Common System folder permissions

In the
Explorer
 configure permissions to control whether a user-computer pair can view and change:
  • Product and system policies.
  • Computer accounts and computer group accounts.
  • Networks and devices.
  • User accounts and user group accounts.
    To do this
    For this item
    Secure this action
    Prevent all access to the System folder and its contents
    System folder
    Read
    Denying
    Read
     access does
    not
     prevent users from reading tag values for devices in the Networks and Devices tree.
    Prevent users from modifying the properties of all items in the System folder
    System folder
    Write
    • Denying
      Write
      also prevents deleting user and group accounts if the accounts have group memberships associated with them. This is because group memberships are updated automatically when an account is deleted, and updating group memberships is controlled by the Write action.
    • Denying
      Write
       access does not prevent users from writing tag values to devices in the Networks and Devices tree.
    Prevent users from changing access to items in the System folder, but allow users to view and modify items in the System folder
    System folder
    Configure Security
    Allow users to see the System folder, but none of the folders within it
    System folder
    List Children
    Prevent users from deleting anything in the System folder
    System folder
    Delete
    Securing user and computer accounts
    Allow users to only view user and computer accounts, but prevent users from modifying or deleting them
    Computers and Groups;
    Users and Groups
    Allow
    Read
    , and
    List Children
    ;
    Deny
    Write
    ,
    Configure Security
    , and
    Delete
    Allow users to create or delete user and computer accounts, but prevent users from locking other users out of the System folder
    System folder
    Deny
    Configure Security
    ;
    Allow
    Read, Write, List Children
    , and
    Delete
    Securing policy settings
    Prevent users from viewing or changing policy settings
    Policies folder
    Read
    Allow users to view policy settings, but prevent users from changing policy settings
    Policies folder
    Allow
    Read
     and
    List Children
    ;
    Deny
    Write
    , and
    Delete
    Securing logical names for Networks and Devices
    Prevent users from viewing Networks and Devices
    Networks and Devices
    Read
    Allow users to view logical names but prevent users from modifying them
    Networks and Devices
    Allow
    Read
     and
    List Children
    ;
    Deny
    Write
Provide Feedback
Have questions or feedback about this documentation? Please submit your feedback here.
Normal