Recieve "windows cannot access the specified device path or file" as the administrator and owner

Some antivirus applications can prevent you from opening .exe and other potentially dangerous files from a remote location. You might try to temporarily disable your antivirus application and see if you can access the files. If so, you may need to edit the settings of the AV application on that computer.

It might be also possible that you don't have to read/execute permission on the shared folder, but you have read permission. So you can copy the file to your workstation, there it will inherit the permissions of the target folder and you can execute the files (enabled by default).
So my suggestion is to check the NTFS permissions on the network folder, ideally through Effective permissions tools (folder properties -> Security -> Advanced -> Effective Permissions)

My  antivirus settings haven't been changed and I was able to access these files previously. But I just as a test I disabled my antivirus and was still unable to open the files.

I am a domain administrator and have full access to the files. But I did check and I have all of the boxes checked.

Try this:

Go to the link and click: EXE (lnk and regfile) Fix for Windows XP

http://www.kellys-korner-xp.com/xp_tweaks.htm

It's on line 12

Well i just found another error that I'm not sure is related, but I have attached a screen shot of it. It occurs when I clicked on the link. I have reset all of my IE security settings and that didn't fix it. When I click "ok" everything closes and the file doesn't download
download-error.JPG

OK, let's try it a different way:

Download this .txt file. Change the format of the file to .REG. once done, double click this file.
exefix.txt

I downloaded the file and changed it to a reg file. I ran the file and was still unable to run any of the files.

Well, that rules out shell handlers for exe files.

Where are your roaming profiles kept? Are they on a DC, mass storage device, or some other device?

The roaming profiles are managed by the DC, but stored on a file server

I was hoping it was a linux based mass storage device. Being a file server means it would have been joined to the domain and not lost its ability to authenticate with AD.

So, that leads me to the next troubleshooting possibility. Are these EXE and MSI files that you created have a signed publisher. Some security settings will not allow you to run EXE and MSI files that are not digitally signed.

Some do and some don't; the 2 msi files i tried were a install files from Microsoft and another software vender, some of the other files were just created in house and don't have a digital signature.

OK:
Digital signatures are not a problem in some cases.
The shell for exe files is not a problem.
You can't run .REG, .EXE, and .MSI files.
You can see the files within the share, but can't run them.

This really sounds like a program that is denying you access to run these files from a remote location or a plain old permissions problem, as martin babarik pointed out.

What Antispyware package are you running? I think Spybot S&D prevents from running EXE files from a remote location. Some other antispyware packages may prevent you from running these files from a remote location.

Can you execute these .exe files locally? In other words, can you copy the file and paste it to the c:\drive and be granted access to the file?

We aren't using any antispyware, we use symantec antivirus, but when i disabled it i still wasn't able to run the files.

I can copy and paste the files on my desktop or anywhere on the c: drive and run them. They work perfectly then.

Did you check the NTFS and SHARE permissions on your file server as martin babarik suggested?

Sorry it took so long to get back to you, I was out of the office on Friday. But yes I did check those permissions and I have full access.

We have not tried this, but do you have a DNS connection to the profile holder.

Try to ping the server that holds the file shares by using the server name. Sometimes you can see a file in the browser, (in my network places). But, you can't access it because DNS will not allow you to authenticate with the authentication server.

One other thing I should ask, do you use cloned or imaged machines? Could the SID be the same for two or more computers, therefore confusing the authentication process?

Yes, I can ping the server that is holding the profiles without issue.

We don't use cloned or imagined machines. So it would be extremely unlikely that the SID was the same as another computer.

Did you check the ""Effective Permissions"""

Permissions are done by taking the NTFS permissions and Share permissions and comparing the two. It will take the combine each permission and take the most restrictive of the two. The effective permissions tab will tell you what the combination of the two permissions sets will give you.

On the shared folder, right click, go to sharing and security, click on the advanced button and click on the "effective permissions" tab. Then, type in the person or group you want to see what the effective permissions, or what I call the "resultant set of permissions" , is for that share.

This was suggested by martin_babarik earlier and I have every box check. I have ownership of both the file and folder.

Oh, (bleep):

I am not thinking.

