Access Control Quick Fixes

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This section provides the most common access control problems and their solutions. You can use the information in this section to resolve problems in the same way you would use a FAQ to find answers to common questions. Read this section before you begin any advanced troubleshooting.

Common Access Control Problems

Listed below are common access control problems and quick fixes:

  • You are unable to access a file or folder as a result of a Deny ACE applied to Everyone

  • Security policy is not being enforced

You are unable to access a file or folder as a result of a Deny ACE applied to Everyone

If a Deny access control entry (ACE) is applied to the Everyone security group, no one will be able to access the resource and only the owner will be able to change the permissions. Anyone, including the owner, who attempts to access the file or folder will receive an "Access is denied" error.

Perform the following procedure to determine whether a Deny ACE is applied to a user or group. You must be an administrator or the owner of the file or folder to perform this task.

To determine whether a Deny ACE is applied to a user or group

  1. Right-click the file or folder that the user or group is unable to access and then click Properties.

  2. Click the Security tab, and in Group or user names, click the user or group you want to examine ACEs for.

  3. In Permissions for <user or group>, examine the permissions and determine whether a Deny ACE is applied to the user or group.

You can recover access to the file or folder by modifying the resource's permissions. Before you can modify the permissions, you must be the owner of the file or folder. Perform the following procedure if you are not the resource's owner. You must be an administrator or have been granted the Take ownership of files or other objects user right.

To take ownership of a file or folder

  1. Open Windows Explorer, and then locate the file or folder you want to take ownership of.

  2. Right-click the file or folder, click Properties, and then click the Security tab.

  3. Click Advanced, and then click the Owner tab.

  4. In the Change owner to box, do one of the following:

    • To change the owner to a user or group that is not listed, double-click Other users and groups. In the Enter the object name to select (examples) box, type the name of the user or group, and then click OK.

    • To change the owner to a user or group that is listed, click the new owner.

  5. (Optional) To change the owner of all subcontainers and objects within the tree, select the Replace owner on subcontainers and objects check box.

Note

You can transfer ownership in two ways: 1) The current owner can grant the Take ownership permission to others, allowing those users to take ownership at any time. A user granted the Take ownership permission can take ownership of the object or assign ownership to any group that the user is a member of. 2) A user who has the Restore files and directories privilege can double-click Other users and groups and choose any user or group to assign ownership to.

Note

An administrator can take ownership of any file on the computer.

Once you have taken ownership of the file or folder, perform the following procedure to remove the Deny ACE from the Everyone group's ACL.

To remove the Deny ACE applied to the Everyone group

  1. Open Windows Explorer, and then locate the file or folder you want to modify permissions for.

  2. Right-click the file or folder, click Properties, and then click the Security tab.

  3. In the Group or user names box, select Everyone.

  4. In the Permissions for Everyone box, select Full Control.
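
The three procedures above (inspect Deny ACEs, take ownership, remove the Deny ACE for Everyone) can also be scripted. The following is an added example, not part of the original article. It assumes Windows PowerShell 2.0 or later; the function name Repair-EveryoneDeny, its parameters and the sample path are hypothetical.

```powershell
# Added example (not from the original article).
# Function name, parameter names and sample path are hypothetical.
function Repair-EveryoneDeny {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$TakeOwnership,   # run takeown.exe before reading the ACL
        [switch]$Remove           # write the modified ACL back; default is report only
    )

    if ($TakeOwnership) {
        # takeown.exe ships with Windows Server 2003; /F names the target.
        & takeown.exe /F $Path | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }
    }

    $acl = Get-Acl -Path $Path

    # Resolve identities to SIDs so matching does not depend on the
    # localized display name of Everyone (well-known SID S-1-1-0).
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $deny = @($acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Deny' })

    # First procedure in the article: list every Deny ACE, explicit or inherited.
    $deny | Select-Object IdentityReference, FileSystemRights, IsInherited

    # Only explicit ACEs can be removed on this object; inherited ones must
    # be changed on the parent folder that defines them.
    $targets = @($deny | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and -not $_.IsInherited })

    if ($Remove -and $targets.Count -gt 0) {
        # Run as the owner of the object, as the article requires.
        foreach ($rule in $targets) { $acl.RemoveAccessRuleSpecific($rule) }
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Report only, then take ownership and repair (constructed sample path):
# Repair-EveryoneDeny -Path 'D:\Shares\Reports'
# Repair-EveryoneDeny -Path 'D:\Shares\Reports' -TakeOwnership -Remove
```

Running the function without -Remove changes nothing, so the Deny ACEs it reports can be reviewed before any permission is modified.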

Security policy is not being enforced

After the local security policy or a policy administered through Group Policy has been modified, you might need to refresh the policy on a local computer if it is not enforcing the policy.

Perform the following procedure to refresh the security policy on a Windows 2000 Server–based computer.

To force a Windows 2000 Server–based computer to refresh its security policy settings and Group Policy settings

  1. Open a command prompt.

  2. Type secedit /refreshpolicy.

The /refresh option ignores all processing optimizations and reapplies all settings.

The Gpupdate command-line tool refreshes local Group Policy settings and Group Policy settings that are stored in Active Directory, including security settings. In Windows Server 2003, this command supersedes the now-obsolete /refreshpolicy option of the secedit command.

Perform the following procedure to refresh the security policy on a Windows Server 2003–based computer.

To force a Windows Server 2003–based computer to refresh its security settings and Group Policy settings

  1. Open a command prompt.

  2. Type gpupdate /force.

The /force option ignores all processing optimizations and reapplies all settings.