# Solved: Accidently restriced permissions for all users on drive D-Windows 7



## iTrey (Feb 18, 2010)

I was messing around with my security settings on my second hard drive (D), and i locked myself out. Below is an image of what happens:







http://itrey30.angelfire.com/GetAttachment.jpg
IF you can't see it, it says "cant access drive d, access is denied". Please HELP! i had like 30gb worth of info on it and i cant afford to lose it. ive never run system restore before, so that option is out. Reformatting it will lose all data. If you know what to do please post your thoughts. Ive run out of ideas.


----------



## DaveA (Nov 16, 1999)

What program were you using when you locked up the drive?

And there is nothing but the "AngelFire" image at your link.


----------



## TheOutcaste (Aug 8, 2007)

What did you change in the permissions?
Did you delete a group, or set a Deny permission?
Have you tried bypassing the root of the drive and going directly to a folder?
So instead of clicking on the *D:* drive, in the location bar delete any existing text, then type *D:\<name of folder>* and press *Enter*.


----------



## iTrey (Feb 18, 2010)

Thank you for your replies. I didn't use any program, i just right clicked, opened preferences, went to the security tab and denied all permissions(on accident). I didn't know that as soon as i clicked ok it would deny my (as an admin) permission also. Yes, i have tried that, outcaste.

Here's a differnt link to the picture: http://www.mediafire.com/?b3mzhnzjonm


----------



## TerryNet (Mar 23, 2005)

If that "not accessible" is the result of a right click I have no idea what to do (in Windows).

If you can right click it maybe you can Take Ownership.


----------



## TheOutcaste (Aug 8, 2007)

Deny permissions can get you in trouble in a hurry.
This procedure may fix it if that is what was done. I've walked two people through this on Vista to recover their C: drive, and it should work the same on Win 7, but I've never tried it.

As this isn't the system drive, might be easiest to just backup the data using a Live CD, then delete the partition and recreate it, then copy the data back. It's more intended for recovering the C: drive, so you won't have the hassle of re-installing Windows and all programs.

If done on the Windows drive, it does change permissions from the defaults so there may be some issues with permissions, but I haven't heard of any in the two cases I've dealt with.

If you want to give this a try just for fun and education though, here's the procedure.

I would recommend you first backup your data AND system drive either using a Live CD to boot the system, or image the drives so you can restore things back to the state they are now. I'm not sure if connecting it to another system to copy your data off will work, the other system may be denied access as well. The same may be true with the Windows based Live CDs, so a Linux version would be my first choice, as it generally ignores NTFS permissions.

*Live CDs:*
Ultimate Boot CD for Windows
BartPE CD/DVD
Ultimate Boot CD
Knoppix
Ubuntu
Puppy Linux
Linux Mint
The first two require access to a Windows XP Disk
The Ultimate Boot CD does not include SATA drivers, so you'll need to be able to change the BIOS setting for the SATA controller to ATA instead of AHCI, or Compatibility mode instead of Enhanced (wording will vary)
Note: A Vista/Win7 DVD can also be used to recover files and make some repairs. A Vista RE disk can be downloaded from one of these links:
Vista Recovery Environment CD
64 bit Vista
32 bit Vista
Windows 7 from here:
Recovery Environment CD


Boot with the DVD
Select your language and click *Next*
Click *Repair your Computer*
After it scans for Windows installations click *Next* (Win7: Select Top option first)
Click *Command Prompt*.

You can use *Copy*, *Xcopy*, or *Robocopy* to copy files to an external drive, a different partition, or a different internal hard drive.

Once the data is safe, give this a whirl:

Is the *Administrator* account displayed on the Welcome screen?
If not, follow these steps to activate it:

Boot to Safe Mode and log in with the *Administrator* account if available.
If not, use any other Admin account.
Open a Command Prompt (Should say *Administrator* in the Title bar)
If not, open an Elevated Prompt by clicking *Start*, type *cmd*, when *cmd.exe* appears in the list, right click it and choose *Run as administrator*

type the following (there is a space between the different colors):
*Net User Administrator /active:yes*
You should see *The command completed successfully*

Reboot to Normal mode and log in with the *Administrator* account

If it's never been used before, it may take a minute as the profile is created.