XP has the ability to cache domain usernames and passwords. It will use those cached records prior to going to the domain controller. If you changed your admin password recently, your cached entry will not match the domain password. So, you can get an access denied. But DNS works, so you can see the files.

On the XP box, go to, control pannel>>users accounts>>advanced tab>>manage password button. Remove all cached entries.

There are no entries in that section.

I thought for sure that was it:

I can only think of one other thing at the moment. Maybe the child objects within the share don't have the same permissions as the share. Have you pushed permissions down to all child objects within the share?

To do this, go to the right click the share, go to the sharing and security menu, click the advanced button, and select the box that says replace permissions on all child entries within the share. Then, click apply, (or is it OK).

Please credit martin_babarik if the above is your answer:

He would have been on target with sharing inheretence.

I checked this first and it already is. Could it possibly be something is corrupted in my user profile? Because I noticed today that I couldn't access the same types of files on my own personal network drive(in Active Directory its the Home Path and Profile Path).

I have wanted to say from the beginning this is an IT security setting:

Look at the files you are having problems with.
>.EXE (executables)
>.MSI (Microsoft Installers)
> .REG (registry editting files)

> and access database files

I am not clear if you are having problems with all file types, (like .doc, .txt, .xls).

The file types you seem to have problems with are the most Operating system intrusive files. They are used to install files, execute programs, edit the registry and so forth. Since you can run them locally and not remotely or off of a flash drive/network drive, this makes me think more and more about IT security settings. The question is, (is this the only machine effected or is it on every machine you go to and log on).

As mentioned before, Antivirus packages can prevent you from running these types of files from a remote location unless otherwise configured. We ruled out that possibility.

Antispyware can do this. We ruled that out.

unsigned software: (you say some of it is signed)

There is a Group Policy Object that can do this. It takes a little knowledge of Group policy and some edits. Since, I don't know if you have someone tinkering with group policy there is no way of telling wether you have a GPO that is blocking you. You would know of the GPO if you created it yourself.

Also, XP users can't run these types of files from remote locations. So, maybe your Domain credentials are saved as a user, instead of a local user, on that XP machine.

The one file type that has thrown me for a loop is the problem you are having with the access files. This shouldn't be a part of an IT security lockout.

So, can you tell me if all file type are problematic?
Can you also tell me if this is one machine that is having problems under your logon credentials?


 

 

No, not all file types are a problem. I can open .txt, .doc, .jpg and .xls files.

I tried logging onto another machine and I received the same error messages I was receiving on my own machine.

Then it looks like you have a domain group policy object that prevents users from using certain files.

Run RSoP in logging mode and see what shows in the:
Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies
User Configuration\Windows Settings\Security Settings\Software Restriction Policies

We aren't using a group policy on the major user group, which I am a part of. There are other group policies but they don't affect this situation.

At this point, you may be willing to try just about anything. Hang in there with me. This may seem odd, but I have a hunch.

Windows Explorer and Internet Explorer are like peas in bed with one another. So, maybe entering in the UNC path in trusted sites of IE will prevent explorer from denying you access from running these "operating system intrusive" files.

Give that a shot, it can't hurt.

I say "peas in bed with one another" because of the nature of Windows:

Windows Explorer is a GUI Shell that is used on the local machine.
Internet Explorer is a GUI Shell for remote sites, including USB storage devices.

They are like peas in a pod, because they are very similar in nature.
They are in bed with one another because they combine to make the complete package.

They are like peas in bed with one another, because sometimes it is all confusing.

Windows explorer has less security features because you are running OS intrusive files locally.
Internet explorer has more security features because you are running OS intrusive files remotely.

See the paradox?

WOW!!! Where did you pull that one out of. Cause it works. Any ideas how to fix it? Also, I recieve the file download error I attached earlier in this post.

Well, internet explorer has your domain as an untrusted site. All security settings that prevent you from accesing .exe, .msi, and .reg files and whatever else  pertain. You can enter your domain as a trusted site, or you could probably create a GPO to add it as a trusted site.

Let me go to work and review the Internet explorer security options. Then, I might be able to link them up to a GPO or recommend some settings. Here at home, I have never used Internet Explorer. You will hear from me  tomorrow.
 

