CACLS and Interactive User Account

I needed to create a command line script that could remove the local users access from sensitive log folder in Windows XP/7.  You can use a built in command "cacls" with many different switches to get the desired results.  However a word of caution when you do not use the /E "edit" switch.

I had tried to remove the local users account from the folder with command "cacls C:\<folder> /D users".  The /D switch is used to Deny a specified user access.  When I went back to look at the folder permissions, ALL of the other accounts had been removed.  The only thing on the folder was Deny all for Users.  Make sure and use the /E "edit ACL" switch so that all of the other account permissions are retained.

Also, after I removed the permissions for local users, I logged in as a test user and was still able to access the directory.  The reason was that there was another security account called "Interactive" that had read access.  This is a local system account and will apply to anyone logged into the system.  Removing the Interactive account achieved the desired results.

General Windows 7