Post by drcard on Nov 30, 2019 22:28:05 GMT -5
There seems to be a lot of interest in Access Denied and Permissions topics, so I am posting the following. Please excuse me if I have posted this information before.
Access Denied – But it’s my PC
Overview:
Many users have encountered “Access Denied” when trying to access a file or folder on their own PC that they are sole user of and have Administrator’s rights to; and wonder how this is possible. The following explains what is happening and how to correct “access denied” and get full control of such files/folders.
Security, Account Types, Privileges, Ownership, and Permissions
Security of a PC is an enormous subject to cover, but for this topic the security I refer to is the base security thru account types, privileges of that account, ownership of a file/folder, and permissions for a file /folder. This base security explanation can become very complicated in a business setting with many users and many different levels of privileges and permissions; so what I cover here applies to a private user that is sole owner and user of the PC.
The security that comes from user accounts is in the privileges given to each user account. The base security is no access to any file on the PC except thru a user account and such access is limited to the privileges of that user account. Any PC using Windows (versions XP & up) requires that at least one user account has Administrator’s privileges (sometimes called Administrator’s rights). When a private user sets up their account on a new PC, that account will have Administrator’s privileges by default. As the only user that has setup an account on the PC, many users think that there will be only one account on the PC…theirs. By default, there will be other accounts. These others accounts may not be active or may be hidden and thus, do not show in the list of user accounts in the Accounts settings for that PC. Side Note: I will post about these other accounts in a different thread. You can open a Command Prompt, type in net user and press the Enter key to see all accounts installed on your PC including the inactive and hidden ones.
The sole user account will have Administrator’s privileges, which means you have the authority to control anything on the PC. Having an account with Administrator’s privileges does NOT mean you have control of everything on the PC, but rather the account has the authority to grant control of anything on your PC. You see this granting control in action when you open certain applications or utilities where the User Account Control window opens to ask for authority to open that application….you have to grant yourself the permission to use that application. For background automated actions where the user is not involved and Windows needs access to files/folders, Windows has created hidden accounts with their own set of privileges to access these files and perform the needed background function. In the Security tab of the Properties of a file you’ll see these default accounts such as SYSTEM with its own set of permissions. The key concept to understand is that the Security settings of a file/folder determines what actions each account is allowed to perform. Sometimes the user account with administration privileges does not have permissions to access the file/folder or perform functions like copy, move, delete, etc. Although the user with Admin rights doesn’t have permissions, the Administrative privileges of that account will allow the user to give their account permissions to perform any function desired.
Separate from a user’s account privileges, is the security of a digital file/folder thru ownership. Ownership is the absolute control of a file or folder. Only the Owner of the file or user accounts that the owner has given full control to can grant permissions to any user account, ranging from no access to full control. This means that a file or folder that the owner has set the permissions for the user account with Admin rights to have no access to, then that user account cannot access that file even if that account has Administrative privileges. While Administrative privileges will not let you change the permissions for such a file/folder, Administrative privileges will let you change ownership of the file to your user account. After changing ownership to your user account and as the owner you can change the permissions to give your account full control of the file/folder.
Thus, to gain access and control of a file/folder that gives “Access Denied” to your user account with Admin rights:
First, use your Admin rights to take ownership of the file/folder.
Second, as owner give your account full control permission.
There are two ways to perform the above 2 steps….1) Using the Advanced Security settings of the file/folder or 2) commands in a Command Prompt. The Command Prompt method is easier, faster, and one size fits all. What follows is the command prompt method to perform these two steps.
Commands To Take Ownership and Change Permissions
You will need the full PATH of the file or folder you wish to gain access to.
Open a Command Prompt as Administrator
WinKey + R to open Run box
Type in cmd
Press Ctrl + Shift + Enter
NOTE: In the commands below: The command shown is entered at the prompt (>). Replace the underscores (_) in the commands with a space. Replace PATH TO FILE with the full PATH to the file/folder. Include file extension in file’s name/PATH. Place the entire PATH in quotes. Press the Enter key after the command is entered and Command Prompt will respond with action that is taken.
takeown_/f_”PATH TO FILE”_/r_/d_y
The above command will take ownership. Enter the next command to grant your account permissions (full control).
icacls_”PATH TO FILE” /grant administrators:F_/T
Close the Command window. Reboot or open and close File Explorer for the ownership and permission to be upgraded to File Explorers control and allow access to the file/folder.
Side Note: Microsoft does not give permissions for users to access certain key system files and folders. This is to keep unknowledgeable users from damaging needed files. Users shouldn’t be circumventing Access Denied for Windows system files. However, many malware applications will use this ownership-access denied set up to prevent users from uninstalling the malware once it has been installed. Concept is no access means no deleting. It is for getting rid of these malware files I provided these takeown and grant permission commands. Leave your system files alone.
