ekriner
asked on
Can't take ownership or delete a folder.
I need help changing ownership of a folder. Our SBS 2003 box was recently compromised with w32sdbotaj and w32mytobab. When it was compromised a few Administrator accounts were created; Admin, Admin$ and Admin000. I have removed the accounts from AD MMC and removed their profiles by going into system properties --> advanced --> clicking settings on User Profiles and removed the profiles. I noticed the folders had not been moved under C:\Documents and Settings\%username%. Admin and Admin$ are still there. They have a folder in there called cookies that I have tried to take ownership of from the root of the folder and from the folder up a level. Each time I do, it gives me the following error:
An error occurred applying security information to:
C:\Documents and Settings\admin\Cookies
Access is Denied.
I have tried logging in as domain Admin, Administrator and still no luck. I have rebooted the box several times, and still no luck. I have checked the box Replace owner on subcontainers and objects too.
When I right click on cookies and do a properties I only see 2 tabs --> General and Customize. No security tab at all. Please help me either get into or delete these files!
What about granting with cacls?
And if you were hit with a bug, I'd try all this in safe mode.
I'd also recommend you check for rootkits and the like...could be that's what's locking you down...
ASKER
No luck there either. I did check for Root Kits using Sophos free Anti-Rootkit software. Here are the results of cacls:
C:\Program Files\Windows Resource Kits\Tools>cacls "Documents and Settings\Admin
" /t /c /g Everyone:F
Are you sure (Y/N)?Y
The system cannot find the path specified.
C:\Program Files\Windows Resource Kits\Tools>
I am going to try in safe mode in a couple of hours, because someone took the server room key and left for a few. Thanks for your help!
Need to specify the full path...
This should be the command at your prompt:
C:\Program Files\Windows Resource Kits\Tools>cacls "c:\Documents and Settings\Admin" /t /c /g Everyone:F
ASKER
Well it looks like we have the exact same path. The bottom C:\Program Files\Windows Resource Kits\Tools> was just the return command prompt. Do I need to download a cacls program? Anyway, it looks like I am still a couple of hours away from being able to try it. I am going to do it after business hours. Thanks again!
You were missing the C:\ in your example... (which is why the last line was returned).
C:\Program Files\Windows Resource Kits\Tools>cacls "Documents and Settings\Admin
" /t /c /g Everyone:F
Are you sure (Y/N)?Y
The system cannot find the path specified.
I normally drop cacls.exe in my windows\system32 folder, so that I can run it from anywhere...
ASKER
DOH, man it has been a long 2 days. I think I have the virus up and out of the system, and that did it for me. Thanks for pointing out the obvious! I guess what they say is true, 2 pair of eyes is better than one. I will take your advice on the System32 directory too. Anyway, thanks so very much for your help!
Happy to help. Thanx for the grade!! :^)
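The path mix-up resolved above, as an added example that is not part of the original thread: a Python sketch that resolves a path argument against the current directory the way a command-line tool would, and warns when the argument is not fully qualified. The function names are hypothetical, and the working directory is taken from the prompt shown in the thread.

```python
import ntpath  # Windows path rules; importable on any OS

# Working directory copied from the prompt in the thread.
CWD = r"C:\Program Files\Windows Resource Kits\Tools"


def classify(path):
    """Say how Windows interprets a path argument."""
    drive, rest = ntpath.splitdrive(path)
    rooted = rest[:1] in ("\\", "/")
    if drive and rooted:
        return "absolute"        # c:\Documents and Settings\Admin
    if drive:
        return "drive-relative"  # c:Documents and Settings\Admin
    if rooted:
        return "rooted"          # \Documents and Settings\Admin
    return "relative"            # Documents and Settings\Admin


def resolve(path, cwd=CWD):
    """Resolve a path argument the way a tool started in cwd would."""
    return ntpath.normpath(ntpath.join(cwd, path))


def preflight(path, cwd=CWD):
    """Return (resolved_target, warning); warning is None when the
    argument is fully qualified and cannot drift with the prompt."""
    kind = classify(path)
    target = resolve(path, cwd)
    if kind == "absolute":
        return target, None
    return target, f"{kind} path, resolved against {cwd}"


if __name__ == "__main__":
    # The two arguments from the thread, plus a rooted variant (constructed).
    for arg in (r"Documents and Settings\Admin",
                r"c:\Documents and Settings\Admin",
                r"\Documents and Settings\Admin"):
        target, warning = preflight(arg)
        print(f"{arg!r}\n  -> {target}\n  warning: {warning}")
```

The relative form resolves to a folder under the Resource Kit Tools directory, which is why the tool reported that it could not find the path.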
ASKER
C:\Program Files\Windows Resource Kits\Tools>subinacl /applyonly=owner /subdirec
tories "c:\Documents and Settings\Admin\Cookies"
c:\Documents and Settings\Admin\Cookies - CreateFile Error : 5 Access is denied.
Elapsed Time: 00 00:00:00
Done: 1, Modified 0, Failed 1, Syntax errors 0
Last Done : c:\Documents and Settings\Admin\Cookies
Last Failed: c:\Documents and Settings\Admin\Cookies - CreateFile Error : 5 Acce
ss is denied.
C:\Program Files\Windows Resource Kits\Tools>subinacl /applyonly=owner /subdirec
tories "c:\Documents and Settings\Admin"
==========================
+File c:\Documents and Settings\admin
==========================
/control=0x3c00 SE_DACL_AUTO_INHERITED-0x0
UTO_INHERITED-0x0800 SE_SACL_PROTECTED-0x2000
/owner =builtin\administrators
/primary group =system
/audit ace count =0
/perm. ace count =1
/pace =contracthwe\administrator
CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1
Type of access:
Special acccess : -Read -Write -Execute -Delete -Change Permissions
-Take Ownership
Detailed Access Flags :
FILE_READ_DATA-0x1 FILE_WRITE_DATA-0x2 FILE_APPEND_DATA
-0x4
FILE_READ_EA-0x8 FILE_WRITE_EA-0x10 FILE_EXECUTE-0x2
0 FILE_DELETE_CHILD-0x40
FILE_READ_ATTRIBUTES-0x80 FILE_WRITE_ATTRIBUTES-0x10
READ_CONTROL-0x20000
WRITE_DAC-0x40000 WRITE_OWNER-0x80000 SYNCHRONIZE-0x10
0000
Elapsed Time: 00 00:00:05
Done: 1, Modified 0, Failed 0, Syntax errors 0
Last Done : c:\Documents and Settings\admin