Changing access for \Program Files in Windows Vista Home Premium?
Hello!
I'm going to take the laptop in for repair to fix intermittent problems, and I want to create a new account for the service center employees in case they need to run some testing utilities.
I want to deprive this account of all rights to \Program Files - so that there is no unnecessary temptation to cut into toys instead of work, for example. However, as it turned out, administrators do not have the rights to change access rights.
If you look closely, there is a trick here.
The \Program Files directory is owned by someone called TrustedInstaller. Administrators have two kinds of special permissions:
1) directly for \Program Files - everything except changing permissions and changing ownership
2) for subdirectories and files inside \Program Files - full control
I cannot add a ban for a new account directly to the access settings for \Program Files (permission denied), even if I specify the scope of this ban the same as I have full access to. Setting up a denial of access for each subdirectory is a chore, although this option works.
I would be grateful if you could suggest an elegant solution to the task in a minimum of actions and without changing the current access settings for other accounts, including system ones.
Close write access to Program Files? In Vista? And why on earth do you have it open? Only the administrator has access there, and only when a UAC request is accepted. Have you turned it all off?
Umm… you want to close access to your computer to the specialists who will repair it? Options:
* if we don't want them to install something and break the system (i.e., it is a 100% hardware failure) - simply make a full backup (with the standard tools of the OS or the laptop), and when you get it back, roll back without even looking - a matter of 3 mouse clicks and some waiting time.
* if we don't want the data to be readable (hide personal porn), then either delete it (back it up to external storage) or encrypt it. Permissions are child's play; if you have direct access to the hardware, it's not protection.
P.S. You shouldn't complicate the life of repairmen by blocking their access, since administrative rights will almost certainly be needed to test the equipment, and if they are available, all rights to the directories are reconfigured.
And also, by agreement, you can generally take your hard drive with you (you may only have to remove it at the service center).
> everything except changing permissions and changing ownership
Administrators have SeTakeOwnershipPrivilege by default, which means they can open any object with WRITE_OWNER access. Object owners always have implicit allow WRITE_DAC access, meaning they can change permissions on their objects regardless of whether there is an allow (or even deny) ACE for WRITE_DAC.
In short, you must first "own" the object (the Owner tab in the Advanced security dialog, or takeown.exe if you prefer the command line). And then you can change access to anything.
If you really want, after these manipulations you can return ownership to TrustedInstaller.
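
The sequence described in the answer above (take ownership, change the ACL, return ownership to TrustedInstaller), as an added example that is not part of the original thread. It is meant for an elevated Command Prompt; `ServiceUser` and the backup file path are placeholders, and it assumes the system's `icacls` supports `/save`, `/deny`, `/remove:d` and `/setowner`.

```batch
@echo off
rem Added example: run from an elevated Command Prompt (Run as administrator).
rem ASSUMPTION: ServiceUser is a placeholder for the temporary account's name.
setlocal
set "TARGET=%ProgramFiles%"
set "ACCOUNT=ServiceUser"
set "BACKUP=%USERPROFILE%\programfiles-acl.txt"

rem 1. Save the current ACL of the directory object itself (no /T, so
rem    subdirectories are not walked) as a record of the original state.
icacls "%TARGET%" /save "%BACKUP%" || goto fail

rem 2. Take ownership of the top-level directory only (no /R). /A assigns
rem    ownership to the Administrators group rather than the current user.
takeown /F "%TARGET%" /A || goto fail

rem 3. As owner, add a single deny ACE for the account. (OI)(CI) makes it
rem    inherit to files and subdirectories; RX is read and execute.
rem    ACEs of all other accounts, including system ones, are left untouched.
icacls "%TARGET%" /deny "%ACCOUNT%:(OI)(CI)(RX)" || goto restore_owner

rem 4. Hand ownership back to TrustedInstaller.
icacls "%TARGET%" /setowner "NT SERVICE\TrustedInstaller" || goto fail

rem 5. Show the resulting ACL for review.
icacls "%TARGET%"
echo Done. To undo later, repeat steps 2 and 4 around this command:
echo   icacls "%TARGET%" /remove:d "%ACCOUNT%"
exit /b 0

:restore_owner
rem The deny ACE could not be added (for example, the account does not exist).
rem Do not leave the directory owned by Administrators.
echo Could not add the deny ACE; returning ownership to TrustedInstaller.
icacls "%TARGET%" /setowner "NT SERVICE\TrustedInstaller"
exit /b 1

:fail
echo A step failed; check that the prompt is elevated, then review the owner:
echo   dir /q "%TARGET%\.."
exit /b 1
```

The inherited deny ACE does not reach subdirectories that have inheritance disabled, and an explicit allow ACE on a child object is evaluated before an inherited deny, so review the output of step 5 and spot-check a few subdirectories with `icacls`.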