Access Denied Windows 2008 Changing Security

I work for IBM and we have to lock down some directories. I'm trying to take
the no general users on %systemroot%\security. So I removed the user security
on this but I'm getting Access is Denied and I'm the Administrator. Thanks
for your help!

"Maida" <> wrote in message
news:280A56C6-48D8-4092-AB5B-...
> I work for IBM and we have to lock down some directories. I'm trying to
> take
> the no general users on %systemroot%\security. So I removed the user
> security
> on this but I'm getting Access is Denied and I'm the Administrator. Thanks
> for your help!
>

I don't quite follow what you mean by "I'm trying to take the no general
users on ...".

Also, are you getting "access denied" when you attempt to make the change
you are trying to make, or afterwards when you try to access the folder with
your administrator account?

When you say you removed the user security, does that mean you removed the
ACE with "users" as its trustee, or that you changed the permission from
"allow" do "deny"? Note that the "users" group probably includes all users
including admins. So if a deny permission is used, that could trump any
allow permission an admin might have.

Did you perhaps make the change with CACLS and forget the "/E" switch?

I'd suggest you give us a list of the permissions before and after the
change to help us wade through the ambiguity.

/Al

Hello,

You may also want to check the Owner of that folder.

--
Brock Hensley
http://BHensley.com
==
"Al Dunbar" <> wrote in message
news:...
>
> "Maida" <> wrote in message
> news:280A56C6-48D8-4092-AB5B-...
>> I work for IBM and we have to lock down some directories. I'm trying to
>> take
>> the no general users on %systemroot%\security. So I removed the user
>> security
>> on this but I'm getting Access is Denied and I'm the Administrator.
>> Thanks
>> for your help!
>>
>
> I don't quite follow what you mean by "I'm trying to take the no general
> users on ...".
>
> Also, are you getting "access denied" when you attempt to make the change
> you are trying to make, or afterwards when you try to access the folder
> with your administrator account?
>
> When you say you removed the user security, does that mean you removed the
> ACE with "users" as its trustee, or that you changed the permission from
> "allow" do "deny"? Note that the "users" group probably includes all users
> including admins. So if a deny permission is used, that could trump any
> allow permission an admin might have.
>
> Did you perhaps make the change with CACLS and forget the "/E" switch?
>
> I'd suggest you give us a list of the permissions before and after the
> change to help us wade through the ambiguity.
>
> /Al
>
>

I'm trying to remove the Local machine User from the directory but after
selecting Apply it gives me Access Denied. Thanks

"Al Dunbar" wrote:

>
> "Maida" <> wrote in message
> news:280A56C6-48D8-4092-AB5B-...
> > I work for IBM and we have to lock down some directories. I'm trying to
> > take
> > the no general users on %systemroot%\security. So I removed the user
> > security
> > on this but I'm getting Access is Denied and I'm the Administrator. Thanks
> > for your help!
> >
>
> I don't quite follow what you mean by "I'm trying to take the no general
> users on ...".
>
> Also, are you getting "access denied" when you attempt to make the change
> you are trying to make, or afterwards when you try to access the folder with
> your administrator account?
>
> When you say you removed the user security, does that mean you removed the
> ACE with "users" as its trustee, or that you changed the permission from
> "allow" do "deny"? Note that the "users" group probably includes all users
> including admins. So if a deny permission is used, that could trump any
> allow permission an admin might have.
>
> Did you perhaps make the change with CACLS and forget the "/E" switch?
>
> I'd suggest you give us a list of the permissions before and after the
> change to help us wade through the ambiguity.
>
> /Al
>
>
>

"Maida" <> wrote in message
news:B58E99D8-D420-407B-AB5E-...
> I'm trying to remove the Local machine User from the directory but after
> selecting Apply it gives me Access Denied. Thanks

OK, then what are the current permissions (exactly) and what account are you
using to try to make this change?


/Al


> "Al Dunbar" wrote:
>
>>
>> "Maida" <> wrote in message
>> news:280A56C6-48D8-4092-AB5B-...
>> > I work for IBM and we have to lock down some directories. I'm trying to
>> > take
>> > the no general users on %systemroot%\security. So I removed the user
>> > security
>> > on this but I'm getting Access is Denied and I'm the Administrator.
>> > Thanks
>> > for your help!
>> >
>>
>> I don't quite follow what you mean by "I'm trying to take the no general
>> users on ...".
>>
>> Also, are you getting "access denied" when you attempt to make the change
>> you are trying to make, or afterwards when you try to access the folder
>> with
>> your administrator account?
>>
>> When you say you removed the user security, does that mean you removed
>> the
>> ACE with "users" as its trustee, or that you changed the permission from
>> "allow" do "deny"? Note that the "users" group probably includes all
>> users
>> including admins. So if a deny permission is used, that could trump any
>> allow permission an admin might have.
>>
>> Did you perhaps make the change with CACLS and forget the "/E" switch?
>>
>> I'd suggest you give us a list of the permissions before and after the
>> change to help us wade through the ambiguity.
>>
>> /Al
>>
>>
>>