For our installation image for Windows 10 (Education version), I'd like to prevent users from creating new folders on the C:\. The installation is used by students sharing PCs in a class room, and therefore we want to keep the main directory of the disk clean (they all have home directories to store their data). In the current installation of Windows 7 I could very simply edit the permissions using the standard Windows GUI. With Windows 10, it fails.
What I already tried:
- Changing the permissions from the GUI → Failed to enumerate objects in the container (Access is denied).
- Taking ownership of the
C:\directory from the GUI → Access is denied - Adding a Deny entry from the GUI, without changing the existing permissions → Access is denied
- Changing the permissions using
caclsfrom an elevated command prompt → Access is denied - Taking ownership from an elevated command prompt using the
takeown /f c:\ /acommand → Access is denied - Same
caclsandtakeowncommands from a command prompt running under the SYSTEM user (obtained withpsexec64) → Access is denied
Despite the fact that it should not be a security risk to allow users to create their own folder at C:\ (new files are not permitted), this is not what we want, because we would like to make sure people use their home (which has backups and snapshots, unlike the local PC hard drives).
The permissions on C:\ look the same that were on a Windows 7 Enterprise installation, including the mandatory label (icacls displays in both cases Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)), and the owner is the same (TrustedInstaller), so I wouldn't expect to see a difference between Windows 7 and Windows 10 on this.
Now, there is an option that actually works: using cacls from the Windows 10 recovery command prompt. However, although this solution is fine for the image deployment, we also have several machines that need to be corrected manually because we can't reimage them. Despite the fact that I can boot the Windows 10 recovery over PXE (using memdisk and an ISO image of the CD), it would be very helpful if this could be done from within the actual OS running on the machines. Even better if it can be one with a GPO.
Putting this in an answer so there's a permanent record: Windows 10 does not prevent you from changing the permissions on the root of the C drive. The OP has confirmed that this behaviour was caused by their anti-virus software.
Not a direct answer, but as it's shared computers, there is a GPO that will restrict the entire C drive while allowing program that are installed on it to work.
That will only block the user to navigate the C drive, even from a save as windows. It could be a good workaround.
User Configuration\Administrative Templates\Windows Components\Windows
Prevent access to drives from My Computer.
And Restrict C drive only