Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: How to setup users/groups/permissions for a user "home" folder


27 Dec 2011   #1

Windows 7 Enterprise, 64 bit
 
 
How to setup users/groups/permissions for a user "home" folder

I own a system running windows 7 enterprise and have an administrator account on it.

I would like to setup a "standard user" (not admin) account for a new user.

I plan to create a folder for the user inside of which the user will be allowed to create his own subfolders and files. I plan to right click on that folder and "send it to
the desktop".

When the user double clicks that desktop icon, he'll be running windows explorer and I don't want him to be able to see or do anything using windows explorer outside of his
"home" folder other than creating or accessing items under it.

I plan to have that user's home folder be directly under the c: drive.

Questions:

Is there a better place for it (inside of "my documents", etc) or is under the c: drive as good a place as any for these purposes?

If I put the user's "home" folder under the c: drive, what should the permissions be for which users and which groups on the c: drive toplevel itself and on the user's
"home" folder so the user can do what he wants in or under his home folder, can run a few applications located in "Program Files" such as Firefox (one of the desktop icons I will be installing) and in another folder under the c: drive where I will place a few .exe files he can also run, but NOT be able to read, write, execute or in any way modify the contents of any other folders anywhere under the c: drive?

According to Microsoft "help", "standard users" can't see files created by administrators. But when I tried this with a "test" standard user account, I created some files logged into my admin account, then changed users to the standard user account and there I could not only see the files I had just created as admin, but I could even delete them. Is the Microsoft statement that standard users can't see admin files wrong or do you think somewhere I've improperly setup some permissions that are allowing this to happen?

Thanks very much for any help.

My System SpecsSystem Spec
.

27 Dec 2011   #2

Windows 7 Home Premium 64 Bit
 
 

If you do not want a user to have access to certain folders, it is fairly simple to do. For instance, say you do not want a user to see other user's files. With your administrator account, do the following:

1. Click start menu
2. Click My Computer/Computer
3. Open C: (or whatever drive your users folder is in)
4. Open the Users folder
5. Right click your administrator user folder
6. Click Properties
7. Click the Security tab
8. Click Edit
9. (You don't want username John to open this folder ever) Click Add
10. Type in John (or the username you do not want to access the folder) and hit Enter
11. Under the Deny column, put a check in Full Control.
12. Click OK and apply to all folders (you may need to do this in safe mode to apply to every folder since some folders will be in use in normal mode).
My System SpecsSystem Spec
27 Dec 2011   #3

Windows 7 Home Premium 64 Bit
 
 

If you want to add permissions to run certain applications for a standard user, follow the steps 1-11, and then check the "Read and Execute" box for a specific program in Program Files or Program Files (x86). You may need to make a full program folder accessible (for instance the full firefox program folder) so firefox can run all needed files. Also, recommend not changing anything with system folders such as the Windows folder or SYSTEM VOLUME INFORMATION folder as this can have unforeseen consequences.

If you want to give full access to a home folder, follow steps 1-10 and under the Allow column, put a check in Full Control.
My System SpecsSystem Spec
.


28 Dec 2011   #4

Windows 7 Enterprise, 64 bit
 
 

Am I going to have to add that user as a security object with "deny full control" every single time I ever create a new folder in c: that I want to be kept hidden from him?
My System SpecsSystem Spec
28 Dec 2011   #5

Windows 7 Home Premium 64 Bit
 
 

Quote   Quote: Originally Posted by audioresearch View Post
Am I going to have to add that user as a security object with "deny full control" every single time I ever create a new folder in c: that I want to be kept hidden from him?
You may be able to add the whole drive initially so any new folders set the permissions that way. I'll have to look into it. Edit: Okay, after looking into it, I have determined that setting permissions for the whole drive has the desired outcome. You will have to remove the denial permissions for the Windows folder and possibly other folders on the C: root drive or change them to at least allow Read/Execute (make sure if you do this to place a check in the box next to Write in the Deny column).

You will have to set up each individual program that you do not want the user to have access to by going into the Program Files and Program Files (x86) folders and selecting the programs one at a time.

For a more versatile approach, you may want to learn to use Group Policy management for IT pros.

