Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Reset All User Permissions To Default


  • Please log in to reply
18 replies to this topic

#1 Dude4ever

Dude4ever

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:08:15 PM

Posted 30 September 2013 - 09:29 PM

Hello fellow fighters :-)

 

I have saved this description of how to reset some of the Windows Permissions to the default values for educational purposes, now I'm gonna share it for the same reason.

 

IF you are going to attemt this procedure, I want you to use system restore by opening a elevated command prompt, and type: systempropertiesprotection

 

When you do this step, the system properties window will open, and at the bottom, there is a option that is asking you to create a restore point on the disk that supports this action.

 

Click CREATE, Choose a name for the restore point, and click CREATE again then you are done when the loading finishes.

 

 

 

Now.

I hope You take your system seriously. If you choose to not take a backup of your system as described above, and you proceed with the following instructions, that's your call..

 

 

1.       Download subinacl.msi from the following link, and save it on the desktop:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en#AffinityDownloads (http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en#AffinityDownloads)

2.       On the desktop, double-click subinacl.msi to install the tool.
3.       Select C:\Windows\System32 as the destination folder.
Note: This step assumes that Windows is installed in C:\Windows. If Windows is installed elsewhere, select the appropriate path to .\System32.

 

 

Are you With me so far? This is the installation of the Windows native tool to change permissions of whole areas at the time, instead of one-by-one folders/files...

The next instructions will able you to create a script compatible with the installed SUBINACL, you can edit this entries as you please if you are experienced:

 

4.       Open Notepad.
5.       Copy the following commands and then paste them into the opened Notepad window:

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f


6.       In Notepad click File, Save As, and then type: reset.cmd
7.       In Notepad click Save as type, and then select All Files (*.*).
8.       Save the reset.cmd-file to your desktop, and close Notepad.
9.       Double-click the reset.cmd-file to reset the Windows Update permissions.
Note: This step may take several minutes, so please be patient. When the permissions have been reset, you will be prompted with "Finished, press any key to continue."
10.    Press any key to complete the installation.

 

 

Then, my friends, install this program that helps you get a overview of all your systems permissions:

 

1. http://download.sysinternals.com/files/AccessEnum.zip

2. UNZIP TO ANY LOCATION

3. RUN ACCESSENUM.EXE

 

There you have total control over your computer and system permissions, if you ran the script in the instructions, you should be able to locate the permissions of any searched folder.

 

 

Just gathering useful resources here guys, you may go through this instructions differently based on experience, but always keep in mind to take a system backup, that is never a bad idea :)

 

-Erik

 

 

 

 

 



BC AdBot (Login to Remove)

 


#2 MylesG30

MylesG30

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 11 November 2014 - 12:07 AM

I've done the steps listed this but instead I get a command prompt that briefly opens and closes



#3 genistas

genistas

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 20 November 2014 - 03:38 PM

@Myles, 

 

I had the same problem but I figured it out. The subinacl.msi package is not actually copying the subinacl.exe file to the c:\windows\system32 folder when you run it. What I ended up doing was reinstalling subinacl, this time installing it to another folder (in my case the desktop). It extracts 3 files. Then I copied the files over to the system32 folder manually and it worked!



#4 meows

meows

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Oregon
  • Local time:11:15 AM

Posted 12 February 2015 - 03:23 AM

1507

 

1.       Download subinacl.msi from the following link, and save it on the desktop:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en#AffinityDownloads (http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en#AffinityDownloads)

 

 

If the above link has issues there is a second link

 

There is a new link for this http://www.microsoft.com/en-us/download/details.aspx?id=23510#AffinityDownloads

 

 

Or you can seek on the Knowledge Base ... http://support.microsoft.com/kb/313222 :)
Tis article is for windows vista but i works also for windows 7.

Just run in a evalated prompt the following command.

For windows 7 just use secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose



#5 Dude4ever

Dude4ever
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:08:15 PM

Posted 13 February 2015 - 09:29 AM

@ genistas & @Myles

 

Great!

The steps were written as I did the whole procedure myself, so this problem may be occurring when your UAC is activated, while mine was not.


Edited by Dude4ever, 13 February 2015 - 09:37 AM.


