Need help understanding users and permissions to secure new system

Page 2 of 3 FirstFirst 123 LastLast

  1. Posts : 21
    Windows 7 Home Premium 64-bit
    Thread Starter
       #11

    >Hi! FluffyBunny, welcome to 7F

    Anak, many thanks for your reply! Now that I have some time to work on
    this again, I hope to finally get these issues resolved.

    >I am not an expert, by any means, but this should help give you full access.


    • Start Windows7 in safe mode (Turn on/re-boot, and tap F8 till windows menu come up).
    • Select safe mode.
    • Once started open windows explorer right click C:/ drive, properties. Then select Security tab.


    >In Group or user names, select each one (at a time) then Edit. You have to have the SYSTEM group listed.


    • Click each box under Allow so that there is a check mark in each box.
    • Go to advanced, Then the Owner tab, change from Administrators (your user name\Administrators) (what ever it's called) to your login name by using edit.
    • Then shut down and re-start in normal mode.


    >This should give you full control over your machine, and calm you down to where you can think straight again.

    Okay, I did the above steps. But when I first tried to change ownership,
    I got error dialogs again. Strangely, after the error dialogs went away, the change
    was apparently still applied. I don't know what to make of that, but what I
    ended up doing for each group was to change its owner from "Trusted Installer"
    to that of my "admin" account.

    >This is where I am not sure how this will turn out because I only have one drive.
    PANIC TIME AGAIN!

    >Now in order to have permission to access the E:\ drive or whatever drive you would like to access; you would go to the respective Drives properties >Security tab.

    >Your users should be listed, then edit each one as you did for the C:\ drive. If they are not, then we will have to create them.

    >You can always go back to any of your Drive's properties >Security tab >Edit Group or user names, and remove/un-check any allow boxes to restrict permissions.

    I also tried doing some changes on the E: drive, and I was able to change the
    owner of E: for each group from "SYSTEM" to my "admin" account. I note
    that for both sets of changes, I had logged into the "admin" account,
    which is of course an account with administrator permissions. I don't
    know whether this was really necessary, but it looks like I have proper
    control of my system again, so that is progress.

    >Since you have Home Premium this tutorial may only work with method 2 or 3. Drive Access - Restrict or Unrestrict in Vista, and Windows 7- Vista Forums

    >There are these two also:
    https://www.sevenforums.com/tutorials...-accounts.html
    User Accounts - Add or Remove from Groups

    >I did not want to throw too much at you, but we may have to get into sharing theses Drives.

    Yes, my head is spinning almost as fast as my hard drive from all the
    reading I've been doing about Windows' permission system. I'm
    still unclear about a lot of things, such as the concept of a restricted
    drive. And I'm not sure just what permissions I should really set.

    Just to be clear on what I'm trying to do, I want to make sure that
    the folders on drives C: and E: have their permissions set such that
    only the account owner (and those with administrator privileges) can
    do anything with those files. I can live with other users being able to
    see that files exist, but I don't want them able to see the _contents_ of
    the files or be able to modify them.

    I'm not clear on what happens if I deny a privilege to the Users or
    Authenticated users group. Does that mean that the privilege is
    denied to every member of the group EXCEPT the owner of the
    account (which is what I would hope)? Or does it even deny
    access to my own account? Am I correct in assuming that
    members of the Administrator and SYSTEM groups should
    always have all permissions (except for the special permissions
    that aren't normally checked)? These are issues that the
    documentation doesn't make very clear, so I will be grateful
    for any insights that you or others can provide.
      My Computer


  2. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #12

    FluffyBunny said:
    Anak, many thanks for your reply! Now that I have some time to work on
    this again, I hope to finally get these issues resolved.

    Okay, I did the above steps. But when I first tried to change ownership,
    I got error dialogs again. Strangely, after the error dialogs went away, the change
    was apparently still applied. I don't know what to make of that, but what I
    ended up doing for each group was to change its owner from "Trusted Installer"
    to that of my "admin" account.
    Your welcome, The change you made is okay.
    Can you give me a hint as to what the errors where about? or recreate them to take a snip with the snipping tool, and then post them here?
    FluffyBunny said:
    I also tried doing some changes on the E: drive, and I was able to change the
    owner of E: for each group from "SYSTEM" to my "admin" account. I note
    that for both sets of changes, I had logged into the "admin" account,
    which is of course an account with administrator permissions. I don't
    know whether this was really necessary, but it looks like I have proper
    control of my system again, so that is progress.
    Good! my apologies, I do not think I made that step clear enough.

    Any time you are working with sharing or permissions you need to be in an Administrative account.


    FluffyBunny said:
    Yes, my head is spinning almost as fast as my hard drive from all the
    reading I've been doing about Windows' permission system. I'm
    still unclear about a lot of things, such as the concept of a restricted
    drive. And I'm not sure just what permissions I should really set.
    It depends on who will be using it, and what they need to have in order to preform the task they need to accomplish.

