After I accidentally denied access to everyone, how do I get access back?
A customer went to a folder and used the Security control panel to change its permissions to deny all access to everyone. After applying the changes, they realized that they had denied access to everyone, including themselves. How can they undo their changes and get things back to the way they were?
Congratulations, you locked your keys in the car.
In order to get things back to the way they were, you first need to know how they were before. In general, the system does not keep a history of changes with the ability to undo them. If you delete a file, then it’s gone. If you overwrite a file, the old contents are lost. And if you change the security on a folder, the old security settings have been replaced.
If you’re lucky, you might be able to find a backup that tells you what the security settings used to be for the folder and all of the items in the folder tree, and then you can go to the painstaking effort of reapplying those settings on the original items. I believe the technical term to describe this is “not fun”.
If the folder had default permissions before you accidentally messed them up, you can return to the default permissions by going to the Advanced security property sheet and (1) enabling inheritance, and (2) deleting all non-inherited permissions.
One small consolation is that even though you denied yourself access to the folder, if you are the owner of the folder, you still retain WRITE_DACL access, so you at least have permission to replace the access control list with a copy from the backup. (And if you aren’t the owner of the folder, you’ll have to go find the owner of the folder and apologize for messing up their folder.)
Light
Dark
10 comments
Could be worse. On one of our servers somebody denied read access for BUILTIN\Users to C:\Windows. I think they did it by taking away the allow rule rather than adding a deny because of how the system functioned after. Either you had admin rights or you could run no code because loading kernel32.dll failed. I’m pretty sure an actual deny rule would result in administrators could run no code either but system services would still function. That would make one of those fun disaster recovery puzzles to figure out how to fix.
Other ways to have access: Be SYSTEM, enable the backup restoration role, take ownership of the object.
Or:
– be an Adminstrator (which lets you take ownership)
– take ownership (which will implicitely give you WRITE_DACL permission)
– adjust the permissions (which probably involves at least giving yourself read access)
And Robert’s your mother’s brother.
If this is folder on local computer (no SMB share) and if you are an administrator … you can become the owner, change the DACL and change the ownership back.
As a windows user since the days of Windows 3.0/Dos 5, I completely understand why the OS we use today doesn’t keep track of all changes and offer the ability to undo them. But it we want to talk about killer features that would actually be a reason to upgrade to the new OS (as opposed to the current but opposite paradigm of “killing features” where useful OS functionality gets removed) offering full undo is at the top of my list. To some extent it wouldn’t even be that costly – instead of overwriting sectors, just write a new copy and mark the old sectors as historical, to be overwritten only when all free sectors are exhausted.
I realize this would be a pretty huge engineering endeavor. But then so was the transition from 7 to 8 to 10 to 11… with far less end user benefit (if any).
As someone who’s doomed to wait for enormously slow LTSC cumulative update that started installation without even asking and is slowing down every single piece of software running (now, we all definitely know LTSC was chosen for this very reason, to not have any control over the computer :sarcasm:), has already failed once and is now, when I should have fallen asleep like a few hours ago, teasing me with 75% installation progress just to fail by hanging at reboot like it always does… yes, I double that: instead of transforming Windows into a miner while removing useful stuff, doing a favor to end users by providing reliable means to restore the system to initial state would be a thing. At least, it would probably let me update in 3–4 hours instead of a few days. (No sarcasm here.)
Nobody really cares, but just for ”historical” purposes, factory reset of LTSC (after all possible recovery options, except enabling every driver and service one-by-one, failed) did fail, too. Besides taking much longer than plain reinstallation, it even failed to deal with touchpad software that was installed automatically as part of auto driver installation with Windows. Black screen after entering password.
Thanks, Microsoft, for these two days of desperate attempts after an ordinary update. In LTSC! At the very moment when losing the computer is the worst thing possible. But, I guess, the one responsible for this update will get paid instead of being fired. Q — ”quality”.
Use snapshots / shadowcopy. See my other posting a few seconds ago. I am using them locally since about XP Sp2. And once you get used to have them you don’t want to be without them, therefore I am stuck with Windows 11 21h2 until that one bug is fixed. And yes, it does not replace a backup, but when a program runs havoc you can undo it much easier.
Thanks for reminding me about that. Sounds like it’s worth finally getting my head wrapped around.
Ha, that is a funny one. Happened to me in my young days, of course. Today customers lock themselves out.
Usually I try to push “full access only SYSTEM, BULTIN\Administrators and Fileserveradmin group”. Everyone else has only “write” at best, so they cannot change the ACL. Such a lockout situation makes convincing much easier. Though I do use “deny delete everybody” on many folders when the customer agrees, since it prevents accidental moving of folders just ’cause a mouse pad acts up again.
Other things: If it is a fileserver you should have snapshots activated at least with the default settings. So you can go SYSTEM user in powershell, get-acl from the snapshot where it is the way it should be, and then set-acl on the broken permission folder.
As for snapshots: I have my own script for optimized settings, giving me a snapshot every two hours, and thinning them out during the next days. So I end up with a history of three month instead of one month, with about 48 snapshots instead of 63. And I have my own script to make snapshot browsing easier, giving you the path where you can access it directory using powershell/cmd/robocopy/Freecommander etc, not only explorer.exe. Though I hope the “local snapshots are inaccessible” Windows 11 bug I am reporting since May 2022, made it into the release of 22h2 and 23h2, will be fixed soon. I know that it is on the “to fix” list, I hope it won’t be long. (See https://learn.microsoft.com/en-us/answers/questions/935493/windows-11-all-22h2-builds-explorer-exe-previous-v?page=4#answers for this bug)