#6 Curious D

Curious D

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:15 AM

Posted 16 February 2015 - 10:35 PM

Hi.  I saw this thread and wondered if this would help my problem.  A few days ago, I began noticing a problem with transfering files to another location.  I had pictures that I renamed and placed into my pictures folder.  When I tried to back up the pictures to my NAS, the files were inaccessible.  I checked the files and they were locked in the sense that I could not copy, move, delete or rename the file.  I that the files affected lost their security properties (No groups or users have permission to access this object).  I found that if I changed the security profile of the folder or file (right click, properties, security, edit, and put in "system" and my username), I will gain access.  I am at a loss as to why this is happening with file movement.  Now I have to reset all the settings in each folder for every file that can't be backed up.  I am hoping to reset the security settings back to default so that I can get the files copied easily.  Will this program work for my problem?  I have a Win 7 computer 64bit.  Thanks.



#7 Dude4ever

Dude4ever
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:08:15 PM

Posted 17 February 2015 - 02:41 AM

@Curious D

 

That you describe is most likely caused by the excisting permissions on the hard-drive,

or it may be a faulty hard drive in either end of the file transfer.

 

This particular problem often occur if some update is applied, and then the power to the computer is cut off suddenly, then it's just an incomplete file transfer.

The permissions is described by the SACL for each file, "System Access Control List", and sometimes this is not transferred completely with the files.

 

A possible solution is to check that the permissions for the actual Hard-drive is inherited by files that is transferred to it:

Right-click C:/D:/G: -> Properties(menuitem) -> Security(tab) -> Advanced(Button) -> permissions(tab) -> change permissions(button) -> Set Full Control for admins, yourself and system, & read/write for "Users" -> Check "Replace all child object permissions with inheritable......." -> Click Use(button) -> OK->OK->OK

Done :-)

 

If this does not help, something is wrong with hard-drives, or you have some kind of malware lurking..


Edited by Dude4ever, 17 February 2015 - 02:46 AM.


#8 Curious D

Curious D

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:15 AM

Posted 17 February 2015 - 10:52 PM

Thanks for the reply.

 

I tried to change the root folder so that I don't have to change the subfolders, but I get this error in applying the settings with a "The access control list (ACL) structure is invalid" message. Then all the subfolders have a padlock on them and I have to go to all the affected folders and reset the security permission.  If I move a file into a folder that does not have the security settings (ie no group has permission to access files), the files lose the security settings that they had before being moved.  Is there another way to reset all of the permission?  Is the method described in this thread a way to get all folders and subfolders right if simply changing the drive security setting isn't working?



#9 Dude4ever

Dude4ever
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:08:15 PM

Posted 18 February 2015 - 02:20 AM

@Curious D

 

This line in the script does the settings on your system drive:

subinacl /subdirectories %SystemDrive% /grant=administrators=f

 

Just change %SystemDrive% to be your NAS drive letter, and "administrators" can be changed to your own username on the computer.

 

To lose the padlock from files and folders, you have to grant the group "Users" read/write permissions.

 

 

Is the method described in this thread a way to get all folders and subfolders right if simply changing the drive security setting isn't working?

 

The method described does not include every hard-drive on your computer, you have to create new lines that includes the other drive letters.

%SystemDrive% for example only means in most cases your C: drive, environment variables defines that. But basically yes.

 

You should also make sure that you are the owner of the secondary disk. NB!! Do not take ownership over %SystemDrive%!


Edited by Dude4ever, 18 February 2015 - 03:43 AM.


#10 Dude4ever

Dude4ever
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:08:15 PM

Posted 18 February 2015 - 06:49 AM

Here is the "Readme" for subinacl
example:
subinacl /subdirectories %SystemDrive% /grant=administrators=f
Could be changed to:
subinacl /subdirectories=filesonly D:\users\YOURNAME\Pictures /grant=USER=f /setowner=USER

Uppercase words must then be swapped with real variables


Usage :
     SubInAcl [/option...] /object_type object_name [[/action[=parameter]...]



 /options    :
    /outputlog=FileName                 /errorlog=FileName
    /noverbose                          /verbose (default)
    /notestmode (default)               /testmode
    /alternatesamserver=SamServer       /offlinesam=FileName
    /stringreplaceonoutput=string1=string2
    /expandenvironmentsymbols (default) /noexpandenvironmentsymbols
    /statistic (default)                /nostatistic
    /dumpcachedsids=FileName            /separator=character
    /applyonly=[dacl,sacl,owner,group]
    /nocrossreparsepoint (default)      /crossreparsepoint

 /object_type :
    /service            /keyreg             /subkeyreg
    /file               /subdirectories[=directoriesonly|filesonly]
    /clustershare       /kernelobject       /metabase
    /printer            /onlyfile           /process
    /share              /samobject

