I'd like to create a user account on a Windows Server which can read whatever bits of C:\ it needs to be able to execute programs, but have no read access to D:\ except for D:\Special.

It seems that the only sane way of achieving the former is to make this user part of the Users group. Unfortunately that also gives the user read access to all of D:\. If I add a Deny rule for D:\, however, this rule also applies to D:\Special, and it seems to be impossible to override by design.

Is there any way to do what I want, namely the "usual" Users access to C:\, but on D:\ no access except for read access to D:\Special?
Your content on D:\ should not be available to "Users" since a newly created user is put into this group by default. Just remove the "Users" and "Everyone" entries from D:\ and all subdirectories - do not use "deny" type ACEs as they effectively will deny access for everyone who is the member of "Users", even if the user would otherwise have been granted access by the other defined ACEs.
It depends on your requirements. Technically, a user does not need any permissions granted on the parent directory to access a subdirectory. But if you need the user to be able to do the clickety-navigation through Windows Explorer, it obviously will be a problem if the parent directory cannot be listed. Your options here:

1. Grant access to D:\special and remove access for D:\, then create either a shortcut, a mapping or a symlink there so the user would not have to navigate through D:\ to access special.
2. Grant access to D:\special and only grant the "List Folder Contents" permission to the user/group in question without inheritance. This way the user will be able to list the entire directory, but not open any of the files or subdirectories.

If the file or directory names in D:\ are not exposing something confidential, the second approach is to be preferred since it is more "organic" and works better for the user's and application programmer's expectations.
Edit: since TomTom has expressed some concerns about whether method #1 is really going to work, here is a short screencap demo from my Windows system (sorry, the output's German, but the idea should be apparent nonetheless).
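One way to carry out the answer's second option with icacls from an elevated PowerShell prompt, added here as an example and not part of the answer; the account name CONTOSO\svc-reader and the folder name D:\Special are assumed. The account needs no permissions on D:\ itself to open D:\Special because the "Bypass traverse checking" user right is assigned to Everyone by default, which is why no Deny ACE is required.

```powershell
# Added example: implement option 2 (list D:\ only, read D:\Special) with icacls.
# Assumed names: the account CONTOSO\svc-reader and the folder D:\Special.
$user = 'CONTOSO\svc-reader'

# 0. Inspect the current ACL on the root first. Look for broad groups such as
#    Users or Everyone (the default ACL of a data volume may carry others, e.g.
#    Authenticated Users; handle those the same way if present).
icacls 'D:\'

# 1. Remove the broad grants from D:\ and every file/folder below it
#    (/T walks the tree, /C continues past access errors). No Deny ACE is
#    added: as the answer says, a Deny on D:\ would also block D:\Special.
icacls 'D:\' /remove:g 'Users' /T /C
icacls 'D:\' /remove:g 'Everyone' /T /C

# 2. Let the account list D:\ only. A grant with no (OI)/(CI) flags applies to
#    "this folder only", so the names in D:\ become visible but nothing below
#    is readable: the icacls form of "List Folder Contents" without inheritance.
icacls 'D:\' /grant "${user}:RX"

# 3. Grant read on D:\Special, inherited by subfolders (CI) and files (OI).
icacls 'D:\Special' /grant "${user}:(OI)(CI)R"

# 4. Verify: expect a non-inherited ReadAndExecute entry on D:\ and a Read
#    entry with ContainerInherit, ObjectInherit on D:\Special.
foreach ($path in 'D:\', 'D:\Special') {
    "== $path"
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $user } |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
}
```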
No, because one needs to access D:\ in order to access D:\Special. Whoever came up with that idea left his common sense at the door before planning.
This simply is not possible and has nothing to do with Windows - it is the same in any hierarchical file system. A folder in another folder can not be accessed without any access to the root folder.