I am adding this article so, I can easily reference this tomorrow morning. Parts of this article say the problem occurs regardless of certain configurations. So, I wanted that information handy while looking up the fix.

I think there is an option to identify your Intranet in IE advanced options.

http://support.microsoft.com/kb/303650

I am going to call in a little help on this one. Others might have a fix rather than a work around.

I had the same problem yesterday.  I disabled the windows component "Internet Explorer Enhanced Security Configuration" for administrators and was able to run any .exe I needed. Of course, that also disables the extra security for Internet Explorer, but at least it got me going.

This probably falls into the 'work around' category also, but I thought I'd add my two cents.

Thanks, I'll be out of the office for the next 2 weeks, but feel free to leave possible suggestions and I will test them when I return.

I was thinking about the possibility of adding your domain as a trusted site in a GPO.

OK:

Here's what I came up with today. Microsoft KB article only offers the work arounds. A plausible fix is to disable advanced security settings. Here are a couple articles for your reading pleasure:

http://support.microsoft.com/kb/942091
http://support.microsoft.com/kb/815141

Please NOTE:: Disabling Advanced security settings in IE will allow your users to run scripts and install files from a remote location. I think you want an alternative solution to adding all of these trusted sites and disabling IE security.
_________________________________________________________________________________

I wish to offer an alternative solution. Knowing the problem, do you think we might be able to add the  UNC path to your server by using a GPO. Doing this will allow you to continue to run under advanced Internet Explorer Security while you will still be able to access your resources as a trusted site. I think this is a more reasonable solution.

From one of our very own in EE:
https://www.experts-exchange.com/questions/21022455/How-to-add-Trusted-Intranet-site-using-GPO.html?qid=21022455

Now, what to add?? I don't think this will work by adding your domain as a trusted site:
*.your.domain.name  (meaning all on your.domain.name) You may have to add the UNC path of the file server.
So, it might end up looking like this:
\\yourservername

A non recommended fix to Explorer Enhanced Security is to remove it. Removing Enhanced Security will leave you more vulnerable.

You can go to

control pannel>>add/remove programs>>Windows components

to remove enhanced seurity.

Once again, this is not recommended because of becoming more vunlerable.

Sorry it took so long to get back to you and maybe I'm miss reading your advice. But it seems like you are offering fixes for how to allow me to access the files in internet explorer, which I can do now. I can't access the files from windows explorer. Also, there are no GPO on our domain controller so that shouldn't be an issue.

I am a little confused.

You can run these exe files in Internet explorer.

You can also run these files locally on Windows explorer.

Sounds like internet and windows explorer both work. When are we getting access denied errors?

Sorry I haven't responded in a while, I got caught up in another project.

I can't run these files in Windows Explorer over the network. I have to copy the file to my local computer(C: Drive) then open and make the changes, then move the file from my local computer to the network and replace the old file.

Hope that clears up the problem

OK:

I have been helping folks out recently on this issue and it seems there are two things that can cause such a problem.

One we already discovered. It is Internet Explorer Enhanced security. (I still believe this is your problem)
https://www.experts-exchange.com/questions/23351830/Admin-Permission-issue.html

The second is problems with the Domain Browser Services not being able to communicate.
https://www.experts-exchange.com/questions/23463433/domain-is-not-accessible-you-may-not-have-permission-to.html

If you choose to remove IE enhanced security. Please credit Christop123 for that solution.

I attempted both of those and neither solved the issue. I eventually just rebuild my user profile. Now everything works fine

I'd just like to pass a thank you to this thread.  Using it I was able to find out the issue on one of our DC's.  I was attempting to install the symantec AV from a machine on another domain, and was getting problems.  Adding *.ourdomain.com to the trusted sites worked, and so did the removing Internet Explorer Enhanced Security.  For the actual rollout, I'll just add the trusted site via group policy, which'll work regardless of whether the client machines have the IEES.

Thanks to all.

Like Nomadics, this post helped me sort a similar issue. In my case, the IE7 Security level on Local Intranet had somehow got set to High, rather than it's default Medium-Low. Not the same fix, but the points raised here got me looking through the IE7 security settings generally.