This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 93%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
We used to remove authenticated users / change from the acl on the root drive post install within a task sequence. After updating the image with 20H2, I noticed while validating that the dacl from a fresh install now appears as:
BUILTIN\Administrators, full, inherited
BUILTIN\Administrators, full, container_inherit+object_inherit+inherit_only+inherited
NT AUTHORITY\SYSTEM, full, inherited
NT AUTHORITY\SYSTEM, full, container_inherit+object_inherit+inherit_only+inherited
NT AUTHORITY\Authenticated Users, change, inherited
NT AUTHORITY\Authenticated Users, change, container_inherit+object_inherit+inherit_only+inherited
BUILTIN\Users, read_execute, inherited
BUILTIN\Users, read_execute, container_inherit+object_inherit+inherit_only+inherited
When you view the dacl in the UI and display the advanced view, it appears as expected, not inherited. Where exactly does the above get inherited from given it is the dacl on the c: drive?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
To know the issue more clearly, please help collect information for the following questions:
1,How did you validate that the dacl, if possible , please share a screenshot (remember to hide the private information)
2,When you said the dacl in the UI and display the advanced view, it appears as expected, did it work normally?
Best Regards,
Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
Best Regards,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 47%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMD%3C/text%3E%3C/svg%3E)
I have noticed the same thing, a fresh install of 20H2 creates significantly different DACLs for C:\ compared to previous versions. Also, owner and group are no longer "TrustedInstaller"/"TrustedInstaller", but "Administrators"/"S-1-5-21-2469211566-71358270-794700764-513" ... whatever that SID is.
When I try to remove the ACEs for "Authenticated Users" with Powershell or icacls.exe, it strips all ACEs from C:\, rendering the system mostly unbootable. I guess that has something to do with the ACEs now being marked as inherited, despite there being no parent object to inherit anything from.
All these strange changes don't really seem intentional to me.
Hi,
If the owner changed to a sid , it seems the owner can't be recognized by the system.
What's the result if you change the own back to the administrator or other users.
Best Regards,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 2%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
I also ran into this issue. This is on a brand new virtual machine, just installed Windows 10 professional 20H2 and ran windows updates. The permissions originally look like this:
When I list the permissions from powershell I see they are listed as being inherited, see attached powershell transcript. 40349-powershell-transcriptdesktop-euke76fehnuc3n5202011.txt
For this machine I don't want any authenticated user to be able to create new folders directly on C: so I use icacls to remove the permissions (see transcript). In Windows 10 professional 2004 this works just fine. In 20H2 the result is that all ACLs are removed and pretty much nothing works any longer:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 7.000000000000001%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGW%3C/text%3E%3C/svg%3E)
Which build of 20H2 was this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 9%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I has a similar problem after installing postgres 9.1 on windows 10 20H2, all the permissions of c:\ were removed except for the postgres user. Nothing worked after that, because windows did not had access to the c drive (not even the disk size bar of the drive on windows explorer). I solved it by taking owneship and the manually adding the respective permissions to the c: drive.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 69%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hi , you got any update about this please? this issue is very problematic. As others, when trying to remove the "Modify" right to 'authenticated Users" it deletes all permissions on the drive, so the system becomes unbootable.
It used to work in 1909.
Build is 20H2 19042.508
Here is the powershell i use (doing it with the system account)
$ACL = Get-ACL -Path "C:\"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\Authenticated Users","Modify","Allow")
$ACL.RemoveAccessRule($AccessRule)
$ACL | Set-Acl -Path "C:\"
Can't even see the permission with system account :
thanks for updating
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 6%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Please check on latest released version of 20H2 eg 19042.631
as their are unconfirmed reports of acl issues like this on root on the earlier .508 version