Access Denied – But it’s my PC
Overview:
Many users have encountered “Access Denied” when trying to access a file or folder on their own PC that they are sole user of and have Administrator’s rights to; and wonder how this is possible. The following explains what is happening and how to correct “access denied” and get full control of such files/folders.
Security, Account Types, Privileges, Ownership, and Permissions
Security of a PC is an enormous subject to cover, but for this topic the security I refer to is the base security thru account types, privileges of that account, ownership of a file/folder, and permissions for a file /folder. This base security explanation can become very complicated in a business setting with many users and many different levels of privileges and permissions; so what I cover here applies to a private user that is sole owner and user of the PC.
The security that comes from user accounts is in the privileges given to each user account. The base security is no access to any file on the PC except thru a user account and such access is limited to the privileges of that user account. Any PC using Windows (versions XP & up) requires that at least one user account has Administrator’s privileges (sometimes called Administrator’s rights). When a private user sets up their account on a new PC, that account will have Administrator’s privileges by default. As the only user that has setup an account on the PC, many users think that there will be only one account on the PC…theirs. By default, there will be other accounts. These others accounts may not be active or may be hidden and thus, do not show in the list of user accounts in the Accounts settings for that PC. Side Note: I will post about these other accounts in a different thread. You can open a Command Prompt, type in net user and press the Enter key to see all accounts installed on your PC including the inactive and hidden ones.
The sole user account will have Administrator’s privileges, which means you have the authority to control anything on the PC. Having an account with Administrator’s privileges does NOT mean you have control of everything on the PC, but rather the account has the authority to grant control of anything on your PC. You see this granting control in action when you open certain applications or utilities where the User Account Control window opens to ask for authority to open that application….you have to grant yourself the permission to use that application. For background automated actions where the user is not involved and Windows needs access to files/folders, Windows has created hidden accounts with their own set of privileges to access these files and perform the needed background function. In the Security tab of the Properties of a file you’ll see these default accounts such as SYSTEM with its own set of permissions. The key concept to understand is that the Security settings of a file/folder determines what actions each account is allowed to perform. Sometimes the user account with administration privileges does not have permissions to access the file/folder or perform functions like copy, move, delete, etc. Although the user with Admin rights doesn’t have permissions, the Administrative privileges of that account will allow the user to give their account permissions to perform any function desired.
Separate from a user’s account privileges, is the security of a digital file/folder thru ownership. Ownership is the absolute control of a file or folder. Only the Owner of the file or user accounts that the owner has given full control to can grant permissions to any user account, ranging from no access to full control. This means that a file or folder that the owner has set the permissions for the user account with Admin rights to have no access to, then that user account cannot access that file even if that account has Administrative privileges. While Administrative privileges will not let you change the permissions for such a file/folder, Administrative privileges will let you change ownership of the file to your user account. After changing ownership to your user account and as the owner you can change the permissions to give your account full control of the file/folder.
Thus, to gain access and control of a file/folder that gives “Access Denied” to your user account with Admin rights:
First, use your Admin rights to take ownership of the file/folder.
Second, as owner give your account full control permission.
There are two ways to perform the above 2 steps….1) Using the Advanced Security settings of the file/folder or 2) commands in a Command Prompt. The Command Prompt method is easier, faster, and one size fits all. What follows is the command prompt method to perform these two steps.
Commands To Take Ownership and Change Permissions
You will need the full PATH of the file or folder you wish to gain access to.
Open a Command Prompt as Administrator
WinKey + R to open Run box
Type in cmd
Press Ctrl + Shift + Enter
NOTE: In the commands below: The command shown is entered at the prompt (>). Replace the underscores (_) in the commands with a space. Replace PATH TO FILE with the full PATH to the file/folder. Include file extension in file’s name/PATH. Place the entire PATH in quotes. Press the Enter key after the command is entered and Command Prompt will respond with action that is taken.
takeown_/f_”PATH TO FILE”_/r_/d_y
The above command will take ownership. Enter the next command to grant your account permissions (full control).
icacls_”PATH TO FILE” /grant administrators:F_/T
Close the Command window. Reboot or open and close File Explorer for the ownership and permission to be upgraded to File Explorers control and allow access to the file/folder.
Side Note: Microsoft does not give permissions for users to access certain key system files and folders. This is to keep unknowledgeable users from damaging needed files. Users shouldn’t be circumventing Access Denied for Windows system files. However, many malware applications will use this ownership-access denied set up to prevent users from uninstalling the malware once it has been installed. Concept is no access means no deleting. It is for getting rid of these malware files I provided these takeown and grant permission commands. Leave your system files alone.