User cannot access a file or folder but should have permission

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This problem occurs when a user attempts to access a file or folder and receives an "Access Denied" error.

Cause

This problem results when an administrator, the owner of the file or folder, or a user with the Change Permissions permission for a file or Full Control permission for a folder, changes the access control list (ACL) on the file or folder. Some of the changes that could deny a user access to a file or folder they should be able to access include:

  • The user or group was unintentionally removed from Group or User names on the file's or folder's Security tab.

  • An explicit Deny has mistakenly been applied to the user or group.

  • A conflict between share permissions and NTFS permissions was created when someone changes permissions without examining both types of permissions.

Solutions

There are two separate scenarios where a user may be denied access to a file or folder:

  • A user is denied access to a local file or folder

  • A user is denied access to a shared folder

A user is denied access to a local file or folder

There are three possible solutions for this problem:

Examine a user's permissions on a file or folder using Xcacls

Examine a user's or group's permissions on a file or folder

View a user's or group's effective permissions on files and folders

Solution One: Examine a user's permissions on a file or folder using Xcacls

The Xcacls command-line tool sets all file system security options that are accessible in Windows Explorer. Xcacls does this by displaying and modifying the ACLs of files. Perform the following procedure to investigate ACLs by using the Xcacls tool.

Important

Xcacls does not ship with Windows Server 2003. For information about how to install the Xcacls tool, see Configuring a Computer for Access Control Troubleshooting.

To examine a user's permissions on a file or folder using Xcacls

  1. Open a command prompt. Click Start, click Run, and type cmd.

  2. Type:

    Xcacls FileOrFolderPath

  3. Examine the user's permissions and compare with the desired permissions.

The following is an example of the preceding Xcacls command:

Xcacls C:\Tools

Solution Two: Examine a user's or group's permissions on a file or folder

Note

The use of access control lists (ACLs) to control users' or groups' permissions on a file or folder is supported on computers that use the NTFS file system but not on computers that use the FAT file system or that use Windows XP Simple File Sharing. If ACLs are not supported, the file or folder properties do not have Security properties available. Windows XP Home Edition is an example of an operating system that does not support ACLs.

To examine a user's or group's permissions on a file or folder

  1. Right-click the file or folder you wish to administer permissions for, click Properties, and then click the Security tab.

    Note

    If you are logged in with an account that has not been granted rights to administer permissions on the file or folder, the Security tab is not available.

  2. In Group or User names, select the user or group whose permissions you want to view.

  3. In Permissions for <group name or user name>, examine the user's permissions and compare with the desired permissions.

Solution Three: View a user's or group's effective permissions on files and folders

You can also use the Effective Permissions tool to view effective permissions of a user or group. The Effective Permissions tool does not display share permissions; it displays only cumulative NTFS permissions for a particular user or group.

To view effective permissions on files and folders

  1. Open Windows Explorer, and then locate the file or folder for which you would like to view effective permissions.

  2. Right-click the file or folder, click Properties, and then click the Security tab.

  3. Click Advanced, click the Effective Permissions tab, and then click Select.

  4. In Enter the object name to select (examples), enter the name of a user or group, and then click OK. The selected check boxes indicate the effective permissions of the user or group for that file or folder.

A user is denied access to a shared folder

Both share and NTFS permissions can be applied to a folder that is shared. However, share permissions and NTFS permissions behave differently. As a result, there are different processes for investigating permissions problems if share only or if a mixture of share and NTFS permissions have been applied. First you should determine what share permissions have been applied. Then determine which, if any, NTFS permissions have been applied.

Important

When share and NTFS permissions conflict, the most restrictive setting takes precedence.

Perform the following procedure to examine share permissions on a specific folder.

To examine user and group share permissions on a shared folder

  1. Right-click the shared folder you want to examine, and then click Properties.

  2. Click the Sharing tab, and then click Permissions.

  3. Examine the permissions and change any settings that contradict the desired permissions.

After you examine the share permissions, use the Xcacls tool to determine what NTFS permissions apply to a specific user or group. Perform the following procedure to investigate ACLs by using the Xcacls tool.

Important

Xcacls does not ship with Windows Server 2003. For information about how to install the Xcacls tool, see Configuring a Computer for Access Control Troubleshooting.

To examine user and group NTFS permissions on a shared folder

  1. Open a command prompt.

  2. Type the following command:

    Xcacls FileorFolderPath

  3. Examine the permissions and note any settings that contradict the desired permissions.

  4. Open Windows Explorer, right-click the shared folder, and then click Properties.

  5. Based on the outcome of the Xcacls data, adjust either the share permissions on the Sharing tab or the NTFS permissions on the Security tab. You can also use the Xcacls tool to adjust NTFS permissions using the command line.

Use the following guidelines when examining and adjusting share and NTFS permissions on a shared folder:

  • Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry.

  • Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.

NTFS permissions affect access to files and folders both locally and remotely and apply regardless of protocol. Share permissions, by contrast, apply only to shared folders (on a network). Share permissions do not restrict access to any local user, or to any terminal server user, on the computer on which you have set share permissions. Thus, share permissions do not provide privacy between users on a computer used by several users, nor on a terminal server accessed by several users.

If you want to manage folder access by using NTFS permissions exclusively, set share permissions to Full Control for Everyone. This frees you from having to think about share permissions, but because NTFS permissions are more complex than share permissions, using NTFS permissions correctly requires deeper understanding on your part. For more information about NTFS permissions, search for the term "NTFS permissions" on TechNet on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=38772).

Warning

Granting a user Full Control NTFS permission on a folder enables that user to take ownership of the folder unless the user is restricted in some other way. Be cautious in granting Full Control.