Windows 7 Administrator gets access denied on folder access, must take ownership??:

sbalfour

New Member
I am an experienced system administrator (mostly on Unix, but also on Win XP).

I've recently upgraded from Windows XP to Windows 7. The data disk, where all of
the user project folders are stored is separate from the system disk, and untouched
by the upgrade.

I am the owner and administrator of the node. I enabled and logged into the
local Administrator account. When I navigate to and double click on any of the
hundreds of user project folders, I get:

You don't currently have permission to access this folder. Click continue to permanently
get access to this folder.

I click <continue> and get:

You have been denied permission to access this folder. To gain access to this folder, you will need to use the security tab.

I click on highlighted <security tab> and get the properties dialog box with
security tab selected. It does not show the tab contents, but says:

To continue, you must be an administrative user with permission to view this object's
security properties. Do you want to continue?

I *am* an administrator - why is it asking me this? I click <continue> and get the
Advanced Securities Settings popup with Owner tab selected. It says:

You do not have permission to view this object's security properties. To view its security properties, you can try taking ownership of the object.

I am administrator and cannot even view an object's security settings?? What if it's
a malicious object?
I cannot legitimately take ownership of another user's objects, or they will no longer
have access to them. Nor even if I did, would it be feasable to take ownership of ALL
data folders and files on the disk (Terabytes of them) in order to administer the machine. Nothing may be allowed to escape the inspection of Administrator. How do
I get read/write/execute/delete, etc dominion over the objects? None of the users
are complaining, so I believe folders and data in them are intact. When I first
encountered the problem, I removed the disk and installed it on another test
machine still running XP, and saw that everything was still there, accessible, and just
as it was before the upgrade to windows 7. While there, I ran a scandisk to check
for bad sectors, and chkdsk to check the integrity of the file system. No errors.
(It's NTFS 5.0, BTW). So I moved the disk back to the production machine.

In the control panel, under User Accounts, My Icon shows "Administrator" as my id,
and under that "Administrator" as account type, so I am indeed Administrator. When
I do "whoami" at a command prompt, it shows "my-pc\Administrator". I tried
"cacls D:\sdata" and it gives "Access is denied". Of course, I cannot <cd> to that
directory, either.

I tried the following run in a batch file as Administrator:

@echo off
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=system=f
@Echo =========================
@Echo Finished.
@Echo =========================
@pause

The problem persists. I cannot access any D: project data folders as administrator.

I conducted the following experiment. While on the XP test machine, I created a new user, "tester", logged in as tester, and created a folder "tester" with subfolders and
files under it on the data drive. On the Windows 7 machine, after moving the drive,
I cannot access the tester folder as administrator. I bring up the properties box for the folder. In the Advanced Securities Settings box, owner tab,
I clicked "Replace owner on subcontainers and objects". Under "Change Owner to",
I selected myself (Administrator) and then clicked <Ok>. I get:

You do not have permission to read the contents of directory D:\tester. Do you want
to replace the directory permissions with permissions granting you full control?

I click <yes>. I get two boxes:

Windows Security
Changing ownership of <blank line>

Error Applying Security
D:\tester Access is denied.

I click <continue> in the latter box. I get:

Windows Security
Unable to set new Owner on D:\tester. Access is denied.

I click <retry> and the box disappears. I'm back to the Owner tab in
Advanced Security Settings. I uncheck "Replace owner on subcontainers and
objects". I select Administrator again under "Change Owner to" and click <apply>. I get:

Windows Security
If you have just taken ownership of this object, you will need to close and
reopen this objects properties before you can view or change permissions.

I click <ok> in the box and close the properties box then reopen it, select Security Tab, click Advanced and select Owner tab. I am now the owner. I click <ok>. On the Security tab, I can now see the ACL and permissions lists and Administrator is not on it. Remember that a previous box asked me if I wanted to grant myself "full permissions" to this folder, and I clicked <yes>. Since I am not on the ACL, I have no permissions at
all. That's inconsistent. I click Edit, then Add, type in Administrator, and click <ok>. Now I'm on the ACL, select Administrator there, and check Full control in the permissions list, then click <apply>. I get two boxes:

Windows Security
Setting security on: < Blank line>

Error Applying Security
Access is denied.

