How do I... Regain access to a file Windows Vista has mistakenly denied?


This blog entry is also available as a TechRepublic download.

Information technology in general and computer operating systems in particular can often be frustrating. In many cases, the most annoyingly frustrating thing is that you are never given a reason why something does not work -- all you know is that it doesn't. Microsoft Windows Vista is not immune to these annoying glitches. For reasons too many and too varied to name, Windows Vista may deny you access to certain files and folders. However, with a few clicks of the mouse you can reinstate your permissions to that file or folder. This TechRepublic How do I... shows you how it is done.

Frustration sets in

Here is an example of the frustration. I have permission to access the My Music folder, but I do not have permission to access the shortcut to the Music folder highlighted in Figure A.

Figure A

I want access to that shortcut

To re-establish access to the shortcut, or by extension any folder or file, you right-click the file or folder in question (My Music in this case) and click the Properties link in the menu. You will need to have administrator access for this to work. From that dialog box, click the Security tab. (Figure B)

Figure B

Security tab of Properties

Now, you might think you can click the Edit button from here to get what you need, but you'd be incorrect. You first must click the Advanced tab to get to the proper administrative level where you can change permissions. As Figure C reveals, for some reason, looking under the Effective Permission tab, this shortcut has no permissions assigned to it.

Figure C

Where are my permissions?

Relieving frustration

Click on the Permissions tab of the Advanced Security Settings screen (Figure D) and then click the name Everyone in the Permission entries section of the screen.

Figure D

Permissions tab -- now we are getting somewhere

Now you get to the Permissions screen for the My Music shortcut. (Figure E) From here, when you click the Edit button, you get the actual permissions objects you can modify. (Figure F) Note that the only object checked is in the Deny column.

Figure E

Permissions tab screen

Figure F

Permission objects

Change the permission settings to your preference (Figure G) and then click OK four times to close all of the windows. Now, when I click the My Music shortcut, I have permission and it opens up the file folder as it was supposed to all along. This technique should work on any file or folder assuming you are running in administrator mode.

Figure G

Full control
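
The same change can be made from an elevated Windows PowerShell prompt, with two checks the dialogs do not prompt for: whether the object is a reparse point, and which Deny entries it carries. This is an added example, not part of the original article; the function names and the sample path are hypothetical, and it grants the right to the current account rather than to Everyone.

```powershell
# Added example, not from the article. Assumes Windows PowerShell run elevated.
function Get-AclDiagnosis {
    param([Parameter(Mandatory = $true)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force     # -Force also returns hidden/system items
    $acl  = Get-Acl -Path $Path
    [pscustomobject]@{
        Path           = $item.FullName
        # Junctions and symbolic links both carry the ReparsePoint attribute
        IsReparsePoint = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
        Owner          = $acl.Owner
        DenyEntries    = @($acl.Access |
                           Where-Object { $_.AccessControlType -eq 'Deny' } |
                           Select-Object IdentityReference, FileSystemRights, IsInherited)
    }
}

function Grant-CurrentUserAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $before = Get-AclDiagnosis -Path $Path
    if ($before.IsReparsePoint) {
        # Leave the ACL of a redirect alone; report what was found and stop
        Write-Warning "$Path is a reparse point (junction or link); its ACL was not changed."
        return $before
    }
    $item = Get-Item -LiteralPath $Path -Force
    # Folders: the entry is inherited by subfolders and files that have inheritance enabled.
    # Files: inheritance flags are not allowed on a file's ACL.
    $inherit = if ($item.PSIsContainer) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $user, $Rights, $inherit, 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Any Deny entry still listed here takes precedence over the new Allow entry
    Get-AclDiagnosis -Path $Path
}

# Hypothetical path: inspect first, then grant only if the result looks right
$target = Join-Path $env:USERPROFILE 'Music'
Get-AclDiagnosis -Path $target | Format-List
# Grant-CurrentUserAccess -Path $target -Rights Modify
```

On a folder, the inheritable entry added here is what carries the permission down to the files and folders below it.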

About

Mark Kaelin is a CBS Interactive Senior Editor for TechRepublic. He is the host for the Microsoft Windows and Office blog, the Google in the Enterprise blog, the Five Apps blog and the Big Data Analytics blog.

17 comments
alexj.klein

And when you get this in the 'Owner' tab "Unable to display current owner." or this in the 'Permissions' tab "You do not have permission to view or edit this object's permission settings" this only happens on one file and for the rest in that folder, I can view and change the permissions. Odd?

john

I've been a victim of this too, and it has to be a bug in Vista. Example: I always move my outlook PST to a "Data" drive - on copying and pasting it to the new drive I was then unable to open it from Outlook - access denied. However I have access to other PSTs in the same folder, and I WAS able to rename it in Explorer. Checking permissions on the moved PST, Vista claims Administrators have Full Control. I AM an administrator... "it's illogical Captain..." Effective permissions for the Everyone group are indeed none, but I really don't want to change permissions for Everyone when I'm the only one who needs access. It was easier to create a new PST and import from a backup than wrestle with this, but the removal of permissions has happened several times on various files, so I am really hoping Redmond can deliver a patch to sort this out.

snodger

I have no experience of Vista, but it looks as if the procedure you describe is identical to that required for editing permissions in XP. Your description is essentially correct, but your comment that "for some reason, looking under the Effective Permission tab, this shortcut has no permissions assigned to it" needs some clarification. Since no Group or User is entered, no permissions are shown. If you returned to this screen after you gave Everyone full control, the screen would still show no permissions granted. Read the sentence at the top of the screen. You must click on the 'Select' button and enter a Group or User name in the box before any 'Effective Permissions' are displayed.

rignatius

I appreciate the write up, and I actually had to struggle through to find these steps just the other day. However, I was not able to set the permissions on a high-level folder, and have them propagate down to every file and folder below. Can you document how to do that as well? Thanks

Chug

I've had this happen too, created a file somewhere and then couldn't edit it or delete it. Regarding your comment that it gives Admins full control and you are an admin, BUT, do you have UAC turned on? If so, you're not considered an Admin at that moment and that's why you don't have rights. Your own ID would need to have specific rights assigned to be accessible with UAC turned on even if that ID is an Admin. Regarding the original blog's idea to assign the full rights to the Everyone object, I don't know that I'd do that. That's certainly the easy way out but it's not secure. Instead I'd assign the rights to the specific ID you use to log into Windows. I'd only use Everyone if it's something you genuinely want anybody and everybody who could log into that computer to be able to access.

Mark W. Kaelin

I should have been slightly more specific - what I was trying to convey is the fact that I could not open that shortcut because I did not have permission. I was, and still am, unsure why I would not have permission to open that shortcut since I am the one who created it in the first place. For some reason, I had to use this procedure to give myself permission to open it.

john

Many thanks Chug - I did suspect something like UAC interfering but there's no indication of it anywhere... Anyway I've assigned my (Admin/non-Admin) user Full Control on all my drive's roots and hopefully won't experience this any more... if this is deliberate from M$ it's a mad idea IMHO... Can you expand on when/what other situations Admin users lose their Admin group status and become mere mortals, or point to a web resource? What with the nagging every time I open MMC, install pgms, etc and now this, I'm sooo tempted to turn UAC off... Respect, john

Lantoc

Were you the one who created the shortcut? Or was it the one Microsoft put there by default? I can't quite tell from the picture, but it looks like it was a hidden file. The "protected operating system file" that was there from the moment the account was created. I may be wrong here, please correct me if I am, but it appears to be a junction point. Most likely placed there to redirect older applications that try to save something to "…\{username}\My Documents\My Music\" to the new location "…\{username}\Music\" in order to maintain compatibility. I seem to remember reading something about these junction points, though I don't recall where. If it is that, I can see why Microsoft would have both hidden it and restricted the permissions. I would guess it was to prevent one from deleting/changing them and removing the redirect.

Chug

To John's message about UAC sometimes not prompting for elevation... I've seen that too that sometimes UAC just denies actions without ever prompting. I don't know why it does that and it can be annoying. Still though, I go back to what I said in my previous post. If you're going to grant yourself full rights to the root of your drives then you might as well just turn UAC off entirely. Turning UAC off will return you to the model used in 2000 and XP. Regarding your comment about issues with network resources, there are a couple things here. Per the other message I just posted about UAC changing accounts, search for an MS knowledgebase article about network drives with UAC turned on and see if that may be part of your issue. Making the registry entry may resolve that. The other fact is, UAC only operates on the local PC. If your account doesn't have rights to other network locations UAC is not going to be able to override that. You have to go fix the permissions on the host system. If UAC could override file system rights on remote PC's or servers, it would make those file system rights useless. Just because you're an Administrator on your own local PC doesn't automatically give you full Admin rights to every other resource out on the network.

Chug

To wyattharris' reply about whether UAC is actually changing accounts or not... It depends. If the account you're logged in as is a member of the local Administrators group, you are correct, UAC does not change accounts. It does change security tokens and this can sometimes cause issues. I ran into one myself. If you have mapped network drives, then when it switches to the admin security token, that security token may not have already authenticated to the network resources and you could get prompted for authentication again. There is a MS knowledgebase article on this (sorry, don't have the specific article number handy but I found it by searching so you should be able to too) and this article mentions a registry setting you can make to force Vista to pass any network resource authentications from the "user" token to the "admin" token. Now, if the account you're logged in to Vista as is NOT a member of Administrators, it's a whole different story. As I mentioned in my previous message, in this case when UAC prompts for elevation the user must provide the authentication credentials for an Admin account, and then I believe (but I'm not 100% sure) that Vista DOES switch to the Admin account temporarily. But this is still much easier than having to completely log out as the user and log back in as the Admin, then back out and back in as the user again.

john

Thank you Chug for that explanation. One further point of annoyance with this though is that Vista does NOT just give you a Prompt to elevate your privileges. In fact the final straw for me, and why I granted myself full rights to all roots (which of course is what Admins always had pre-Vista anyway) was that many operations are simply denied, with a message such as "You do not have rights to access this resource". There is no option to authorise on the spot - it requires a log off/on, or a visit to the location and change of permissions then a retry of the operation. This particularly seems to happen with copies across network locations. If it was just clicking a confirmation prompt I could live with it but it can be much more time-consuming.

wyattharris

So to clarify. When your rights are elevated you are not actually changing accounts (ala Linux/Root) you are simply being given the rights you already had but are initially restricted from. Does this sound correct? I was initially thinking that ownership was changing to a new user if you elevate your account and therefore don't have rights under your normal account but if the user is actually not changing then this is likely not it. Additionally, this scenario in general sounds like a nightmare for a non-tech person and like plenty of work for the help desk person trying to explain it. A good follow up article might be some of the many causes of rights being lost/changed mysteriously. Provided someone actually knows why it's happening.

Chug

First, this 2 token and switching token thing only applies if your account is an Administrator, and if you have UAC turned on. In that situation you by default operate under the user-only token. When UAC detects that you're doing something that requires full Admin privileges it prompts you for confirmation and then switches tokens to the full Admin token. What you describe is perfectly explainable under UAC. You moved your User directory to a location that your own user account did not explicitly have rights to. With UAC on since you're still considered a "user" by default you didn't have rights to that directory even though you are an Admin. Just granting full file system rights for the directory you moved your User directory to directly to your user account will resolve that. It let you change the rights EXACTLY because you answered "yes" to the UAC prompt. That's what UAC does. It detected that assigning rights is an admin thing and it prompted for confirmation. When you said yes it switched to the Admin token and let you do it. It may seem silly to have to respond to such a prompt, but it's not just about your user interactive session. Suppose some piece of mal-ware were trying to change permissions programmatically behind the scenes. UAC would stop it. You'd see the UAC prompt appear all of a sudden when you had no idea why, and presumably you'd answer NO since you, as an experienced tech, would know it was not something you initiated. I saw in your previous post that you granted your account full file system rights to the roots of all of your drives. I don't recommend that. Yes, by all means grant your own account the full rights to your new User directory location, but if you're going to assign full rights to the entire drive you might as well just disable UAC. If you disable UAC then you will have full admin rights across the board if your account is a member of the Administrators group (just like in 2000 and XP).
What UAC does is give even Admin accounts a bit of protection by running under standard user rights most of the time but allowing the user to easily elevate to full admin privileges by just having to click "yes" to a prompt. Compared to having to completely log out of a "user" account and log back in as an "admin" account, just clicking a confirmation prompt is a whole lot easier. If you're still bothered by that, then you should just turn UAC off. Note, if an account is a true "user" only account (i.e., not a member of the Administrators group), the UAC does not automatically grant them Admin privileges by just clicking "yes". When a standard "user" gets a UAC prompt they are required to provide the user ID and password of an Administrator account to elevate. Or you can turn UAC off for a standard user and then any Admin activities are just outright denied like they were for standard users on 2000 and XP.
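
A read-only check of the two-token behaviour described above, added here as an example and not part of the original comment: it reports whether the current process holds the filtered token and whether the refused path grants access to the account itself or only through the Administrators group. The function name is hypothetical; the SIDs are the well-known values for BUILTIN\Administrators (S-1-5-32-544) and the mandatory integrity labels (S-1-16-...).

```powershell
# Added example; changes nothing. $Path is whatever file or folder is being refused.
function Get-TokenAccessReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    # False under the filtered (standard-user) token, even for a member of Administrators
    $elevated  = $principal.IsInRole(
                     [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists the group in both tokens; in the filtered one it is deny-only
    $groups        = whoami /groups /fo csv /nh
    $isAdminMember = [bool]($groups | Select-String -SimpleMatch 'S-1-5-32-544')
    # S-1-16-8192 = medium integrity, S-1-16-12288 = high integrity (elevated)
    $m         = $groups | Select-String 'S-1-16-\d+' | Select-Object -First 1
    $integrity = if ($m) { $m.Matches[0].Value } else { $null }

    # Read the Allow entries as SIDs so the comparison does not depend on display names
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $allow   = @((Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
                 Where-Object { $_.AccessControlType -eq 'Allow' })
    $sids    = @($allow | ForEach-Object { $_.IdentityReference.Value })

    [pscustomobject]@{
        Elevated               = $elevated
        FilteredAdminToken     = ($isAdminMember -and -not $elevated)
        IntegritySid           = $integrity
        AllowForAdministrators = ($sids -contains 'S-1-5-32-544')
        AllowForThisAccount    = ($sids -contains $id.User.Value)
    }
}

# Hypothetical path for illustration
Get-TokenAccessReport -Path 'D:\Data\archive.pst' | Format-List
```

When FilteredAdminToken and AllowForAdministrators are both true and AllowForThisAccount is false, the Administrators entry cannot be used until the process is elevated, so access then depends on whatever other groups the ACL names.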

ZT3000

A few comments and a couple links (in brackets):

>Making me confirm an action does not necessarily make an OS more secure. And what's the logical extension of this approach? A message asking you to confirm if you're really sure? And then one asking if you are you really really REALLY sure?

[As you well know in the past, requiring a user to "confirm" an action has been implemented principally to give users a second chance to back out (or rethink) a potentially damaging action. It was not initially intended to be formal part of the OS security hierarchy, but people sometimes do regard it as a security feature or rather ...as an annoyance issue. You are right, though, simply confirming an action does not "necessarily" make an OS more secure, as in, "Is XP more secure because the trash bin prompts you a second time?" Even so, it's likely some people would argue the issue.]

[In Vista's case, the OS is more secure by design and "elevated rights prompting" is an "effect" of the "cause" of increased security, of which one part is the Standard User Account, the UAC and another the newly implemented integrity levels.]

>Or how about giving Admin users 100 different tokens when they log on and then choosing which to invoke depending on the task being attempted?

[Giving an Admin 100 different tokens depending on the task invoked would substantially increase directory/file attributes and put an unnecessary and undue strain on internal OS housekeeping. As a tech, I can feel that headache coming from afar.]

>This might be good as a memory-jogger for students but for those of us with many years live experience it's a pain - we don't take unnecessary risks in the first place.

[My consulting experience has unfortunately seen plenty of "unnecessary risk" being taken by otherwise competent techs/admins. I'll leave it at that.]

>What I described is a ludicrous situation -

[Admittedly.]

>As an Admin user I moved a file from a default location to my (admittedly relocated) User folder. Vista then decided I could no longer access it normally. Instead I had to change permissions on my own file to access it.

[Was the "relocated" User folder on the same drive/computer? Could the relocated file have taken propagated security rights based on the destination parent folder/drive?]

>And did Vista prevent me from changing the permissions on the file it decided I wasn't authorised to access? NO, it let me do it. Why?

[Because you, as an Admin, had an integrity level that allowed rights to access/change file/folder ACL permissions, whereas a lesser integrity level user or process would be denied access. The new Vista OS Integrity levels (ACE) are not the same as file/folder permissions (DACL), but they are automatically consulted prior to the access control list.]

>Under what circumstances does Vista decide to "remove" Admin authority from Admin users? Please post a full explanation or link to a resource?

[Integrity levels and file/folder permissions:]

[Microsoft Big read] http://msdn2.microsoft.com/en-us/library/bb625964.aspx

[Mark Minasi column] http://www.windowsitpro.com/Windows/Article/ArticleID/95973/95973.html http://www.windowsitpro.com/Articles/ArticleID/96306/96306.html

john

Some points:

- Making me confirm an action does not necessarily make an OS more secure. And what's the logical extension of this approach? A message asking you to confirm if you're really sure? And then one asking if you are you really really REALLY sure? Or how about giving Admin users 100 different tokens when they log on and then choosing which to invoke depending on the task being attempted?
- This might be good as a memory-jogger for students but for those of us with many years live experience it's a pain - we don't take unnecessary risks in the first place. And when you get into the workplace you'll be responsible for your productivity, & things that slow you down will annoy you too.
- If you give a user Admin rights you should give them responsibility for their actions and trust their knowledge. If you aren't really really really sure then you should not be given Admin rights.
- What I described is a ludicrous situation - As an Admin user I moved a file from a default location to my (admittedly relocated) User folder. Vista then decided I could no longer access it normally. Instead I had to change permissions on my own file to access it. And did Vista prevent me from changing the permissions on the file it decided I wasn't authorised to access? NO, it let me do it. Why? Because I WAS deemed an Admin at that point? Or because I said "Yes" to a confirmation message? Durrrrr Vista, that's really secure... NOT.
- I'm all for increasing security and stability, and taking good ideas from other OS's. This obviously is not implemented well - you are right about that!
- I don't need Prozac thanks, but what would be good is an answer to my question: Under what circumstances does Vista decide to "remove" Admin authority from Admin users? Please post a full explanation or link to a resource?

Cheers

Fil0403

In Windows XP, when you'd log in with an admin account, you'd be given an admin token only and that token would be used for everything you'd do. In Vista, when you log in to an admin account, you're given 2 different tokens, one admin, the other regular and the admin one is only used when needed, thus increasing overall security. I have to say I find it quite curious how some people have to have Prozac just because they need to click "Yes" every now and then, Mac and Linux users do that for years and I've never seen anyone complaining (on the opposite); I guess, as usual, when something good in other OSs is implemented in Windows, it turns terrible, useless and annoying.