    FluffyBunny said:
    Just to be clear on what I'm trying to do, I want to make sure that
    the folders on drives C: and E: have their permissions set such that
    only the account owner (and those with administrator privileges) can
    do anything with those files. I can live with other users being able to
    see that files exist, but I don't want them able to see the _contents_ of
    the files or be able to modify them.
    Then you will need to go back in and modify the permissions you have already set.
    Anak said:
    You can always go back to any of your Drive's properties >Security tab >Edit Group or user names, and remove/un-check any allow boxes to restrict permissions.
    FluffyBunny said:
    I'm not clear on what happens if I deny a privilege to the Users or Authenticated users group. Does that mean that the privilege is denied to every member of the group EXCEPT the owner of the account (which is what I would hope)? Or does it even deny access to my own account?

    Am I correct in assuming that members of the Administrator and SYSTEM groups should always have all permissions (except for the special permissions that aren't normally checked)?

    These are issues that the documentation doesn't make very clear, so I will be grateful for any insights that you or others can provide.
    Logically I would think that anyone that has been assigned to a particular user or group would be locked out.

    To me, the safest way for you would be to have the one account, with full Administrator rights, but then you would also need a strong password on it.

    Are you still reading "Windows 7 Inside Out"? I shall have to read up on it just so I can understand the points you are having trouble understanding.

    I am not sure, I may have missed it, but is this a family, business or school computer?
    It would help to keep things organized if you made a list of:

    • Who uses this/these machines.
    • What do they need to do when they are on.
    • And list what permissions they do have with dates and times of change.

    I would have to look it up but you might be able to set up a time limit. Let us say 8pm to 10pm for homework.
      My Computer


  3. Posts : 21
    Windows 7 Home Premium 64-bit
    Thread Starter
       #13

    Quote: Originally Posted by FluffyBunny
    Just to be clear on what I'm trying to do, I want to make sure that
    the folders on drives C: and E: have their permissions set such that
    only the account owner (and those with administrator privileges) can
    do anything with those files. I can live with other users being able to
    see that files exist, but I don't want them able to see the _contents_ of
    the files or be able to modify them.



    >Then you will need to go back in and modify the permissions you have already set.

    Okay, I can do that. But I'm still not clear on WHICH permissions I need
    to set [see below].

    Quote: Originally Posted by FluffyBunny
    I'm not clear on what happens if I deny a privilege to the Users or Authenticated users group. Does that mean that the privilege is denied to every member of the group EXCEPT the owner of the account (which is what I would hope)? Or does it even deny access to my own account?

    Am I correct in assuming that members of the Administrator and SYSTEM groups should always have all permissions (except for the special permissions that aren't normally checked)?

    These are issues that the documentation doesn't make very clear, so I will be grateful for any insights that you or others can provide.

    ==> My apologies for the poor formatting of my responses below and all
    ==> the extra garbage tacked on at the end. I'm having some real problems
    ==> with the cut-and-paste facilities here.
    > Logically I would think that anyone that has been assigned to a particular user or group would be locked out.

    If this is true, this is the root of my problem. How can I lock out other people without locking out myself?? Locking out everyone including myself would be completely useless, and if that is all Windows will let me do, then you're effectively saying that is IMPOSSIBLE to have secure file permissions in Windows. I hope I'm just ignorant of the right method to use.

    In UNIX, you can set file permissions for three sets of people: You the user, members of groups that you belong to, and others (i.e., everybody else). If I want to stop others from reading my files, I just type 'chmod o-r filename' to remove read permission from others. This is what I'm trying to do in Windows, and there doesn't seem to be any obvious way to do it.

    >To me, the safest way for you would be to have the one account, with full Administrator rights, but then you would also need a strong password on it.

    Yes, I have created a password-protected "admin" account. This was not the first account I created, since Windows couldn't be bothered to mention that my first account was an administrative one. So I effectively have two account with administrative privileges at the moment. I plan to take away administrative privileges from the non-admin account after I've done all my configuration.

    >Are you still reading "Windows 7 Inside Out"? I shall have to read up on it just so I can understand the points you are having trouble understanding.

    Yes, I bought a copy of that book the other day on Kari's recommendation, and I've read most of chapter 16, "Managing User Accounts, Passwords, and Logons." But these issues don't seem to be fully discussed there, either.

    >I am not sure, I may have missed it, but is this a family, business or school computer?
    It would help to keep things organized if you made a list of:

    • Who uses this/these machines.
    • What do they need to do when they are on.
    • And list what permissions they do have with dates and times of change.

    I would have to look it up but you might be able to set up a time limit. Let us say 8pm to 10pm for homework.

    I don't need any time limits, but here is my intended use for the system:

    I am moving from a desktop Windows XP system to a Windows 7 laptop. The machine is only for me, but since it will connect to public WiFi networks, (and probably corporate networks at some point), it needs to be a lot more secure than my desktop machine was.

