0

I got a new computer with Windows 10. I have an account belonging to the Administrators group.

In the beginning, everything was fine. I copied some installers to the D drive, installed some software, and ran Windows update. Afterwards, I lost my access to D drive! When I wanted to create a new folder, I got the error message "Destination folder access denied".

I checked the security settings, they appeared all right. enter image description here

I read these two articles Domain Admins group denied access to d: drive Why can't I browse my D: drive, even if I'm in the Administrators group?

The problem was not quite the same. I can still browse D drive, but I cannot create, copy or delete files.

I also found this page "all users" required for folder access? , and confirmed that GPEDIT.MSC is the same as suggested in this article.

Many thanks for any suggestion in advance.

Katherine Villyard
  • 18,510
  • 4
  • 36
  • 59
Terpsiphone
  • 11
  • 4
  • If you change the permissions to give your particular user account (or any non-built-in group that your user account is a member of) access, then it will work. – Harry Johnston Apr 11 '19 at 00:25
  • @HarryJohnston, thank you for your suggestion. The particular user account only belongs to the 'Administrators' group. I also tried giving the particular user account full access directly, but it did not help. – Terpsiphone Apr 15 '19 at 02:40
  • If the user account has explicit access you shouldn't have any problems. Possibly the change didn't actually take effect, or it affected only the root of the drive but not the contents. Unfortunately the tools built into Windows don't provide any straightforward way to recover from this situation, I'm not sure what the best approach is. You might get better help if you ask on Super User. – Harry Johnston Apr 15 '19 at 02:55

1 Answers1

2

This behaviour is irritating, but correct. Speaking in the name of the sometimes bizarre microsoft world.

You have to know that you are not in the Administrator group, when you (as a member of that group) start a application. Like in this case the Windows Explorer.

The "Administrators" group is part of the "Admin-Token-Filtering-Protected" group, like the Domain-Admins themselves. you have to start things "As Administrator" to actually act as you were a member of those groups. Fun-Fact: the windows explorer itself cannot be started 'As Administrator' without messing with the registry (or disabling the UAC completely).

You will be able to do everything on that drive, when you start your application with a rright click and 'Run as Administrator'. You cannot start the explorer with an admin token, so you have to use other tools, set the infamous LocalAccountTokenFilterPolicyto 0 or allow your user (or users group) access to the drive. Welcome to the bizarre world of local security stuff in the 21st century.

bjoster
  • 4,423
  • 5
  • 22
  • 32
  • 1
    Hi, bjoster, thank you so much for your reply. As I am hesitant to change registry, please allow me to ask more: (1) I tried to read some material about LocalAccountTokenFilterPolicy. To me it seems relevant to remote access, but I have the problem on my PC (although it is a WorkStation PC). Does it also apply? (2) Some says LocalAccountTokenFilterPolicy should be set to 1 to disable filtering ? [Here: access-denied-trying-to-connect-to-administrative-shares-on-windows-7/](https://helgeklein.com/blog/2011/08/access-denied-trying-to-connect-to-administrative-shares-on-windows-7/) – Terpsiphone Apr 15 '19 at 02:55
  • It is there in every session, (1) local and remote. Yes, (2) to disable the policy, the policy entry has to be set to 1. – bjoster Feb 11 '20 at 14:12