NIM Posted January 16, 2007

This is becoming a very common question as people move to Windows Vista. You have an external or extra hard drive formatted under Windows XP. In Windows XP you were running as a member of the Built-in Administrators Group, and you could write to it just fine. In Vista, you are also a member of the Built-in Administrators group, but now you can't write to it.

The reason is permissions, but the reason they become a problem is because of User Account Control (UAC). If you run whoami /all /FO list on Vista you get a printout of your token. It will have a few lines that look like this:

    Group Name: BUILTIN\Administrators
    Type:       Alias
    SID:
    Attributes: Group used for deny only

You are a member of Administrators, but your security token does not actually have the Administrators group in it in the normal way. UAC marks that group as a "deny" which means it is never used to grant permissions, only to allow them. If you now look at the Access Control List (ACL i.e. the permissions) for the drive:

    C:\Users\foo>icacls d:\
    d:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        BUILTIN\Users:(OI)(CI)(RX)

The parts causing you trouble are the last two lines. The second line grants Administrators full control. You are an administrator, but because you are running under a non-elevated token, you do not have Administrators in your token, so that membership doesn't help you. The second line grants users read. You are also a member of users. Thus, when running in admin approval mode under UAC, your total rights to this drive is read.

To fix this, you need to grant Users modify privileges to the drive. Really simple to do. Option one:

1. Right-click the drive letter in Explorer and select properties
2. Click the security tab
3. Click "Edit." You will be asked to elevate. Remember, until you do you are still in admin approval mode and for all practical purposes you are not an admin
4. Select "Users" and check the Modify box
5. Click OK enough times to get back to where you were.

The other option is to do it from an elevated command line.

1. Click the Window circle
2. Click All Programs: Accessories
3. Right-click on Command Prompt and select "Run as administrator"
4. Elevate
5. Run this command:

    icacls d:\ /grant BUILTIN\Users:(OI)(CI)(M)

Substitute whatever drive letter your external drive is mapped to for d:\. OI means "let objects (files) inherit this ACE". CI means "let containers (directories) inherit this ACE". M means "modify". An ACE is an Access Control List Entry, in other words, the entries in the ACL that grants or denies someone permission to the object.

Once you do this regular users will be able to read and write to the drive. As long as you have not broken inheritance somewhere along the directory hierarchy of the drive you will not need to modify any more ACLs on this whole drive. If you want an ACL that mirrors the default ACL in Windows Vista, that turns out to be a bit more complicated. I'll address that another time.

Jesper's Blog
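Added example (not part of the original post): a simplified Python model of the access check described above, run against the icacls listing quoted in the post. The rights sets, the token dictionaries and the function names are assumptions made for illustration, and ACE ordering is ignored.

```python
import re

# Simplified rights sets for the icacls letters that appear in the post.
_M = {"read", "execute", "write", "delete"}
RIGHTS = {"R": {"read"}, "RX": {"read", "execute"}, "W": {"write"},
          "M": _M, "F": _M | {"change_acl", "take_ownership"}}

# Constructed sample: the icacls listing quoted in the post.
ICACLS_OUTPUT = r"""d:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)"""

# Hypothetical token models: group -> "enabled" or "deny_only".
FILTERED = {"BUILTIN\\Administrators": "deny_only", "BUILTIN\\Users": "enabled"}
ELEVATED = {"BUILTIN\\Administrators": "enabled", "BUILTIN\\Users": "enabled"}

def parse_acl(text, path="d:\\"):
    """Return [(trustee, is_deny, rights)] from icacls-style output."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path + " "):      # first line carries the path
            line = line[len(path):].strip()
        m = re.match(r"(.+?):((?:\([A-Z,]+\))+)$", line)
        if not m:
            continue
        flags = re.findall(r"\(([A-Z,]+)\)", m.group(2))
        rights = set().union(*(RIGHTS.get(f, set()) for f in flags))
        aces.append((m.group(1), "DENY" in flags, rights))
    return aces

def effective_rights(aces, token):
    """Union of matching allow ACEs minus matching deny ACEs (ACE order ignored)."""
    allowed, denied = set(), set()
    for trustee, is_deny, rights in aces:
        state = token.get(trustee)
        if state is None:
            continue                          # group not in the token at all
        if is_deny:
            denied |= rights                  # deny ACEs match deny-only groups too
        elif state == "enabled":
            allowed |= rights                 # allow ACEs need an enabled group
    return allowed - denied

if __name__ == "__main__":
    acl = parse_acl(ICACLS_OUTPUT)
    print("filtered token:", sorted(effective_rights(acl, FILTERED)))
    print("elevated token:", sorted(effective_rights(acl, ELEVATED)))
    fixed = acl + parse_acl(r"BUILTIN\Users:(OI)(CI)(M)")
    print("after the grant:", sorted(effective_rights(fixed, FILTERED)))
```

With the filtered token only the BUILTIN\Users entry contributes, which is why the drive is read-only until the Users grant is added or the process is elevated.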
cavman Posted November 7, 2007

Ok, I know this is an old post, but I need some serious help with my external drive. I have a Lacie 500GB external that was hooked up to a Win XP computer forever. I moved it on to Vista and it would not let me access it at all although the system recognised the drive. So I went under properties-security and tried to change the permissions of the users and it would not let me, so being the genius I am, I deleted the users and added the administrator and all users again and clicked full control for both of them (and all subdirectories). When I clicked apply it said that access was denied to the sub-folders. So now I can access the root directory of the drive, but not each individual folder. I mean I have to go in every folder and change every file's access rights, because as it stands they're all in unclaimed ownership, but for some reason I cannot mass change them either. To make matters worse, I cannot access the folders in Win XP either now!!! Did I mention that there's thousands of MP3 and family pictures in that drive. So I'm extremely frustrated and confused, and my wife is on my ass constantly with "see I told you so". HELP!!!!!!
NIM Posted November 7, 2007

You have to take ownership of the whole drive, and then add permissions for the folders or the drive itself.
cavman Posted November 7, 2007

How do I do that without going to each individual file!!! There's like 10,000+ files on that drive?
NIM Posted November 7, 2007

Click on that disk icon --> properties --> security --> advanced --> take ownership