Win 7 Folder/ File Security - Need Some Help.

I’ve used security on Vax Vms and also Win NT server. I’m usually pretty comfortable with it. Win 7 has me stumped. They have Document & Settings restricted. Even for Administrators. I guess they are worried about users documents being read. Win XP did not restrict this folder and that’s the way I want to continue using it.

Manipulating Documents & Settings is a big part of my job. I routinely copy icons into All Users Desktop. So that any user sees the icon. Or I copy a document from one user to another’s my documents. I also copy the users folder tree to a backup partition. In Win NT this is known as a roaming profile. All part of the Support Techs job.

Anyhow, I can’t get the security to propagate down. I set full control access on Documents & Settings for Everyone, System, and Administrators. I can now see the folders underneath. I can click on All Users and see the folders. But, I can’t click into allusers\desktop.

I can’t set security on all users either. I get an error message scolding me for conflicting security settings.

This should be simple. You set security by right clicking, properties, security. Click on a group (Administrator), Edit, Full Control, Apply. Then you do it for System and (maybe) Everyone.

Then Advanced, Edit Security has a check box for Replace All Child Object Permissions

that should propagate the security down. But, It’s not doing it.

I even tried adding my account (AceP for example) on Document & Settings with full control. I checked security on All Users and it didn’t propagate down either.

Anyone figured this out yet? So far, I still have no access to any account under Documents & Settings except for my own personal one.

(Be warned that I’m not too familiar with the system so these are just educated guesses)

  1. Where is this “All Users” folder? I think Win 7 replaced it C:\Users\Public\Desktop – is that where you’re already at?

If not, is it possible that “All Users” (and even “Documents and Settings”) is a leftover from a previous Windows installation and which didn’t inherit the correct permissions for whatever reason?

Or is it possible that you’re looking at a virtual folder? Windows 7 doesn’t use “Documents and Settings” anymore, just \Users, but it does automatically allow the use of those folders as links to the new locations (for backward compatibility)… but I can see that giving you trouble with permissions.

The whole “All Users” meme has been replaced by the new “Public” user, which everyone should have access to.

  1. As far as I know, administrators CAN manipulate the user folders of limited users, just not other administrators. You can “take possession” of other administrators’ files if they’re not encrypted, but I don’t think that’s the best way. If you and another administrator both need to share some files, make a separate folder and assign it to a group that you both belong to.

  2. Roaming profiles… a lot of data is now stored in \Users\user\AppData (hidden), not My Documents.

I was in the original Documents & Settings Folder.
I see the Users folder too. That’s new to Win7.

Maybe these two folders need to stay in sync? Maybe that’s why Win7 has security setup to deny access?

Yes! I checked my own
C:\Documents and Settings\acep\Downloads

They have the same files I downloaded earlier with Firefox. It does look like Win7 is keeping them in sync. It copied the same file both places when I downloaded.

I wonder if we can still manipulate these folders manually? A lot of times I copy documents from a thumb drive into C:\Documents and Settings\acep. I might create a subfolder like WorkProj1. That’s separate from My Docs.

It looks like I need to do some reading & research. They’ve really complicated this. I may need to stay away from those folders. I can always create C:\WorkProjects\WorkProj1 and do my own thing. Leave their crap alone.

Documents and Settings is just a link to Users. It’s just an alias, not a separate copy. Users is where the files actually live. Try setting the permissions on Users and see if D&S inherits them.

It won’t let me change C:\users – security blows off with an denied message.
Same as any of the folders under C:\users.

They seem to have this locked down pretty tight. I need to research and see whats going on.

Meanwhile, I’m going to experiment. create C: ry, C: ry 1, C: ry ry2 etc. and set security different ways. I should be able to restrict it to a specific user account, or admins etc. I want to get a feel for how this is working. I’m familiar with security on user groups. I Did it all the time on NT.

Is anyone else logged in? Could it be a matter of the files being in use?

Yes. \Documents & Settings is just a link to \Users.

You may want to drop to a command prompt and use the ICACLS tool.

No one on the pc but me. :wink:

I tried creating a test folder c: ry, c: ry 1, C: ry 1 1a and setting security on the top level (c: ry). I added acep1 user account security (full access) to the folder. Worked fine and when I checked a sub-folder (t1a) it showed the inherited permissions.

What I’m doing works like I’d expect it. Except on the C:\users folder. Then another file/file etc. There’s something preventing security changes there.

the actual message box says

An error occured while applying security information to


Access Denied

When I click continue I get an error on another folder in C:\users\default. This continues until I finally click cancel.

The problem is different from when I was trying to set security on documents & settings. I’m glad you told me about the alias.

Perhaps UAC is getting in the way? On my Win 7 test system, members of the Administrators group have full control over all the users’ private directories. However, even if you’ve logged in with your Admin account, you’re only executing under a restricted login token without any admin power unless you’ve explicitly told the system you wish to run as an admin (which is what happens when you right-click on a shortcut and select “Run as administrator”. Some executables are also specially annotated in the manifest to tell the system to automatically launch them with the unrestricted admin token.)

If that’s the problem, I don’t know how to launch the Explorer GUI as a full admin. I would just launch a command prompt window as admin (using the right-click, then “Run as admin” trick), then tweak things as needed using the icacls tool mentioned above.

Alternatively, perhaps you can see if it is practical to take advantage of the Users\Public folder available on Win 7 instead? It may be an easier and safer option. As you have discovered, there’re many nuances in how access control lists are processed, and it’s very easy to make a subtle mistake and create a security hole that can be exploited if you try to tweak them manually.

ONe thing I’m still not sure about: Are you upgrading from a previous Windows installation? Is it possible there are files belonging to an older admin user (not the current 7 admin), requiring you to first take ownership with the new account?

No, this was a fresh install on a new hard drive. Win7 32bit, OEM.

Right now I’m still getting a feel for Win7. Experimenting and seeing what software installs ok. I normally wouldn’t be so aggressive in changing the folder & file permissions. You can only learn by trying.

I plan to format the drive and reinstall fresh. Win7 installs quickly. It took less than an hour last time.

I found out quickly that file security is a lot more complicated these days. They actually had a special permission set up to deny access to the All Users Desktop folder. It does make me pause and wonder if its something I should remove.

Later today I’ll post a screen cap of the default security settings. I find it interesting to study. Traditionally there was very little file security on pc’s unless they were part of a big network. Microsoft has really locked down certain folders in Win7. That has good and bad consequences. There are times that I need to manipulate those folders as a support tech.

The answer was mentioned: there is no “Documents and Settings” folder; it’s now users. What looks like a folder is merely a redirect, put there so older programs will know where to go. You can’t get into the folder, but all the files that would have been there are in the “Users” folders.