I click <continue> in the latter box. There follow about 20 boxes in succession just like
the second one above (corresponding to the number of subfolders and files under "tester"), and I click <continue> in each. In the end, I own folder "tester" and have
full control permissions. I cd into it and attempt to cd into a subfolder and get
"Access is denied". I do not own any of the subfolders, and cannot view any of their
security properties. I am starting over again, with each object below "Tester". I
give up. Too much work. No administrator could afford this kind of time on the
problem.

Then, I set ownership of the "tester" folder back to user
"tester", but user tester was not able to access the files (same problem as administrator had before). As Administrator,
I had to laboriously take ownership of each subfolder and subfile under "tester", add myself to the ACL, grant myself full permissions, then delete
it and finally delete the "tester" folder itself. Then I restored the tester folder from backup, and user tester was able to access his files in that folder.

I have been a system administrator a lot of years, and never seen anything like this
foul-up. What in the hell is going on? How do I get dominion over this disk as
administrator? It has to be simple. It has to be something I can do within seconds.
It cannot require taking ownership of anything... administrator isn't a permanent login
account; it can't really own anything.

Stuart
 

That blog post is similar to others I have read. Of course, I know the standard procedure for taking ownership and adding permissions to files and
folders - I do it routinely. This problem is deeper than you are digging. I have 3TB of data and hundreds of folders belonging to projects, i.e.
users inherited from an XP upgrade. I cannot legitimately take ownership of any of them, or the user whose folder it is will not be able to
access it. What I need is a non-disruptive way of restoring default administrator/SYSTEM access to these folders.

When I bring up the properties dialog, security tab, it will not show me the security settings - no permissions to view the security settings. Under
advanced->owner tab, it says "current owner cannot be displayed". I do not even have permission to see the folder owner's name! On WinXP,
the folder quite definitely has an owner, and I could see his userid there. So, even assuming I take ownership of a folder temporarily, to add administrator access permissions, since I do not know who the real owners was, how can I restore ownership afterward to him/her? If the
folder was in use when I do that, user processes may fault, and/or user data get corrupted. It's just not appropriate for Administrator to
take ownership of legitimate user objects. "Administrator" isn't a permanent logon, anyway - I only enabled it because my Protected
Administrator account couldn't access the folders.

Since my original post, I've tried bringing up a command window running in the LOCAL SYSTEM context (i.e. my userid is NT Authority\SYSTEM)
and tried to access the folders from there, but even SYSTEM gets "Access denied". Absolutely astonishing! (I'm not going to detail in a public
forum how to get such a command window - if you're an experienced system administrator, you've probably already figured it out. If you aren't
such a person, you shouldn't be doing it.)

What I think has happened here is that the CLSIDs associated with the folders inherited from XP, including those for SYSTEM, Administrator,
Administrators group, and even EVERYONE are different than the CLSIDs for those objects under Windows 7. So all of the security descriptors
granting access though the associated ACLs are invalid. Since I can't get access to the folders to read the descriptors, I can't validate my conjecture.

The Windows security system is ACL based - there's no access to anything except through a permission granted by membership on the ACL.
We are so used to Windows (Vista & later) default permissions on operating system created objects which invariably include SYSTEM and
Administrator access to the objects, that we're completely lost when those defaults somehow aren't set. It's emphatically true that Owner
can lock out Administrator, and even the operating system (SYSTEM) itself! It's even weirder when the objects aren't registered, i.e. have
no entries in the registry, because they weren't created on the running operating system. So running a script to restore default access to
all system objects via the registry (which is what I did) has no effect on folders inherited from elsewhere. This happens all the time, actually,
when you attach an external device which mounts a file system on Windows 7, like a flash drive. An object without a footprint in the registry
is kind of an orphan. But if it's on an NTFS file system, access is via the NTFS API and the only permissions are those found in the security
descriptors' ACLs.

Administrators have various privileges which interact with ACL permissions, like the SeTakeOwnership privilege which overrides the ACL Take Ownership permission setting. There is no privilege for Read/Write Attributes which would allow Administrator to directly modify ACL's. The
"hole" here is that Take Ownership is a 'destructive' action - it denies to the user rights which he had before, and no longer has. A priviliege
which allows Administrator to modify ACLs to add Administrator access is a 'preserving' action, nothing is taken away. No such privilege
exists, and therein is my problem.

