Help! Access Denied Even To The System Owner...

[Guest]

Hi,

I have come across a problem with the UAC. I was changing the security
settings for all account users and set them all to deny. I admit I had no
idea that by doing that it would deny access to me, the only system
owner/admin on the Vista system.

It logs me in but it does not let me go into my drive C: at all, or
use/change important owner options. It always says "Access Denied" or does
nothing when I click on an option. I'm the only Vista account owner but it
won't let me have access to my files anymore.

Why doesn't Vista have some type of protection to prevent the only account
owner from locking themselves out when accidently changing all "User Account
Control / Access Control" to deny all?

Can someone please help me resolve this issue or tell me who else to contact
for help? I have many important files on my hard drive that Vista is now not
allowing me access to anymore, even though I'm the only account user/admin
setup on the system. It doesn't let me set up a new account with admin rights
or change the UAC options back to allow me access again. Please someone let
me know how I can resolve this problem. Thank you...

 

[Guest]

I'll admit up front that I'm not sure just how I would proceed at this point.
I'm participating in your thread as much to see if I can learn something as
to see if I might be able to help you. I am including a small sermon at the
end of my post to make a point. Because it is a sermon, you may wish to skip
it.

;-)

But before I get to that -- IF THERE IS DATA ON THIS SYSTEM WHICH CANNOT BE
REPLACED, AND IF THAT DATA IS TRULY IMPORTANT TO YOU, THEN YOU NEED TO
PROTECT IT. (Forgive me for shouting. But I want to emphasize that you must
not keep on working on this drive until you have made a copy of it. The first
law of holes is this: "When you are in over your head, stop digging."
Ideally, you would make a complete image of this drive onto another drive by
using one of the available Vista-compatible third party image software
packages which allows you to boot from a CD/DVD which contains the software
and make a full copy of this drive onto another drive. You might also
consider consulting a data recovery facility. They will charge you, of
course. Only you can determine what your data is worth.)

Now (bearing in mind that I've never had to go through this myself, so you
might want to consult someone who has) --

1. Are you able to open a command prompt with Administrator privileges?
(Right-click on the Command Prompt shortcut under Accessories in the Start
Menu. If so, it would be interesting to see if judicious use of the CACLS
command with appropriate options (You can get the info on the options by
issuing "CACLS /?" at the CLI.) could fix your problem. I suspect not.

2. If CACLS doesn't work, are you able to issue this command --

net user administrator /active:yes

from the CLI. If this command is issued successfully, are you able to log on
as Administrator and regain control of your drive? (I genuinely don't know.
Microsoft has somewhat changed the rules about how admin accounts work in
Vista. I don't know just how "special" this normally disabled admin account
might be.)

3. I would be interested to see if you could take ownership of the drive and
fix the problem if you placed this drive in another Vista system. If you try
this you MUST be certain that it isn't placed in the boot position. You would
want this drive to come up as a "data" drive. You would boot with the Vista
installation on the host machine and see if you can change the permissions
settings on this drive.

It is important for you to consider that the changes you have wrought on
this system drive have probably led to the cessation of true usefulness of
this installation of the OS. After you have recovered your data the only
admissible procedure is to wipe that drive and reinstall the OS. I think it's
extremely unlikely that you'll ever get it back into proper functionality,
security-wise. My opinion only. Might be worth nothing.

You should NOT be in a hurry. Get as much information before proceeding as
you can. You got where you are by using powerful tools without investigating
documentation beforehand. Do not continue in the same vein.

-- begin small sermon --

The first thing I can do to help you is to point out that you should have
learned TWO things (at least) so far in this adventure. The first (and most
important by far) is to keep current backups of all important data. When you
say that you have many important files on this system and that you need to
regain access to them you are tacitly admitting that you haven't been backing
up your data properly. A proper data backup is NOT copies of the data in
another directory, or on a different partition on the same disk, or on a
different disk in the same computer, or even on a different disk in a
different computer. It is multiple archives on durable, properly protected,
isolated storage media. That's if the data is truly important.

The second thing I can do to help you is to point out that Vista DOES have
safeguards to prevent people from "accidentally" changing permission settings
so that NO ONE can access files on the system. You ignored the implications
of some dialogs to get where you were when you made those changes. And then
you didn't do any research concerning the consequences of applying the
changes you were making. This is not a fault in the design of Vista or UAC.
You were exploring without proper planning, and you got bit.