    My first step of this was to re-partition the drive to put user data on drive E: while leaving the OS and applications on C:. I don't want anyone but the account owner and the administrator to see other users' files.

    I will have (at least) three accounts:

    1. An admin account

    2. My primary account (which currently has administrator privileges, but those privileges will be removed later)

    3. A "Friend" account. This is intended to be like the built-in Guest account, except that it will also be password-protected. Users of this account should not be able to do things like installing software.

    I would also like to have one shared folder that the Guest account can access, so that other people can easily give me files, and I can give them files. (I want my primary account to able to grab files out of that folder, or put files into that folder.)

    I will do most activity (e.g., e-mail, surfing the Web, downloading software) from my primary account. I'll install software from the admin account (and I'll hope the I have the option to install it for all users, rather than having to install it in each separate account). If I collaborate with others on a software project, I want that shared folder to let us easily swap files. (Though I'll be using a Git repository for all the 'official' files in the project.)

    I hope this sounds like a reasonable setup that is similar to the way that many other people have their machines configured. And I hope I can achieve this configuration without having to become a hard-core, fully certified system administrator!

    ==> END OF RESPONSE
    ==> Sorry about all the other garbage below.






























    Posting Rules You may post new threads
    You may post replies
    You may post attachments
    You may edit your posts
    BB code is On
    Smilies are On
    [IMG] code is On
    HTML code is Off
    Forum Rules


    All times are GMT -6. The time now is 10:51 AM.

    -- 3.8.7 -- SF Default ---- SF Default (CDN) ---- SF Black ------ SF Black wide -- SF Default - Wide -- Seven Blue C ---- Seven Blue CDN -- SF Blue ---- SF Blue Wide -- SF Pastel ---- SF Pastel Wide -- Pitch Black -- SF Aero ---- SF Aero Wide Windows 8 Forums - FAQ - Contact Us - Forum Rules - Legal - Privacy - Log Out FluffyBunny - Top


    Windows 7 Forums is an independent web site and has not been authorized,
    sponsored, or otherwise approved by Microsoft Corporation.
    "Windows 7" and related materials are trademarks of Microsoft Corp.
    © Designer Media Ltd


      My Computer


  4. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #14

    I would like to apologize for taking so long to reply, I became involved with other personal duties.

    Also, this will be an extended post in order to try and cover all of your concerns. Please read each section carefully. From here on out all my responses will be in Dark Blue.

    FluffyBunny said:
    Quote: Originally Posted by FluffyBunny
    Just to be clear on what I'm trying to do, I want to make sure that
    the folders on drives C: and E: have their permissions set such that
    only the account owner (and those with administrator privileges) can
    do anything with those files. I can live with other users being able to
    see that files exist, but I don't want them able to see the _contents_ of
    the files or be able to modify them.



    Anak: Then you will need to go back in and modify the permissions you have already set.
    Okay, I can do that. But I'm still not clear on WHICH permissions I need
    to set [see below].
    Okay lets see if we can make it more clear.

    FluffyBunny said:
    Quote: Originally Posted by FluffyBunny
    I'm not clear on what happens if I deny a privilege to the Users or Authenticated users group. Does that mean that the privilege is denied to every member of the group EXCEPT the owner of the account (which is what I would hope)?
    I think? You are confusing terms here. Owner, and Administrator are the same thing.
    You. Are the owner Administrator of all accounts, and have full control to all accounts including SYSTEM.

    If you deny a privilege to any Users or Authenticated users group (AUG), any one that has access to that account has to abide by the permissions you have set for those accounts.


    User(s) or AUG(s) are owners only in the aspect that they have (own) a password.




    The confusion starts with lumping these two statements together with your quote above.

    FluffyBunny said:
    Or does it even deny access to my own account?

    No it does not deny access to you the owner Administrator.
    Even if you enter those accounts (sign-in) while you are still signed-in as an Administrator you should still have full control. But, that is an awful redundant way to do that when you already have full access.


    FluffyBunny said:
    Am I correct in assuming that members of the Administrator and SYSTEM groups should always have all permissions (except for the special permissions that aren't normally checked)?
    Yes you are correct, but to clarify.

    There is only one member to the Administrator and SYSTEM groups and that would be you or anyone that you give your password to (I hope not!).


    FluffyBunny said:
    These are issues that the documentation doesn't make very clear, so I will be grateful for any insights that you or others can provide.

    ==> My apologies for the poor formatting of my responses below and all
    ==> the extra garbage tacked on at the end. I'm having some real problems
    ==> with the cut-and-paste facilities here.
    Anak: Logically I would think that anyone that has been assigned to a particular user or group would be locked out.
    If this is true, this is the root of my problem. How can I lock out other people without locking out myself??
    When you start using your machine at the beginning of the day or session would you not start the session with using your password to enter your account, just as you would in your UNIX example below?

