How to limit rights on C drive for Authenticated Users

In some cases, it can be useful to control the level of permissions that users have on the C: drive.
With this in mind, and to respond to certain customer requests, I made a PowerShell script to limit write rights for authenticated users using the icacls command.

The script is available on GitHub:

Script details

<#
  This script allows you to revoke user rights on C:
  and thus prevent creating folders or files anywhere on the system hard disk.

  Version:        1.0
  Author:         Christopher Mogis
  Creation Date:  07/11/2023
#>

#Script Parameters
Param(
    [ValidateSet("Remove", "Add")]
    [String]$Param
)

$Date = Get-Date

#Log Folder
Function CreateLogsFolder
{
    If(!(Test-Path "C:\CCMTune\Logs\"))
    {
        Write-Host "$($Date) : Create logs folder C:\CCMTune\Logs"
        New-Item -Force -Path "C:\CCMTune\Logs\" -ItemType Directory
    }
    Else
    {
        Write-Host "$($Date) : The folder C:\CCMTune\Logs\ already exists !"
    }
}

#Create Log Folder
CreateLogsFolder

#Remove right
If ($Param -eq "Remove")
{
  #Rights modification
  $Logs = "C:\CCMTune\Logs\CCMTRemoveRightsOnC.log"
  #Delete the log of the opposite action; ignore the error if it does not exist
  Remove-Item -Path "C:\CCMTune\Logs\CCMTAddRightsOnC.log" -Force -ErrorAction SilentlyContinue
  Write-Output "$($Date) : Remove user rights on C:" | Tee-Object -FilePath $Logs -Append
  #S-1-5-11 is the well-known SID of Authenticated Users; /remove:g removes the rights granted to it
  Invoke-Expression -Command "icacls C:\ /remove:g *S-1-5-11" | Tee-Object -FilePath $Logs -Append
}

#Add right
If ($Param -eq "Add")
{
  #Rights modification
  $Logs = "C:\CCMTune\Logs\CCMTAddRightsOnC.log"
  #Delete the log of the opposite action; ignore the error if it does not exist
  Remove-Item -Path "C:\CCMTune\Logs\CCMTRemoveRightsOnC.log" -Force -ErrorAction SilentlyContinue
  Write-Output "$($Date) : Add user rights on C:" | Tee-Object -FilePath $Logs -Append
  #(AD): append data / add subdirectory on the root folder itself
  Invoke-Expression -Command "icacls C:\ /grant *S-1-5-11:'(AD)'" | Tee-Object -FilePath $Logs -Append
  #(OI)(CI)(IO)M: Modify, inherited by child files and folders only
  Invoke-Expression -Command "icacls C:\ /grant *S-1-5-11:'(OI)(CI)(IO)M'" | Tee-Object -FilePath $Logs -Append
}

Script execution

The script has two parts: the first removes the user rights, and the second restores them.

Command line to remove permissions:
  • powershell.exe -ExecutionPolicy Bypass -file DriveC_RightsModification.ps1 -Param Remove
Command line to restore permissions:
  • powershell.exe -ExecutionPolicy Bypass -file DriveC_RightsModification.ps1 -Param Add
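
After either command line has run, the ACL on C:\ can be read back to confirm the result instead of relying on the log alone. The following is an added example, not part of the original script; the function names Get-AuthenticatedUsersAce and Test-DriveRootState are hypothetical, and it only checks the two ACEs that the script grants or removes for S-1-5-11.

```powershell
# Added example (not part of the original script). Function names are hypothetical.
$AuthUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users, as used by the script

function Get-AuthenticatedUsersAce {
    param([string]$Path = 'C:\')
    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs instead of account names so the check does not depend on the OS language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $AuthUsersSid) {
            [pscustomobject]@{
                Type        = $rule.AccessControlType
                Rights      = $rule.FileSystemRights
                Propagation = $rule.PropagationFlags
            }
        }
    }
}

function Test-DriveRootState {
    param(
        [Parameter(Mandatory)][ValidateSet('Remove', 'Add')][string]$Expected,
        [string]$Path = 'C:\'
    )
    $rights      = [System.Security.AccessControl.FileSystemRights]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow = @(Get-AuthenticatedUsersAce -Path $Path | Where-Object { $_.Type -eq 'Allow' })

    # (AD): append data / add subdirectory, applied to the folder itself.
    $hasAD = [bool]($allow | Where-Object {
        ($_.Rights -band $rights::AppendData) -and -not ($_.Propagation -band $inheritOnly)
    })
    # (OI)(CI)(IO)M: Modify, inherit-only. An ACE stored with generic bits
    # (0xE0010000, shown by Get-Acl as -536805376) is also displayed as M by icacls.
    $hasM = [bool]($allow | Where-Object {
        ($_.Propagation -band $inheritOnly) -and (
            (($_.Rights -band $rights::Modify) -eq $rights::Modify) -or
            ([int]$_.Rights -eq -536805376))
    })

    # "Remove" is compliant only when no Allow ACE is left for the SID.
    $ok = if ($Expected -eq 'Remove') { $allow.Count -eq 0 } else { $hasAD -and $hasM }
    [pscustomobject]@{ Path = $Path; Expected = $Expected; Compliant = $ok; AllowAces = $allow }
}

Test-DriveRootState -Expected Remove
```

A result of Compliant = False after a "Remove" run lists the remaining ACEs in AllowAces. Rights held through other groups are outside this check.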


A log file is created in the CCMTune directory on C:, depending on the action taken:
  • CCMTRemoveRightsOnC.log for "Remove" action
  • CCMTAddRightsOnC.log for "Add" action
The log file stores the information below:
