Rights problem - Even the administrator is locked out, but I don'tsee why

[Will Pittenger]

I needed to lock users out of a select folder due to privacy concerns.
I know not to deny to all users and then attempt to allow in just select
users. So I locked out just the users I needed to stay out. Then I
found myself forced to reinstall Windows.

In the new installation, I tried something slightly different with that
folder. I create a group containing just the members that had to stay
out. I then denied to that group rather than to individual members.
Trouble was, somehow, it acted like I was part of that group. (I could
see the files, which others weren't supposed to be able to do, but that
was it.) I never was. I verified that I wasn't by going to the window
where it lists the effective rights for a user. I supposedly had all
rights.

Eventually, I deleted all entries and reset it by inheriting from the
parent folder. That provides full access to everyone. This, from the
point of view of what I, as user, could do, changed nothing. I still
can't open the files.

What is going on?

 

[Pegasus \(MVP\)]

I needed to lock users out of a select folder due to privacy concerns. I
know not to deny to all users and then attempt to allow in just select
users. So I locked out just the users I needed to stay out. Then I found
myself forced to reinstall Windows.

In the new installation, I tried something slightly different with that
folder. I create a group containing just the members that had to stay
out. I then denied to that group rather than to individual members.
Trouble was, somehow, it acted like I was part of that group. (I could
see the files, which others weren't supposed to be able to do, but that
was it.) I never was. I verified that I wasn't by going to the window
where it lists the effective rights for a user. I supposedly had all
rights.

Eventually, I deleted all entries and reset it by inheriting from the
parent folder. That provides full access to everyone. This, from the
point of view of what I, as user, could do, changed nothing. I still
can't open the files.

What is going on?

- Why were you forced to re-install Windows?
- Did you ever try to seize ownership of the problem folder?
- What is the current permission structure of the problem folder?

To post the current permissions, do this:
- Click Start / Run / cmd {OK}
- Type these commands:
cacls "d:\My Folder\My Subfolder" > c:\perms.txt{Enter}
net user "%UserName%" >> c:\perms.txt{Enter}
notepad c:\perms.txt{Enter}
- Copy & paste this text into your reply.

 

[Will Pittenger]

See attached. The reinstall happened because I was experimenting with a
program that emulated Vista on XP. However, it was crashing constantly,
including during installation. I tried to uninstall it, but it crashed
again. Next time I rebooted, a critical system file was missing. I was
told to boot my system disk and use the repair option. However, I
couldn't get far enough along to use the repair option because my XP
install disk is SP1 and I had partitions extending past 137 GB. That
disk wouldn't boot. I was able to use G4L to back up my partitons, so I
could finally get that disk booting, but for some reason thought that I
needed to backup the boot partition too. That failed. A partition with
32GB was supposedly stored in just 52 megs. I didn't notice until I was
attempting to restore.

I did ensure that I own the folder.
-----
will 68 at mtco dot com
will dot pittenger1 at gmail dot com (use this address for large signatures)

- Why were you forced to re-install Windows?
- Did you ever try to seize ownership of the problem folder?
- What is the current permission structure of the problem folder?

To post the current permissions, do this:
- Click Start / Run / cmd {OK}
- Type these commands:
cacls "d:\My Folder\My Subfolder" > c:\perms.txt{Enter}
net user "%UserName%" >> c:\perms.txt{Enter}
notepad c:\perms.txt{Enter}
- Copy & paste this text into your reply.

d:\images\Collection BUILTIN\AdministratorsOI)(CI)F
BUILTIN\Backup OperatorsOI)(CI)F
CREATOR OWNEROI)(CI)(IO)F
EveryoneOI)(CI)F
BUILTIN\Power UsersOI)(CI)F
BUILTIN\UsersOI)(CI)F
LUCY\Will PittengerOI)(CI)F

User name Will Pittenger
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 4-27-2008 6:0 am
Password expires Never
Password changeable 4-27-2008 6:0 am
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5-31-2008 10:16 pm

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.

 

[Pegasus \(MVP\)]

The data you posted tells me two things:
- You are a member of the Administrators group.
- The permission structure for the Collection folder
defines the access rights for a number of users.
All of them have full and unrestricted access, without
exception.

The above tells me that you should be able to do anything
you like with the Collection folder, yet you report otherwise.
Would you care to run this test?
- Click Start / Run / cmd {OK}
- Type the following commands:
dir "d:\images\Collection" > c:\test.txt 2>&1{Enter}
md "d:\images\Collection\Test" 1>>c:\test.txt 2>>&1{Enter}
copy c:\test.txt "d:\images\Collection\Test" 1>>c:\test.txt 2>>&1{Enter}
dir "d:\images\Collection\Test" >> c:\test.txt 2>>&1{Enter}
notepad c:\test.txt(Enter}

 

[Will Pittenger]

I don't think your tests were all that helpful. They showed that I
could get a directory of those folders (I knew that) and could create
new files. The problem is reading existing files.

 

[Pegasus \(MVP\)]

Fine. My first test revealed the permission structure of
the Collection folder. There was no problem there. If
your problem relates to existing files then you need to
apply the first set of test commands to one of these files.
You could also run this command:

cacls d:\images\Collection /t /e /g everybody:F "%UserName%":F

 

[Will Pittenger]

C:\Documents and Settings\Will Pittenger>cacls d:\images\Collection /t
/e /g everybody:F "%UserName%":F

 

[Pegasus \(MVP\)]

You can issue the command like this:
cacls d:\images\Collection /t /e /g "Will Pittenger":F

In your reply I expected to see the permission structure of the
files you cannot access.

 

[Will Pittenger]

It processed the files, for whatever that means.

 

[Pegasus \(MVP\)]

I assume you have now solved your problem.

 

[Will Pittenger]

No. I just checked. I tried to edit a file and got an "Access Denied"
error.

 

[Pegasus \(MVP\)]

Sorry, I cannot help you until you post the permission details
of one of the problem files. And while you're at it - add the
output from the attrib.exe command, e.g. like so:

attrib SomeFile.xls

 

[Will Pittenger]

Attrib lists "A" for a problem file. I assume "A" is for "archive." I
can't post the permission details as the command you gave earlier,
"cacls d:\images\Collection /t /e /g "Will Pittenger":F" didn't appear
to work as you expected. All it told me was that the file was
processed. I just reviewed the command. The version you gave changes
permissions rather than listing them.

 

[Pegasus \(MVP\)]

The command

cacls "FileName"

will show you the permissions. I gave you a fully detailed
example in my very first reply in this thread - please use it!

 

[Will Pittenger]

Sorry, you had me using another command. This version still isn't doing
what you expected.

D:\Images\Collection>cacls D:\Images\Collection\...\descript.ion

Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G usererm] [/R user [...]]
[/P usererm [...]] [/D user [...]]
filename Displays ACLs.
/T Changes ACLs of specified files in
the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G usererm Grant specified user access rights.
Perm can be: R Read
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with
/E).
/P usererm Replace specified user's access rights.
Perm can be: N None
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

Abbreviations:
CI - Container Inherit.
The ACE will be inherited by directories.
OI - Object Inherit.
The ACE will be inherited by files.
IO - Inherit Only.
The ACE does not apply to the current file/directory.

 

[Pegasus \(MVP\)]

You are rapidly losing me. The command

cacls "d:\My Folder\My Subfolder\MyFile.ext"

will display the current security settings of MyFile.ext unless
you have a rogue command on your machine that is taking
the place of c:\windows\system32\cacls.exe.

Sorry, you had me using another command. This version still isn't doing
what you expected.

D:\Images\Collection>cacls D:\Images\Collection\...\descript.ion

Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G usererm] [/R user [...]]
[/P usererm [...]] [/D user [...]]
filename Displays ACLs.
/T Changes ACLs of specified files in
the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G usererm Grant specified user access rights.
Perm can be: R Read
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with
/E).
/P usererm Replace specified user's access rights.
Perm can be: N None
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

Abbreviations:
CI - Container Inherit.
The ACE will be inherited by directories.
OI - Object Inherit.
The ACE will be inherited by files.
IO - Inherit Only.
The ACE does not apply to the current file/directory.
-----
will 68 at mtco dot com
will dot pittenger1 at gmail dot com (use this address for large
signatures)

The command

cacls "FileName"

will show you the permissions. I gave you a fully detailed
example in my very first reply in this thread - please use it!

 

[Will Pittenger]

Sorry. I should have noticed the path didn't have quotes.

D:\Images\Collection\...\descript.ion BUILTIN\Administrators:F
BUILTIN\Backup
Operators:F
LUCY\Will
Pittenger:F
Everyone:F
BUILTIN\Power
Users:F
BUILTIN\Users:F
-----
will 68 at mtco dot com
will dot pittenger1 at gmail dot com (use this address for large signatures)

You are rapidly losing me. The command

cacls "d:\My Folder\My Subfolder\MyFile.ext"

will display the current security settings of MyFile.ext unless
you have a rogue command on your machine that is taking
the place of c:\windows\system32\cacls.exe.

Sorry, you had me using another command. This version still isn't doing
what you expected.

D:\Images\Collection>cacls D:\Images\Collection\...\descript.ion

Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G usererm] [/R user [...]]
[/P usererm [...]] [/D user [...]]
filename Displays ACLs.
/T Changes ACLs of specified files in
the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G usererm Grant specified user access rights.
Perm can be: R Read
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with
/E).
/P usererm Replace specified user's access rights.
Perm can be: N None
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

Abbreviations:
CI - Container Inherit.
The ACE will be inherited by directories.
OI - Object Inherit.
The ACE will be inherited by files.
IO - Inherit Only.
The ACE does not apply to the current file/directory.
-----
will 68 at mtco dot com
will dot pittenger1 at gmail dot com (use this address for large
signatures)

The command

cacls "FileName"

will show you the permissions. I gave you a fully detailed
example in my very first reply in this thread - please use it!


Attrib lists "A" for a problem file. I assume "A" is for "archive." I
can't post the permission details as the command you gave earlier,
"cacls d:\images\Collection /t /e /g "Will Pittenger":F" didn't appear
to work as you expected. All it told me was that the file was
processed. I just reviewed the command. The version you gave changes
permissions rather than listing them.
-----
will 68 at mtco dot com
will dot pittenger1 at gmail dot com (use this address for large
signatures)

Pegasus (MVP) wrote:
Sorry, I cannot help you until you post the permission details
of one of the problem files. And while you're at it - add the
output from the attrib.exe command, e.g. like so:

attrib SomeFile.xls


No. I just checked. I tried to edit a file and got an "Access
Denied" error.
-----
will 68 at mtco dot com
will dot pittenger1 at gmail dot com (use this address for large
signatures)

Pegasus (MVP) wrote:
I assume you have now solved your problem.

message It processed the files, for whatever that means.

 

[Pegasus \(MVP\)]

Your normal logon account "Will Pittenger" has no access rights
to this file, only the account "Pittenger" (which is probably your
Vista account). There are several ways to resolve this issue.
They all involve you logging on as Administrator.

a) Via the GUI: You rigt-click the folder D:\Images while
in Explorer, then add the "Will Pittenger" account to the
permission list and force the change the propagate to all
subfolders via the Advanced menu. You can find full details
about this process by clicking Start / Help and looking for
help on Permissions.

b) Via the Command Prompt: You issue this command:
cacls "d:\images" /t /e /g "Will Pittenger":F
The command will include the "Will Pittenger" account to
all files and folders in the "D:\Images" tree.

If you still have a problem then you need to seize ownership
of the D:\Images folder. Again the process is described under
Start / Help when looking for help on Ownership.

To avoid such problems in future, you should synchronise
your WinXP/Vista account names & passwords.

 

[Will Pittenger]

Well, at least I have a possible solution. I don't understand where you
see the username "Pittenger". That should never have existed.



Notes:

1. I never had Vista. Both partitions were XP Pro SP1 (originally).
The new partition is now SP3 RC2. The previous install made it also
made it to SP3 RC2 before I lost it.

2. I am quite confident that all user names and passwords were the name
between installations.

 

[Will Pittenger]

BTW: One problem that I have is that I have been diagnosed with Asperger
Syndrome. That might be causing problems between us. I know it can
make me a bear to work with.
-----
will 68 at mtco dot com
will dot pittenger1 at gmail dot com (use this address for large signatures)

You are rapidly losing me. The command

cacls "d:\My Folder\My Subfolder\MyFile.ext"

will display the current security settings of MyFile.ext unless
you have a rogue command on your machine that is taking
the place of c:\windows\system32\cacls.exe.

Sorry, you had me using another command. This version still isn't doing
what you expected.

D:\Images\Collection>cacls D:\Images\Collection\...\descript.ion

Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/E] [/C] [/G usererm] [/R user [...]]
[/P usererm [...]] [/D user [...]]
filename Displays ACLs.
/T Changes ACLs of specified files in
the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G usererm Grant specified user access rights.
Perm can be: R Read
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with
/E).
/P usererm Replace specified user's access rights.
Perm can be: N None
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

Abbreviations:
CI - Container Inherit.
The ACE will be inherited by directories.
OI - Object Inherit.
The ACE will be inherited by files.
IO - Inherit Only.
The ACE does not apply to the current file/directory.
-----
will 68 at mtco dot com
will dot pittenger1 at gmail dot com (use this address for large
signatures)

The command

cacls "FileName"

will show you the permissions. I gave you a fully detailed
example in my very first reply in this thread - please use it!


Attrib lists "A" for a problem file. I assume "A" is for "archive." I
can't post the permission details as the command you gave earlier,
"cacls d:\images\Collection /t /e /g "Will Pittenger":F" didn't appear
to work as you expected. All it told me was that the file was
processed. I just reviewed the command. The version you gave changes
permissions rather than listing them.
-----
will 68 at mtco dot com
will dot pittenger1 at gmail dot com (use this address for large
signatures)

Pegasus (MVP) wrote:
Sorry, I cannot help you until you post the permission details
of one of the problem files. And while you're at it - add the
output from the attrib.exe command, e.g. like so:

attrib SomeFile.xls


No. I just checked. I tried to edit a file and got an "Access
Denied" error.
-----
will 68 at mtco dot com
will dot pittenger1 at gmail dot com (use this address for large
signatures)

Pegasus (MVP) wrote:
I assume you have now solved your problem.

message It processed the files, for whatever that means.