
Recover Administrator Permissions for Files and Folders in Windows

Posted on February 10, 2023 by Tim

I had quite a morning.

One of my colleagues was updating a piece of software with a critical security patch on a remote server. The installer creates a new directory with the version number in a target location. However, not long after they started, I received an email asking me to check the permissions on the new directory, because the application could not read the directory.

“… oh no,” I softly whispered to myself and the cat in my lap.

When I viewed the permissions for the new directory, the DOMAIN\Administrators group was… gone. And if you know anything about Windows permissions, this is not ideal. It basically means you’ve lost control of the directory. You cannot read, write, execute, delete, or change the permissions for the directory.

In other words, it’s hosed.

Thankfully, this was a non-production server. But by default, a new directory inherits the permissions of the parent. In order for this group to be missing, something (or someone) had to have deliberately removed the DOMAIN\Administrators group. That just doesn’t happen on its own.

For the next several hours, I researched ways to undo this action. A lot of the suggestions I read required booting in Safe Mode to change the permissions of the directory. However, this is a remote virtual server, so… no.

If you’re here, you’ve run into the same problem and are desperate for a solution. I hope this helps.

The Fix

Open PowerShell. In my attempts to fix this, a basic command line — even with elevated/administrative rights — could not do this.

Take ownership of the directory. This will cascade down to all objects in the directory.

> takeown /f DIR_NAME /r /a /d y

Grant full rights to your user account. DOMAIN\USER below is the Windows account you’re using, whether that’s a local account or a domain account. If you’re not on a managed domain, then DOMAIN below is the “Device name” of your PC found under Windows Settings > System > About. Ex: TIMS-WIN11-PC. The :F after USER grants full control, and /T cascades to all objects in the directory.

> icacls DIR_NAME /grant DOMAIN\USER:F /T

At this point, your user account again has control of the directory. You can either use Properties > Security to grant full control to DOMAIN\Administrators, or (what I prefer) re-create the directory and copy the directory contents without their permissions. This allows you to start the directory over with a clean slate of permissions that inherit from the parent directory.

Open a command line window. The xcopy command will create any object that is missing in the target, or update one that already exists there if its last modified date in the source is greater than in the target. The parameters tell the program to drill down to all objects in the source directory. Make sure you include the wildcard \* after the SOURCE_DIR.

> xcopy SOURCE_DIR\* TARGET_DIR /s /e
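To confirm the result of the steps above, here is one way to check a directory tree for the state this post describes: the Administrators group missing from the ACL, or inheritance switched off. This is an added example, not part of the original post; Test-AdminAcl is a hypothetical helper name, and it assumes the group in question is the local Administrators group, identified by its well-known SID S-1-5-32-544.

```powershell
# Added example (not from the original post). Test-AdminAcl is a hypothetical helper name.
# Assumption: the group to check is the local Administrators group (well-known SID
# S-1-5-32-544); pass -GroupSid to check a different group.
function Test-AdminAcl {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$GroupSid = 'S-1-5-32-544'
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # The root itself plus every subdirectory. Unreadable directories are still
    # listed by their parent, so they reach the Get-Acl call below.
    $dirs = @(Get-Item -LiteralPath $Root -Force) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $owner = $null; $inherits = $null; $hasFull = $false; $finding = 'OK'
        try {
            $acl      = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            $owner    = $acl.Owner
            $inherits = -not $acl.AreAccessRulesProtected
            # Request SIDs so the match does not depend on DOMAIN\ or localized names.
            $hasFull  = [bool]($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
                $_.IdentityReference.Value -eq $GroupSid -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $full) -eq $full -and
                ($_.PropagationFlags -band $inhOnly) -ne $inhOnly  # skip inherit-only ACEs
            })
            if (-not $inherits) { $finding = 'Inheritance disabled' }
            if (-not $hasFull)  { $finding = 'Group lacks Full Control' }
        } catch {
            # Being denied the ACL read is the symptom this post describes.
            $finding = 'ACL unreadable: ' + $_.Exception.Message
        }
        [pscustomobject]@{ Path = $dir.FullName; Owner = $owner; Inherits = $inherits
                           GroupFullControl = $hasFull; Finding = $finding }
    }
}

# Constructed demo target: a new directory under %TEMP%.
$demo = New-Item -ItemType Directory -Path (Join-Path $env:TEMP "acl-demo-$PID")
Test-AdminAcl -Root $demo.FullName | Format-List
Remove-Item -LiteralPath $demo.FullName -Recurse -Force
```

Point -Root at the re-created directory and filter with Where-Object Finding -ne 'OK' to list only the folders that still need attention.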

Now breathe. You did it.