-- end small sermon --

 

[Guest]

Shucks. I forgot to mention another command you should try at the CMD prompt.
You should try looking at the TAKEOWN command. That might be able to fix the
access issue. Again, just "TAKEOWN /?" to see the options.

 

[Guest]

Jimmuh, I know I made a terrible mistake and lost my common sence there, but
now I need help to hopefully fix this mistake.

If I log into safe mode and click on Run it basicly says that admin
privileges will be allowed.

So I should type exactly as you typed:

CLI.

And then:

CACLS /?

Or:

CMD.

And then:

net user administrator /active:yes

Is all that correct?

 

[Guest]

I tried the following at the cmd. prompt ( C:\Users\AAD> ):

net user administrator /active:yes

It then says "The Command Completed Successfully" but when I click on my C:
drive it still says "Access Denied". By the way AAD is the only Vista user on
my Vista PC.

Also at the cmd. prompt ( C:\Users\AAD> ) I tried:

TAKEOWN /?

And a bunch of options that I do not understand show up.

For instance my important directories and files are under the directory:

C:\1-Saved

But when I try ( TAKEOWN /F C:\1-Saved /R /D Y ) at the cmd. prompt
(C:\Users\AAD>):

I get "ERROR Access Denied" message.

Can someone please tell me the exact way to allow me to take back ownership
of my 1-Saved directory under my C: drive?

 

[Guest]

No, you need to read more carefully. I said that after you activated that
account you should log in under that account. You have successfully activated
the Administrator account. You can believe me when I say that this account
exists in addition to your AAD account. Now you need to log off, and then log
on as Administrator. (No password will be required.) If you are not allowed
access to the drive when logged on as Administrator, then you're going to
have to try a different tack. Like placing the drive in a different system
and using another installation of Vista to try to change the Access Control
Lists on that drive.

From here on I really can't, in good conscience, try to talk you through by
way of newsgroup messages. You said you had important data on that drive. Did
you make a copy of it as I suggested? If you don't understand the
explanations you get when you type TAKEOWN /? at the CMD line, then I fear
that you aren't familiar enough with the administrative concepts involved to
proceed. That's what got you into trouble in the first place. There's no
shame in that. It's just not something with which you're familiar. But, if
that data is important to you, you need to calm down and proceed SLOWLY and
WISELY. Please remember that you can make matters even worse than they
already are. I promise you that someone who knows what s/he is doing can get
that data back. (Well, I'm almost sure. I'm not really quite certain about
the exact steps you took to get where you are.) But someone with experience
and judgement in supporting the OS is going to need to look at this and
handle it if you are going to be sure of recovering the data. Impatience is
your worst enemy right now. As long as you are doing nothing to that drive,
then nothing is changing in your situation. Please consider what I'm saying.
Operating systems do what you TELL them to do, NOT what you WANT them to do.

 

[Guest]

I did create a backup of the most crusial day to day data but the rest of the
data that I now don't have access to, it is important but just a little less
than the latter.

Anyways thank you for your input, I just hope that I can resolve this issue
eventually...

By the way the "CACLS" command has now been deprecated to "ICACLS".

 

[Guest]

Sorry about CACLS vs ICACLS. I was rushed, but the deprecated commands lead
you to the extant ones.

Did you log on as Administrator and see if you could get access to the drive
now? If that doesn't work I think you're pretty much left with setting the
drive up in another system as a data drive amd trying to work with it from
there. I do, however, still think it highly advisable to seek local help --
if there's anyone who works as a system administrator (with MS Windows
systems). I am NOT talking about the local guy who "knows computers". I'm
talking about someone who really does know how to use the admin tools. I know
it can be hard to know who to trust. But that's true of online conversations,
too.

;-)

Your situation has convinced me that I should, if and when I ever get time,
test a Vista system to destruction in just this manner -- just to satisfy my
curiosity. This is not the sort of situation I've ever had to deal with
because I lock my users down so they couldn't possibly get into this type of
trouble.

That "Deny" setting has caused a lot of people trouble in the past, but it
had been quite a while since I had heard of a situation like this, like NT4
and Windows 2000 days. I don't actually remember anyone denying access to the
whole system drive, but I'm certain it has been done. It is usually easy
enough to fix an issue where Deny has been applied just to a particular
directory structure, but denying root and all subdirectories, which is what I
think you have done, is something I just haven't ever seen or heard of.

 

[Guest]

Okay I rebooted and went into the Admin account but I still get the same
access denied message when I click on my C: drive it doesn't even let me
create/modify a accounts.

