Welcome!

Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!

Wednesday, September 26, 2012

Access Denied For Administrator

Source
The Problem
You receive a Windows 7 access denied error when accessing a folder through Windows Explorer even though you have set the permissions correctly. You are an administrator and the Administrators group has full control over the folder, but you can’t access it without Windows re-writing the permissions.
The cause is a new feature in Windows 7 called User Account Control (UAC). It is the combination of UAC and a bug in Windows Explorer that causes the access denied error.
The easiest solution is to simply disable UAC. If this is not possible (for security reasons), read on for alternatives.
What is UAC?
In a nutshell, UAC is an extra layer of security on top of Windows 7. Normally, when you log in as an administrator you have full, unrestricted access to everything. UAC aims to prevent this by running all tasks that don’t require administrator access in a more restrictive manner. When UAC is enabled an administrator has two access tokens: a standard user token (restricted) and an administrator token (unrestricted). All tasks first run under the restricted user token. Only when a specific program or task requires full administrative rights does it prompt you to run it in elevated mode; it then launches that task using the administrator token. For the scope of this article this is all you need to know. To see the full benefit of UAC on Windows 7, follow the link listed above.
How Windows 7 Uses UAC
In Windows 7 some programs will automatically prompt you to run them in an administrative context when you launch them. These are typically programs that serve only one purpose which requires administrator rights in order to run; examples are any of the administrative tools that ship with Windows 7. Other programs, like the command prompt, don’t always need to be run in the administrative context. Simply using the DIR command and browsing folder structures can be done as a normal user; it does not require you to be an administrator. So, although you are logged in as an administrator, it will run under your standard user context. If however you type something like ipconfig /renew, it will fail with an access denied error. At this point you need to close the CMD prompt, find it again in the start menu, but this time right-click it and choose “Run as administrator”. This launches the program using the administrator token, and ipconfig /renew will now work.
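As an added example (not from the original post), this PowerShell snippet shows the two-token behaviour described above: run it in a normal console and again in one launched with “Run as administrator” and compare the output. It assumes an English Windows build, because it matches the attribute text that whoami prints.

```powershell
# Added example: report which UAC token the current PowerShell session holds.
function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole consults the token actually in use: under the filtered
    # (standard user) token it returns $false even for an administrator.
    $elevated = $principal.IsInRole($adminRole)

    # whoami lists every group SID in the token with its attributes. Under the
    # filtered token BUILTIN\Administrators (S-1-5-32-544) is still present but
    # flagged "Group used for deny only" (English attribute text assumed).
    $groups      = whoami /groups /fo csv | ConvertFrom-Csv
    $adminsGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    [pscustomobject]@{
        User                   = $identity.Name
        MemberOfAdministrators = [bool]$adminsGroup
        AdministratorsDenyOnly = [bool]($adminsGroup -and $adminsGroup.Attributes -match 'deny only')
        Elevated               = $elevated
    }
}

Get-UacTokenState | Format-List
```

In the normal console an administrator sees MemberOfAdministrators True, AdministratorsDenyOnly True and Elevated False; in the elevated console Elevated becomes True and the deny-only flag disappears.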
Why You Get Windows 7 Access Denied On Folders
Something I found that isn’t well documented regarding UAC is how it treats folder permissions. If you try to access a folder to which the built-in Administrators GROUP has access, UAC expects you to access it using your administrator token. Say you are a member of a group called Managers and this group has access to a specific folder. When accessing this folder it works as expected; you gain access. If however you are not a member of this group but are a member of the built-in Administrators group, which also has access to the folder, you still get an access denied. This is not as expected; you should still gain access. With UAC enabled, to access this folder you need to run Windows Explorer under your administrator context by manually launching Windows Explorer from the start menu, right-clicking it and choosing “Run as administrator”. This SHOULD WORK but unfortunately doesn’t, due to the bug mentioned at the beginning of this article, resulting in an access denied message.
It is important to note that this ONLY affects the Administrators group. As already mentioned, for example, if I create a new group called “staff” and add this group to the NTFS permissions of the folder, I can access the folder fine without having to elevate the program, as long as I am a member of this group. This is ONE of the workarounds to this problem: for every folder you need access to, create a new group and use it to assign permissions instead of the Administrators group. This will allow you to access the folders without running Windows Explorer in the administrative context.
Windows Explorer Doesn’t Work With UAC
Yes, you heard that right. I had to do a lot of research to find this out. This affects Vista, 2008 and Windows 7. Of course MS haven’t officially acknowledged this, but you can prove it yourself by doing the following:
  • Log in as an administrator and set permissions on a folder so that ONLY the Administrators group has access to it.
  • Open two command prompts; one as normal and the other under the administrative context.
  • Now try to DIR this folder in both command prompts and read the contents. You will find that the CMD window running under the administrator context is the only one that can access the folder. This is behaving correctly, as explained above.
  • Now open MS Word, Excel, whatever in the administrative context. Save a file in this folder. This proves Word is running in elevated mode – the point of this step is to illustrate that ANY program (not just CMD) can access a folder that only Administrators have access to if you run it under your administrator context. Close Word.
  • Now open Word in the standard context (no admin) and try to open the file. You get an access denied. Again, behaving exactly as it should.
  • Now open two Windows Explorer windows; one as normal and the other under the administrator context.
  • Try accessing the folder and BOTH OF THEM will fail. This proves Windows Explorer (for reasons beyond me) does not run under the administrator context.
A bug? I think so! So how do we access the folder in Windows Explorer? You can’t, at least not in this context. MS seriously screwed up here in my opinion. A lot of folders only allow the Administrators group access, so without tweaks you will also get an access denied error on them if UAC is enabled!
How Do We Prevent Access Denied On the Folder?
In Windows 7, access denied errors on folders can be eliminated using a few methods. The easiest one, as mentioned at the start of this article, is to turn UAC off. Folder access will then behave exactly like XP. If this is not possible, what I found works is to create a new group in Active Directory and call it something like “All-Folders-Access”. Add your administrator account to this group and then give this group full control permissions on the same folders the Administrators group has access to. This will allow you to access the folders with Windows Explorer. This is time consuming, but it is the only solution if you want to keep UAC in use.
Your third option is to re-write the permissions on the folder and let Windows 7 do this for you. This is fine on normal folders, but I would not recommend it on special folders like Windows, System32, user profiles, etc. These folders have special permissions assigned to them; overwriting them can cause serious problems and possibly require a re-installation.
The 4th and final workaround is probably your best option, as it allows you to keep UAC enabled with no downsides. With the introduction of UAC came additional group policies in Windows 7 to manage it. These are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:
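The following PowerShell script is an added example (not from the original post) that covers both the test folder from the numbered steps above and the dedicated-group workaround: it builds a folder that only BUILTIN\Administrators can open, provides a probe to run from a normal and from an elevated console, and then grants a separate group Full Control beside Administrators. Run it from an elevated console; the folder path C:\UacTest and the group CONTOSO\All-Folders-Access (which must already exist) are assumptions.

```powershell
# Added example: reproduce the admin-only test folder and apply the group workaround.
$Folder      = 'C:\UacTest'                  # assumed test folder
$AccessGroup = 'CONTOSO\All-Folders-Access'  # assumed, pre-existing group

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noPropagate = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

function New-FullControlRule([string]$Identity) {
    # An Allow ACE that applies to the folder, its subfolders and its files.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $fullControl, $inherit, $noPropagate, $allow)
}

# Step 1 of the test: a folder that ONLY the Administrators group can access.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }   # drop explicit ACEs
$acl.AddAccessRule((New-FullControlRule 'BUILTIN\Administrators'))
Set-Acl -Path $Folder -AclObject $acl

# Probe: call this from a normal and from an elevated console. Under the filtered
# token Get-ChildItem throws "Access to the path ... is denied".
function Test-FolderAccess([string]$Path) {
    try   { Get-ChildItem -Path $Path -ErrorAction Stop | Out-Null; 'access granted' }
    catch { 'access denied: ' + $_.Exception.Message }
}
Test-FolderAccess $Folder

# Workaround: grant a dedicated group Full Control beside Administrators, so its
# members get in through the standard token without elevating Explorer.
$acl = Get-Acl -Path $Folder
$acl.AddAccessRule((New-FullControlRule $AccessGroup))
Set-Acl -Path $Folder -AclObject $acl
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Because the workaround group is a second path into every folder it is applied to, keep its membership as small as the Administrators group itself.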
(Screenshot: the User Account Control policies under Security Options in the Windows 7 group policy editor)
This last solution is probably your only option for special folders like profile folders. By default only the user has access to their own profile. There is another group policy that will add the Administrators group to each user profile when it is created, thus allowing administrators access, but of course this won’t work with UAC on.
From the printscreen above, if you enable the first option it will basically disable UAC for the built-in administrator account. This prevents the Windows 7 access denied error on these special folders, as you no longer need to elevate Windows Explorer, therefore bypassing the bug. This keeps UAC on for all other accounts and is the most secure workaround of the 4 provided. If you have other administrator accounts which require access to these folders, you will need to enable the 3rd option (highlighted above). This will affect anyone who is a member of the Administrators GROUP rather than just the built-in administrator account. This kind of defeats the point though. You have effectively turned off UAC for all administrators, so you might as well disable it outright. I would suggest enabling it for the built-in account only and using other administrator accounts for your administrative duties. Only when you come across this problem would you log in as the built-in administrator and then amend permissions accordingly.
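Before touching any of these policies it helps to know what a machine currently has set, and afterwards to confirm that only the built-in account, not every administrator, was exempted. This added script (not from the original post) reads the registry values that back the UAC policies in Security Options; the value names and Windows 7 defaults are the documented ones, and mapping them onto the numbered options in the missing screenshot is my assumption.

```powershell
# Added example: audit the UAC policy values so you can see which accounts are
# exempt from Admin Approval Mode before and after changing the group policy.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyState {
    $p = Get-ItemProperty -Path $uacKey
    # A missing value means the Windows 7 default applies (documented defaults).
    $enableLua     = if ($null -ne $p.EnableLUA)                  { $p.EnableLUA }                  else { 1 }
    $filterBuiltIn = if ($null -ne $p.FilterAdministratorToken)   { $p.FilterAdministratorToken }   else { 0 }
    $promptAdmin   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { $p.ConsentPromptBehaviorAdmin } else { 5 }

    [pscustomobject]@{
        # "Run all administrators in Admin Approval Mode": 0 turns UAC off for every admin.
        RunAllAdminsInAdminApprovalMode     = ($enableLua -eq 1)
        # "Admin Approval Mode for the Built-in Administrator account": 0 leaves the
        # built-in Administrator with its full token while UAC stays on for others.
        BuiltInAdminInAdminApprovalMode     = ($filterBuiltIn -eq 1)
        # "Behavior of the elevation prompt for administrators": 0 = elevate silently.
        ElevationPromptBehaviorForAdmins    = $promptAdmin
        # Summary of which of the article's two policy workarounds is in effect.
        OnlyBuiltInAdminExemptFromUac       = ($enableLua -eq 1 -and $filterBuiltIn -eq 0)
        UacOffForAllAdministrators          = ($enableLua -eq 0)
    }
}

Get-UacPolicyState | Format-List
```

The secure outcome the post recommends shows as OnlyBuiltInAdminExemptFromUac True and UacOffForAllAdministrators False; if the second is True, UAC has been switched off for the whole Administrators group.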
