Which build of 20H2 was this?
Default file system permissions
We used to remove authenticated users / change from the acl on the root drive post install within a task sequence. After updating the image with 20H2, I noticed while validating that the dacl from a fresh install now appears as:
BUILTIN\Administrators, full, inherited
BUILTIN\Administrators, full, container_inherit+object_inherit+inherit_only+inherited
NT AUTHORITY\SYSTEM, full, inherited
NT AUTHORITY\SYSTEM, full, container_inherit+object_inherit+inherit_only+inherited
NT AUTHORITY\Authenticated Users, change, inherited
NT AUTHORITY\Authenticated Users, change, container_inherit+object_inherit+inherit_only+inherited
BUILTIN\Users, read_execute, inherited
BUILTIN\Users, read_execute, container_inherit+object_inherit+inherit_only+inherited
When you view the dacl in the UI and display the advanced view, it appears as expected, not inherited. Where exactly does the above get inherited from given it is the dacl on the c: drive?
4 answers
Sort by: Most helpful
-
Glenn Wasserman 1 Reputation point Microsoft Employee
2020-12-04T20:29:12.453+00:00 -
danieldmu 1 Reputation point
2020-12-08T18:04:11.663+00:00 I has a similar problem after installing postgres 9.1 on windows 10 20H2, all the permissions of c:\ were removed except for the postgres user. Nothing worked after that, because windows did not had access to the c drive (not even the disk size bar of the drive on windows explorer). I solved it by taking owneship and the manually adding the respective permissions to the c: drive.
-
JULIEN 1 Reputation point
2020-12-11T15:40:35.807+00:00 Hi , you got any update about this please? this issue is very problematic. As others, when trying to remove the "Modify" right to 'authenticated Users" it deletes all permissions on the drive, so the system becomes unbootable.
It used to work in 1909.Build is 20H2 19042.508
Here is the powershell i use (doing it with the system account)
$ACL = Get-ACL -Path "C:\" $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\Authenticated Users","Modify","Allow") $ACL.RemoveAccessRule($AccessRule) $ACL | Set-Acl -Path "C:\"
Can't even see the permission with system account :
thanks for updating
-
sc_msft 1 Reputation point Microsoft Employee
2021-03-12T10:35:15.967+00:00 Please check on latest released version of 20H2 eg 19042.631
as their are unconfirmed reports of acl issues like this on root on the earlier .508 version