    FluffyBunny said:
    Locking out everyone including myself would be completely useless, and if that is all Windows will let me do, then you're effectively saying that is IMPOSSIBLE to have secure file permissions in Windows. I hope I'm just ignorant of the right method to use.
    No it is not impossible.
    FluffyBunny said:
    In UNIX, you can set file permissions for three sets of people: You the user, members of groups that you belong to, and others (i.e., everybody else). If I want to stop others from reading my files, I just type 'chmod o-r filename' to remove read permission from others. This is what I'm trying to do in Windows, and there doesn't seem to be any obvious way to do it.
    Not to sound harsh here, but as you have mastered the intricacies of UNIX and its CMD line, so to, you will have to become comfortable with Windows and its GUI.

    You will find you can use parts of both to help guide you, but you will have to differentiate between the two when you are working with them.

    FluffyBunny said:
    Anak:To me, the safest way for you would be to have the one account, with full Administrator rights, but then you would also need a strong password on it.
    Yes, I have created a password-protected "admin" account. This was not the first account I created, since Windows couldn't be bothered to mention that my first account was an administrative one. So I effectively have two account with administrative privileges at the moment. I plan to take away administrative privileges from the non-admin account after I've done all my configuration.
    You state you have two Admin accts., but refer to the one as non-admin Do you mean the one that you would like to make your primary?
    Then your plan is sound.

    FluffyBunny said:
    Anak: Are you still reading "Windows 7 Inside Out"? I shall have to read up on it just so I can understand the points you are having trouble understanding.

    Yes, I bought a copy of that book the other day on Kari's recommendation, and I've read most of chapter 16, "Managing User Accounts, Passwords, and Logons." But these issues don't seem to be fully discussed there, either.
    Anak: I am not sure, I may have missed it, but is this a family, business or school computer?
    It would help to keep things organized if you made a list of:

    • Who uses this/these machines.
    • What do they need to do when they are on.
    • And list what permissions they do have with dates and times of change.

    I would have to look it up but you might be able to set up a time limit. Let us say 8pm to 10pm for homework.
    FluffyBunny said:
    I don't need any time limits, but here is my intended use for the system:

    I am moving from a desktop Windows XP system to a Windows 7 laptop. The machine is only for me, but since it will connect to public WiFi networks, (and probably corporate networks at some point), it needs to be a lot more secure than my desktop machine was.
    Something else you may want to consider.
    Paid version:Absolute Software | LoJack for Laptops: Track, Locate, and Recover Stolen Computers
    Free version:
    Adeona: A Free, Open Source System for Helping Track and Recover Lost and Stolen Laptops
    Plus different security settings, and software for your WiFi.

    My responses will be in dark blue within the confines of your Quote.
    FluffyBunny said:
    My first step of this was to re-partition the drive to put user data on drive E: while leaving the OS and applications on C:. I don't want anyone but the account owner and the administrator to see other users' files.
    I am not sure if windows will automatically break down the Admin, and User accounts for each partition. You will have to let me know how that turns out. If it does, it will make it simpler.

    I will have (at least) three accounts:

    1. An admin account

    This will (Hopefully) have full control over C:\ and E:\

    2. My primary account (which currently has administrator privileges, but those privileges will be removed later)
    All you will need to do is check
    Modify the others like Read, and Write will take check themselves.

    3. A "Friend" account. This is intended to be like the built-in Guest account, except that it will also be password-protected. Users of this account should not be able to do things like installing software.
    Then you only need to check Read, and Write.

    I would also like to have one shared folder that the Guest account can access, so that other people can easily give me files, and I can give them files.
    Then your "Guest" will need a password,
    with Read, and Write permissions. Maybe Read and Execute also. Your "Modified Account" should already be able to do this.

    (I want my primary account to able to grab files out of that folder, or put files into that folder.)I will do most activity (e.g., e-mail, surfing the Web, downloading software) from my primary account.
    As stated above; "All you will need to do is check Modify the others like Read, and Write will take check themselves".

    I'll install software from the admin account (and I'll hope the I have the option to install it for all users, rather than having to install it in each separate account).

    You should.

    If I collaborate with others on a software project, I want that shared folder to let us easily swap files. (Though I'll be using a Git repository for all the 'official' files in the project.)

    Also need a clarification here. There are several schools of thought here, You really should have an Admin account, and then your own personal-primary account


    Have you used Git in UNIX? what are the permissions there?

    I hope this sounds like a reasonable setup that is similar to the way that many other people have their machines configured. And I hope I can achieve this configuration without having to become a hard-core, fully certified system administrator!

    Well, hopefully not too hard-core :)


    I still feel there is a way to go here to make sure you are comfortable, especially since I was having a hard time understanding your differences between the Owner, Admin, and primary accounts.
    But, It is still nothing we can not get straightened out!


