Help! Access Denied Even To The System Owner...

Discussion in 'Windows Vista Administration' started by AAD213, Mar 6, 2007.

  1. AAD213

    AAD213 Guest

    Hi,

    I have come across a problem with the UAC. I was changing the security
    settings for all account users and set them all to deny. I admit I had no
    idea that by doing that it would deny access to me, the only system
    owner/admin on the Vista system.

    It logs me in but it does not let me go into my drive C: at all, or
    use/change important owner options. It always says "Access Denied" or does
    nothing when I click on an option. I'm the only Vista account owner but it
    won't let me have access to my files anymore.

    Why doesn't Vista have some type of protection to prevent the only account
    owner from locking themselves out when accidentally changing all "User Account
    Control / Access Control" to deny all?

    Can someone please help me resolve this issue or tell me who else to contact
    for help? I have many important files on my hard drive that Vista is now not
    allowing me access to anymore, even though I'm the only account user/admin
    setup on the system. It doesn't let me set up a new account with admin rights
    or change the UAC options back to allow me access again. Please someone let
    me know how I can resolve this problem. Thank you...
     
    AAD213, Mar 6, 2007
    #1

  2. AAD213

    jimmuh Guest

    I'll admit up front that I'm not sure just how I would proceed at this point.
    I'm participating in your thread as much to see if I can learn something as
    to see if I might be able to help you. I am including a small sermon at the
    end of my post to make a point. Because it is a sermon, you may wish to skip
    it.

    ;-)

    But before I get to that -- IF THERE IS DATA ON THIS SYSTEM WHICH CANNOT BE
    REPLACED, AND IF THAT DATA IS TRULY IMPORTANT TO YOU, THEN YOU NEED TO
    PROTECT IT. (Forgive me for shouting. But I want to emphasize that you must
    not keep on working on this drive until you have made a copy of it. The first
    law of holes is this: "When you are in over your head, stop digging."
    Ideally, you would make a complete image of this drive onto another drive by
    using one of the available Vista-compatible third party image software
    packages which allows you to boot from a CD/DVD which contains the software
    and make a full copy of this drive onto another drive. You might also
    consider consulting a data recovery facility. They will charge you, of
    course. Only you can determine what your data is worth.)

    Now (bearing in mind that I've never had to go through this myself, so you
    might want to consult someone who has) --

    1. Are you able to open a command prompt with Administrator privileges?
    (Right-click on the Command Prompt shortcut under Accessories in the Start
    Menu.) If so, it would be interesting to see if judicious use of the CACLS
    command with appropriate options (you can get the info on the options by
    issuing "CACLS /?" at the CLI) could fix your problem. I suspect not.

    2. If CACLS doesn't work, are you able to issue this command --

    net user administrator /active:yes

    from the CLI. If this command is issued successfully, are you able to log on
    as Administrator and regain control of your drive? (I genuinely don't know.
    Microsoft has somewhat changed the rules about how admin accounts work in
    Vista. I don't know just how "special" this normally disabled admin account
    might be.)

    3. I would be interested to see if you could take ownership of the drive and
    fix the problem if you placed this drive in another Vista system. If you try
    this you MUST be certain that it isn't placed in the boot position. You would
    want this drive to come up as a "data" drive. You would boot with the Vista
    installation on the host machine and see if you can change the permissions
    settings on this drive.

    It is important for you to consider that the changes you have wrought on
    this system drive have probably led to the cessation of true usefulness of
    this installation of the OS. After you have recovered your data the only
    admissible procedure is to wipe that drive and reinstall the OS. I think it's
    extremely unlikely that you'll ever get it back into proper functionality,
    security-wise. My opinion only. Might be worth nothing.

    You should NOT be in a hurry. Get as much information before proceeding as
    you can. You got where you are by using powerful tools without investigating
    documentation beforehand. Do not continue in the same vein.

    -- begin small sermon --

    The first thing I can do to help you is to point out that you should have
    learned TWO things (at least) so far in this adventure. The first (and most
    important by far) is to keep current backups of all important data. When you
    say that you have many important files on this system and that you need to
    regain access to them you are tacitly admitting that you haven't been backing
    up your data properly. A proper data backup is NOT copies of the data in
    another directory, or on a different partition on the same disk, or on a
    different disk in the same computer, or even on a different disk in a
    different computer. It is multiple archives on durable, properly protected,
    isolated storage media. That's if the data is truly important.

    The second thing I can do to help you is to point out that Vista DOES have
    safeguards to prevent people from "accidentally" changing permission settings
    so that NO ONE can access files on the system. You ignored the implications
    of some dialogs to get where you were when you made those changes. And then
    you didn't do any research concerning the consequences of applying the
    changes you were making. This is not a fault in the design of Vista or UAC.
    You were exploring without proper planning, and you got bit.

    -- end small sermon --
     
    jimmuh, Mar 6, 2007
    #2

  3. AAD213

    jimmuh Guest

    Shucks. I forgot to mention another command you should try at the CMD prompt.
    You should try looking at the TAKEOWN command. That might be able to fix the
    access issue. Again, just "TAKEOWN /?" to see the options.
     
    jimmuh, Mar 6, 2007
    #3
  4. AAD213

    AAD213 Guest

    Jimmuh, I know I made a terrible mistake and lost my common sense there, but
    now I need help to hopefully fix this mistake.

    If I log into safe mode and click on Run it basically says that admin
    privileges will be allowed.

    So I should type exactly as you typed:

    CLI.

    And then:

    CACLS /?

    Or:

    CMD.

    And then:

    net user administrator /active:yes

    Is all that correct?
     
    AAD213, Mar 6, 2007
    #4
  5. AAD213

    AAD213 Guest

    I tried the following at the cmd. prompt ( C:\Users\AAD> ):

    net user administrator /active:yes

    It then says "The Command Completed Successfully" but when I click on my C:
    drive it still says "Access Denied". By the way AAD is the only Vista user on
    my Vista PC.

    Also at the cmd. prompt ( C:\Users\AAD> ) I tried:

    TAKEOWN /?

    And a bunch of options that I do not understand show up.

    For instance my important directories and files are under the directory:

    C:\1-Saved

    But when I try ( TAKEOWN /F C:\1-Saved /R /D Y ) at the cmd. prompt
    (C:\Users\AAD>):

    I get "ERROR Access Denied" message.

    Can someone please tell me the exact way to allow me to take back ownership
    of my 1-Saved directory under my C: drive?
     
    AAD213, Mar 6, 2007
    #5
  6. AAD213

    jimmuh Guest

    No, you need to read more carefully. I said that after you activated that
    account you should log in under that account. You have successfully activated
    the Administrator account. You can believe me when I say that this account
    exists in addition to your AAD account. Now you need to log off, and then log
    on as Administrator. (No password will be required.) If you are not allowed
    access to the drive when logged on as Administrator, then you're going to
    have to try a different tack. Like placing the drive in a different system
    and using another installation of Vista to try to change the Access Control
    Lists on that drive.

    From here on I really can't, in good conscience, try to talk you through by
    way of newsgroup messages. You said you had important data on that drive. Did
    you make a copy of it as I suggested? If you don't understand the
    explanations you get when you type TAKEOWN /? at the CMD line, then I fear
    that you aren't familiar enough with the administrative concepts involved to
    proceed. That's what got you into trouble in the first place. There's no
    shame in that. It's just not something with which you're familiar. But, if
    that data is important to you, you need to calm down and proceed SLOWLY and
    WISELY. Please remember that you can make matters even worse than they
    already are. I promise you that someone who knows what s/he is doing can get
    that data back. (Well, I'm almost sure. I'm not really quite certain about
    the exact steps you took to get where you are.) But someone with experience
    and judgement in supporting the OS is going to need to look at this and
    handle it if you are going to be sure of recovering the data. Impatience is
    your worst enemy right now. As long as you are doing nothing to that drive,
    then nothing is changing in your situation. Please consider what I'm saying.
    Operating systems do what you TELL them to do, NOT what you WANT them to do.
     
    jimmuh, Mar 6, 2007
    #6
  7. AAD213

    AAD213 Guest

    I did create a backup of the most crucial day to day data but the rest of the
    data that I now don't have access to, it is important but just a little less
    than the latter.

    Anyways thank you for your input, I just hope that I can resolve this issue
    eventually...

    By the way the "CACLS" command has now been deprecated to "ICACLS".
     
    AAD213, Mar 6, 2007
    #7
  8. AAD213

    jimmuh Guest

    Sorry about CACLS vs ICACLS. I was rushed, but the deprecated commands lead
    you to the extant ones.

    Did you log on as Administrator and see if you could get access to the drive
    now? If that doesn't work I think you're pretty much left with setting the
    drive up in another system as a data drive and trying to work with it from
    there. I do, however, still think it highly advisable to seek local help --
    if there's anyone who works as a system administrator (with MS Windows
    systems). I am NOT talking about the local guy who "knows computers". I'm
    talking about someone who really does know how to use the admin tools. I know
    it can be hard to know who to trust. But that's true of online conversations,
    too.

    ;-)

    Your situation has convinced me that I should, if and when I ever get time,
    test a Vista system to destruction in just this manner -- just to satisfy my
    curiosity. This is not the sort of situation I've ever had to deal with
    because I lock my users down so they couldn't possibly get into this type of
    trouble.

    That "Deny" setting has caused a lot of people trouble in the past, but it
    had been quite a while since I had heard of a situation like this, like NT4
    and Windows 2000 days. I don't actually remember anyone denying access to the
    whole system drive, but I'm certain it has been done. It is usually easy
    enough to fix an issue where Deny has been applied just to a particular
    directory structure, but denying root and all subdirectories, which is what I
    think you have done, is something I just haven't ever seen or heard of.
     
    jimmuh, Mar 6, 2007
    #8
  9. AAD213

    AAD213 Guest

    Okay, I rebooted and went into the Admin account but I still get the same
    access denied message when I click on my C: drive. It doesn't even let me
    create/modify accounts.

    I guess no one on my PC can have any access to my drive C: anymore. Well
    maybe by putting the drive on another Vista setup that will do the trick to
    reset the access controls. Or maybe if I reinstall/recovery on the same drive
    it will reset all user access settings. I just wonder if it will erase my
    data at C:/1-Saved but I'll wait to see if I get more input from other folks
    first.

    Various input on this issue is welcomed...
     
    AAD213, Mar 6, 2007
    #9
  10. AAD213

    jimmuh Guest

    Be careful about "install / recovery". If this is an OEM Vista installation
    you need to be sure that you're actually doing a "repair" installation of
    Windows. What the OEM refers to as a "repair" can be a total wipe and
    reinstallation. An actual repair installation might do the trick, though I've
    never seen this particular situation before. The repair installation (which
    is what I would call an in-place upgrade because you install Windows again
    just as though you were doing an upgrade installation of Windows) is
    supposed to fix permissions issues (on file system and registry). It should
    not remove data structures, but it may affect some or all of your software
    installations, though it isn't supposed to. Many software vendors (most)
    haven't really got Vista right, yet.

    I'm hoping you'll get this figured out.
     
    jimmuh, Mar 7, 2007
    #10
  11. AAD213

    AAD213 Guest

    What happened was I was working late around 3:00 am (I must have been totally out
    of it) and right before I finished working I decided to right click on my
    drive C: and looked at the property tabs. I then headed over to the
    "Security" tab and saw settings for:

    Authenticated Users
    System
    AAD (Presario\AAD)
    Administrators (Presario\Administrators)

    I then proceeded to check the box with "Full Control" allow for each
    account, but then I realised that I should not have done that. So I quickly
    clicked on "Full Control" deny thinking that it would simply reset the allow
    options back accordingly (I wish it would have had a default option instead). I
    then restarted my computer and later found out that I had "Denied Access" to
    all users/accounts from accessing my C:\ drive and even to the admin account.
    I totally miscalculated the power of Vista, totally...:(

    By the way my Vista is not an OEM, it's a retail version of Vista Ultimate,
    and I hope that if it comes down to a reinstall/recover it would not delete
    my files.
     
    AAD213, Mar 7, 2007
    #11
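
Why the change described in post #11 locks out every account, including the built-in Administrator, shown as a simplified model of the Windows DACL access check. This is an added example, not code from any poster in the thread; the reduced set of rights, the token group lists and the owner name `ConstructedOwner` are assumptions, and privileges are not modelled.

```python
# Simplified model of how Windows evaluates a DACL (added example).
# Rights are bit flags; this reduced set is an assumption for illustration.
READ, WRITE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 1, 2, 4, 8, 16
FULL_CONTROL = READ | WRITE | READ_CONTROL | WRITE_DAC | WRITE_OWNER

def canonical(dacl):
    """Order explicit ACEs as the ACL editor stores them: deny before allow."""
    return sorted(dacl, key=lambda ace: 0 if ace[0] == "deny" else 1)

def access_check(token_sids, owner, dacl, desired):
    """Return True if a token holding token_sids is granted all desired rights."""
    granted = 0
    # The owner is implicitly granted READ_CONTROL and WRITE_DAC,
    # whatever the DACL says. This is what makes a locked ACL repairable.
    if owner in token_sids:
        granted |= READ_CONTROL | WRITE_DAC
    for ace_type, sid, mask in canonical(dacl):
        if desired & ~granted == 0:
            break                          # everything requested is granted
        if sid not in token_sids:
            continue                       # ACE does not apply to this token
        if ace_type == "deny":
            if mask & desired & ~granted:
                return False               # a matching deny ends the check
        else:
            granted |= mask
    return desired & ~granted == 0

# The four principals listed on the Security tab in post #11.
PRINCIPALS = ["Authenticated Users", "SYSTEM", "AAD", "Administrators"]
ALLOW_ONLY = [("allow", p, FULL_CONTROL) for p in PRINCIPALS]
# State after ticking Full Control under both Allow and Deny for each entry.
LOCKED = ALLOW_ONLY + [("deny", p, FULL_CONTROL) for p in PRINCIPALS]

# Constructed tokens: group memberships are assumptions.
AAD_TOKEN = {"AAD", "Authenticated Users", "Administrators"}
ADMIN_TOKEN = {"Administrator", "Authenticated Users", "Administrators"}

def scenario():
    other = "ConstructedOwner"             # placeholder owner, not in any token
    return {
        "allow_only_read": access_check(AAD_TOKEN, other, ALLOW_ONLY, READ),
        "locked_read_aad": access_check(AAD_TOKEN, other, LOCKED, READ),
        "locked_read_admin": access_check(ADMIN_TOKEN, other, LOCKED, READ),
        "locked_write_dac": access_check(AAD_TOKEN, other, LOCKED, WRITE_DAC),
        # Once the account owns the object it may rewrite the DACL ...
        "owner_write_dac": access_check(AAD_TOKEN, "AAD", LOCKED, WRITE_DAC),
        # ... but reads stay denied until the deny ACEs are removed.
        "owner_read_before_fix": access_check(AAD_TOKEN, "AAD", LOCKED, READ),
        "owner_read_after_fix": access_check(AAD_TOKEN, "AAD", ALLOW_ONLY, READ),
    }

if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The allow entries never get a chance to apply because every token matches a deny entry first; ownership is the one path that still reaches `WRITE_DAC`, which is why the thread's suggestions centre on TAKEOWN followed by an ACL edit.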
  12. AAD213

    jimmuh Guest

    Ouch! Don't you hate what happens when you're sleepy? Heh.

    Yeah, just unchecking full control would have been a good start, but there
    really is seldom a good reason for changing these settings wholesale. The
    standard settings should be used, if at all possible, on personal machines --
    and on most work machines, for that matter. Messing with the ACLs is
    something that I consider to be a last resort.

    Data that resides under your user account location should be safe from a
    standard repair installation, and I would hope that data located in
    directories just off the root would be safe, too, though I never allow data
    storage in such locations on anything that I control. Normally the %Windows%
    directory and some subdirectories thereof are the ones that will be most
    affected. The repair should leave other stuff alone. But this is a truly
    strange situation. I don't believe that should matter, but I just can't be
    sure. I've been surprised a few times before when I tried to extrapolate from
    experience, so I prefer not to predict without extreme caution -- especially
    when someone else's data is at stake!

    I hope you'll post the results of your endeavors. I'm keeping my fingers
    crossed for you!
     
    jimmuh, Mar 7, 2007
    #12
  13. AAD213

    AAD213 Guest

    Success! I can't believe it but I was able to take back full ownership of my
    C: drive and got all 37 GB of my stuff back. I thank those that tried to help
    me and gave me clues to fix the problem. Below are the steps as to how I made
    it work for my retail version of Vista Ultimate.


    These steps might help someone else with a similar UAC/ACL complete root
    "Access Denied" issues to the point where even if you are logged into your
    Admin account it still doesn't let you create accounts or modify any
    important settings/permissions etc.


    Step 1:
    Clicked: Start Menu
    Click: Run
    Type: net user administrator /active:yes
    Close All Other Applications And Reboot Your System.

    Step 2:
    Click/Login To The Administrator Account.
    Clicked: Start Menu
    Click: Run
    Type: Regedit
    Go to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Right Click On: EnableLUA
    Click: Modify
    Change: Value Data To A 0
    Click: OK

    Step 3:
    Go Back To The Root Folders In The Registry Editor.
    Right Click On: HKEY_CLASSES_ROOT
    Click: Permissions
    Click: CREATOR OWNER
    Check: All Allow Boxes
    Click: Apply
    Click: SYSTEM
    Check: All Allow Boxes
    Click: Apply
    Click: Administrators
    Check: All Allow Boxes
    Click: Apply
    Click On Users
    Click: Remove
    Click: Your Account Name If It Shows
    Click: Remove
    Click: OK

    Step 4:
    Right Click On: HKEY_CURRENT_USER
    Click: Permissions
    Click: SYSTEM
    Check: All Allow Boxes
    Click: Apply
    Click: Administrators
    Check: All Allow Boxes
    Click: Apply
    Click: OK

    Step 5:
    Right Click On: HKEY_LOCAL_MACHINE
    Click: Permissions
    Click: Everyone
    Check: All Allow Boxes
    Click: Apply
    Click: RESTRICTED
    Check: All Allow Boxes
    Click: Apply
    Click: SYSTEM
    Check: All Allow Boxes
    Click: Apply
    Click: Administrators
    Check: All Allow Boxes
    Click: Apply
    Click: OK

    Step 6:
    Right Click On: HKEY_USERS
    Click: Permissions
    Click: Everyone
    Check: All Allow Boxes
    Click: Apply
    Click: RESTRICTED
    Check: All Allow Boxes
    Click: Apply
    Click: SYSTEM
    Check: All Allow Boxes
    Click: Apply
    Click: Administrators
    Check: All Allow Boxes
    Click: Apply
    Click On Users If It Shows
    Click: Remove
    Click: Your Account Name If It Shows
    Click: Remove
    Click: OK

    Step 7:
    Right Click On: HKEY_CURRENT_CONFIG
    Click: Permissions
    Click: CREATOR OWNER
    Check: All Allow Boxes
    Click: Apply
    Click: Administrators
    Check: All Allow Boxes
    Click: Apply
    Click: OK
    Close Registry Editor And All Other Applications And Reboot Your System.

    Step 8:
    Click/Login To The Available Regular/Owner Account.
    Clicked: Start Menu
    Click: Control Panel
    Click: Add Or Remove User Accounts
    Create A New User Account And Logoff.
    Close Registry Editor And All Other Applications And Reboot Your System.

    Step 9:
    Click/Login To Your New Created Account.
    Right Click On The Drive Or Directory You Lost Access To.
    Click: Properties
    Click: Security
    Click: Advanced
    At The Permissions Tab.
    Click: Edit
    Click: Add
    Type The Name Of The Recently New Created Account.
    Click: Check Names
    Your New Account Name Should Fully Show Up.
    Click: OK
    A Permission Screen Should Show Up.
    Click On The Allow Box Where It Says Full Control.
    Where It Says "Apply To:" Choose The "This Folder, Subfolders And Files"
    Option.
    Click: OK
    Again At The Permissions Tab Click On Your New Created Account.
    Click: Apply
    Click Yes On The Security Popup To Change Your Allow Permissions.
    If Any Errors Occur Just Click Continue.
    Once The Process Finishes, Reboot Your System And Login To Your New Account.
    You Should Now Have Access Back Into Your Hard Drive Or Directory.


    Note: There May Be Better/Shorter Ways Out There To Do This But In My
    Situation They Were Not Working. The Above Steps Are What Worked For Me But
    May Not Work For You. Please Make Sure You Are Having Similar Issues To Mine
    Before Trying The Above Steps...
     
    AAD213, Mar 7, 2007
    #13
  14. AAD213

    jimmuh Guest

    I'm glad you got it figured out. Are you planning on doing a clean
    installation of the OS now that you've recovered your data?
     
    jimmuh, Mar 7, 2007
    #14
  15. AAD213

    AAD213 Guest

    Yeah I think I will do a clean install soon, I'm backing up all my data over
    to DVD's for now...;)
     
    AAD213, Mar 9, 2007
    #15
  16. AAD213

    Ujjval Guest

    Do you think this procedure can be followed by booting to WinRE using the
    Windows Vista DVD, and then choosing the Command Prompt option? There we need
    not use any admin usernames or password to login. Please tell me if this can
    be done, as I am a technician who does not have access to a lot of Vista
    computers, and one of my customers has a problem. He has lost his
    Administrator password, and is not able to login. I have a way to reinstall
    the OS on his Dell computer using the Dell Image Restore option but that is
    not an option always. He needs security on his account, does not want me to
    create another account and has important data that he cannot lose. I don't
    have the option of connecting his HDD to another computer as this is remote
    troubleshooting.


    And the poor guy has a tendency to lose his password every now and then.

    Any help is appreciated.

    regards,
    Ujjval
     
    Ujjval, Apr 30, 2007
    #16
  17. AAD213

    PITTAG Guest

    Try starting your computer in the Safe Mode ( F-8) during the POST test with
    Networking. Then login as administrator and then change your permissions in
    the User accounts. I had the same problem and it worked for me.. Hope this
    helps.
     
    PITTAG, Dec 4, 2007
    #17