 /action      :
    /display[=dacl|sacl|owner|primarygroup|sdsize|sddl] (default)
    /setowner=owner
    /replace=[DomainName\]OldAccount=[DomainName\]New_Account
    /accountmigration=[DomainName\]OldAccount=[DomainName\]New_Account
    /changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]
    /migratetodomain=SourceDomain=DestDomain=[MappingFile[=Both]]
    /findsid=[DomainName\]Account[=stop|continue]
    /suppresssid=[DomainName\]Account
    /confirm
    /ifchangecontinue
    /cleandeletedsidsfrom=DomainName[=dacl|sacl|owner|primarygroup|all]
    /testmode
    /accesscheck=[DomainName\]Username
    /setprimarygroup=[DomainName\]Group
    /grant=[DomainName\]Username[=Access]
    /deny=[DomainName\]Username[=Access]
    /sgrant=[DomainName\]Username[=Access]
    /sdeny=[DomainName\]Username[=Access]
    /sallowdeny==[DomainName\]Username[=Access]
    /revoke=[DomainName\]Username
    /perm
    /audit
    /compactsecuritydescriptor
    /pathexclude=pattern
    /objectexclude=pattern
    /sddl=sddl_string
    /objectcopysecurity=object_path
    /pathcopysecurity=path_container

Usage  : SubInAcl   [/option...] /playfile file_name

Usage  : SubInAcl   /help [keyword]
         SubInAcl   /help /full
    keyword can be :
    features  usage syntax sids  view_mode test_mode object_type
    domain_migration server_migration substitution_features editing_features
         - or -
    any [/option] [/action] [/object_type]

Edited by Dude4ever, 18 February 2015 - 07:23 AM.


#11 Dude4ever

Dude4ever
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norway
  • Local time:08:15 PM

Posted 19 February 2015 - 07:19 AM

Here you have lines for the script to set the default owner on Program Files folders:

 

subinacl /subdirectories %SystemDrive%\Program Files /setowner=NT SERVICE\TrustedInstaller /grant=NT SERVICE\TrustedInstaller=f

subinacl /subdirectories %SystemDrive%\Program Files (x86) /setowner=NT SERVICE\TrustedInstaller /grant=NT SERVICE\TrustedInstaller=f

/grant=[DomainName\]User[=Access]

     will add a Permission Ace for the user.
     if Access is not specified, the Full Control access will be granted.

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute

Edited by Dude4ever, 19 February 2015 - 07:25 AM.


#12 jerryh3

jerryh3

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 01 March 2015 - 06:36 AM

Ok I followed this procedure to the letter. It's not my first rodeo with cmd files or batch files. The problem is when I run the cmd file the command prompt appears and immediately disappears. Nothing has been changed because I still have a zillion screwed up permissions interfering with my need to delete a file. So my question is what am I doing wrong or what is wrong with the install on my computer? Thanks Jerry :smash:  



#13 c_robertson

c_robertson

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 06 May 2015 - 07:57 AM

Jerryh3. Place a pause at the end of your batch file and see if you see the error now.

If not save as a new file "test" and add only one line and run it to see if part of it work and progress from there.



#14 MikeMikeMikeMike

MikeMikeMikeMike

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 18 February 2016 - 11:01 AM

First of all, let me say that this is GREAT!  And thank you very much.  It still does not quite help me but we are on the right track.

 

I'm trying to open some PDFs.  I get "access denied" and I'm now assuming that it is because I copied the files from one drive to another and probably lost permissions in the process.  Make sense?

 

After I run this script and do the scan as suggested I see that some of the folders are marked "Access is Denied" under the Read column.  When I try to open the file with Adobe I get "access denied".  When I change the security to add "Everyone" with "Full Access" I am able to open the file.

 

O.K.  So how could I run the script to allow full access to "Everyone", in so far as that will not break the system for some files.

 

Thoughts?



#15 MikeMikeMikeMike

MikeMikeMikeMike

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 18 February 2016 - 11:06 AM

Oh, and while you are mulling that one over  :thumbup2:   I have another problem.  When I try to update Windows some of the updates ALWAYS fail.  They give a message about a resource not being found and present a popup box allowing me to say where a CD is located.  I think they are looking for an installation CD but I don't have one.  This is a modern system that came with no disks.  I think the most common failure is on updates to C++.  Is this also some kind of permission problem?  Or is it something else altogether?

 

Thanks again.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users