    ==> END OF RESPONSE
    ==> Sorry about all the other garbage below.
    Cleaned up >

    End of Line >
      My Computer


  5. Posts : 21
    Windows 7 Home Premium 64-bit
    Thread Starter
       #15

    Anak,

    Thank you kindly for responding. I have to admit I am still very confused
    here. Some of my confusion may be from differences in Windows vs.
    UNIX nomenclature. (And I think I finally figured out how to quote the
    text I'm replying to here.)

    I think? You are confusing terms here. Owner, and Administrator are the same thing.
    You. Are the owner Administrator of all accounts, and have full control to all accounts including SYSTEM.

    If you deny a privilege to any Users or Authenticated users group (AUG), any one that has access to that account has to abide by the permissions you have set for those accounts.


    Okay, perhaps I was using the term "owner" in the wrong way.
    But you just said above that SYSTEM is an account. Is that really true?
    (Apparently so, cf. pg. 790 of "Windows 7 Inside Out.) This is one of the
    things that is truly driving me nuts about Windows - Microsoft's repeated
    habit of hiding key information from the user. First, it was the built-in
    Administrator and Guest accounts, and now SYSTEM. Geez.

    There is only one member to the Administrator and SYSTEM groups and that would be you or anyone that you give your password to (I hope not!).
    Okay, that is useful to know. Though it begs the question of
    how can I tell which accounts are members of which groups?

    Not to sound harsh here, but as you have mastered the intricacies of UNIX and its CMD line, so to, you will have to become comfortable with Windows and its GUI.
    Yes, that is true - which is why I'm reading two books and spending many
    hours surfing the Web - yet none of what I've read so far has made it clear
    how to accomplish what I want to do. Perhaps I can make my goal clearer
    with an example:

    Suppose that I create two new standard (non-administrative) accounts on
    my system, with usernames Jack and Jill. A new set of folders for will be
    created on drive E: for Jack the first time I log into Jack's account, and
    similarly for Jill. (The folders appear automatically on drive E: because I
    made a registry change to ensure that folders for all new accounts are
    created on drive E:.)

    If I or user "Jack" logs into the Jack account, I expect that user Jack
    should be able to access and modify the contents of all his own folders.
    BUT Jack should NOT be able to read or modify the contents of Jill's
    folders (or the folders belonging to the admin account for that matter.)
    Similarly, when Jill logs into her account, she should be free to muck
    about with her own files and folders, but she should not be able to see
    any of Jack's files. I THINK this is the way that accounts are supposed
    to be set up by default when you create a new account on a normal,
    unpartitioned drive (i.e., no manual repartitioning). But I'm not sure
    that happens automatically with my setup on the E: drive, and for
    the existing account folders that I manually moved to the E: drive,
    the copied folders were visible to EVERYBODY, which is not what I
    wanted. So I'm trying to figure out how to get back to a "normal"
    set of permissions for those folders.

    I think part of my confusion arises from the fact that the Security
    tab for folders shows four groups by default: Authenticated Users,
    SYSTEM, Administrators, and Users. It doesn't show ANY of the
    accounts that I created. I finally learned how to make my own
    account names appear on this page:

    Take Ownership and Change Permissions of Files and Folders | Windows 7 Tutorials

    Please correct me if I'm wrong, but this is what I THINK I now need
    to do to create the desired permissions for, say, user Jack's folders:

    1. Log in to Jack's account and add user Jack to the set of users
    displayed in the Security tab for Jack's top-level folder. (Or
    do I need to log in as the admin user?)

    2. Select user Jack, press Edit, and allow Full Control.

    3. When I get back to the Security tab, select "Authenticated Users,"
    press Edit, and deny all permissions.

    4. When I get back to the Security tab, select "Users," press
    Edit, and deny all permissions.

    5. Leave the SYSTEM and Administrators group set with all their
    normal permissions.

    6. Repeat steps 1-5 for each account, substituting Jill for Jack, etc.

    I HOPE that this will give me what I want.

    If I collaborate with others on a software project, I want that shared folder to let us easily swap files. (Though I'll be using a Git repository for all the 'official' files in the project.)
    Also need a clarification here. There are several schools of thought here, You really should have an Admin account, and then your own personal-primary account
    Uh, I DO have an Admin account, and a personal-primary account. I expect
    to be doing my development work in the personal-primary account, with
    occasional forays into the admin account if it is necessary to start things
    like Apache or MySQL. (And no, I don't intend to run them as services;
    I want to start and stop them manually.)

    Have you used Git in UNIX? what are the permissions there?

    I have really only used Git under Windows XP, and haven't experienced
    any permission problems. I don't think there should be any problems
    with creating a Git repository in my personal-primary account.

    Something else you may want to consider.
    Paid version:Absolute Software | LoJack for Laptops: Track, Locate, and Recover Stolen Computers
    Free version:
    Adeona: A Free, Open Source System for Helping Track and Recover Lost and Stolen Laptops
    Plus different security settings, and software for your WiFi.
    Thanks for the links; that was something I hadn't considered.
    Though unfortunately it doesn't look like Adeona is an active
    project any more.
      My Computer


  6. Posts : 21
    Windows 7 Home Premium 64-bit
    Thread Starter
       #16

    I hope you can help me here, because I'm getting pretty damned
    frustrated. I tried out some changes on the admin account (after I
    logged in as user admin). I dug through the several levels of dialogs to
    find the list of all users, and added admin to the list of Group or user names.
    For user name admin, I changed the permissions from

    Allow to Allow
    ----- ----
    Read & execute Full control
    List folder contents
    Read

    When I clicked OK, I got the error dialog

    An error occurred while applying security information to
    E:\Users\admin\AppData
    Access denied.

    I clicked Continue twice, and the dialogs went away, and the permissions
    I wanted were seemingly applied. I then selected the 'Authenticated Users'
    group and chose to _Deny_ all access. I did the same for the Users group.
    Later, I logged out and logged back in again. Upon login, I got the error dialog

    Location not available
    E:\Users\admin\Desktop is not accessible.
    Access is denied.

    I can still use my machine, but something is clearly wrong. Do I perhaps
    need to restore access to the Users group? If so, why? And why does
    Windows consistently barf with errors every time I try to change file
    permissions???

    I hope that someone can give a clear explanation of what is going on.
    From my perspective, the Windows permission system is VERY flaky and
    untrustworthy. It shouldn't take a week of work just to get basic folder
    permissions set up. Please, somebody, dispel my ignorance!
      My Computer


  7. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #17

    !!!An answer to your next post is at the bottom of this post.!!!


    FluffyBunny said:
    Anak,
    Thank you kindly for responding. I have to admit I am still very confused
    here. Some of my confusion may be from differences in Windows vs.
    UNIX nomenclature. (And I think I finally figured out how to quote the
    text I'm replying to here.)
    I think? You are confusing terms here. Owner, and Administrator are the same thing.
    You. Are the owner Administrator of all accounts, and have full control to all accounts including SYSTEM.


    If you deny a privilege to any Users or Authenticated users group (AUG), any one that has access to that account has to abide by the permissions you have set for those accounts.
    Okay, perhaps I was using the term "owner" in the wrong way.
    But you just said above that SYSTEM is an account. Is that really true?
    (Apparently so, cf. pg. 790 of "Windows 7 Inside Out.) This is one of the
    things that is truly driving me nuts about Windows - Microsoft's repeated
    habit of hiding key information from the user. First, it was the built-in
    Administrator and Guest accounts, and now SYSTEM. Geez.
    Your welcome. Yes, in these longer conversations figuring out where all the quotes start and stop, and then trying to remember what you wanted to say can become confusing.

    Yes. System is an account.
    From two sources. this first one is a little old, but still gives a good description:
    The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account.

    NOTE: Granting either account Administrators group file permissions does not implicitly give permission to the system account. The system account's permissions can be removed from a file but it is not recommended.
    How the System account is used in Windows

    And:
    There is an account in Microsoft Windows that is more powerful than the Administrator account in Windows Operating Systems. That account is called System account it is similar to the root OR super user in the Linux/Unix world .
    https://alieneyes.wordpress.com/2006...nt-in-windows/

    Microsoft seems to feel that as their OS becomes more complicated they need to apply safeguards so the casual user won't sabot the OS. But, it does make it harder for the rest of us.

    If I would of known before we bought our system, I would of upgraded to at least win7pro at least there you have a group policy editor.anything lower and you have to fuss with permissions like we are.
    See:
    Local Group Policy Editor - Open
    FluffyBunny said:
    There is only one member to the Administrator and SYSTEM groups and that would be you or anyone that you give your password to (I hope not!).
    Okay, that is useful to know. Though it begs the question of how can I tell which accounts are members of which groups?
    Note: From here on my answers are in Dark Blue.
    Do you notice how windows will add the name you give to the level of the account in (parentheses?) i.e. Users (FluffyBunny\User)
    As you add names to the Users account that list of names should grow. i.e. Users (FluffyBunny\User;Jack\user;Jill\User;Water Pail\user;Humpty Dumpty\user etc.


    For later reference:
    Well-known security identifiers in Windows operating systems

    FluffyBunny said:
    Yes, that is true - which is why I'm reading two books and spending many
    hours surfing the Web - yet none of what I've read so far has made it clear
    how to accomplish what I want to do. Perhaps I can make my goal clearer
    with an example:

    !!Please excuse me I deleted your example for brevity.!!

    I think part of my confusion arises from the fact that the Security
    tab for folders shows four groups by default: Authenticated Users,
    SYSTEM, Administrators, and Users. It doesn't show ANY of the
    accounts that I created. I finally learned how to make my own
    account names appear on this page:
    Take Ownership and Change Permissions of Files and Folders | Windows 7 Tutorials


    My answers are in Dark Blue.
    FluffyBunny said:
    Please correct me if I'm wrong, but this is what I THINK I now need to do to create the desired permissions for, say, user Jack's folders:
    1. Log in to Jack's account and add user Jack to the set of users
    displayed in the Security tab for Jack's top-level folder. (Or
    do I need to log in as the admin user?)This seems like an un-needed step.
    All you need to know is. That there is a user account that exists.
    Log into your admin account, then you can do whatever you want to Jack or Jills account.

    Jack or Jills account should have already been created
    as "top level or full control for that folder" Just go to the Security tab in properties of the Folder, and continue with step #3.

    2. Select user Jack, press Edit, and allow Full Control. Redundant.

    3. When I get back to the Security tab, select "Authenticated Users," press Edit, and deny all permissions. Correct.

    4. When I get back to the Security tab, select "Users," press
    Edit, and deny all permissions. Correct.

    5. Leave the SYSTEM and Administrators group set with all their
    normal permissions. Correct.

    6. Repeat steps 1-5 for each account, substituting Jill for Jack, etc. Correct.

    I HOPE that this will give me what I want.
    It should.


    FluffyBunny said:
    Uh, I DO have an Admin account, and a personal-primary account. I expect
    to be doing my development work in the personal-primary account, with
    occasional forays into the admin account if it is necessary to start things
    like Apache or MySQL. (And no, I don't intend to run them as services;
    I want to start and stop them manually.)
    You are very wise grasshopper!


    Something else you may want to consider.
    Paid version:Absolute Software | LoJack for Laptops: Track, Locate, and Recover Stolen Computers
    Free version:
    Adeona: A Free, Open Source System for Helping Track and Recover Lost and Stolen Laptops
    Plus different security settings, and software for your WiFi.
    Thanks for the links; that was something I hadn't considered.
    Though unfortunately it doesn't look like Adeona is an active
    project any more.







    To answer your newer post:

    Did you make sure to go to The E drive to set your permissions?
    Then Properties
    Select Security tab
    Select Owner
    Select your Admin account
    apply
    OK?


    I probably won't be able to respond until 2am est or later, I will be out checking if there is any aurora reaction to the CME the Sun expelled Monday evening.
      My Computer


  8. Posts : 21
    Windows 7 Home Premium 64-bit
    Thread Starter
       #18

    Thanks for responding, and thanks for the extra info on the
    SECURITY account; that's about what I expected.

    To answer your newer post:

    Did you make sure to go to The E drive to set your permissions?
    Then Properties
    Select Security tab
    Select Owner
    Select your Admin account
    apply
    OK?


    Yes, I was indeed on the E: drive; I at least managed to get
    that much right.

    Thank you for the feedback on the steps I suggested to set up
    my permissions. But they still don't work properly. I tried logging
    in as the admin user and then tried to set the permissions on the
    E:\Users\Friend folder for my Friend account. I wasn't allowed to
    see the owner of the folder, so I tried taking ownership. Then I
    looked at the permissions for the User group. I think they were set
    to Allow Read & execute, List folder contents, and Read, which was
    not what I tried to set them to earlier. I then clicked on the Edit
    button and denied all permissions for Users. After I clicked Apply, I once
    again got into an infinite loop of error messages (the same as I originally
    reported way above), and couldn't get out of the Security tab. I had to
    log back out and log in again to get rid of it. (I was dubious about trying
    to kill the window in the Task Manager.) On the other hand, once I
    logged back in, the Users group at least LOOKS like it has the correct
    (lack of) permissions now. But when I logged in, I still got the error I
    reported earlier,

    E:\User\admin\Desktop is not accessible.
    Access is denied.

    (I can still use the account, but maybe that explains why the desktop has
    a pure black background instead of the blue desktop I see at the login prompt.)

    I probably won't be able to respond until 2am est or later, I will be out checking if there is any aurora reaction to the CME the Sun expelled Monday evening.
    Cool! I wish I could see some aurorae. Unfortunately, (for this purpose)
    I live in California, so we rarely get them at our latitude. Plus, it's been
    raining all day. :-( I hope you get to see some spectacular sights!
      My Computer


  9. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #19

    FluffyBunny said:
    (I can still use the account, but maybe that explains why the desktop has
    a pure black background instead of the blue desktop I see at the login prompt.)

    Cool! I wish I could see some aurorae. Unfortunately, (for this purpose) I live in California, so we rarely get them at our latitude. Plus, it's been raining all day. :-( I hope you get to see some spectacular sights!
    It disturbs me that your desktop has changed.
    Can you find a restore point, and go back to before the black desktop started to show?
    System Restore


    In my haste to go aurora hunting I gave you the short version for checking the ownership of your E:\ drive. Hopefully this more complete version will help.

    I do not know if you have been creating restore points during all of this, but it would be prudent to make one before you start here.
    There is a "How To" link located in the blue note: box at the top of the tutorial link I posted above.


    Okay!
    Locate the file, folder or drive on which you want to take ownership in windows explorer like E: in your case.


    • Right click on the file, folder or drive and select “Properties” from Context Menu.


    • Click on Security tab.


    • Click on“Advance”.


    • Now click on Owner tab in Advance Security Settings for User windows.


    • Click on Edit Button and select user from given Change Owner to list if user or group is not in given list then, click on other users or groups.


    • Enter name of user/group and click OK. You can even click on administrator here, if you are logged in as an administrator.


    • Now select User/group and click apply and OK. (Check “Replace owner on sub containers and objects” if you have files and folder within selected folder/drive).


    • Click OK when Windows Security Prompt is displayed.


    • Now Owner name must have changed.


    • Now click OK to exit from Properties windows.



    Once you have taken the ownership of the Drive. Grant
    file or folder permissions to everyone even your user account.


    • Go to E: and then click right click on folder and choose properties.


    • Then go to security tab and click Edit then click Add >Advanced.


    • If you click on advanced, now click on Find Now and choose everyone and click OK.


    • Then again click OK and now click on Allow >Full control >or however much control you want Jack and Jill to have.


    • Click OK.


    Unfortunately our aurora trip was somewhat of a bust. The K indices were forecast to go from 4 up to 5 with 6 or 7 a sure bet, but by the time we arrived at our seeing location we checked the laptop, and it had already dropped to 2.....Oh well! Still got to see some meteors.

    All was not lost though, My one friend brought along his 10" reflector and I helped him setup and take some astro-photographs with his CCD equipment.
    Hope they come out all right, the seeing was rated as bad because of the high winds we were experiencing here causes a rippling effect in the atmosphere.

    We have a warning in effect until 9pm locally tonight. they were steady 20mph gust to 35 this morning, now they are steady25 gust 40.
      My Computer


  10. Posts : 21
    Windows 7 Home Premium 64-bit
    Thread Starter
       #20

    Anak,

    Sorry to hear that your aurora adventure didn't turn out
    that well. Though I'm glad you at least got to see a few
    meteors.

    It disturbs me that your desktop has changed.
    Can you find a restore point, and go back to before the black desktop started to show?
    System Restore
    Not that easily. I was getting the black desktop much earlier in
    the process, and I don't know how far back it goes. It might go
    all the way back to re-partitioning my drive and/or creating new
    accounts. I did create a new restore point before trying your next
    set of steps, for what it's worth.

    As far as taking ownership is concerned, I went through your set
    of steps, but my admin account is already the owner of drive E:.
    So nothing changed there. As for your steps to change permissions...

    Once you have taken the ownership of the Drive. Grant file or folder permissions to everyone even your user account.


    • Go to E: and then click right click on folder and choose properties.


    • Then go to security tab and click Edit then click Add >Advanced.


    • If you click on advanced, now click on Find Now and choose everyone and click OK.


    • Then again click OK and now click on Allow >Full control >or however much control you want Jack and Jill to have.


    • Click OK.
    ...they didn't work any better than the last several attempts. When
    you say to choose "everyone," I presume you mean the _group_
    named Everyone. I tried that, and yes I even Allowed Full control,
    even though that is the exact opposite of what I'm trying to do.
    (To reiterate, I'm trying to DENY all permissions to everybody EXCEPT
    administrators and the "owner" (more properly, login name) of the account.
    When I clicked OK to allow Full control, I got the usual error dialog once
    again:

    An error occurred while applying security information to:
    E:\Users\admin
    Access is denied.

    After clicking Continue a couple of times, I got the dialog

    Unable to save permission changes on admin.
    Access is denied.

    In trying to get out of this infinite loop of error dialogs, I
    once again got a warning about the permissions not having
    propagated properly, and that if I didn't fix them immediately,
    they would be left in an inconsistent state. Of course, that
    dialog provides no means whatsoever to fix them. Indeed,
    the only way I can get out is by logging off.

    I'm pretty sure these types of errors have occurred EVERY
    SINGLE TIME I have tried to change permissions. It is very
    easily reproducible, and as I've complained before, it really
    bugs me that this kind of mess is even POSSIBLE to have
    happen. What kind of operating system traps its users in
    an infinite loop of error dialogs??

    I note also that after logging out and logging back in, the
    login process is very slow, presumably because Windows
    is failing to load the desktop. Every time I log in, I get the
    dialog

    E:\Users\admin\Desktop is not accessible.
    Access is denied.

    This dialog also sometimes reappears when I bring up other
    windows.

    Something is clearly very wrong, and I'd really like to get some
    insight into how to fix it before I start installing all my applications.
      My Computer


 
Page 2 of 3 FirstFirst 123 LastLast

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 07:02.
Find Us