Down the Rabbit Hole of Access Control - Help!

[thricipio]

I seem to have made a change to the Access Control settings for a protected directory and I cannot revert it back to its original settings. I'm not sure exactly how I made this change occur, but I've tried everything I can to return it to its default settings, including doing a System Restore. But nothing works.

So now, at the very least, I'm trying to get a handle on whether or not these changed settings even matter.

Just to add a little context, what I was in the process of doing was trying to figure how to customize what's appearing in my Start Menu, like one could do in the XP world. Apparently, getting to that same endpoint is not so easy with 7.

Here are the details:

After unhiding protected os files in Windows Explorer, I made my way to {C:\ProgramData\Application Data} and of course, I couldn't get any further (access denied).
So, I right-clicked on {Application Data} and then: Properties » /Security\ and listed under "Group or user names:" were the following:
Everyone
SYSTEM
Administrators (‹machine_name›\Administrators)

Under "Permissions for Administrators," only Special permissions had a checkmark -- a faded one, under the Allow column.

I say "were" and "had" because now Administrators... is gone, seemingly forever?!

I did try to get a little further by selecting [Advanced] » /Owner\ » [Edit] and then selecting (or typing in) my admin-class account ID (via the [Other users or groups...] button), and taking over ownership of that directory. I was able to accomplish that, but it didn't really do any good; i.e., it didn't give me read/write access to the directory and it didn't allow me to restore the Administrators... listing on the /Security\ page.

That's it for the details. Thanks for bearing with me.

Ideally, I'd like to be able to accomplish my original goal: tweak what appears in the Start Menu. And whether or not I end up being able to do that, I'd like to be able to then return a directory's access permissions profile to its original state.

One more thing before I (mercifully!) end this post: in the course of trying to figure this out, I came upon a statement in the Win7 help documentation that may hold the key to what I'm after. It said, "Assigning ownership of a file or a folder might require you to elevate your permissions by using User Access Control." This seems promising, but I can't seem to find Help info on how to elevate my permissions.

Okay... that's it. Thanks for bearing with the long read.

Any help on this, will of course, be greatly appreciated.

--Thri

 

[Brink]

Hello Thri,

The C:\ProgramData\Application Data folder cannot be opened it's actually a junction point. It's default owner is "System". Instead, this would be for the C:\Users\(user-name)\AppData folder.

Was there a particular file that you were wanting to modify?

 

[thricipio]

Brink, thanks for taking the time to respond.

The C:\ProgramData\Application Data folder cannot be opened it's actually a junction point. It's default owner is "System".
·····················
Brink, I understand SYSTEM is the default owner. Are you saying there's no way an administrator-class user account (such as my own) can acquire ownership of this directory?
　
Was there a particular file that you were wanting to modify?
·····················
I was trying to find the location of a {Nero 9} subfolder that's visible in my Start Menu (see attached), appearing inside the {Nero} folder along with one shortcut: <Nero ControlCenter 4.lnk>.
　
Instead, this would be for the C:\Users\(user-name)\AppData folder.
·····················
I did find the shortcut where you indicated, or more specifically, here:
{C:\Users\‹user-name›\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Nero}

However, {Nero 9} was not there. Mistakenly I went looking for it in {C:\ProgramData\Application Data}, which is what got me into trouble (or not?).

With a little more poking around, I did find {Nero 9} here:
{C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero}

Speaking of "or not," this brings me back to one of my questions from my original post:

After unhiding protected os files in Windows Explorer, I made my way to {C:\ProgramData\Application Data} and of course, I couldn't get any further (access denied).
So, I right-clicked on {Application Data} and then: Properties » /Security\ and listed under "Group or user names:" were the following:
Everyone
SYSTEM
Administrators (‹machine_name›\Administrators)

Under "Permissions for Administrators," only Special permissions had a checkmark -- a faded one, under the Allow column.

I say "were" and "had" because now Administrators... is gone, seemingly forever?!

. . . the question being, is this something I need to worry about; i.e., that Administrators... (along with its faded Special permissions Allow checkmark) is no longer listed under /Security\ ?? I more than suspect the answer is "No, no worries" but a little assurance would go a long way.

Well, I guess that's about it.

A little long-winded, I know... so thanks for bearing with me.

And thanks again for responding.
--Thri

 

[logicearth]

The reason why you cannot access "Application Data" or any folder that issues "Access Denied" is a junction neither you, nor the SYSTEM can access these. Because you DO NOT NEED to access them. These junctions are there for compatibility with old applications. The links in my signature explain the purpose of these junctions and you SHOULD LEAVE THEM ALONE.

From, Junction Dysfunction:

....


Of course, a new opportunity can create a new problem: An application that isn’t familiar with junctions may get stuck in an infinite loop when it attempts to perform a recursive directory-tree walk. To prevent this, the compatibility junctions permit directory traversal but explicitly deny List contents permission: If you try to navigate to these folders from Explorer or the command prompt, you’ll get an Access denied error.


The compatibility symbolic links grant enough access to accomplish their goal of providing compatibility for older applications that unwisely chose to hard-code directory names. But they don’t supply enough rope to let these older applications cause themselves serious harm. Blocking List contents also has the pleasant side effect of removing an attractive nuisance for new programmers, who may be tempted to continue the tradition of those older applications. Will this technique work to steer people in the right direction? Only time will tell.