I guess no one on my PC can have any access to my drive C: anymore. Well
maybe by puting the drive on another Vista setup that will do the trick to
reset the access controls. Or maybe if I reinstall/recovery on the same drive
it will reset all user access settings. I just wonder if it will erase my
data at C:/1-Saved but I'll wait to see if I get more input from other folks
first.

Various input on this issue is welcomed...

 

[Guest]

Be careful about "install / recovery". If this is an OEM Vista installation
you need to be sure that you're actually doing a "repair" installation of
Windows. What the OEM refers to as a "repair" can be a total wipe and
reinstallation. An actual repair installation might do the trick, though I've
never seen this particular situation before. The repair installation (which
is what I would call an in-place upgrade because you install Windows again
just as though you were doing an upgrade installlation of Windows) is
supposed to fix permissions issues (on file system and registry). It should
not remove data structures, but it may affect some or all of your software
installations, though it isn't supposed to. Many software vendors (most)
haven't really got Vista right, yet.

I'm hoping you'll get this figured out.

 

[Guest]

What happen was I was working late around 3:00 am (I must of been totally out
of it) and right before I finished working I decided to right click on my
drive C: and looked at the property tabs. I then headed over to the
"Security" tab and saw settings for:

Authenticated Users
System
AAD (Presrio\AAD)
Administrators (Presario\Aministrators)

I then proceeded to check the box with "Full Control" allow for each
account, but then I relised that I shoud of not done that. So I quickly
clicked on "Full Control" deny thinking that it would simply reset the allow
options back accordingly (I wish it would of had a defualt option instead). I
then restarted my computer and later found out that I had "Denied Access" to
all users/accounts from accessing my C:\ drive and even to the admin account.
I totally mis-caculated the power of Vista, totally...

By the way my Vista is not an OEM, it's a retaill version of Vista Ultimate,
and I hope that if it comes down to a reinstall/recover it would not delete
my files.

 

[Guest]

Ouch! Don't you hate what happens when you're sleepy? Heh.

Yeah, just unchecking full control would have been a good start, but there
really is seldom a good reason for changing these setting wholesale. The
standard settings should be used, if at all possible, on personal machines --
and on most work machines, for that matter. Messing with the ACLs is
something that I consider to be a last resort.

Data that resides under your user account location should be safe from a
standard repair installation, and I would hope that data located in
directories just off the root would be safe, too, though I never allow data
storage in such locations on anything that I control. Normally the %Windows%
directory and some subdirectories thereof are the ones that will be most
affected. The repair should leave other stuff alone. But this is a truly
strange situation. I don't believe that should matter, but I just can't be
sure. I've been surprised a few times before when I tried to extrapolate from
experience, so I prefer not to predict without extreme caution -- especially
when someone else's data is at stake!

I hope you'll post the results of your endeavors. I'm keeping my fingers
crossed for you!

 

[Guest]

Success! I can't believe it but I was able to take back full ownership of my
C: drive and got all 37gb of my stuff back. I thank those that tried to help
me and gave me clues to fix the problem. Below are the steps as to how I made
It work for my retail version of Vista Ultimate.


These steps might help some else with a similar UAC/ACL complete root
"Access Denied" issues to the point where even if you are logged into your
Admin account it still doesn't let you create accounts or modify any
important settings/permissions etc.


Step 1:
Clicked: Start Menu
Click: Run
Type: net user administrator /active:yes
Close All Other Applications And Reboot Your System.

Step 2:
Click/Login To The Administrator Account.
Clicked: Start Menu
Click: Run
Type: Regedit
Go to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Policies\System
Right Click On: EnableLUA
Click: Modify
Change: Value Data To A 0
Click: OK

Step 3:
Go Back To The Root Folders In The Registry Editor.
Right Click On: HKEY_CLASSES_ROOT
Click: Permissions
Click: CREATOR OWNER
Check: All Allow Boxes
Click: Apply
Click: SYSTEM
Check: All Allow Boxes
Click: Apply
Click: Administrators
Check: All Allow Boxes
Click: Apply
Click On Users
Click: Remove
Click: Your Account Name If It Shows
Click: Remove
Click: OK

Step 4:
Right Click On: HKEY_CURRENT_USER
Click: Permissions
Click: SYSTEM
Check: All Allow Boxes
Click: Apply
Click: Administrators
Check: All Allow Boxes
Click: Apply
Click: OK

