File permission changing

Santhosh B S 61 Reputation points
2023-02-27T07:29:59.5733333+00:00

I have a run.bat file where I have disabled inheritance option and I have restricted folder access to different type of users. Even restricted to Authenticated users. But when I save the file on c drive on a domain joined device, automatic authenticated users get full permission. Can I have some clue how it is?

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,599 questions
Azure
Azure
A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
931 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Limitless Technology 43,931 Reputation points
    2023-02-27T13:02:00.5533333+00:00

    Hello,

    In this case, you need to use specific parameters to copy the file and also its ACL permissions.

    If you copy with XCOPY you need to use the command line XCOPY /o or XCOPY /x

    Reference: https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/permissions-on-copying-moving-files

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments

  2. SaiKishor-MSFT 17,181 Reputation points
    2023-03-06T19:32:46.61+00:00

    @Santhosh B S Thanks for reaching out to Microsoft Q&A.

    The issue you are facing is because of the default permissions assigned to the Authenticated Users group. The Authenticated Users group has the following permissions on the root directory of a file share:

    NT AUTHORITY\Authenticated Users:(OI)(CI)(M)

    Please refer to this doc- https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/storage/files/storage-files-identity-ad-ds-configure-permissions.md

    This means that Authenticated Users have Modify permissions on the root directory of a file share. When you save the run.bat file on the C drive on a domain-joined device, the Authenticated Users group automatically gets full permission to the file.<sup>[0]</sup>

    If you want to restrict access to the run.bat file, you can use Windows ACLs to configure directory and file-level permissions for Active Directory authentication to Azure file shares.

    Hope this helps. If you have further questions, please do let me know. Thank you!

    0 comments No comments

  3. Santhosh B S 61 Reputation points
    2023-07-03T16:05:50.79+00:00

    Team, How can I use Xcopy command to copy run.bat from one location to remote devices (multiple devices)? Need a script .....

    0 comments No comments