 

[F5ing]

logicearth, does this mean that he does or doesn't need to worry, based on these two quotes:

Under "Permissions for Administrators," only Special permissions had a checkmark -- a faded one, under the Allow column.
I say "were" and "had" because now Administrators... is gone, seemingly forever?!

. . . the question being, is this something I need to worry about; i.e., that Administrators... (along with its faded Special permissions Allow checkmark) is no longer listed under /Security\ ?? I more than suspect the answer is "No, no worries" but a little assurance would go a long way.

 

[edwar]

It's not a folder. It is, as other s have stated, a Junction Point. It is like a false Link/shortcut. It really doesn't exist.

If you tried to change permissions on these type folders or to the ROOT of the boot drive you may be facing a Re-Install of the OS.

 

[F5ing]

But it must really exist, in one form or another, in order to provide the desired functionality. And in this case it exists as an entity, like any other, on the disk in the file system.

And the problem (if there is one) that I would be worried about, is the fact that the administrators group has been removed from the permissions tab.

 

[thricipio]

And the problem (if there is one) that I would be worried about, is the fact that the administrators group has been removed from the permissions tab.

Yup... that's it in a nutshell. This is exactly what I'm concerned about. Although, still guardedly optimistic that someone in the know will get back to us and call me "safe at the plate." Leastwise, I'm hoping!

And thanks to one and all who've responded so far. There's still this remaining question, but at least I'm becoming better informed along the way.

--Thri
__________________
PS - If I've put myself in a ticking timebomb predicament here, I guess I'm better off learning about that now, rather than later. If I end up having to start over from scratch, well... that would be fairly horrible; but better now than later; I'm still at the beginning of installing my apps.

 

[F5ing]

If it isn't too painful for you, you might try a system restore to an earlier restore point.

I too would like someone who knows the answer to chime in.

 

[Brink]

You will not be able to open a junction point since it's not a folder, but only a symbolic link used for backwards compatibility to open another folder instead that may still be referenced by it's old location (the junction point) in previous versions of Windows from a older program. The links in logicearth's signature can give you more details about this if you like.

There's no need to worry about you removing the Administrators group by mistake from a junction point since you will not be able to open/access it anyway as it's not actually a folder that can be opened anyways.

@Thri,

Depending on what you need, the shortcuts in the Start Menu can be found at the locations in the tutorial below. If you needed to know where the exe file is that the shortcut runs, then you can right click on the shortcut, and click on Open File Location to be taken to it.

http://www.sevenforums.com/tutorials/296-start-menu-all-programs-add-delete-shortcuts.html

 

[Duzzy]

Well I was trying and typing this when Brink posted so I guess it's no problem but here's my findings anyway.

Well I thought I'd give it a shot and try to remove the Administrators and even though it told me I was unable to change the permissions Administrators still disappeared.

So I opened up the security tab and clicked advanced. Clicked change permissions > Add > Entered Administrators > Clicked OK > Checked "full control" and set "apply to this folder only" as it was before > Clicked OK > Clicked Apply.

Here I got the Error applying permissions just clicked continue then ok on the seconded dialog. Clicked ok on the permissions window and again got the Error applying permissions dialog, clicked continue again then a different error dialog where I clicked retry. Next I just clicked cancel and what do you know it didn't add Administrators.

So I clicked the Owners and proceeded to change the owner to Administrators then closed the advanced permissions window. Next I preformed the same steps as before starting with clicking advanced. Got the same errors when I clicked on apply and then on ok but when I clicked cancel Administrators showed up on the permissions tab.

So I then simple set the Owner back to System.

Edit: I use a Administator account and have UAC turned off.

 

[thricipio]

There's no need to worry about you removing the Administrators group by mistake from a junction point since you will not be able to open/access it anyway as it's not actually a folder that can be opened anyways.

Thanks, Brink. This is encouraging. I have some further thoughts/(questions?), but they'll have to wait: have to get ready for work.*

And thanks for the excellent tutorial on how to customize the Start Menu. I'm now back to the type of scheme I've grown used to in the XP world.

Later . . .
--Thri
________________
* ...which regularly gets in the way of life!

 

[thricipio]

Well I was trying and typing this when Brink posted so I guess it's no problem but here's my findings anyway. . . .

Duzzy- I didn't see your post until after I replied to Brink. Anyway, now I really have more questions!

But again, they'll have to wait; work beckons.

--Thri

 

[thricipio]

Next I performed the same steps as before starting with clicking advanced. Got the same errors when I clicked on apply and then on ok but when I clicked cancel Administrators showed up on the permissions tab.

Duzzy- did you also get restored, the faded checkmark for Allowing Special permissions for Administrators ?? What I'm wondering is: were you able to essentially restore the permissions listing to its original condition?
--Thri

 

[Duzzy]

Next I performed the same steps as before starting with clicking advanced. Got the same errors when I clicked on apply and then on ok but when I clicked cancel Administrators showed up on the permissions tab.

Duzzy- did you also get restored, the faded checkmark for Allowing Special permissions for Administrators ?? What I'm wondering is: were you able to essentially restore the permissions listing to its original condition?
--Thri

Well original as I know of. I didn't tick the box "Replace all child object permissions.....", only the steps I specified.

I actually done it twice because the first time I forgot about the "Apply to" drop down box and the Administrators just had all permissions checked except Special but the second time I changed it to "This folder only" (what it was) I got only the faded checkmark for Allow Special Permissions checked.