Solved

Full Control Denied to Everyone

Posted on 2009-02-16
Last Modified: 2013-12-04
We have a folder on a Windows 2003 server that was accidentally locked out by denying Full Control to Everyone.  Is there an easy way to fix this?
Question by:ghfllc
15 Comments
 
LVL 8

Expert Comment

by:JustWorking
ID: 23654807
You would have to log on as an administrator and take ownership of the folder, then reset permissions:

http://technet.microsoft.com/en-us/library/cc780020.aspx
0
 
LVL 15

Expert Comment

by:wantabe2
ID: 23654809
You might be better off to copy the data in it to a temporary folder. Delete and then re-create the original folder and transfer the data back in to it.
0
 
LVL 11

Expert Comment

by:snoopfrogg
ID: 23654821
Removing the Everyone - Full Control deny entry is the quick fix.  Then have users log off, then back on to access the folder.

I'd determine why an administrator made this change and see if certain users or groups need to have their access reduced or completely removed.
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23654840
How to Configure Security for Files and Folders
To configure file and folder security:

   1. Log on by using your domain user name and password.
   2. Start Windows Explorer.
   3. Expand My Computer, and then click the drive that contains the folder that you want to configure.
   4. Right-click the folder that you want to configure, and then click Properties.
   5. Click the Security tab.
   6. Click Advanced.
   7. Click to clear the "Allow inheritable permissions from parent to propagate to this object and all child objects. Include these with entries explicitly defined here" check box.
   8. In the Security dialog box that appears, click Copy.

      NOTE: The inherited permissions are copied directly to the folder.
   9. Click OK.
  10. To set permissions for a group or user who is not listed in the Group or user names box, click Add.
  11. In the Select Users or Groups dialog box that appears, type the names of the groups or users for whom you want to set permissions (for example, Accounting, Sales, and accounts receivable manager name).
  12. Click OK. The groups and users you added appear in the Group or user names box.
  13. To grant or deny a permission in the Permissions for User or Group box, click the user or group in the Group or user names box, and then click to select the Allow or Deny check box next to the permission that you want to allow or deny. For example:
          * To grant Modify permissions to the Accountants group, click Accountants, and then click to select the Allow check box next to Modify. Members of this group can add new files to the folder or edit the files in the folder.
          * To grant Read & Execute, List Folder Contents, and Read permissions to the Sales group, click Sales, and then click to select the Allow check box next to these permissions.
          * To grant Full Control permission to the accounts receivable manager, click accounts receivable manager name, and then click to select the Allow check box next to Full Control.
  14. Click OK.
0
 

Author Comment

by:ghfllc
ID: 23655159
@JustWorking This is our file server and part of an Active Directory domain.  I logged into the server as the domain administrator but I was not given the option to take ownership of the files.

@wantabe2 Even the domain administrator is denied access to browse the folder.

@snoopfrogg Any buttons that would allow me to change the permissions are denied.  The change was a mistake made by a user that has the authority to modify permissions to the folder.

@Dirtpatch-Jenkins I've tried going into the advanced security permissions but the checkbox to inherit permissions is also disabled.
0
 
LVL 11

Expert Comment

by:snoopfrogg
ID: 23659370
Administrator accounts should be able to take ownership of folders on the system they reside on.

If you do the following, can you take ownership of the folder?

1.  Right-click the folder -> Properties
2.  Security
3.  Advanced
4.  Owner tab
5.  Highlight or add your account and check "Replace owner on subcontainers and objects"

0
 

Author Comment

by:ghfllc
ID: 23659776
@snoopfrogg I tried that already.  I get an Access Denied error.
0
 
LVL 11

Expert Comment

by:snoopfrogg
ID: 23659890
Administrators have the ability to take ownership of folders on the local machine by default:  http://technet.microsoft.com/en-us/library/cc780020.aspx.  Are you sure you're logging in as a local administrator?

Another option:  Go to the user and have them remove the entry.  Once that's done, you should lessen the access they have.  
0
 

Author Comment

by:ghfllc
ID: 23660076
@snoopfrogg I've tried both the local and domain administrator and neither has worked.  I've tried going back to the user as well but even they are locked out since Everyone was denied Full Control.
0
 
LVL 11

Expert Comment

by:snoopfrogg
ID: 23660149
When you go to the folder and click the owner tab, which user/group does it indicate has ownership?  
0
 

Author Comment

by:ghfllc
ID: 23660222
@snoopfrogg It says the owner is the user that made the changes.  But it also tells me that I only have permissions to view the owner.  The box to choose a new owner is grayed out.  I can click on the Other Users button and type in Administrator but when I click Apply I get the Access Denied error.
0
 
LVL 11

Expert Comment

by:snoopfrogg
ID: 23660285
In that case the user who made the changes will need to take ownership, then change permissions and propagate the change down to subfolders and files.
0
 

Author Comment

by:ghfllc
ID: 23660322
@snoopfrogg I logged in as the user who made the changes and they get the same Access Denied error.  They don't have permissions to make changes to the ACL either.
0
 
LVL 11

Accepted Solution

by:snoopfrogg (earned 2000 total points)
ID: 23664204
On the server, if you go to Local Security Policy -> Local Policies -> User Rights Assignment -> Take ownership of files or other objects, do you see Administrators listed?  For the time being, go ahead and add your personal account.

Once you do this, log off, log back on with your personal account, take ownership of the folder, then modify the ACL.
0
 

Author Comment

by:ghfllc
ID: 23664432
@snoopfrogg Administrators was already listed.  I was going to add in the user that originally owned the folder when I realized something.  When I was trying as the user to fix the problem, I was still doing it via the network share.  I temporarily added the user to the Domain Administrators group and logged into the file server as the user.  I was able to fix the ACL issues by going through the local filesystem.  Thanks for your help.
0
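
A command-line version of the fix the thread arrives at (work on the file server's local filesystem, take ownership, then remove the deny entry), as an added example that is not part of the original posts. It assumes `takeown` and `icacls` are available (`icacls` ships with Windows Server 2003 SP2 and later), and the folder path is a constructed placeholder.

```batch
@echo off
rem Added example, not from the thread.
rem Run at the file server's own console (not through the network share),
rem from a command prompt opened by a member of Administrators.
setlocal

rem Constructed placeholder: replace with the local path of the locked folder.
set "TARGET=D:\Shares\LockedFolder"

rem 1. Take ownership. This relies on the "Take ownership of files or other
rem    objects" user right, which is not subject to the folder's deny entry.
rem    /A  gives ownership to the Administrators group instead of the user
rem    /R  recurses into subfolders and files
rem    /D Y answers "yes" when a subfolder cannot be listed
takeown /F "%TARGET%" /A /R /D Y
if errorlevel 1 (
    echo takeown failed. Check the user right in Local Security Policy.
    exit /b 1
)

rem 2. The owner of an object can always read and rewrite its ACL, so the
rem    explicit deny entry for Everyone can now be removed.
rem    /remove:d removes only deny entries and leaves allow entries alone
rem    /T applies to everything under the folder, /C continues past errors
icacls "%TARGET%" /remove:d Everyone /T /C
if errorlevel 1 (
    echo icacls reported errors. Review the output above.
    exit /b 1
)

rem 3. Show the resulting ACL so the remaining entries can be reviewed.
icacls "%TARGET%"

endlocal
```

After the deny entry is gone, review which accounts still hold the right to change permissions on the folder, as snoopfrogg suggests earlier in the thread.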


Question has a verified solution.
