Forum Discussion

nautil125's avatar
nautil125
Copper Contributor
May 02, 2024

Restrict common users from creating a folder in root of system drive

Hello professionals, 

hope you can help me with an issue I am struggling with on both Windows Server 2019 and 2022. Common/ordinary users (domain users who are member of Remote Desktop Users group) should not be able to create a folder in root of system drive C:, but members of Administrators group should have those privileges.

 

Typical solution is to drop Write/Modify for Users in context menu Security, like this:

Unfortunately it doesn't work. Members of Remote Desktop Users, who are not members of Administrators group, can create and delete folder in C: Following pictures are snipped on Windows Server 2022.

 

Remote Desktop Users:

Users:

Folder creation/deletion of a user from Remote Desktop User group:

Do you have any idea why NTFS permissions do not work on system drive C:?

Do you have any suggestion how to solve the issue, i.e. prevent non-administrator users from creating their own folders in root of system drive?

 

Regards

 

Leos

 

  • nautil125 

    Correct setting was hidden in advanced permission configuration. There is a step-by-step directions to solve my problem:

     

    1. right mouse click on drive C:
    2. (item) Properties
    3. (card) Security
    4. (button) Advanced
    5. (button) Change Permissions
    6. select line with Users group and privilege "Create folders / append data" granted on "This folder and subfolders"
    7. (button) Edit
    8. (hyperlink) Show advanced permissions
    9. (select list) Applies to: "This folder and subfolders", change to "Subfolders and files only"
    10. (button) OK
    11. (button) OK
    12. (button) Yes (confirm a warning about changing permissions on the root directory of the startup disk

    Changing of permission failed for those hidden system files, because there were in use by another process:

    • C:\DumpStack.log.tmp
    • C:\pagefile.sys

     

  • nautil125's avatar
    nautil125
    Copper Contributor

    nautil125 

    Correct setting was hidden in advanced permission configuration. There is a step-by-step directions to solve my problem:

     

    1. right mouse click on drive C:
    2. (item) Properties
    3. (card) Security
    4. (button) Advanced
    5. (button) Change Permissions
    6. select line with Users group and privilege "Create folders / append data" granted on "This folder and subfolders"
    7. (button) Edit
    8. (hyperlink) Show advanced permissions
    9. (select list) Applies to: "This folder and subfolders", change to "Subfolders and files only"
    10. (button) OK
    11. (button) OK
    12. (button) Yes (confirm a warning about changing permissions on the root directory of the startup disk

    Changing of permission failed for those hidden system files, because there were in use by another process:

    • C:\DumpStack.log.tmp
    • C:\pagefile.sys

     

  • L_Youtell_974's avatar
    L_Youtell_974
    Brass Contributor
    If i were you, i would not play with the permission on the drive "c", because if you mess with this, you could mess with the "c:\users" and thing could be turn really bad.
    I would suggest to only hide the drive "c:" because at the end, If you hide the drive, user can't play the drive.
    • nautil125's avatar
      nautil125
      Copper Contributor

      L_Youtell_974My preference would be that users could still browse the C: drive, but could not create folders in the root.
      If Windows Server 2022 doesn't allow this setting, I'll accept it and arrange accordingly. But it's a mystery to me why this restriction simply can't be set.

Resources