How to setup users/groups/permissions for a user "home" folder


  1. Posts : 4
    Windows 7 Enterprise, 64 bit
       #1

    How to setup users/groups/permissions for a user "home" folder


    I own a system running windows 7 enterprise and have an administrator account on it.

    I would like to setup a "standard user" (not admin) account for a new user.

    I plan to create a folder for the user inside of which the user will be allowed to create his own subfolders and files. I plan to right click on that folder and "send it to
    the desktop".

    When the user double clicks that desktop icon, he'll be running windows explorer and I don't want him to be able to see or do anything using windows explorer outside of his
    "home" folder other than creating or accessing items under it.

    I plan to have that user's home folder be directly under the c: drive.

    Questions:

    Is there a better place for it (inside of "my documents", etc) or is under the c: drive as good a place as any for these purposes?

    If I put the user's "home" folder under the c: drive, what should the permissions be for which users and which groups on the c: drive toplevel itself and on the user's
    "home" folder so the user can do what he wants in or under his home folder, can run a few applications located in "Program Files" such as Firefox (one of the desktop icons I will be installing) and in another folder under the c: drive where I will place a few .exe files he can also run, but NOT be able to read, write, execute or in any way modify the contents of any other folders anywhere under the c: drive?

    According to Microsoft "help", "standard users" can't see files created by administrators. But when I tried this with a "test" standard user account, I created some files logged into my admin account, then changed users to the standard user account and there I could not only see the files I had just created as admin, but I could even delete them. Is the Microsoft statement that standard users can't see admin files wrong or do you think somewhere I've improperly setup some permissions that are allowing this to happen?

    Thanks very much for any help.
      My Computer


  2. Posts : 11,269
    Windows 7 Home Premium 64 Bit
       #2

    If you do not want a user to have access to certain folders, it is fairly simple to do. For instance, say you do not want a user to see other user's files. With your administrator account, do the following:

    1. Click start menu
    2. Click My Computer/Computer
    3. Open C: (or whatever drive your users folder is in)
    4. Open the Users folder
    5. Right click your administrator user folder
    6. Click Properties
    7. Click the Security tab
    8. Click Edit
    9. (You don't want username John to open this folder ever) Click Add
    10. Type in John (or the username you do not want to access the folder) and hit Enter
    11. Under the Deny column, put a check in Full Control.
    12. Click OK and apply to all folders (you may need to do this in safe mode to apply to every folder since some folders will be in use in normal mode).
      My Computer


  3. Posts : 11,269
    Windows 7 Home Premium 64 Bit
       #3

    If you want to add permissions to run certain applications for a standard user, follow the steps 1-11, and then check the "Read and Execute" box for a specific program in Program Files or Program Files (x86). You may need to make a full program folder accessible (for instance the full firefox program folder) so firefox can run all needed files. Also, recommend not changing anything with system folders such as the Windows folder or SYSTEM VOLUME INFORMATION folder as this can have unforeseen consequences.

    If you want to give full access to a home folder, follow steps 1-10 and under the Allow column, put a check in Full Control.
      My Computer


  4. Posts : 4
    Windows 7 Enterprise, 64 bit
    Thread Starter
       #4

    Am I going to have to add that user as a security object with "deny full control" every single time I ever create a new folder in c: that I want to be kept hidden from him?
      My Computer


  5. Posts : 11,269
    Windows 7 Home Premium 64 Bit
       #5

    audioresearch said:
    Am I going to have to add that user as a security object with "deny full control" every single time I ever create a new folder in c: that I want to be kept hidden from him?
    You may be able to add the whole drive initially so any new folders set the permissions that way. I'll have to look into it. Edit: Okay, after looking into it, I have determined that setting permissions for the whole drive has the desired outcome. You will have to remove the denial permissions for the Windows folder and possibly other folders on the C: root drive or change them to at least allow Read/Execute (make sure if you do this to place a check in the box next to Write in the Deny column).

    You will have to set up each individual program that you do not want the user to have access to by going into the Program Files and Program Files (x86) folders and selecting the programs one at a time.

    For a more versatile approach, you may want to learn to use Group Policy management for IT pros.