Step 5:
Right Click On: HKEY_LOCAL_MACHINE
Click: Permissions
Click: Everyone
Check: All Allow Boxes
Click: Apply
Click: RESTRICTED
Check: All Allow Boxes
Click: Apply
Click: SYSTEM
Check: All Allow Boxes
Click: Apply
Click: Administrators
Check: All Allow Boxes
Click: Apply
Click: OK

Step 6:
Right Click On: HKEY_USERS
Click: Permissions
Click: Everyone
Check: All Allow Boxes
Click: Apply
Click: RESTRICTED
Check: All Allow Boxes
Click: Apply
Click: SYSTEM
Check: All Allow Boxes
Click: Apply
Click: Administrators
Check: All Allow Boxes
Click: Apply
Click On Users If It Shows
Click: Remove
Click: Your Account Name If It Shows
Click: Remove
Click: OK

Step 7:
Right Click On: HKEY_CURRENT_CONFIG
Click: Permissions
Click: CREATOR OWNER
Check: All Allow Boxes
Click: Apply
Click: Administrators
Check: All Allow Boxes
Click: Apply
Click: OK
Close Registry Editor And All Other Applications And Reboot Your System.

Step 8:
Click/Login To The Available Regular/Owner Account.
Clicked: Start Menu
Click: Control Panel
Click: Add Or Remove User Acounts
Create A New User Account And Logoff.
Close Registry Editor And All Other Applications And Reboot Your System.

Step 9:
Click/Login To Your New Created Account.
Right Click On The Drive Or Directory You Lost Access To.
Click: Properties
Click: Security
Click: Advance
At The Permissions Tab.
Click: Edit
Click: Add
Type The Name Of The Recently New Created Account.
Click: Check Names
Your New Account Name Should Fully Show Up.
Click: OK
A Permission Screen Should Show Up.
Click On The Allow Box Where It Says Full Control.
Where It Says "Apply To:" Choose The "This Folder, Subfolders And Files"
Option.
Click: OK
Again At The Permissions Tab Click On Your New Created Account.
Click: Apply
Click Yes On The Security Popup To Change Your Allow Permissions.
If An Errors Occur Just Click Continue.
Once The Process Finishes, Reboot Your System And Login To Your New Account.
You Should Now Have Access Back Into Your Hard Drive Or Directory.


Note: There Maybe Better/Shorter Ways Out There To Do This But In My
Situation They Were Not Working. The Above Steps Are What Worked For Me But
May Not Work For You. Please Make Sure You Are Having Similar Issues To Mine
Before Trying The Above Steps...

 

[Guest]

I'm glad you got it figured out. Are you planning on doing a clean
installation of the OS now that you've recovered your data?

 

[Guest]

Yeah I think I will do a clean install soon, I'm backing up all my data over
to DVD's for now...

 

[Guest]

Do you think This Proceedure can be Followed by Booting to WIN RE using the
Windows Vista DVD, and Then Choosing the Command Prompt option, There We need
not use any admin usernames or password to login. Please Tell me if this can
be done. as i am a Technician Who Does not have access to a lot of Vista
Computers, and One of my Customer's has a Problem. He has lost his
Administrator password, and is not able to login. i have a Way to Reinstall
the OS on his Dell Computer Using the Dell Image Restore Option But that is
not an option always. He needs Security on is account, Does not want me to
create another account and has important data that he cannot loose. i dont
have the option of connecting his HDD to another computer as this is Remote
Troubleshooting.


and the poor guy has a Tendency to loose his Password ever now and then.

Any help is appriciated.

regards,
Ujjval

 

[PITTAG]

Hi,

I have come across a problem with the UAC. I was changing the security
settings for all account users and set them all to deny. I admit I had no
idea that by doing that it would deny access to me, the only system
owner/admin on the Vista system.

It logs me in but it does not let me go into my drive C: at all, or
use/change important owner options. It always says "Access Denied" or does
nothing when I click on an option. I'm the only Vista account owner but it
won't let me have access to my files anymore.

Why doesn't Vista have some type of protection to prevent the only account
owner from locking themselves out when accidently changing all "User Account
Control / Access Control" to deny all?

Can someone please help me resolve this issue or tell me who else to contact
for help? I have many important files on my hard drive that Vista is now not
allowing me access to anymore, even though I'm the only account user/admin
setup on the system. It doesn't let me set up a new account with admin rights
or change the UAC options back to allow me access again. Please someone let
me know how I can resolve this problem. Thank you...

Try starting your computer in the Safe Mode ( F-8) during the POST test with
Networking. Then login as administrator and then change your permissions in
the User accounts. I had the same problem and it worked for me.. Hope this
helps.