Pour les professionnels de l’informatique >
Forums - Accueil
>
Windows 7 Security
>
Locked Folder Access
Locked Folder Access
- Why do I get "access denied" while trying to explore folders such as 'Documents and Settings' and other folders displaying a padlock icon? I have tried changing folder permissions and taking ownership, but still get the same message. These folders seem to have SYSTEM as the default owner. Has microsoft locked these folders to keep prying eyes from delving too deeply into certain areas, or is there some security glitch on my installation?
This system is installed with Windows 7 RC, although it previously had the Beta version installed, the partition was deleted, a new one created and formatted and a clean install of the RC was performed. As such there should be no confusion with GUIDs, SIDs, or UIDs of any type from the previous installation permissions. Changing permissions, adding users, and taking ownership all seem to have varying degrees of success intermixed error messages, but after closing the properties pages and re-opening the changes 'at least appear' to have been made properly.
Anybody got ideas on the subject?- ModifiéCompuWyse PC samedi 16 mai 2009 03:03
Réponses
- First of all I believe you are mistaking the Documents and Settings and the My Documents folders. Documents and Settings is a system folder which contains sub-folders each user profile on the machine, including All Users and Default User, among other folders. My Documents is a shortcut or junction as you refer to it as, whose path is variable and dependent on the user that is currently logged into the machine. This 'junction' points to the Documents folder contained within the the folder named for that user inside of the Documents and Settings folder.
Secondly; any user with Administrative privileges, or at least the privileges to Take Ownership, should be able to take the ownership of the folder or file that they have the user rights to do so. In the the case of an administrator account those privileges are automatically granted to all resources unless over ridden by domain security policies within a domain environment, in which case the security is set at the Domain Controller either by Group Policy for the computers or the users, and in some cases for the specific resource.
Third and final comment; I finally tracked down the cause for the access denied error messages, and it was being caused by a permissions entry for the Everyone group denying access. Since the 'Deny' will override any other permissions taking ownership and granting permissions for any other user was ineffective until I removed the Deny Everyone permission entry.
Thanks you for posts anyhow, but Ihave managed to solve the problem on my own. I'm still not sure how the Deny Everyone was granted, but now that I have figured out the problem, I know what to look for on other folders if I have the same problem.- Marqué comme réponseCompuWyse PC dimanche 24 mai 2009 16:23
Toutes les réponses
- I have the same problems. I release c:, then i got access to some folders not so for local settings.
No idea, sorry - I have the same issues on a fresh hard drive with W7 RC. I tried moving the default programs in the All Programs menu and it tells me I do not have permission, even though I am an administrator.
My work around was to go under the folder permissions and grant myself full control. Once I did this, I was able to move the shortcuts. - I've got the same problems. The system UAC looks slightly different than my UAC. The system has all check marks for access and mine has check marks but unlike the system they are enclosed in a box that is slightly greyed out. Is there a way to log in as the "system". I have never ran a computer that I did not have control of. I have screwed a couple up, but I got them straightened out and learned from it. No control is for solitaire players. I need a source of information for:
Giving me full access
disabling the UAC?
You know, this problem is why I ____canned Vista and went back to XP64. - As far as I know there is no way to log in as SYSTEM, as this refers to the Operating System itself. You can configure processes and services to run under SYSTEM priviledges (i.e. full access to everything including hidden operating system files, processes, and services), but it is not an actual user account. In theory any user with administrator rights should be able to do the same, but with Vista and Windows 7, the UAC may not allow certain actions without verification. Windows 7 does allow a greater control of the UAC than Vista, but merely turning it off basically defeats any of the enhanced security features that go along with the new operating system. I haven't tried disabling the UAC to access locked folders, but I suspect that will probably not be the answer I am looking for. If you are interested, you can probably get to the UAC settings through the control panel to disable it.
- CompuWyse PC,
Here's how to remove the padlock icon from the folder so you can read/write. I just wrote this in a different thread, but I write here also hoping to get confirmation of working.
Right click the folder and choose "properties".
Click the "security" tab and then click "edit" and then click "add" and then click "advanced"
Click "object types" and then tick "groups" and then click "ok" and then click "find now"
Scroll to the bottom of the list and then highlight "Users" and then click "ok". "ok"
Highlight "users" and tick the boxes for "read" and "write" (and any other permissions you want).
Click "ok" "ok" - Stickywulf,
Your procedure works great until the end and I recieve a box saying "Error applying security" "error occured" "access denied".
I have to click that box twice to get rid of it and then I get a box saying "Unable to save Permission changes". - BoomerBob,
Try taking ownership of the folder first.
Right click the folder and choose "properties" and then click on the "security" tab.
Click on "advanced" and then click on the "owner" tab.
Click "edit" and then highlight your username, and then tick the box "replace owner on subcontainers and objects" and then click "ok" "ok" "ok"
Once you are now the owner of the folder, then follow the instructions in my last post to change permissions.
- Stickywulf
I tried the ownership route to no avail. In windows\sys32 I found a group policy editor named gpedit.msc. It has a multitude of security settings. As soon as I understand it a little better I intend to grant myself some rights. I haven't changed anything yet. I want to understand it better. take a look at it. Just double click it and you are on your way. - It isn't possible to take ownership of "Documents and Settings" since it isn't a folder but is a junction.
Is it Documents and Settings you are trying to access, or what is the name of the folder? - Sorry I haven't had a chance to reply until now. My Win 7 system is at a remote location and I don't get a chance to play much with it lately. I have LogMeIn installed, but have been having difficulty with that logging in completely (which I posted in another thread). But more importantly I have been experiencing what appears to be a display driver issue since I posted this thread, and am having difficulty navigating to anything currently. I plan on picking up the system and bringing it back to my primary location so I can have better access to explore the multiple issues. I may even have to reload, who knows.
As far as the folder access goes, there are several folders with the padlock icon that exhibit 'access denied' issues, but since my current display issue tends to cause the screen to flash rapidly, or go blank entirely, it is nearly impossible to accomplish anything at this point. I have found that rebooting into either safe-mode or choosing 'enable low resolution video' works, but that is a topic for another thread anyhow.
I'll keep you posted if I get a cance to try any of your suggestions, or if I find another solution of my own. - Hey people ;)
I just install a new network...works great, but being a newbie in networking I share my g disk who has my windows install(big no no).
everything is accessable BUT I can't access the G: drive at all and can't even si how much space i have left on it, or cannot install or change anything.
I want into the user profile section in the pannel controle, but a can't make any add, or supress any user...a cant change anything on my user profile, anything with the shield (blue and yellow) is off limite to me and when I click, it those not do anything at all.
HELP I need to install stuff and acces some for work :S.
Thx! - Stickywulf
OK I have to back up. I am getting the ownership route working. I must have been clicking the wrong time or place. Who knows anyhow I am making progress thanks for the help. - I am having exactly the same problem. I can not get access to any folder with a padlock icon. It seems Microsoft have locked us out completely from system folders. I managed to get the Padlock off one folder by following the processes in the previous posts but when I tried to open the folder I got into a circular address:-
file:///C:/ProgramData/Application%20Data/Application%20Data/Application%20Data/
Very frustrating. - Application Data is a junction, and junctions are impossible to access since they aren't really folders. The Application Data folder from WinXP is known as AppData in WinVista and Win7.
C:\Users\Default\AppData
C:\Users\Username\AppData - I checked the ownership of the C drive on my PC and found it was set to "Trusted Installer" I changed the ownership to my user name and that solved the problem. I suspect this occurred because I did not reboot my PC at the end of the install of Windows 7 and went straight into using it.
- Proposé comme réponseVasco NZ vendredi 22 mai 2009 23:53
- Hello Stickywulf
Thanks for your procedures. I dont know which one is working because I have running the two parts yesteday evening without succes.
But this morning, that mean after reboot, the lock is away and no more trouble to delete the folder.
Config: Acer: Aspire X3200, AMD Phenom 9550 ( 32-bit Quad core ), 4 Gb RAM MB: Acer WMCP78M, Chipset: Nvidia; GeForce 9400 (GF8200 + GF 9200) MCP78PV - First of all I believe you are mistaking the Documents and Settings and the My Documents folders. Documents and Settings is a system folder which contains sub-folders each user profile on the machine, including All Users and Default User, among other folders. My Documents is a shortcut or junction as you refer to it as, whose path is variable and dependent on the user that is currently logged into the machine. This 'junction' points to the Documents folder contained within the the folder named for that user inside of the Documents and Settings folder.
Secondly; any user with Administrative privileges, or at least the privileges to Take Ownership, should be able to take the ownership of the folder or file that they have the user rights to do so. In the the case of an administrator account those privileges are automatically granted to all resources unless over ridden by domain security policies within a domain environment, in which case the security is set at the Domain Controller either by Group Policy for the computers or the users, and in some cases for the specific resource.