    Restrict Access to Programs with AppLocker in Windows 7 may also be of interest to you. It uses the group policy editor to change permissions for program files.
    Last edited by writhziden; 28 Dec 2011 at 07:52. Reason: Determined the suggestion works
      My Computer


  6. Posts : 4
    Windows 7 Enterprise, 64 bit
    Thread Starter
       #6

    I did some more researching and found "icacls"-looks like possibly that would be a good tool to use.

    On my win 7 system, I can't seem to just check and uncheck the security attributes I want to assign without win 7 forcing me to do them in what seems to be forced packages. To give a novice user limited access to, say, the "Windows" folder, I think I would like to just check for him for that folder ("allow read & execute") and be sure that "modify" was a "deny", but win 7 won't let me make those choices. The instant I check allow "read & execute", win 7 automatically puts checks in the "allow" boxes for everything else under that choice in the list of choices. If I then check "deny" on the "modify" attribute, win 7 screws up most of the settings I just made.

    The places you just pointed me to look very interesting-thanks very much-I'll check them out tonight.
    Last edited by audioresearch; 28 Dec 2011 at 14:09. Reason: removed extraneous stuff
      My Computer


  7. Posts : 11,269
    Windows 7 Home Premium 64 Bit
       #7

    audioresearch said:
    I did some more researching and found "icacls"-looks like possibly that would be a good tool to use.

    On my win 7 system, I can't seem to just check and uncheck the security attributes I want to assign without win 7 forcing me to do them in what seems to be forced packages. To give a novice user limited access to, say, the "Windows" folder, I think I would like to just check for him for that folder ("allow read & execute") and be sure that "modify" was a "deny", but win 7 won't let me make those choices. The instant I check allow "read & execute", win 7 automatically puts checks in the "allow" boxes for everything else under that choice in the list of choices. If I then check "deny" on the "modify" attribute, win 7 screws up most of the settings I just made.

    The places you just pointed me to look very interesting-thanks very much-I'll check them out tonight.
    Yeah, Windows has some strange behavior with its permissions. The only thing you can deny once clicking allow for "read & execute" is the "write" permissions. This prevents users from writing to the folder, and I believe it may also prevent modifying in the same token, but I would have to play around with it to see... okay, it does prevent modification, but it does not prevent deleting... That I could see as a big issue.
      My Computer


  8. Posts : 4
    Windows 7 Enterprise, 64 bit
    Thread Starter
       #8

    That's what I thought happened. It sure is an issue.

    I did find that one can go into the "real" underlying base security attributes (there are far more of those than the ones like "read & execute", "modify", etc that are usually shown, but if I remember right, even there one may not be able to set things up so a user can just read & execute and do nothing more-I'll have to play around with it when I have a little more time. This was all infinitely easier to do in Linux where I simply set "read" and "execute" and it just worked the way it should. On the other hand, if Microsoft makes things super complicated, well then I'll just be able to get higher pay if I take work setting these sorts of things up for a living!
      My Computer


  9. Posts : 11,269
    Windows 7 Home Premium 64 Bit
       #9

    audioresearch said:
    That's what I thought happened. It sure is an issue.

    I did find that one can go into the "real" underlying base security attributes (there are far more of those than the ones like "read & execute", "modify", etc that are usually shown, but if I remember right, even there one may not be able to set things up so a user can just read & execute and do nothing more-I'll have to play around with it when I have a little more time. This was all infinitely easier to do in Linux where I simply set "read" and "execute" and it just worked the way it should. On the other hand, if Microsoft makes things super complicated, well then I'll just be able to get higher pay if I take work setting these sorts of things up for a living!
    Yeah, I found where you need to go:
    1. Right Click Folder that you want to change permissions on
    2. Click Properties
    3. Security tab
    4. Click Edit (add user and deny full control as described before and apply to folder and subfolders/subcontainers and hit ok)
    5. Click Advanced
    6. Permissions tab
    7. Click Continue if needed.
    8. Click on the user who is denied access
    9. Click Edit
    10. Apply only the read attributes to Allow (see screenshot for which should be allowed)

    You could do the above for the entire drive and then set up individual folders as you wanted them. Or you could set them up to deny all access until you change certain folders to have the attributes in the image.
    Attached Thumbnails Attached Thumbnails How to setup users/groups/permissions for a user "home" folder-advancedpermissions.jpg  
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 01:48.
Find Us