Click on *Start*, type *regedit* in the Search box, press *Enter*
Navigate to this key:

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
```
In the right pane, find *EnableLUA*
If it's not *0* (zero), double click and change it to *0*
You may get a pop up from the tray that UAC has been turned off, you can ignore it.
Collapse the tree back to *HKEY_LOCAL_MACHINE*
Right click on *HKEY_CLASSES_ROOT*, click *Permissions...*
Highlight *CREATOR OWNER*
Check *Full Control* under *Allow*
Highlight *SYSTEM*
Check *Full Control* under *Allow*
Highlight *Administrators*
Check *Full Control* under *Allow*
Highlight *Users*
Click *Remove*
If It Shows, Highlight Your *Username*
Click *Remove*
Click *OK*

Reboot the system, then Log into the *Administrator* account
Right click *Computer*, then click *Explore*
Right click the D: drive, click *Properties*.
Click the *Security* tab
Click the *Advanced* button
Click the *Owner* tab
Click the *Edit...* button
Highlight *Administrators*
Make sure the box for *Replace owner on subcontainers and objects* is _Unchecked_
Click *OK*, *OK* the Pop-up, then *OK* on the remaining property windows to close them
Right click the D: drive, click *Properties*.
Click the *Security* tab
Click the *Edit...* button
Highlight *Administrators*, and click *Full Control* under the *Allow* column
Check all other entries, and remove any *Deny* permissions.
*Default Groups/Allow Permissions*:

