1

When I install a new Windows OS (Windows 8.1, Windows 8, Windows 7), many files and folders become inaccessible. I mean I cannot access those folders and files, cannot copy, rename or move them, and I cannot even delete them. I don't have permission.

If I want to use these, I have to change the permissions from the folder or file security properties tab every time I set up a new Windows.

But the problem is that changing the permissions of a lot of files and folders is very time-consuming and boring.

[NB: The files and folders which I am talking about are not located on the C: drive. They are located on another drive, and most of the files are audio and video files.]

Why does this happen? Is there any permanent solution for it so that I don't have to change permissions every time I set up Windows?

Here are some sample screenshots:

1) Properties: [screenshot: Audio Lectures Properties]

2) Advanced Security Settings: [screenshot: Advanced Security Settings for Audio Lectures]


This problem occurs with many files and folders, but doesn't occur with every file or folder on the drive. Below are screenshots of a folder that doesn't suffer from this problem:

1) Properties: [screenshot: Free File Sync 6.2 Properties]

2) Advanced Security Settings: [screenshot: Advanced Security Settings for Free File Sync 6.2]

2 Answers

2

It happens because the files and folders from your old operating system installation have permissions assigned to users that do not exist on your new operating system.

Any user in the Administrators group can "take ownership" of files/folders. Once that user has ownership, he/she can then change the permissions to something convenient. One way to do that is to use the "takeown" and "icacls" commands in an elevated command prompt. Typing "commandname /?" at the command prompt will tell you how to use the command.

You do not have to change file permissions one by one; you can set the permissions on the root folder (e.g. D:) and have them propagate down to all subfolders and files (this is called "recursion").

1

Windows (NTFS) file permissions are stored in Access Control Lists (ACLs), which are made up of Access Control Entries (ACEs). Each ACE is valid for a specific user or group.

When you install a new OS and attach a previously existing drive, you may see ACEs for users with a name such as S-1-5-21-12345678-....

Every user/group has a unique internal ID, called the SID; these SIDs are stored in the ACEs.

When displaying permissions to a file, the OS takes the SID and looks up the name for it. Because you set permissions on files with a different OS, the SIDs used do not exist on the current OS and the system can't resolve the names (so it displays the SIDs).

This should explain why you cannot access the files: the users with permissions simply do not exist in your current installation.

To work around this problem, you can either use a Windows Domain, which is most likely overkill, or you can only use well-known groups for your permissions.

Well-known groups have the same SID on every Windows OS, so even if you install a new Windows, the SIDs used in the ACEs do exist and work.

Some well-known groups are Everyone, Users or Administrators.

To see more well known groups on your OS, open a PowerShell and run:

get-wmiobject -class "win32_account" -namespace "root\cimv2" | where-object{$_.sidtype -eq 4} | where-object{$_.sid.length -lt 15} | sort name | format-table name, sid  -autosize

It shows something like this:

 Access Control Assistance Operators S-1-5-32-579
 Administrators                      S-1-5-32-544
 Backup Operators                    S-1-5-32-551
 Cryptographic Operators             S-1-5-32-569
 Distributed COM Users               S-1-5-32-562
 Event Log Readers                   S-1-5-32-573
 Guests                              S-1-5-32-546
 Hyper-V Administrators              S-1-5-32-578
 IIS_IUSRS                           S-1-5-32-568
 Network Configuration Operators     S-1-5-32-556
 Performance Log Users               S-1-5-32-559
 Performance Monitor Users           S-1-5-32-558
 Power Users                         S-1-5-32-547
 Remote Desktop Users                S-1-5-32-555
 Remote Management Users             S-1-5-32-580
 Replicator                          S-1-5-32-552
 Users                               S-1-5-32-545

Not all these groups are good candidates to be used for NTFS permissions, because they give their members additional (unwanted) permissions/rights or their membership is only applied when running as an elevated process (Administrators, Power Users).

If the Users group does not work for you, you could use the Replicator group because, as far as I know, it doesn't have any side effects for its members.
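The two answers combined, as an added example that is not code from either answer: take ownership with takeown, list the SIDs that no longer resolve, then re-ACL the folder with well-known group SIDs via icacls so the permissions still apply after the next reinstall. The path `D:\Audio Lectures` and the function name `Get-OrphanedSid` are assumptions made for illustration; the script assumes an elevated PowerShell 3.0 or later prompt.

```powershell
# Added example. Run from an elevated PowerShell 3.0+ prompt.
# $Root is a hypothetical path: the data folder on the non-system drive.
param(
    [string]$Root     = 'D:\Audio Lectures',
    [string]$GroupSid = 'S-1-5-32-545'   # Users, from the table above
)

function Get-OrphanedSid {
    # Returns SIDs in explicit ACEs on $Path that map to no account on this installation.
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $false, $sidType)
    $rules | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $_
            try   { $null = $sid.Translate([System.Security.Principal.NTAccount]) }
            catch { $sid.Value }   # lookup failed: the account does not exist here
        }
}

# 1. The owner can always read and rewrite the ACL, so take ownership first.
#    /A makes the Administrators group the owner, /R recurses,
#    /D Y pre-answers the prompt (Y is the affirmative on English-language Windows).
takeown /F $Root /A /R /D Y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Root" }

# 2. Record the unresolvable SIDs before changing anything.
$orphans = @(Get-OrphanedSid -Path $Root)
$orphans | ForEach-Object { Write-Host "Orphaned SID on ${Root}: $_" }

# 3. Grant to well-known SIDs. The leading * tells icacls the value is a SID,
#    which also avoids localized group names. (OI)(CI) makes the entry inherit
#    to files and subfolders; M = Modify, F = Full control (Administrators).
icacls $Root /grant "*${GroupSid}:(OI)(CI)M" "*S-1-5-32-544:(OI)(CI)F" /C
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed for $Root" }

# 4. Remove the dead entries from the root folder.
foreach ($sid in $orphans) { icacls $Root /remove "*$sid" /C | Out-Null }

# 5. Replace every child's ACL with inherited entries only, which also
#    discards orphaned ACEs further down the tree.
icacls "$Root\*" /reset /T /C /Q
```

Granting Modify rather than Full control to the broad group keeps its members from rewriting the ACLs or taking ownership themselves.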