Third and final comment; I finally tracked down the cause for the access denied error messages, and it was being caused by a permissions entry for the Everyone group denying access. Since the 'Deny' will override any other permissions taking ownership and granting permissions for any other user was ineffective until I removed the Deny Everyone permission entry.
Thanks you for posts anyhow, but Ihave managed to solve the problem on my own. I'm still not sure how the Deny Everyone was granted, but now that I have figured out the problem, I know what to look for on other folders if I have the same problem.- Marqué comme réponseCompuWyse PC dimanche 24 mai 2009 16:23
- My Documents is a per-user junction. Documents and Settings is a system Junction. They are BOTH junctions.
"c:\Documents and Settings" points to "c:\Users"
http://msdn.microsoft.com/en-us/library/bb968829(VS.85).aspx
By default,
- The attribute of a junction point is hidden.
- The Read permission of a junction point is Deny.
A table of commonly used junction points can be found here:
http://windowshelp.microsoft.com/Windows/en-US/Help/31ad4562-aee7-4fed-8316-89114dc973031033.mspx
Why do I get "access denied" while trying to explore folders such as 'Documents and Settings' and other folders displaying a padlock icon? I have tried changing folder permissions and taking ownership, but still get the same message. These folders seem to have SYSTEM as the default owner. Has microsoft locked these folders to keep prying eyes from delving too deeply into certain areas, or is there some security glitch on my installation?
This system is installed with Windows 7 RC, although it previously had the Beta version installed, the partition was deleted, a new one created and formatted and a clean install of the RC was performed. As such there should be no confusion with GUIDs, SIDs, or UIDs of any type from the previous installation permissions. Changing permissions, adding users, and taking ownership all seem to have varying degrees of success intermixed error messages, but after closing the properties pages and re-opening the changes 'at least appear' to have been made properly.
Anybody got ideas on the subject?
Docs and Settings...HA!...I can't see that folder because I don't have access to C:\, access denied.
Here's a posting by someone in another Windows Forum (who was directed to this tech area) that nearly exactly mirrors my experience:
Hi everyone,
Maybe some of you stumbled on tha same problem I have. I lost complete admin rights and can no longer read my C:\ drive. This happened for no particular reason but seems to be linked with me playing around with the HOMEGROUP funcitonnality. I was trying to find a way to enable one of my Windows 7 workstatiojn with my windows 7 server. Simple enough, I was trying to access \\server\c$. I kepted on getting access denied, even after supplying the right password. So I looked into the homegroup, tried to see what open would allow me to access my c$, but nothing worked. Out of desperation, I enabled sharing of my C:\ drive using the name C. Then I disabled homegroup... Mind you, all this was not done exactly in the same sequence but all that to say, all of a sudden, COMPLETE ACCESS to my C:\ was lost, until I realised I could no take it back since I was displayed as an administrator but could not do any admin tasks.. I tried takeown /f c:, tried that in safe mode, tried to use the computer management/disc management.. NOTHING.. I can't run anything since I don't have the privileges..
Is there a fix for this? How many of you got this problem?
----------------------------
My installation was of Win 7 RC build 7100 (NOT the server version) on a bare, freshly partitioned HD. There is only one user account, mine, and it has Admin rights.
Furthermore, the only links that work in User Accounts are "Create a new account" and I can change the picture of mine.
I'm about ready to wipe this drive and start over and not TOUCH Homegroup. Homegroups seem irrelevant in my case, anyway, since this is the only PC running Win 7. Win 7 is a bit of a control freak and doesn't play well with others, it's rather one-sided.- a) I'm glad it's not just me -See BradR56- which makes me think that there is a serious problem coming microsoft's way if they launch with this issue!
b) what's the solution?
I've tried everything in these threads to no avail. I understand what everyone is telling me to do, but there is a small problem "access denied" or the blue/yellow shield is there to stop opperation. Is there something in the registration that can be changed to give the ownership of folders?
I can't repair, change any system settings or even access takeown via the command prompt as it's "access Denied" all the way.
I've got my family photo's on here and the last thing I want to do is format harddrive, but that't the only option I've got left to me.
It appears to occur when you leave a homegroup. There is a warning, but not a critical stop. You should not be allowed to leave a homegroup if you are going to change the security settings on all your folders to "no-one" - FYI, I'm running another thread before I found this one.
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/71a804c7-52bc-4f8b-9012-925ae192f30b?prof=required&ppud=4
I'll post more information about the eventual solution there. I cannot afford to format hard-drive!
