Why can’t I change the security settings on some of my files/folders on my external hard drive?

Leanne Talbot May 15, 2015
Pinterest Stumbleupon Whatsapp
Ads by Google

Leanne asks:

I am unable to access some of the files on my Seagate GoFlex hard drive on my Windows 8 computer.

I have tried changing the permissions on the security tab for the folders where the files are stored but it will not allow me to make the changes. I have also tried this on the individual files with no luck so I changed permissions for the entire hard drive. This did change the permissions for about 95% of my files but it is still not letting me access some of them.

Can you please help with this? The affected files are TV shows that I ripped from my DVD collection and I do not want to have to go through that process again!

ntfs-security-1

ntfs-security-2

Bruce’s reply:

To understand what is happening here, we need to take a brief look at some of the internals of how NTFS permissions, users, and groups work together to provide access control to the files. To do this, we will look at a few elements on the Advanced Security dialog box for one of my external drives.

default-ext-perms

The ‘Inherited from’ column is None for every entry. This is logical since we are looking at the root directory of the drive in question and it does not have a parent directory that it can inherit from.

The ‘Applies to’ column is ‘This folder, subfolders and files’ for each entry. This means that subfolders and files that are created in this folder will inherit the same permissions for the user or group listed as the Principal.

The ‘Principal’ column indicates the user, group, or system account that the access control will affect. Note that the accounts listed appear in two different formats. The ones with a parenthetical entry after it are specific to the computer listed. In this case, the entry for Administrators and Users apply to those group accounts on the computer named TestBox and have a SID that is unique to that specific computer. The other three accounts (SYSTEM, Authenticated Users, and Everyone) are universal accounts which have the same SID on every Windows computer.

The key to the drive we are looking at here are those universal SIDs. Because the Everyone group is a built-in account that exists on every Windows computer and has the same identifier on all of those machines, it provides an easy means to allow an external drive to be transported between different Windows computers and allow everyone to access all of the files on it, especially since it is allowing all files and folders created on this drive to inherit permissions to allow Full Control of those files and folders.

Now let’s take a look at the permissions on Leanne’s drive.

ntfs-security-3

Our interpretation of what we are seeing here needs to be modified somewhat since we are looking at a second-level subdirectory instead of the root directory of the drive, but it is not that different.

The first thing to note is that five of seven entries have inherited their permissions from the root of the drive while two of them have their permissions assigned directly on this particular folder.

The second item is that two of the principals have two entries each. What is interesting here is that the permissions that are being inherited from E:\ for the user Administrator have inheritance disabled beyond this point while the entry explicitly added for this account on this directory has inheritance enabled from this point further down into the directory tree with the exact same permissions!

Third, we have another built-in universal identifier with the CREATOR OWNER principal. The behavior of this identifier is unique in what it does. It acts as a placeholder for inheritable permissions. When a user creates a file or folder, the CREATOR OWNER SID is replaced by the SID of the creator of the object. What that means for us in this case is that if this drive is attached to a different computer or a different user was logged into Leanne’s computer and they copied files and/or folders to this drive, that user would become the owner of the files or folders copied here and would have full control of those objects.

It is very rare that the CREATOR OWNER principal is needed on most end-user systems and when used on external hard drives it tends to create more problems than it solves, so it would be a good idea to remove it. In this particular case, we need to remove both references to it; the one in the Bad Girls folder and the one that is applied at the root and inherited by all subfolders but we are going to try to take care of all of it in a single shot as well as clean up any similar issues on the rest of the disk while we are at it.

To do this, we need to open Windows Explorer or File Explorer, right-click on the E: drive and select Properties from the context menu. Select the Security tab and click on the Advanced button near the bottom of the dialog. Now set the permissions to match the screenshot of my G: drive shown at the top of my response. The order of the entries does not matter, but all five principals should be there with the ‘Access’ and ‘Applies to’ columns set as shown for the specified principals. Make sure you tick the box next to ‘Replace all child object permission entries with inheritable permission entries from this object’ then click on Apply. Depending on the number of files and folders on the drive this operation could take a bit of time.

Because this is being set from the top and we have ensured that all inheritable permissions are passed on, we should no longer get the error messages Leanne experienced when attempting to make the changes only on specific branches where she could not access her data due to the permissions set on the E:\Television Drama\Bad Girls\Bad Girls Series 1 folder or the files inside that folder.

Leave a Reply

Your email address will not be published. Required fields are marked *