In the security tab for the file, it shows only:

CREATOR OWNER
Everyone
MyAccount
SYSTEM
Users
Triynko
  • Removing administrator rights is usually a cosmetic fix, because administrators can at any point claim ownership of any resource and then assign themselves rights to that resource, thus subverting all the efforts on your part to restrict access from them. Food for thought. – HipCzeck Jun 18 '09 at 19:02
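
The CREATOR OWNER behaviour from John Rennie's answer, and the ownership follow-up in the post above, modelled as an added Python example (not code from any post in this thread). It simplifies Windows ACL inheritance to the new-file case; the root ACL, the `Ace` class and the function names are constructed for illustration.

```python
from dataclasses import dataclass

OI, CI, IO = "OI", "CI", "IO"      # object-inherit, container-inherit, inherit-only
CREATOR_OWNER = "CREATOR OWNER"    # well-known placeholder SID S-1-3-0
ADMINS = "BUILTIN\\Administrators"

@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: str
    flags: frozenset = frozenset()
    inherited: bool = False

def inherit_for_file(parent_dacl, owner):
    """Build the DACL a new file receives from its parent folder."""
    child = []
    for ace in parent_dacl:
        if OI not in ace.flags:
            continue  # only object-inherit ACEs reach files
        # CREATOR OWNER is swapped for the file's owner when the ACE is
        # inherited, and the resulting ACE is still flagged as inherited.
        trustee = owner if ace.trustee == CREATOR_OWNER else ace.trustee
        child.append(Ace(trustee, ace.rights, frozenset(), inherited=True))
    return child

def inherited_trustees(dacl):
    return sorted({a.trustee for a in dacl if a.inherited})

# Constructed root ACL: Administrators removed, CREATOR OWNER still present.
ROOT_DACL = [
    Ace("MyAccount", "F", frozenset({OI, CI})),
    Ace("NT AUTHORITY\\SYSTEM", "F", frozenset({OI, CI})),
    Ace(CREATOR_OWNER, "F", frozenset({OI, CI, IO})),
]

def scenario():
    """Replay the three states described in the thread."""
    # 1. File created by an admin: the owner defaults to the Administrators group.
    at_creation = inherit_for_file(ROOT_DACL, ADMINS)
    # 2. Owner changed afterwards: ACEs already stored on the file are not rewritten.
    after_chown = list(at_creation)
    # 3. Inheritance re-applied (un-check/re-check): the placeholder is resolved again.
    after_reset = inherit_for_file(ROOT_DACL, "MyAccount")
    return [inherited_trustees(d) for d in (at_creation, after_chown, after_reset)]

if __name__ == "__main__":
    for step, trustees in zip(("created", "owner changed", "re-inherited"), scenario()):
        print(f"{step:14} {trustees}")
```
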
0

There is also a group that has SPECIAL permissions at the root of C. Either Authenticated Users or Everyone depending on what OS you are on.

You would really need to post the output of this command here for us to be sure of what is going on:

icacls c:

or

cacls c:

The output would help determine the issue.

TheCleaner