I am an experienced system administrator (mostly on Unix, but also on Win XP).
I've recently upgraded from Windows XP to Windows 7. The data disk, where all of
the user project folders are stored is separate from the system disk, and untouched
by the upgrade.
I am the owner and administrator of the node. I enabled and logged into the
local Administrator account. When I navigate to and double click on any of the
hundreds of user project folders, I get:
You don't currently have permission to access this folder. Click continue to permanently
get access to this folder.
I click <continue> and get:
You have been denied permission to access this folder. To gain access to this folder, you will need to use the security tab.
I click on highlighted <security tab> and get the properties dialog box with
security tab selected. It does not show the tab contents, but says:
To continue, you must be an administrative user with permission to view this object's
security properties. Do you want to continue?
I *am* an administrator - why is it asking me this? I click <continue> and get the
Advanced Securities Settings popup with Owner tab selected. It says:
You do not have permission to view this object's security properties. To view its security properties, you can try taking ownership of the object.
I am administrator and cannot even view an object's security settings?? What if it's
a malicious object?
I cannot legitimately take ownership of another user's objects, or they will no longer
have access to them. Nor even if I did, would it be feasible to take ownership of ALL
data folders and files on the disk (Terabytes of them) in order to administer the machine. Nothing may be allowed to escape the inspection of Administrator. How do
I get read/write/execute/delete, etc. dominion over the objects? None of the users
are complaining, so I believe folders and data in them are intact. When I first
encountered the problem, I removed the disk and installed it on another test
machine still running XP, and saw that everything was still there, accessible, and just
as it was before the upgrade to Windows 7. While there, I ran a scandisk to check
for bad sectors, and chkdsk to check the integrity of the file system. No errors.
(It's NTFS 5.0, BTW). So I moved the disk back to the production machine.
In the control panel, under User Accounts, My Icon shows "Administrator" as my id,
and under that "Administrator" as account type, so I am indeed Administrator. When
I do "whoami" at a command prompt, it shows "my-pc\Administrator". I tried
"cacls D:\sdata" and it gives "Access is denied". Of course, I cannot <cd> to that
directory, either.
I tried the following run in a batch file as Administrator:
@echo off
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=system=f
@Echo =========================
@Echo Finished.
@Echo =========================
@pause
The problem persists. I cannot access any D: project data folders as administrator.
I conducted the following experiment. While on the XP test machine, I created a new user, "tester", logged in as tester, and created a folder "tester" with subfolders and
files under it on the data drive. On the Windows 7 machine, after moving the drive,
I cannot access the tester folder as administrator. I bring up the properties box for the folder. In the Advanced Securities Settings box, owner tab,
I clicked "Replace owner on subcontainers and objects". Under "Change Owner to",
I selected myself (Administrator) and then clicked <Ok>. I get:
You do not have permission to read the contents of directory D:\tester. Do you want
to replace the directory permissions with permissions granting you full control?
I click <yes>. I get two boxes:
Windows Security
Changing ownership of <blank line>
Error Applying Security
D:\tester Access is denied.
I click <continue> in the latter box. I get:
Windows Security
Unable to set new Owner on D:\tester. Access is denied.
I click <retry> and the box disappears. I'm back to the Owner tab in
Advanced Security Settings. I uncheck "Replace owner on subcontainers and
objects". I select Administrator again under "Change Owner to" and click <apply>. I get:
Windows Security
If you have just taken ownership of this object, you will need to close and
reopen this objects properties before you can view or change permissions.
I click <ok> in the box and close the properties box then reopen it, select Security Tab, click Advanced and select Owner tab. I am now the owner. I click <ok>. On the Security tab, I can now see the ACL and permissions lists and Administrator is not on it. Remember that a previous box asked me if I wanted to grant myself "full permissions" to this folder, and I clicked <yes>. Since I am not on the ACL, I have no permissions at
all. That's inconsistent. I click Edit, then Add, type in Administrator, and click <ok>. Now I'm on the ACL, select Administrator there, and check Full control in the permissions list, then click <apply>. I get two boxes:
Windows Security
Setting security on: < Blank line>
Error Applying Security
Access is denied.
I click <continue> in the latter box. There follow about 20 boxes in succession just like
the second one above (corresponding to the number of subfolders and files under "tester"), and I click <continue> in each. In the end, I own folder "tester" and have
full control permissions. I cd into it and attempt to cd into a subfolder and get
"Access is denied". I do not own any of the subfolders, and cannot view any of their
security properties. I am starting over again, with each object below "Tester". I
give up. Too much work. No administrator could afford this kind of time on the
problem.
Then, I set ownership of the "tester" folder back to user
"tester", but user tester was not able to access the files (same problem as administrator had before). As Administrator,
I had to laboriously take ownership of each subfolder and subfile under "tester", add myself to the ACL, grant myself full permissions, then delete
it and finally delete the "tester" folder itself. Then I restored the tester folder from backup, and user tester was able to access his files in that folder.
I have been a system administrator a lot of years, and never seen anything like this
foul-up. What in the hell is going on? How do I get dominion over this disk as
administrator? It has to be simple. It has to be something I can do within seconds.
It cannot require taking ownership of anything... administrator isn't a permanent login
account; it can't really own anything.
Stuart
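
The take-ownership-then-grant sequence the post walks through in the GUI, done recursively from the command line, as an added example that is not part of the original post. It assumes an elevated command prompt and the D:\tester folder from the post; the backup file name is hypothetical. Unlike the batch file in the post, which covers the registry, %SystemDrive% and %windir%, it targets the data drive.

```batch
@echo off
rem Added example, not from the original post. Run from an elevated prompt.
rem TARGET and ACLSAVE are assumptions: the test folder named in the post
rem and a hypothetical file that receives a backup of the existing ACLs.
set "TARGET=D:\tester"
set "ACLSAVE=%TEMP%\tester-acls.txt"

rem 1. Make the Administrators group owner of the whole tree.
rem    /A = the group rather than the current user, /R = recurse,
rem    /D Y = answer "yes" where folder contents cannot be listed
rem    (the answer letter depends on the Windows display language).
takeown /F "%TARGET%" /A /R /D Y >nul
if errorlevel 1 (
    echo takeown failed on %TARGET%
    exit /b 1
)

rem 2. An object's owner is implicitly allowed to read its ACL, so save
rem    the existing ACLs before changing anything.
rem    /T = recurse, /C = continue past errors.
icacls "%TARGET%" /save "%ACLSAVE%" /T /C >nul

rem 3. Add an inheritable Full control entry for Administrators.
rem    *S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
rem    /grant without :r adds an entry; existing entries are kept.
icacls "%TARGET%" /grant *S-1-5-32-544:(OI)(CI)F /T /C /Q
if errorlevel 1 echo icacls reported failures on some objects

rem 4. Show the resulting ACLs on the folder and its direct children.
icacls "%TARGET%"
icacls "%TARGET%\*"
```

The file written by `icacls /save` can be fed back with `icacls /restore`, and `icacls /setowner` can hand ownership back to the original account afterwards.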