How to use cacls/xcacls to deny permissions (similar to features available on Security tab)

I'm running Win2k Pro (SP4) in a workgroup (non-domain) environment.  When I use the Explorer Security tab to deny Administrator permissions (Full Control) to a directory (%SystemRoot%\system32\GroupPolicy), this is what I get afterward when I run cacls/xcacls:

C:\WINNT\system32\GroupPolicy BUILTIN\Administrators:(OI)(CI)(DENY)(special access:)

                              NT AUTHORITY\Authenticated Users:(OI)(CI)R
                              NT AUTHORITY\SYSTEM:(OI)(CI)F

When I try to deny access using either cacls or xcalcs, I get this:

C:\WINNT\system32>xcacls GroupPolicy /e /d administrators
processed directory: C:\WINNT\system32\GroupPolicy

C:\WINNT\system32>xcacls GroupPolicy
C:\WINNT\system32\GroupPolicy BUILTIN\Administrators:(OI)(CI)N
                              NT AUTHORITY\Authenticated Users:(OI)(CI)R
                              NT AUTHORITY\SYSTEM:(OI)(CI)F

Note that the BUILTIN\Administrators have "None" privileges instead of "Deny" privileges.  When I look at the Explorer Security tab, however, it shows all permissions as "Deny."

Here's the reason I'm doing all this:  I'm using local Group Policy (gpedit.msc) to lock down the workstations, but I don't want the lockdown to apply to the Administrators.  I understand that if I deny Administrators Read access to the %SystemRoot%\system32\GroupPolicy directory, then the local group policy will not apply to the Administrators (  This all works fine when I deny access via the Explorer Security tab, but I can't get it to work using the cacls/xcacls commands.

Thanks for any help.
Who is Participating?
lacamsConnect With a Mentor Commented:
You can try with the tool : subinacl.exe

download site :
cme12345Author Commented:
I figured out how to do this using cacls.exe.  It turns out I was getting caught up in the quagmire of inherited folder permissions by specifying only the directory name and not using the /t parameter.

To open up permissions on the contents of the GroupPolicy folder so that I can run gpedit.msc, I can do the following:

cacls winnt\system32\grouppolicy\*.* /t /e /g administrators:f

To deny administrators permissions so that the group policy settings don't not take effect, I can do the following:

cacls winnt\system32\grouppolicy\*.* /t /e /d administrators

Thanks to "lacams" for suggesting subinacl.exe.  It opened my eyes to the directory permission inheritance issues.  For that he gets points.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.