1

I am the administrator and I can no longer access my files in d drive. I can not change the access permissions back either even if running Explorer.exe as administrator.

I was trying to create a standard user that didn't have access to all my files so I could safely let others use my computer.

Windows however lets all users access them regardless of the account type. It seems to only consider user folders as off limits which seems really odd. I would think only admins/owners can access all the files on the system without restriction.

So, I edit the permissions and see that all authenticated users have access to the drive and obviously I don't want that so I edit it and hit deny.

Obviously I didn't expect to be denied access myself being an Administrator and seeing that Administrators have full control as a separate permission from the one I just edited, but here we are.

I am locked out of the drive completely. So I try to edit the permissions and give full control back to all authenticated users and that seemed ok at first. Then I tried just denying access to the new standard user specifically instead.

I tried going back to authenticated user and clicking deny and then full control again and hitting apply to reset it. Doing this keeps showing errors saying that I don't have access to enumerate the contents of the folders.

I now can see the folders in the root of the drive but I cant access anything inside them.

Clearly the interface for permissions in windows 10 is useless. Is there some PowerShell command I can run to give permission back so I can fix this situation.

I cant format the drive to not suggest that. All my personal files are on there.

The ideal result I am after::

  • All administrators have access to everything.
  • The new standard user I created can not access anything on D drive except for,
  • a select few folders on the drive that I specifically give them access to.
  • new standard users created will not have access to the drive unless explicitly given permission as well same as the previous user.
Improve this question

1 Answer 1

Reset to default
4

Obviously I didn't expect to be denied access myself being an Administrator and seeing that Administrators have full control as a separate permission from the one I just edited

File permissions on Windows work like this:

  1. All Deny entries have priority.
  2. Then, all Allow entries are considered.
  3. Finally, if the user is not on the list at all, then access is denied as well.

So in general, what you should have done is remove the Allow access entries rather than add Deny entries – don't use those if you can avoid them.

As an exception, the owner can always set new permissions – and an Administrator can always become the owner (take ownership) – so recovering from this almost always starts with setting either yourself or the Administrators group as the new owner. This lets you set a new access list that grants you full control – then you repeat the process with all sub-folders.

Windows Explorer sometimes offers to do that for you as soon as you try to open the folder (or when you try to see the permissions of something), but more commonly it's done using the takeown program.

takeown /a /r /d y /f D:\

The /d y asks it to automatically reset permissions as well, so it'll be able to recover the contents of the entire disk recursively.

Setting up the restrictions

Once you have your access back, edit the D:\ access list again, preferably through the Advanced view (or through elevated CLI if you prefer, although one of the steps is tedious to do via CLI).

  • If you're restricting a subdirectory, disable "Inherit permissions" and choose 'Copy'. Not needed for the whole disk as there is nothing to inherit from.

    icacls D:\Foo /inheritance:d

  • Remove "Users", "Authenticated Users", "Everyone", and similar entries if they're still there – keeping only Administrators and SYSTEM (and your own account, for UAC). Anyone else not on the list will automatically have no access, so there's no need to explicitly list them.

    icacls D:\ /remove "Authenticated Users"
icacls D:\ /remove "Everyone"

    Note: Due to Windows UAC, the Administrators grant will only be effective when you run programs "elevated" (i.e. 'Run as Administrator'). So if you click 'Apply' at this point and you're not on the access list personally, then you'll lose access through Explorer (which never runs elevated) – but it's not an issue since you can just add yourself through elevated PowerShell or Total Commander or any other file manager.

  • Grant yourself full control access (takeown will probably already have done this, but do it anyway just in case).

    icacls D:\ /grant "Bradley:(OI)(CI)(F)"

    The (OI) and (CI) mark the entry as inheritable (i.e. equivalent of "Applies to: This folder, subfolders, and files").

  • Grant "Authenticated Users" read/list access again, but mark it as non-inheritable – i.e. "Applies to: This folder only" – so that they can still list the top-level folders but not descend into them.

    icacls D:\ /grant "Authenticated Users:(R)"

    The absence of (OI)(CI) means the access entry won't be inherited. This step is technically optional (users can still access items if they know the path, e.g. if you create them a .lnk shortcut) but it'll make things more convenient.

  • Just in case, check the "Replace all child object permissions" box when saving the changes (this only needs to be done once), so that everything inside would be forced to inherit from the permissions you've just set on the root of the disk.

    (the * is important, you want to only reset children)
icacls D:\* /reset /t

(approximate equivalent)
gci D:\ | % { icacls "$_.fullname" /reset /t }

  • Finally, on each of the specific folders that the user needs access to, just add them to the access list for that folder. This can be done through the normal view of the 'Security' tab.

    icacls D:\Videos /grant "Users:(OI)(CI)(R,W)"

In case you want to allow access to a whole folder but disallow one specific subfolder, often it's still better to avoid 'Deny' entries and to instead disable permission inheritance on that folder, which would let you remove the unwanted entries from it specifically.

Side note: There is very little difference between Authenticated Users and Everyone (all Windows versions since XP exclude Anonymous from Everyone). There's also little difference between those and the regular Users group if guest accounts aren't used.

Improve this answer
5
  • that takeown command said invalid syntax. Doesn't say what part of the command is invalid.
    – Bradley Hayes
    Commented May 18 at 9:19
  • I think it's the /s, I confused it with another command – should have been `/f D:`.
    – grawity_u1686
    Commented May 18 at 9:21
  • takeown got me access again but then I lost it when removing everything except admins and system from the list. This doesn't make any sense. If the only permissions I have left are admins and system giving full control I should not have lost access again.
    – Bradley Hayes
    Commented May 18 at 12:33
  • 1
    Ah, yes... that would be the UAC thing where you technically don't have admin rights unless you specifically run a program "as admin". You probably still have access through an elevated PowerShell – just not through Explorer (which never runs elevated). I suppose I should've written the first part as a single step (removing one item and adding another without clicking Apply in between), but it's probably enough if you use an elevated PowerShell to add yourself – or an elevated Total Commander, or SetACL Studio, etc.
    – grawity_u1686
    Commented May 18 at 13:43
  • This would be a good guide on how to make additional HD's private by default.
    – Bradley Hayes
    Commented May 19 at 0:57

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .