Help me to create 2 patch files to set permissions on all drives

[leprince2007]

I want to create a batch file to grant current user"Leprince2007" full access for all partitions "d-e-f-g-h"
I put this code in ".bat" file.Is this right?

takeown /[COLOR="Red"]f[/COLOR] [COLOR="darkgreen"]D:[/COLOR] /r /d y
takeown /[COLOR="Red"]f[/COLOR] [COLOR="DarkGreen"]E:[/COLOR] /r /d y
takeown /[COLOR="red"]f[/COLOR] [COLOR="darkgreen"]F:[/COLOR] /r /d y
takeown /[COLOR="red"]f[/COLOR] [COLOR="darkgreen"]G:[/COLOR] /r /d y
takeown /[COLOR="red"]f[/COLOR] [COLOR="darkgreen"]H:[/COLOR] /r /d y

I want to create another patch file to block guest from opening partition "D" and grant him read-only access for other partitions "e-f-g-h"
I put this code in ".bat" file.Is this right?

icacls [COLOR="darkgreen"]D:[/COLOR] /grant Guest:[COLOR="Red"]N[/COLOR] /T​
icacls [COLOR="darkgreen"]E:[/COLOR] /grant Guest:[COLOR="red"]R[/COLOR] /T​
icacls [COLOR="darkgreen"]F:[/COLOR] /grant Guest:[COLOR="red"]R[/COLOR] /T​
icacls [COLOR="darkgreen"]G:[/COLOR] /grant Guest:[COLOR="red"]R[/COLOR] /T​
icacls [COLOR="darkgreen"]H:[/COLOR] /grant Guest:[COLOR="red"]R[/COLOR] /T​

Questions:
1-Please tell me if there is any mistakes in my codes
2-Will the batch files apply all codes ?
3-How can I run all the codes in the batch file at the same time?because every code takes a lot of time to accomplish the task

 

[mrjimphelps]

The "takeown" example looks good to me, although I've never used the takeown command. But I do have a huge amount of experience with batch files, and your batch file code looks good. I'm not sure about the icacls code.

Wouldn't it be easier to create two user accounts, each with the desired access and limitations, with no password required on the guest account; and then make sure you log off when you leave the computer? In this way, the only thing a user other than you could do is log in as guest with the extremely limited rights.

 

[leprince2007]

The "takeown" example looks good to me, although I've never used the takeown command. But I do have a huge amount of experience with batch files, and your batch file code looks good. I'm not sure about the icacls code.

Wouldn't it be easier to create two user accounts, each with the desired access and limitations, with no password required on the guest account; and then make sure you log off when you leave the computer? In this way, the only thing a user other than you could do is log in as guest with the extremely limited rights.

But how can I do what I want using 2 accounts?
Guest can add,delete,copy and move files

 

[TechnoMage2016]

It's not always necessary to have 100% access to every file in the computer. But there are some files that you may want to have ready access to, especially if you're a programmer, guru, geek or just plain PC enthusiast.

And I'm sure you meant "BATCH" files and not "patch" files. Eh? Just so we're on the same page and speaking the same language.

But, since I'm a computer tech and I do have to work with a lot of files in the PC, especially in Windows 7,8.1 and 10, one of the very first things I do when setting up a new OS, is to install the "Grant Admin Full Control" program. Then I can right click on any file or folder and take ownership of it.
It's a very simple program, easy to install and it's FREE! And it causes no problems with other programs on the PC. I call it "Take Ownership" on Steroids!

Cheers mate!
TechnoMage

 

[mrjimphelps]

But how can I do what I want using 2 accounts?
Guest can add,delete,copy and move files

First, you do what TechnoMage suggested - log in as administrator, and take administrative control of all folders. My thought is that by doing this, the administrator account you are logged in on will then own all folders, and no one else will. In other words, you will block all other users from being able to access any folders.

If this is correct, then all you need to do after that is give the desired access to each user, because once you have taken away all access, the only thing that they will be able to access is what you specifically give them.

This applies only to the data files. Don't take away anyone's access to their own user profiles.

@TechnoMage2016, am I correct about this?

