Default drive C permissions?


I notice that even on a fresh install of XP SP2 the Creator Owner group has full permissions, while Everyone is limited to read and execute. After discovering a few folders that seem to have been created by either spyware or rogue apps, I'd like to remove this.

1. Who here removes the creator owner group from the root of the C: drive?

2. What problems is this likely to cause?

3. How can I go about removing this access on clients that are already on the network?

Thanks for any input.

RE: Default drive C permissions?


I notice that even on a fresh install of XP SP2 the Creator Owner group has full permissions, while Everyone is limited to read and execute.

Is this true? That is, you don't mention that System and Administrators also have full permissions (generally the creator is also an administrator).

If you don't use internet from Administrator level accounts, you greatly reduce the chance of what you have had happening.

1. I don't remove creator/owner - can't see the point.
2. Don't know as don't do it, but can't see problems as system and administrators will still have full permissions.
3. What does being already on the network have to do with changing permissions? Or are you asking how to change lots of machines remotely?

As I mentioned earlier, best approach afaik is to use limited accounts for internet access.

RE: Default drive C permissions?

"You might see an account with the name "Owner" when you first log on. The owner account, with computer administrator privileges, is created during installation if no user accounts are set up at that time. You can rename this account with a user's name".

In SP2 this is listed as "Creator Owner" with no boxes checked under the Permissions, except for "Special Permissions".  By checking for "Creator Owner" under Advanced/ Effective Permissions, you can see the Permissions for the Owner.  On this machine, there were no boxes checked in Effective Permissions, which means that it has no access whatsoever.

User listed under the Security Tab of C: -

Creator Owner

How To Reset Security Settings Back to the Defaults

FAQ779-5596: How to apply the same Group Policy to many machines in a Workgroup environment.

thread779-1300502: Script/Batch changing file permissions?

RE: Default drive C permissions?

wolluf, yes, the admin and system permissions are listed as well.

Linney, these are domain machines and everyone logs on as a restricted user so they can't write data to Program Files or Windows. I've noticed that even though they can't see the C: drive, it is possible for them to create folders or files in the root of C:.

If they manage to do this then the user is listed as creator owner and has full permissions when you view the advanced NTFS permissions. I'd like to make it so users cannot create folders at all.

RE: Default drive C permissions?

If the users don't belong to any groups defined to have security access to the C: drive, then they shouldn't be able to create anything in the root (are there other permissions there you haven't mentioned?). How is it possible for them to create files/folders, especially as they can't see C:? (Is it the users or a system process? If it is the users, is it intentional, i.e. do you have clever users who are trying to circumvent security?) As I said earlier, I can't see why removing creator/owner would cause problems. Why not try it out on one machine and see if:

1. It does/doesn't cause problems
2. It stops the creation of files/folders under C:.

RE: Default drive C permissions?

Well, I suspect it's an app that some users are running off the net, like a Java game, that sometimes created the folders. I also suspect these students are trying to get around security and maybe installing apps in the directory, e.g. Firefox Portable.

If I log on to a standard XP SP2 box as a restricted user I can create a folder in the root of C:. Have you tried this?

The permissions on C are:

Administrators: FULL
CREATOR OWNER: Special permissions (if I create a folder as a student, their username shows as the OWNER and they have FULL special permissions)
Everyone: READ
Users: READ


RE: Default drive C permissions?

Yes, by default, a limited user is able to create a folder in the root of a drive, and then as he is the owner of the folder he can then create files in that owned folder.  A limited user is not able to create files in the root of a drive.  This seems to hold for both XP and Vista.

By fine tuning the permissions, see the earlier link, you can prevent the creation of folders too.

RE: Default drive C permissions?

Right, cheers, I'll take a look at that.

Do you know if it's possible to set permissions as a station builds off our RIS server, an unattend.txt option maybe, or will I have to script this once Windows is installed?


RE: Default drive C permissions?

OK, that worked, so now I only see Admins, System and Users on the root of C:.

I had a look at the Windows folder and noticed that Creator Owner also has FULL special permissions there, but they 'can't' create folders in there.

Any chance you can put my mind at rest and explain that? I'm feeling a bit confused.


RE: Default drive C permissions?

Not really, now you see why I am happy to plod along with Default Settings, life is so much simpler.

Is it inheriting anything from the C: drive permissions?  Conversely, is it NOT inheriting the permissions you set for C:?  Have a look at Inheritance, and I don't mean what your rich relative may have left you in their will.

"How Inheritance Affects File and Folder Permissions"

Set permissions for folders and files

Have a look at this tool, it may come in handy?

SubInACL (SubInACL.exe)

RE: Default drive C permissions?

OK, I think I've worked it out. Windows and Program Files are not set to inherit permissions, so changing the C: drive root permissions doesn't affect them.

The difference is in the advanced permissions area: you can select a number of options from the 'Applies to' drop-down box when editing the advanced permissions. In these areas the drop-down is set to 'Subfolders and files only', not 'This folder, subfolders and files', so the Creator Owner 'write' permissions never apply to the current folder.

Bit odd but that seems to be it.

Thanks for your help along the way.
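
The 'Applies to' behaviour worked out in the last post can be read straight from an ACL's inheritance flags. The following is an added example, not code from the thread: it decodes the ACE flags of an SDDL string into the matching 'Applies to' entry and reports which trustees actually have an ACE evaluated on the folder itself. The SDDL string is constructed to resemble the permissions described above, and the function names are hypothetical.

```python
import re

# SDDL inheritance flags -> the "Applies to" entry in the advanced permissions editor
APPLIES_TO = {
    frozenset(): "This folder only",
    frozenset({"OI", "CI"}): "This folder, subfolders and files",
    frozenset({"CI"}): "This folder and subfolders",
    frozenset({"OI"}): "This folder and files",
    frozenset({"OI", "CI", "IO"}): "Subfolders and files only",
    frozenset({"CI", "IO"}): "Subfolders only",
    frozenset({"OI", "IO"}): "Files only",
}
TRUSTEES = {"BA": "Administrators", "SY": "SYSTEM", "CO": "CREATOR OWNER",
            "BU": "Users", "WD": "Everyone"}

# Constructed sample DACL modelled on the thread (not dumped from a real machine)
SAMPLE_SDDL = ("D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
               "(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)")

def parse_dacl(sddl):
    """Return one dict per ACE in the DACL part of an SDDL string."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")[:6]
        tokens = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        scope = frozenset(tokens & {"OI", "CI", "IO"})
        aces.append({
            "trustee": TRUSTEES.get(sid, sid),
            "allow": ace_type == "A",
            "rights": rights,
            "applies_to": APPLIES_TO.get(scope, "Unrecognised combination"),
            # IO (inherit-only): the ACE is only a template for children and
            # is skipped when access to this folder itself is evaluated.
            "applies_here": "IO" not in tokens,
        })
    return aces

def effective_on_folder(sddl):
    """Trustees whose allow ACEs are evaluated for the folder itself."""
    return [a["trustee"] for a in parse_dacl(sddl)
            if a["allow"] and a["applies_here"]]

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SDDL):
        print(f'{ace["trustee"]:15} {ace["rights"]:9} {ace["applies_to"]}')
```
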
