-1

I created a special user who should never be able to CD into several system directories like program files, Windows directory, etc.

While I can use icacls to set up the permissions on most of them, I cannot seem to do it on C:\Windows, because I get an Access denied message. I'm trying it with an administrator account.

Why is this? How can I deny a user from listing (CD into) Windows directory?

Daniel
  • 1
    Are you running in an elevated CMD? Anyway, I think this is a bad idea. E.g., how would this user be able to open Explorer.exe? Also, why do you care where he can navigate? Assuming he is not admin, he can't do anything with it... – EliadTech Apr 16 '15 at 08:47
  • @EliadTech thank you, I think you have a point about, for example, explorer.exe; I hadn't thought it over. After my question I decided to redesign the structure so that it won't be needed. If you form an answer I'll accept it. – Zoltán Tamási Apr 16 '15 at 09:13
  • 1
    Changing permissions on system folders is the wrong solution in 99,99% of all cases. – Daniel Apr 16 '15 at 11:39

1 Answer

3

You mustn't deny the user listing permission in the Windows directory, because he wouldn't be able to open vital programs (e.g. Explorer.exe), and that would cause all sorts of problems.

EliadTech