Would Someone Care To Explain To Me Drive Security Settings

Discussion in 'Windows 10' started by ChaserLee, Jul 1, 2018.

  1. ChaserLee

    ChaserLee MDL Senior Member

    I admit that I have never fully understood the settings that can be found when I right-click a file, folder, or even a drive, click Properties, and then select the Security tab.

    Here is my particular situation. I am using drives which contain folders and files that I've had for years, and during those years they have been in many different systems, with many different OS installed.

    Inevitably, when I install a new OS, I will run into situations where when I try to read a folder on a drive, a pop-up will tell me I don't have permission to read that drive/folder/file. Even though I'm logged in as the only user of the new OS, which I assume gives me Admin rights. So anyway, I have to click the pop-up and tell it to read the folder or whatever anyway, and then it goes ahead and does the read.

    But there have been many times when I cannot edit a file that is on that drive, and so on.

    So, what I've tried to do is to go to a particular folder on a drive, and right click and choose Properties, then the Security tab. In the list that says "Group or user names:" most of the time I see several entries that read "Account Unknown(...blah blah)", and they all have full control enabled. On the folder I just did that on, there were 8 different entries like that. Now, in addition to all those, there are three entries that read SYSTEM, (My user name with my outlook address), and finally Administrators.

    Of those last three, System has full control, Administrators has full control, but the entry that has my user name and outlook email address can only Read & execute, List folder contents, and Read. That's all.

    Now, shouldn't I be able to have full access to all files, with full permissions on each and every drive in my computer with the account I log in with? I'm the only user, so I'm thinking I should have full access to 99% of all files in each and every drive in my computer.

    How can I take care of this issue, because it gets very tiring having to go and change the Security permissions on a folder or file every time I run into one that won't let me edit it or change it in any way.

    I've tried running the "Take Ownership" program on entire drives, folders and such, but that doesn't seem to solve the security issue....

    Any help would be greatly appreciated!!!
     
  2. ChaserLee

    ChaserLee MDL Senior Member

    #3 ChaserLee, Jul 1, 2018
    Last edited: Jul 1, 2018
    (OP)
    In the code above, do I enter those 2 lines exactly like they are, or am I supposed to supply my computername and username ??

    I grabbed a copy of the GUI program you linked to, and I thank you very much! But I'd still like to know about those 2 lines of code you provided...
     
  3. TairikuOkami

    TairikuOkami MDL Expert

    You can leave it as it is; just change the letter of the drive to the one you need to access.
     
  4. whitestar_999

    whitestar_999 MDL Addicted

    What's happening is that you are swapping hdd between many systems & OS (all windows), which is causing lots of now irrelevant account permissions/ownerships on all the data in those drives. Furthermore, you are not clearing the mess after each swap/reinstall, resulting in accumulation of these entries.

    My suggestion is to remove all irrelevant/unknown accounts from all the drives (basically right click a drive letter & properties permission tab, also enable "replace child objects permissions with inherited permissions") until only known/standard accounts are left. Do this after every swap/reinstall, though this issue usually affects external hdd more than internal hdd.
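
    The cleanup described in the post above can also be scripted. Added example, not part of the original thread or any poster's script: a PowerShell function that lists explicit permission entries whose SID no longer resolves to an account (shown as "Account Unknown" in the Security tab) and removes them only when asked. The function name `Find-OrphanedAce`, its parameters and the `E:\` path are assumptions.

```powershell
# Added example, not from the thread. Function name and parameters are hypothetical.
# Run from an elevated PowerShell prompt, on data drives only.
function Find-OrphanedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,  # assumed example: 'E:\'
        [switch]$Remove                       # without -Remove the function only reports
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }
        $changed = $false
        # Explicit ACEs only ($true, $false): inherited ones are fixed on the parent.
        foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
            $sid = $rule.IdentityReference
            $orphaned = $false
            # A SID left over from a previous Windows install cannot be mapped to a name.
            try { [void]$sid.Translate([System.Security.Principal.NTAccount]) }
            catch [System.Security.Principal.IdentityNotMappedException] { $orphaned = $true }
            catch { Write-Warning "Lookup failed for $($sid.Value)" }  # treated as resolved
            if (-not $orphaned) { continue }
            [pscustomobject]@{ Path = $item.FullName; Sid = $sid.Value; Rights = $rule.FileSystemRights }
            if ($Remove -and $PSCmdlet.ShouldProcess($item.FullName, "Remove ACE for $($sid.Value)")) {
                [void]$acl.RemoveAccessRuleSpecific($rule)
                $changed = $true
            }
        }
        if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
    }
}

# Report first, preview the removal, then apply:
# Find-OrphanedAce -Path 'E:\'
# Find-OrphanedAce -Path 'E:\' -Remove -WhatIf
# Find-OrphanedAce -Path 'E:\' -Remove
```

    Entries for SYSTEM, Administrators, Users and the current account resolve to names and are left untouched; only entries whose SID cannot be mapped are reported or removed.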
     
  5. I've faced this situation sometimes and I've found a simple solution to solve this.
    Download and boot into Linux Mint from USB and change the files' directory by moving all the files into a new folder, and after that restore the files to the directory where they were.
    In this changing directory process, Linux restores the file permissions and sets them to default.
    Now boot into Windows and see the difference.
     
  6. ChaserLee

    ChaserLee MDL Senior Member

    Thanks everyone for their great input!! The only thing I'm left with now is how to get rid of all the "Account Unknown" entries on all my drives... Is there an easy or preferred way of doing that?
     
  7. AveYo

    AveYo MDL Expert

    #8 AveYo, Jul 1, 2018
    Last edited: Jul 4, 2018
    Using a "Take Ownership" program in the past is part of the problem.
    Now you actually have to use such a thing to fix it.
    I'll advise against executable programs, and use instead built-in windows tools via a registry file to add Take Ownership context menu. Example: TakeOwnership.reg
    -code superseded by better powershell based script below-

    There are other variations, some don't even work properly. Mine sets Everyone as owner and full control, keeping inherited permissions, hence preventing annoyances along the way.
    Give it a go (might need to run it twice for some broken folders, so refresh and re-check if ownership changed and permissions added).

    You don't like managing permissions once in a blue moon via a convenient context menu entry?
    Format your external HDDs with FAT32 or exFAT.

    Edit: switched ownership from Everyone to Users group as it's more suitable for this task.
    Difference from ClearOwnership.reg posted in a followup post is that it restores default inherited permissions from parent.
     
  8. whitestar_999

    whitestar_999 MDL Addicted

    FAT32 max file size is 4GB, practically useless in today's time.

    I am not sure any of the above scripts will solve the issue of "unknown accounts" but I may be wrong.

    I already suggested a way to do this in my previous post so try it.
     
  9. ChaserLee

    ChaserLee MDL Senior Member

    #10 ChaserLee, Jul 1, 2018
    Last edited: Jul 1, 2018
    (OP)
    I copied that code, made an ownership.reg file out of it, ran it and imported it into the registry, but there is no context menu entry for taking ownership. Nothing even close to that. I rebooted, but same result. Nothing showing up in the file context menu.... suggestions?

    UPDATE: OK, it was my fault for not using it correctly. I was trying to run it on a single file, instead of on a directory. Once I selected a directory, the context menu entry was there. However, still the same issue, it did not remove any of the old Unknown entries... Was it supposed to? If not, how do I accomplish that?

    Also, is there a way to make Ownership go to SYSTEM instead of Everybody? Reason I ask is because if I run that script on my file share directories, then it's going to mess up the restrictions I have on Everybody being able to only read files, and not modify them in any way.
     
  10. ChaserLee

    ChaserLee MDL Senior Member

    #11 ChaserLee, Jul 1, 2018
    Last edited: Jul 1, 2018
    (OP)
    I did try it, which is why I gave you a like on the post. But it did not remove those Unknown entries I have.... which is what I'm trying to do now... And as an update, you were correct that script did not remove the Unknown account entries either, so I am still looking for an efficient way of doing that.
     
  11. AveYo

    AveYo MDL Expert

    #12 AveYo, Jul 1, 2018
    Last edited: Jul 2, 2018
    It's unsafe, to the point of irresponsibility, to clear existing permissions, hence it's not featured in the script I've shared above.
    But if you know what you're doing, and don't use it on OS stuff, then it's trivial to adjust the script to do that as well, [example removed, see following post]
     
  12. whitestar_999

    whitestar_999 MDL Addicted

    Strange, I have used this same method to remove unknown account entry from an entire drive's data. Can you tell me exactly what you did & where it didn't work?
     
  13. AveYo

    AveYo MDL Expert

    #14 AveYo, Jul 2, 2018
    Last edited: Jul 4, 2018
    @ChaserLee: "UPDATE" only makes sense in a top post, not in the middle of a discussion; it gets overlooked, especially when ninja editing.

    You're confusing share access with direct file access. You can set your shares as readonly from the share interface, it's a separate thing.
    The Everyone sid no longer includes anonymous logins from network, plus it's the default owner and full control for a new drive if I'm not mistaken.
    But anyway, I think the second choice after Everybody would be Users, since it's non-crippling for all local accounts, I'm not a fan of System ownership for personal files.
    So here's one more version that should remove all other permissions and only add Users with full control: ClearOwnership_v2.reg
    -code superseded by better powershell based script below-

    Ownership can sometimes be blocked, hence only some will change to Users, and others remain to Administrators
    Had to use a deprecated function to achieve it in the context of max command line allowed via registry
    The wmic part is to get the Users group regardless of Windows language
     
  14. ChaserLee

    ChaserLee MDL Senior Member

    Firstly, thank you again for your efforts on this issue I've been having!! Progress has been made to a great extent via your scripts!! Not to sound ungrateful, because as it stands, I can get the job done now with your 2 scripts, but it's a 2-part procedure.

    I made a new .reg file from your edited TakeOwnership script from towards the top of this thread. I'm sure I made a mistake when I ran the edited .reg file and imported it into the registry, because now I have 2 entries in my context menu that both read TakeOwnership. But by experimenting with them, I now know which is the original one, and which is the edited one that is supposed to make the Owner into Users. It does not do that for me. It just brings back all the inherited permissions without changing the owner at all.

    So, as it now stands, I run your original .reg file that makes the owner Everyone. That at least does change the owner, and as I said, leaves all kinds of entries in the permissions box.
    Then I run your second script, ClearOwnership, which leaves the owner as Everyone, but does clear all those entries in the permissions box except for the one entry of Users that have full permissions.

    I hope all that is clear. So, now at this point, if somehow you could come up with a final script that changed ownership to Users, and cleared all entries in the permissions box to only have Users with full control, that would be great.

    An added extra bonus would be if you could instruct me as to how to remove that second entry in my context menu for the edited version of TakeOwnership. I could probably find a third party program to do it, but thought you might know of a faster way to get it done.

    Again, Many Thanks!!!!!
     
  15. ChaserLee

    ChaserLee MDL Senior Member

    I got rid of the second TakeOwnership entry from my context menu by using regedit and deleting all occurrences of "322takeown", so that issue is taken care of.
     
  16. AveYo

    AveYo MDL Expert

    #17 AveYo, Jul 4, 2018
    Last edited: Jul 19, 2018
  17. ChaserLee

    ChaserLee MDL Senior Member

    Thanks VERY much. I'll try them both later on tonight, and post back with the results!! I really do appreciate the effort you have put into these scripts!!
     
  18. Feniksrising

    Feniksrising MDL Member

    Windows working against you is a security feature. When I run into this instead of doing the right thing I just use a sledgehammer called "unlocker".

    So long as you are not messing around with anything in the Windows folder nothing can go catastrophically wrong.
     
    @BAU
    One partition in my system automatically includes Creator Owner in the file permission user list
    and sets 'Administrators' as the file owner.
    But the other partition doesn't add Creator Owner to the list and sets windows 10 (user name) as the file owner of the files.

    Could you suggest any script which can:
    - restore (set to default) the partition owner list and the users list in file permissions at the partition level,
    - and also restore (set to default) the owner and user list or any other thing in all the files and folders of the partition?

    In short, a script which can set everything related to file permissions to default.
    Thank you.