It appears that data exchange between XP/Win2K3 and older OS's with Win7 via NTFS will be difficult because of this problem. Simultaneous,
sequential or interactive exchange of data between a running XP and Win7 will be impossible, because the CLSIDs are inconsistent between
installed OS's. It gets worse, though, because the following also happened to me on Win7: I did a Custom install of Win7, created a user
account <stuart>, installed my apps, ran them to produce data, which got stored on my separate data disk. Win7 crashed overnight,
and could not be rebooted or repaired from the install disk console. I had to format the disk (in case the file system, MBR or someting else
got corrupted) and re-install Win7. I re-created my account <stuart>, and attempted to access my previously generated data. I got
"Access Denied". Administrator also got "Access Denied". Yes, it's that bad. It could be made to work, if I edited the registry to manually
create the CLSID of the old <stuart> account, and manually create and insert the appropriate keys to set up a valid account <stuart> with
that CLSID. That requires improbably precise bit-twiddling, perfect keypunching, and knowledge of the registry internals not found in the
public domain (the data format and encryption of security descriptors, for example).

Consider this: on Unix, we have a passwd file (human readable text file) with a one-line entry for each name (userid) which associates a unique
number
(usually 4 digits) with the ersatz name, which is used in the creation of all objects and processes. That number is the "owner" . The passwd file
can be copied to each machine and/or installation so users will have the same number on each, and the same access to their files and processes.
There's no simple way to do that on Windows, via the registry. The registry keys have different names and formats from XP (Win98, Win2K,
etc) to Windows 7. The translation would have to be manual. And what about the encryption keys for privilege descriptors? I would say the
process is impossible. Domains and networked machines have distributed methods of sharing accounts, but I only have two independent
machines with vastly different versions of Windows (and two independent serial installations of Win7, as above). Anyone upgrading from an
XP machine to Win7 will have this problem, because XP cannot be upgraded in place from WinXP, and all re-created user and administrator accounts will have different CLSIDs on Win7. Microsoft, are you listening?

Stuart
 
I am not a system admin and have no experience with such things, but I thought I would bring some things up just for the heck of it, so actual responses are not required.

Does the XP machine have some type of encryption or special permission for those folders?

Can you connect to the XP machine and open the folders that way?

Have you tried copying the folders to another location on the Win 7 partition to see if you can open them?

In system properties, have you or do you need to use the Network ID button to set up your Win 7 machine for your domain?

Has Win 7 indexed the folders on that partition?

When you take ownership of the drive, are you using your user or just Administrator?

I don't suppose there is anything in the gpedit.msc that could help?

You may have answered some or all of these earlier, but since I did not understand most of what you were referring to, I did not read your entire posts.
 
Hello,

To over come security issue the first step i would recommend would to disable UAC until to gain access. Then from your post I'm assuming you are logged in under build-in administrator. If you can't even Take Ownership seems like the security itself is messed up.

Start | CMD | Right Click and run as administrator | secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose this will reset the default security resetting

http://support.microsoft.com/kb/313222

Good Luck,
Captain
 
Besides:

From Win7 on there are areas you no longer can access even being an admin - the admin no longer is the highest instance.. the system is!

Just one example for limited admin rights - ever tried to create write access for *Everyone* in the users subfolder area - no such luck! you have to move those folders out of the user area to be able to grant write access for Everyone. The security arena of 7 is somewhat fishy and maybe cleaned up with SP1.
 
Yes... and the other three Windows 7 macines and two XP machines do as well... which is why I am looking for help with the one machine that has this problem...
 
well, all I can suggest is a repair install from CD and see if that fixes your problem (restore admin rights)

if not wipe the box and clean install will certainly fix it - your problem sounds odd!
 
Actually can I correct this. If you take ownership all you are doing is saying that you can now access it because you have added your user name to the list of allowed users. Taking ownership will not affect other users. I know as I have taken ownership of my mothers account folder. Yet she can still access this folder. This is evidence to back up what is said above.
 
I have experienced this on several occasions. You are probably aware that, up to Vista, you were what is known as the "global" Administrator, by default. Since then, although it deceptively say you are the Administrator, this is only of you own machine. You can try opening the global administrator account, you probably know how to do that, and seeing if that will be successful. But, in my case, it was that , even as a Global Administrator on my new installation, I could not access certain information/files, on the alternative machine or partition, as it did not recognise me as being authorised on that OS.. The only way which was successful for me was to return to the original OS and totally free those files of all security, and transfer them to another area accessible to the new installation
 
Back
Top