Cannot load file from c:\ProgramData folder

Алексей Оводков 0 Reputation points
2024-07-26T09:57:04.8933333+00:00

I have written a .NET program that should be run on Windows 10 by different computer users, and this program stores the settings file in a c:\ProgramData\MyProgram folder.

I found that if one user creates a settings file in c:\ProgramData\MyProgram folder, then other users cannot access it, even for reading. Moreover, access to the settings file is lost even for the same user if the executable file of the program has been moved to another folder on the computer.

The only way to restore access to the settings file in the c:\ProgramData\MyProgram folder is to create it again.

Why is this happening? How do I store settings that are common to all computer users?

Windows 10 Security

2 answers

  1. MotoX80 33,556 Reputation points
    2024-07-26T13:18:07.84+00:00

    MyProgram is inheriting the "Creator Owner" and Users ACLs from ProgramData which is limiting access.

    When you create the MyProgram folder, you have to set the permissions on it to define how users can access the files.

    C:\>icacls c:\ProgramData\
    c:\ProgramData\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                    BUILTIN\Administrators:(OI)(CI)(F)
                    CREATOR OWNER:(OI)(CI)(IO)(F)
                    BUILTIN\Users:(OI)(CI)(RX)
                    BUILTIN\Users:(CI)(WD,AD,WEA,WA)
    Successfully processed 1 files; Failed processing 0 files
    C:\>md c:\ProgramData\MyProgram
    C:\>icacls c:\ProgramData\MyProgram
    c:\ProgramData\MyProgram NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
                             BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
    Successfully processed 1 files; Failed processing 0 files
    C:\>
    

    Note that the permissions on MyProgram all have "(I)" which indicates an inherited ACL which was defined on ProgramData.

    The simple solution is to remove ACL inheritance and just grant Users full control. That may or may not be a security risk, it all depends on what your requirements are.

    icacls.exe c:\ProgramData\MyProgram /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(F)" /grant "BUILTIN\Administrators:(OI)(CI)(F)" /grant "BUILTIN\Users:(OI)(CI)(F)"  /inheritance:r
    

    It would look like this.

    C:\>icacls.exe c:\ProgramData\MyProgram /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(F)" /grant "BUILTIN\Administrators:(OI)(CI)(F)" /grant "BUILTIN\Users:(OI)(CI)(F)"  /inheritance:r
    processed file: c:\ProgramData\MyProgram
    Successfully processed 1 files; Failed processing 0 files
    C:\>icacls c:\ProgramData\MyProgram
    c:\ProgramData\MyProgram BUILTIN\Users:(OI)(CI)(F)
                             BUILTIN\Administrators:(OI)(CI)(F)
                             NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    Successfully processed 1 files; Failed processing 0 files
    C:\>
    

  2. RLWA32 45,476 Reputation points
    2024-07-27T20:09:21.8133333+00:00

    Another option that provides more granular control would be to create a group (e.g., MyProgramUsers) to which all accounts that run the program belong. Then you can add that group to the security descriptor for C:\ProgramData\MyProgram with Full control only for files in that folder. That way only users of the program have complete access to that folder's contents while any other user accounts on the system would only have read/execute access.

    If you want to revoke complete access by an account to any files it did not create, remove the account from the MyProgramUsers group.

    Group for MyProgram users - [image: MyProgramUsersGroup]

    Security Descriptor for C:\ProgramData\MyProgram - [image: MyProgramFolder]

    File created by Bozo in MyProgram folder - [image: BozoFileSecurity]

    File created by Clown in MyProgram folder - [image: ClownFileSecurity]

    Both Bozo and Clown have Full control of all files in MyProgram folder due to membership in MyProgramUsers group
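Since the question concerns a .NET program, the following is an added example (not code from either answer) of how the program's installer or first-run code could create C:\ProgramData\MyProgram itself with an explicit DACL, combining the first answer's break of inheritance from ProgramData with the second answer's dedicated group. The group name MyProgramUsers is taken from the second answer and is assumed to already exist on the machine; the `Directory.CreateDirectory(string, DirectorySecurity)` and `Directory.GetAccessControl` overloads are the .NET Framework ones (on .NET 6+ the equivalents are `DirectoryInfo.Create(DirectorySecurity)` and `DirectoryInfo.GetAccessControl()` from the System.IO.FileSystem.AccessControl package).

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class SharedSettingsFolder
{
    // Creates the settings folder with an explicit (non-inherited) DACL:
    //   SYSTEM and Administrators: Full control
    //   Users:                     Read and execute (can read shared settings, cannot create files)
    //   <program users group>:     Modify (read, write, delete) on the folder and everything below it
    // Because inheritance from C:\ProgramData is cut, the CREATOR OWNER entry that
    // made each file private to whoever created it is no longer applied.
    public static void Create(string path, string programUsersGroup)
    {
        var security = new DirectorySecurity();

        // isProtected = true: stop inheriting ACEs from the parent (C:\ProgramData)
        // preserveInheritance = false: do not copy the inherited ACEs as explicit ones
        security.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);

        // (OI)(CI) in icacls terms: apply to this folder, its subfolders and its files
        var inherit = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

        security.AddAccessRule(new FileSystemAccessRule(
            new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
            FileSystemRights.FullControl, inherit, PropagationFlags.None, AccessControlType.Allow));

        security.AddAccessRule(new FileSystemAccessRule(
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
            FileSystemRights.FullControl, inherit, PropagationFlags.None, AccessControlType.Allow));

        // Every interactive user may read the shared settings but not change them.
        security.AddAccessRule(new FileSystemAccessRule(
            new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null),
            FileSystemRights.ReadAndExecute, inherit, PropagationFlags.None, AccessControlType.Allow));

        // Members of the program's group may read/write/delete the settings files.
        // Modify rather than FullControl: members cannot rewrite the folder's DACL or take ownership.
        // NTAccount is resolved to a SID when the DACL is applied; an unknown group name
        // raises IdentityNotMappedException at that point.
        security.AddAccessRule(new FileSystemAccessRule(
            new NTAccount(programUsersGroup),
            FileSystemRights.Modify, inherit, PropagationFlags.None, AccessControlType.Allow));

        Directory.CreateDirectory(path, security);
    }

    // Read-back check: true when the folder no longer inherits ACEs from C:\ProgramData,
    // i.e. none of its entries would show "(I)" in icacls output.
    public static bool HasExplicitDacl(string path)
    {
        return Directory.GetAccessControl(path).AreAccessRulesProtected;
    }

    static void Main()
    {
        // Paths and group name are those discussed in the question and answers.
        const string folder = @"C:\ProgramData\MyProgram";
        const string group = "MyProgramUsers";

        Create(folder, group);
        Console.WriteLine($"{folder} has explicit DACL: {HasExplicitDacl(folder)}");
    }
}
```

Run this from the installer (elevated) rather than from the program at first use: the account that creates the folder then also sets its DACL in one step, and ordinary users never receive the inherited `BUILTIN\Users:(CI)(WD,AD,WEA,WA)` entry shown in the first answer's icacls output, so they cannot create files in the folder unless they are members of the group.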