```
[B]Authenticated Users [COLOR=DarkRed]Special[/COLOR][/B]
[B]System              [COLOR=DarkRed]Full Control[/COLOR][/B]
[B]Administrators      [COLOR=DarkRed]Full Control[/COLOR][/B]
[B]Users               [COLOR=DarkRed]Read & execute[/COLOR]
                    [COLOR=DarkRed]List folder contents[/COLOR]
                    [COLOR=DarkRed]Read[/COLOR][/B]
```
Click *OK*, then click *Yes* on the Popup
You will get several error Popups, click *Continue* on all of them
Click *OK* on the Properties window.

Open a Command Prompt
Type the following two lines (there is a space between the different colors):
*CD /D D:\
icacls * /C /T /reset*

This will reset the default inherited permissions, but will not remove any Deny permissions that have been set on individual items. It's normal to see Access Denied messages, and some files will fail to be processed.
This should restore the ability to take ownership to remove any deny permissions that may be set on individual files/folders.

Close the Command Prompt when it finishes.
Start Regedit
Right click on *HKEY_CLASSES_ROOT*, click *Permissions...*
Click *Add...*, type *Users*, then click the *Check Names* button
Click *OK*
Click the *Advanced* button
Highlight *Users* and click the *Edit...* button
Check the following boxes under Allow:


Query Value
Enumerate Subkeys
Notify
Read Control

If you wish to re-enable the User Account Control (the Enable LUA value we changed earlier)
*Control Panel | User Accounts*
Click *Turn user Account Control On or Off*
Check the box and Click *OK*
(This does require a Reboot)

Reboot, log into the User Account and test.

Once everything is working, we need to restore *TrustedInstaller* as the owner of D:\
Right click *Computer*, then click *Explore*
Right click the D: drive, click *Properties*.
Click the *Security* tab
Click the *Advanced* button
Click the *Owner* tab
Click the *Edit...* button
Click the *Other users or groups...* button
Type in *NT SERVICE\TrustedInstaller*
Click the *Check Names* button
Click *OK*
Highlight *TrustedInstaller*
Make sure the box for *Replace owner on subcontainers and objects* is _Unchecked_
Click *OK*, *OK* the Pop-up, then *OK* on the remaining property windows to close them

To disable the Built-in Administrator account (Good idea):
Open a Command Prompt
type the following (there is a space between the different colors):
*Net User Administrator /active:no*
You should see *The command completed successfully*


----------



## iTrey (Feb 18, 2010)

Ok thank-you. when i try it, ill get back to you.:up:


----------



## Syst3mSh0ck (Jul 11, 2009)

Nice post, very informative


----------



## iTrey (Feb 18, 2010)

Crap. I only made it worse. I got to this point and then it wouldn't let me get into explorer.


> Reboot the system, then Log into the *Administrator* account
> Right click *Computer*, then click *Explore*
> Right click the D: drive, click *Properties*.
> Click the *Security* tab
> ...


http://www.mediafire.com/imageview.php?quickkey=hmt3yymy3mz
Fortunately, i can access stuff through run.
Also, there is no security tab anymore and when i go into advanced sharing it still says the administrator has blocked access to this folder.
Im going to try reinstalling windows...


----------



## TheOutcaste (Aug 8, 2007)

So at this point we should have these steps done:
Enabled the Builtin Administrator account
Turned off UAC
Gave Full Control Allow permissions to System, Administrators, Creator_Owner on the *HKEY_Classes_Root* Key
Removed the Users group from the *HKEY_Classes_Root* Key

I'm not sure how that could keep Explorer from being able to open. It's already running, as you have the Start menu.
Can you start Regedit from the Run box? If so, try adding the *Users* group back to the *HKEY_Classes_Root* key With Full Control Allow permission.
You can also try restarting Explorer.
Open the Task Manager (CTRL+ALT+DEL, or right click the Taskbar)
Click Start, hold down *CTRL+SHIFT*, now right click a blank area of the Start Menu, between Shut Down and Run.. is a good spot.
Click *Exit Explorer*
In Task Manager click *File | New Task (Run...)* and type *Explorer.exe*, see if that allows you to open an explorer window


----------



## iTrey (Feb 18, 2010)

Thanks! Adding Users back worked, but now im afraid to try the whole thing again. Should i try the "Recovery Environment CD"? Would it fix the problem?


----------



## TheOutcaste (Aug 8, 2007)

I'd be leery of trying it again myself, unless I had a new image to restore if it messed up again.

You could use one of the Recovery Environment CDs to copy every thing over to the C: Drive or a USB drive. You'd have to do that from the command prompt using Xcopy or Robocopy, or you can open two Notepad windows and use the file Open dialogs as kind of a mini File explorer and drag and drop files between them.

A Linux CD would be a more user friendly option as well. If I had to choose one, I think Puppy Linux is a bit easier than Ubuntu or Mint for someone new to Linux. It would let you copy the files to the C: drive, an external, over a network to another PC, or you can burn them to CD.

Once the files are backed up, you can delete the D: partition, create a new one, and format it. That should take care of any permission problems, at least for the D: Drive.

I still don't understand why removing the Users group would have had the effect it did. Makes me wonder just what other oddities are lurking in the shadows. Might not hurt to start planing for a re-install at some point in the future to get a clean start with everything, before something comes up and you have to do it "unplanned".


----------



## TerryNet (Mar 23, 2005)

iTrey said:


> Thanks! Adding Users back worked, but now im afraid to try the whole thing again. Should i try the "Recovery Environment CD"? Would it fix the problem?


If you are going to experiment with permissions start with a test folder with just a few files and sub-folders--maybe a copy of a real one. Take notes of what you do, and if you end up with permissions that work as desired you have a procedure. If not, remove the test folder and start over. 

Are you just experimenting with permissions, or is there a problem you are addressing?


----------



## iTrey (Feb 18, 2010)

Nah, i was just messing around i guess.


----------



## iTrey (Feb 18, 2010)

ok. i found out something did work. i still cant access the drive, but i can access the files in the drive if i have a shortcut already made


----------



## TheOutcaste (Aug 8, 2007)

I've been trying to duplicate this on a Vista system and can't get it to the point of not being able to easily regain access.
I was able to lock my self out previously, which led to that lengthy procedure above. Now, all I have to do is take ownership, reopen the dialog, and edit the permissions.
I now have SP2 installed, previously I had SP1 I believe, or no service pack. Don't have one handy without SP2 to test on at the moment, and don't have a Win 7 system to test with either.

When you right click the drive, click Properties, then click the Security tab, does it display the list of Users or do you have a Continue button and an Advanced button?
What happens if you click either?

If Continue gets the list of users displayed, can you post a screen shot with the user/group that has any Deny permissions checked shown?
Same if clicking Advanced gets the advanced screen to display, showing the Permissions tab and the Owner tab.

Be sure to blank out any user names you don't want shown.


----------



## iTrey (Feb 18, 2010)

im just going to mark this as solved and take my computer to best buy or something


----------



## iTrey (Feb 18, 2010)

Nvm i didnt take it anywhere. about an hour after i last posted, i went into safe mode which made the security tab appear for some reason, and gave full control to all users. That solved the problem. However, something to note: when i restarted my computer after that, it made me run a diagnostic looking for problems on both my hard drives and my memory. Thanks to those that took the time and helped contribute to solving my problem.


----------

