SOLVED

Restrict common users from creating a folder in root of system drive

Hello professionals, 

I hope you can help me with an issue I am struggling with on both Windows Server 2019 and 2022. Common/ordinary users (domain users who are members of the Remote Desktop Users group) should not be able to create a folder in the root of system drive C:, but members of the Administrators group should have those privileges.

 

The typical solution is to drop Write/Modify for Users in the Security context menu, like this:

C_Security.PNG

Unfortunately, it doesn't work. Members of Remote Desktop Users who are not members of the Administrators group can create and delete folders in C:. The following pictures were snipped on Windows Server 2022.

 

Remote Desktop Users:

gRemoteDesktopUsers.PNG

Users:

gUsers.PNG

Folder creation/deletion by a user from the Remote Desktop Users group:

cmdCommonUser.PNG

Do you have any idea why NTFS permissions do not work on the system drive C:?

Do you have any suggestions on how to solve the issue, i.e. prevent non-administrator users from creating their own folders in the root of the system drive?

 

Regards

 

Leos

 

3 Replies
If I were you, I would not play with the permissions on drive "c", because if you mess with this, you could mess with "c:\users" and things could turn really bad.
I would suggest only hiding drive "c:", because in the end, if you hide the drive, users can't play with the drive.

@L_Youtell_974 My preference would be that users could still browse the C: drive, but could not create folders in the root.
If Windows Server 2022 doesn't allow this setting, I'll accept it and arrange accordingly. But it's a mystery to me why this restriction simply can't be set.

best response confirmed by nautil125 (Copper Contributor)
Solution

@nautil125 

The correct setting was hidden in the advanced permission configuration. Here are step-by-step directions to solve my problem:

 

  1. right mouse click on drive C:
  2. (item) Properties
  3. (card) Security
  4. (button) Advanced
  5. (button) Change Permissions
  6. select line with Users group and privilege "Create folders / append data" granted on "This folder and subfolders"
  7. (button) Edit
  8. (hyperlink) Show advanced permissions
  9. (select list) Applies to: "This folder and subfolders", change to "Subfolders and files only"
  10. (button) OK
  11. (button) OK
  12. (button) Yes (confirm a warning about changing permissions on the root directory of the startup disk)

Changing the permissions failed for these hidden system files, because they were in use by another process:

  • C:\DumpStack.log.tmp
  • C:\pagefile.sys
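
A scripted equivalent of steps 6 to 9 above, as an added example that is not part of the original post: it finds the explicit Allow entry that lets BUILTIN\Users create folders in the root itself and re-scopes it to "Subfolders and files only". It assumes Windows PowerShell 5.1 in an elevated session; the variable names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes Windows PowerShell 5.1.
$root     = 'C:\'
$usersSid = 'S-1-5-32-545'    # well-known SID of BUILTIN\Users
$sidType  = [System.Security.Principal.SecurityIdentifier]
$create   = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
$inhOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Load only the DACL so that owner and group are left untouched on save.
$acl = [System.IO.Directory]::GetAccessControl(
    $root, [System.Security.AccessControl.AccessControlSections]::Access)

# Explicit Allow ACEs for Users that grant "Create folders / append data"
# and apply to the root folder itself (i.e. are not inherit-only).
$targets = @($acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq $usersSid -and
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.HasFlag($create) -and
    -not $_.PropagationFlags.HasFlag($inhOnly)
})

if ($targets.Count -eq 0) {
    Write-Output "No ACE on $root lets Users create folders in the root itself."
    return
}

foreach ($old in $targets) {
    # Same identity and rights, but scoped to "Subfolders and files only".
    $new = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $old.IdentityReference, $old.FileSystemRights,
        'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')
    $acl.RemoveAccessRuleSpecific($old)
    $acl.AddAccessRule($new)
}
[System.IO.Directory]::SetAccessControl($root, $acl)

# Show the resulting Users entries for review.
[System.IO.Directory]::GetAccessControl($root).GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $usersSid } |
    Format-Table FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```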

 
