7
Aldar
4y

Any Windows Sysadmins here? I have a question for you - How do you do it?

I only very rarely have to do something that would fall under "Windows System Administration", but when I do... I usually find something either completely baffling, or something that makes me want to tear our my hair.

This time, I had a simple issue - Sis brought me her tablet laptop (You know, the kind of tablets that come with a bluetooth keyboard and so can "technically" be called a laptop) and an SD card stating that it doesn't work.

Plugging it in, it did work, only issue was that the card contained file from a different machine, and so all the ACLs were wrong.

I... Dealt with Windows ACLs before, so I went right to the usual combination of takeown and icacls to give the new system's user rights to work with the files already present. Takeown worked fine... But icacls? It got stuck on the first error it encountered and didn't go any further - very annoying.

The issue was a found.000 folder (Something like lost+found folder from linux?) that was hidden by default, so I didn't spot it in the explorer.

Trying to take ownership of that folder... Worked for for files in there, safe for one - found.000\dir0000.chk$Txf; no idea what it is, and frankly neither do I care really.

Now... Me, coming from the Linux ecosystem, bang my head hard against the table whenever I get "Permission denied" as an administrator on the machine.

Most of the times... While doing something not very typical like... Rooting around (Hah... rooting... Get it?! I... Carry on) the Windows folder or system folders elsewhere. I can so-so understand why even administrators don't have access to those files.

But here, it was what I would consider a "common" situation, yet I was still told that my permissions were not high enough.

Seeing that it was my sister's PC, I didn't want to install anything that would let me gain system level permissions... So I got to writing a little forloop to skip the one hidden folder alltogether... That solved the problem.

My question is - Wtf? Why? How do you guys do this sort of stuff daily? I am so used to working as root and seeing no permission denied that situations like these make me loose my cool too fast too often...

Also - What would be the "optimal" way to go about this issue, aside for the forloop method?

The exact two commands I used and expected to work were:
takeown /F * /U user /S machine-name /R
icacls * /grant machine-name\user:F /T

Comments
  • 4
    Every time I do Windows management, I make sure my fridge is filled with booze... Preparations for a good day. Have a backup fridge just in case.
  • 4
    @Condor I can see why. My condolences that you have to administrate this sort of system. I would go crazy in your place, even with booze. Drunk crazy.
  • 1
    Lol, these things suck ass when they crop up. I'm not 100% sure of all the underlying pieces, but usually managing domain joined systems is a hell of a lot easier to work on because the OS grants more permissive rights to domain admins. just a side note, on windows 10 both home and pro, even if your user account is in the local administrators security group, I've run into weird permissions issues that I was ONLY able to circumvent by switching to the built-in 'administrator' user account or by joining the system to a domain and using a domain admin account to troubleshoot.

    So on my gaming PC I don't have a user account, I just setup a user for the sake of setting a password and enabling the administrator user. Then I switch over to using the builtin account and deleting the user account oobe forces us to setup.
  • 0
    1. Take ownership of all files
    2. Remove all permissions
    3. Enable permission inheritance.
    4. Set the permission on this folder (with permissions enabled for subfolders and files)

    Generally, this permission scheme (permissions with inheritance) is the default (with some exceptions).

    I have no idea how to solve it with icacls.
  • 0
    @zymk Never thought about doing that. I guess on desktops, I still stick with "working under root = bad". And I have no idea how domain-joined PC administration works either I'm a simple linux admin. Most we use is LDAP and that is still only to manage users/groups and stuff...

    @sbiewald Fails on the first step - Cannot take ownership of one of the files, meaning I cannot delete the higher up directories because they are not empty. Meaning I cannot even reset ACLs because I do not own the file.
  • 0
    @Aldar Enable the privilege "SeTakeOwnershipPrivilege". Those might be disabled by default, even in administrative sessions.
    Either assign them temporarily in the local security policy (relogin required) or during the session in an administrative powershell session.
Add Comment