Restrict Access to Programs with AppLocker in Windows 7 may also be of interest to you. It uses the group policy editor to change permissions for program files.
My System SpecsSystem Spec
28 Dec 2011   #6

Windows 7 Enterprise, 64 bit
 
 

I did some more researching and found "icacls"-looks like possibly that would be a good tool to use.

On my win 7 system, I can't seem to just check and uncheck the security attributes I want to assign without win 7 forcing me to do them in what seems to be forced packages. To give a novice user limited access to, say, the "Windows" folder, I think I would like to just check for him for that folder ("allow read & execute") and be sure that "modify" was a "deny", but win 7 won't let me make those choices. The instant I check allow "read & execute", win 7 automatically puts checks in the "allow" boxes for everything else under that choice in the list of choices. If I then check "deny" on the "modify" attribute, win 7 screws up most of the settings I just made.

The places you just pointed me to look very interesting-thanks very much-I'll check them out tonight.
My System SpecsSystem Spec
28 Dec 2011   #7

Windows 7 Home Premium 64 Bit
 
 

Quote   Quote: Originally Posted by audioresearch View Post
I did some more researching and found "icacls"-looks like possibly that would be a good tool to use.

On my win 7 system, I can't seem to just check and uncheck the security attributes I want to assign without win 7 forcing me to do them in what seems to be forced packages. To give a novice user limited access to, say, the "Windows" folder, I think I would like to just check for him for that folder ("allow read & execute") and be sure that "modify" was a "deny", but win 7 won't let me make those choices. The instant I check allow "read & execute", win 7 automatically puts checks in the "allow" boxes for everything else under that choice in the list of choices. If I then check "deny" on the "modify" attribute, win 7 screws up most of the settings I just made.

The places you just pointed me to look very interesting-thanks very much-I'll check them out tonight.
Yeah, Windows has some strange behavior with its permissions. The only thing you can deny once clicking allow for "read & execute" is the "write" permissions. This prevents users from writing to the folder, and I believe it may also prevent modifying in the same token, but I would have to play around with it to see... okay, it does prevent modification, but it does not prevent deleting... That I could see as a big issue.
My System SpecsSystem Spec
28 Dec 2011   #8

Windows 7 Enterprise, 64 bit
 
 

That's what I thought happened. It sure is an issue.

I did find that one can go into the "real" underlying base security attributes (there are far more of those than the ones like "read & execute", "modify", etc that are usually shown, but if I remember right, even there one may not be able to set things up so a user can just read & execute and do nothing more-I'll have to play around with it when I have a little more time. This was all infinitely easier to do in Linux where I simply set "read" and "execute" and it just worked the way it should. On the other hand, if Microsoft makes things super complicated, well then I'll just be able to get higher pay if I take work setting these sorts of things up for a living!
My System SpecsSystem Spec
28 Dec 2011   #9

Windows 7 Home Premium 64 Bit
 
 

Quote   Quote: Originally Posted by audioresearch View Post
That's what I thought happened. It sure is an issue.

I did find that one can go into the "real" underlying base security attributes (there are far more of those than the ones like "read & execute", "modify", etc that are usually shown, but if I remember right, even there one may not be able to set things up so a user can just read & execute and do nothing more-I'll have to play around with it when I have a little more time. This was all infinitely easier to do in Linux where I simply set "read" and "execute" and it just worked the way it should. On the other hand, if Microsoft makes things super complicated, well then I'll just be able to get higher pay if I take work setting these sorts of things up for a living!
Yeah, I found where you need to go:
1. Right Click Folder that you want to change permissions on
2. Click Properties
3. Security tab
4. Click Edit (add user and deny full control as described before and apply to folder and subfolders/subcontainers and hit ok)
5. Click Advanced
6. Permissions tab
7. Click Continue if needed.
8. Click on the user who is denied access
9. Click Edit
10. Apply only the read attributes to Allow (see screenshot for which should be allowed)

You could do the above for the entire drive and then set up individual folders as you wanted them. Or you could set them up to deny all access until you change certain folders to have the attributes in the image.


Attached Images
 
My System SpecsSystem Spec
Reply

 How to setup users/groups/permissions for a user "home" folder




Thread Tools




Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 08:03 PM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33