I had quite a morning.
One of my colleagues was updating a piece of software with a critical security patch on a remote server. The installer creates a new directory with the version number in a target location. However, not long after they started, I received an email asking me to check the permissions on the new directory, because the application could not read the directory.
“… oh no,” I softly whispered to myself and the cat in my lap.
When I viewed the permissions for the new directory, the DOMAIN\Administrators group was… gone. And if you know anything about Windows permissions, this is not ideal. It basically means you’ve lost control of the directory. You cannot read, right, execute, delete, or change the permissions for the directory.
In other words, it’s hosed.
Thankfully, this was a non-production server. But by default, a new directory inherits the permissions of the parent. In order for this group to be missing, something (or someone) had to have deliberately removed the DOMAIN\Administrators group. That just doesn’t happen on its own.
For the next several hours, I researched ways to undo this action. A lot of suggestions I read suggested required booting in Safe Mode to change the permissions of the directory. However, this is a remote virtual server, so… no.
If you’re here, you’ve run into the same problem and are desperate for a solution. I hope this helps.
The Fix
Open PowerShell. In my attempts to fix this, a basic command line — even with elevated/administrative rights — could not do this.
Take ownership of the directory. This will cascade down to all objects in the directory.
> takeown /f DIR_NAME /r /a /d yGrant full rights to your user account. DOMAIN\USER below is the Windows account you’re using, whether that’s a local account or a domain account. If you’re not on a managed domain, then DOMAIN below is the “Device name” of your PC found under Windows Settings > System > About. Ex: TIMS-WIN11-PC. The :F after USER grants full control, and /T cascades to all objects in the directory.
> icacls DIR_NAME /grant DOMAIN\USER:F /TAt this point, your user account again has control of the directory. You can either use Properties > Security to grant full control to DOMAIN\Administrators, or (what I prefer) re-create the directory and copy the directory contents without their permissions. This allows you start the directory over with a clean slate of permissions that inherit from the parent directory.
Open a command line window. The xcopy command will create (or update, if it exists) any missing object (or whose last modified date in the source is greater than the target). The parameters tell the program to drill down to all objects in the source directory. Make sure you include the wildcard \* after the SOURCE_DIR.
> xcopy SOURCE_DIR\* TARGET_DIR /s /eNow breathe. You did it.