 

[TechnoMage2016]

First, you do what TechnoMage suggested - log in as administrator, and take administrative control of all folders. My thought is that by doing this, the administrator account you are logged in on will then own all folders, and no one else will. In other words, you will block all other users from being able to access any folders.
If this is correct, then all you need to do after that is give the desired access to each user, because once you have taken away all access, the only thing that they will be able to access is what you specifically give them.
This applies only to the data files. Don't take away anyone's access to their own user profiles.
@TechnoMage2016, am I correct about this?

I would hope that anyone using this forum would always be logged into their own PC as the Administrator. Eh? So that should go unsaid. Using "Grant Admin Full Control" goes beyond the control normally given to the normal "Administrator". For instance, just being the only user on a system, and having so called "Administrator Privileges" does not give me the rights I need to move, delete, or rename files considered to be "System files".

Let me give an example: When installing Windows 10, I don't want 'Cortana' running in the background and scooping up info on me and reporting it to MS, as I've heard that it can and will. That's my personal preference! So after some experimenting, I found that if I just rename the 'Cortana.Core.dll' file to something like 'Cortana.Core.kkk' then the file cannot load and run and Cortana is subsequently disabled, without disabling any other programs that may also use some of the files related to Cortana.

But it's a more or less Protected file, and until I take ownership of it, using Grant Admin Full Control, I can't do anything with it at all.
So my process is to first navigate, with Windows Explorer, to the file, "C:\Windows\SystemApps\Microsoft.Windows.Cortana_CW5n1h2txyewy\Cortana.Core.dll"

I then right click on the file and select Grant Admin Full control from the drop-down menu. Then I can right click on the file again and select "Rename" and change the extension to something non-executable.
Now the file is effectively DEAD, and I no longer have Cortana running in the background.

So I suggest that everyone who wants to fuss around with their computer, install the program "Grant Admin Full Control" and then only take ownership of those files you really need to have control over.
It's counter productive, and very time consuming, to try to take ownership of the entire computer and all it's thousands of files.

Just my thoughts.....

Cheers Mates!

 

[mrjimphelps]

Thanks for that explanation.

A further question: How can the OP limit the guest user to read-only access for the drives he listed? I'm pretty sure that the guest user has read and write access by default to all drives and folders which are not (1) Windows system folders and (2) the folders in other users' profiles. So is there a way to restrict the guest user to read-only access for all of the drives and folders that aren't included in (1) and (2)?

 

[Barman58]

If you fully understand the whole concept of and have a good bit of experience with, the practical procedures you can set up any access system you wish, without the total destruction of the system security of the operating system. The way that XP was set-up was totally inadequate for the current security threats to each and every computer user.

You should never run as the Full admin user (linux calls it Root access), for longer than the absolute minimum time possible to correct a serious access fault.

If you revert the rights to those used in XP and run as administrator you are giving those full rights to lock, delete, or anything else, to each and every piece of malware that gets through your AV system. a virus or any other malware runs with the rights of the user logged in at the time of infection.

Vista brought in the tokenized Admin user to replicate the system used by professional network systems admins - You run two accounts, one standard for use for all day to day work and one admin for the times when you are dealing with admin matters. This has been developed further in Windows 7 and more modern windows versions to deal with the threats to security in the current decade and century.

If you need more access to system activities you elevate rights using Run as Administrator and OK the virtualized access.

On a standard windows system, as designed, a guest account should only have access to files on the Users - Public - folders. you can then add access rights to folders on other drives required by selecting the root of the drive, (or any suitable sub branch), and add the Guest user to the list and allocate the access rights with read and navigate rights only and let these cascade down the tree. You may have issues where the Everyone user has rights greater than is needed for guest but the everyone right may be removed as long as you have already set up rights for admin accounts or even better the actual user who you will be specifically logged in as .

It's not as simple as simply removing all the carefully set up safety and security built into the OS, and it will take a longer time to, learn the practical skills, and apply the rights manually, (or semi Auto), but it will produce a system that is less likely to fall apart

 

[mrjimphelps]

On a standard windows system, as designed, a guest account should only have access to files on the Users - Public - folders. you can then add access rights to folders on other drives required by selecting the root of the drive, (or any suitable sub branch), and add the Guest user to the list and allocate the access rights with read and navigate rights only and let these cascade down the tree. You may have issues where the Everyone user has rights greater than is needed for guest but the everyone right may be removed as long as you have already set up rights for admin accounts or even better the actual user who you will be specifically logged in as.

That's what I wanted to know. Thank you.