Permissionless external drive with NTFS

50

21

I have an external hard disk which has 1 partition, formatted in NTFS. I use this drive on multiple computers with a different logins on different machines, Windows XP and Windows 7. All files are plain old files, not OS encrypted or compressed.

Every now and then Windows 7 does not let me access some files, citing permission problems. I can circumvent this per case by taking ownership and setting appropriate permissions. This, however, is tedious. Is there a simple way to tell Windows to not enforce or store any permissions on any file/directory on a partition?

user12889

Posted 2010-05-14T05:08:25.413

Reputation: 1 743

Yes. OP is asking about a similar feature to this toggle in iOS (ignore permissions on external HD): http://www.cnet.com/news/solving-read-only-conditions-for-external-hard-drives/

– Jon – 2016-05-22T16:19:07.543

Set permissions to "EVERYONE" – Moab – 2016-08-15T21:18:09.583

@laggingreflex: Your bounty is not exactly in line with the original post. I answered the two question in the comments for the convert command, but added a new answer regarding permissionless disk formats. – harrymc – 2017-12-14T20:17:08.617

The answer is a solution but it doesn't answer your question. – reconbot – 2010-09-26T18:14:36.707

Answers

38

Your external drive is formatted with the NTFS file system, which supports access restrictions.

Unfortunately, while some users and security groups are built-in to Windows with predefined Security IDs which are the same on all machines (such as Everyone), other users and groups have SIDs derived from the machine they're defined on.

To normalize the situation you should:

  1. While logged-in as Administrator, right-click the drive's root directory and select Properties.
  2. Click the Security tab, then the Advanced button.
  3. In the Advanced Security Settings dialog for the drive, click the Owner tab, then the Edit button.
  4. Click the Administrators group, check Replace owner on subcontainers and objects and click OK. If asked about replacing existing permissions with ones giving you Full Control, click Yes.
  5. Back in the Security tab and on the original Properties sheet again, click the Edit button, and in the Security dialog click Remove for all entries for all accounts listed under "Group or user names", except for the well-known ones of System, Administrators, Users and Authenticated Users.
  6. Click Add, and in the "Select Users, Computer or Groups" dialog under "Enter the object names to select", type Everyone and click OK. You should verify that Everyone has been added to the list.
  7. Click Everyone, check Full Control, then click on Apply.
  8. Click Advanced again to go back to the Advanced Security Settings dialog box and click the Change Permissions button. Check Replace permission entries on all child objects and click OK and OK.
  9. Click OK.

Be careful in the future not to allocate separate access permissions to sub-folders of the drive (leaving all permissions as inherited). If this happens again, repeat the step for "Replace permission entries on all child objects".

Be mindful of the fact that under Windows 7/8 the Guest account is not part of the Everyone group. If you need it, you'll have to add Guest as above for the Everyone group.

If you encounter problems with UAC, try using Explorer via "Run as administrator".

harrymc

Posted 2010-05-14T05:08:25.413

Reputation: 306 093

I can set the owner of files to Everyone as well. Just wondering whether this is a good idea? Because even the local administrator group won't exist on another machine, I guess. And who will be the owner of new files added on another machine, will it be inherited, too? – ygoe – 2014-10-05T08:54:33.077

1The above is the correct solution and really the only easy way to deal with external NTFS drives that may used by multiple user accounts or on different machines. If there are files you want private you can always use something like TrueCrypt to make a folder and it's contents private. – jtreser – 2010-05-14T11:04:23.000

+1 - "Everyone Full Control" or "Administrators Full Control / Users Modify" is the easiest way around this. Beyond that, it's a matter of making sure something doesn't decide to mess with the ACLs. – afrazier – 2010-05-14T13:53:34.457

@ygoe The Administrators group has what is known as a "well-known SID" (security identifier) so it is the same on every Windows computer. Assigning it as the owner means it will apply to any machine to which the drive is connected in the future. See https://support.microsoft.com/en-us/kb/243330.

– Holistic Developer – 2016-08-30T20:33:23.860

I have a doubt... it should be Administrators or Everyone?. Or Administrators as the owner and Everyone in the permissions?. Or it is the same?. What about if i plug this disk into a Linux or a Mac OS system?.. it will be able to recognize the Administrators or the Everyone SIDs? – Brethlosze – 2017-06-18T02:34:58.813

+1 with opening a 'cmd.exe' as "Run as Administrator", through diskmgmt.msc command. Just changing directly often dont do anything. I thinks that is one of the major caveats in all of this. – Brethlosze – 2017-06-18T02:39:03.043

Does it specifically have to be 'Administrator' that takes ownership of the external drive's root folder or is a user with admin rights good enough? Because I can't seem to get this to work and I don't have the person with the Administrator password on hand. At least I can still access the drive just fine on my Linux laptop... (Whoever decided that putting ACLs on external hard drives was a good idea should be shot) – kahen – 2011-08-27T20:22:35.480

1UAC... my sworn enemy. 2 reboots later and a takeown /f e:\ /r /d y later, and everything is in order again. – kahen – 2011-08-27T21:22:32.810

A radical solution is to TrueCrypt the drive in FAT32 and suffer the limitations. As there are no ACLs under FAT32 it is g'teed you can access your files on virtually any machine... your home and work Windows PCs, Linux, OS X, and unless encrypted, even your phone and TV/SAT receiver. It's a shame that M$ made it so hard to attach memory even to simple Windows PCs. Really a crude and unfriendly design.

– Andreas Spindler – 2013-05-23T14:36:59.017

At step 7, I get, "An error occured while applying security information to: <file name>... Access is denied.". This pops up for every single file on the drive until I click cancel. – Jon Bentley – 2013-10-29T16:33:58.350

2@JonBentley: You probably have problems with UAC. Try using Explorer via "Run as administrator". – harrymc – 2013-10-29T17:42:09.317

@harrymc Thanks, that solves the problem. Might be worth adding that to the answer. – Jon Bentley – 2014-01-26T17:32:06.513

9

takeown is the easiest tool to get rid of this braindamaged permission system.

start a cmd as administrator (right-click cmd icon, run as admin), and enter

takeown /f [root dir of drive] /r /d y

example for drive F:

c:\>takeown /f f:\ /r /d y

woens

Posted 2010-05-14T05:08:25.413

Reputation: 191

2Watch out for things like junctions in Windows Vista/7, it ended up recursing in to F:\Documents And Settings for me, which linked to C:\Users. – Chris Chilvers – 2013-09-06T22:53:41.190

9

The example above:

takeown /f f:\ /r /d y

will assign owner to the current user. To assign owner to the administrators group add the /a option, For example:

takeown /f f:\ /a /r /d y

This will accomplish steps 1-4 of harrymc's solution.

Note that /d y is localisation dependent, with German localisation it is e.g. /D j.

eric

Posted 2010-05-14T05:08:25.413

Reputation: 91

0

About Recur-sing, If you find a shortcut within a folder that goes back to that folder simply reset the permission of the shortcut to deny permission to whatever is causing the problem. most likely in the app data area under users. otherwise you get irritating things like unlimited file paths mucking up archiving or copying or whatever. One of the most irritating problems next to the security stuff itself. If one of these OS makers really believed in liberty to the users they would develop an NTFS with no security descriptors and let the users do what they will.

geoffrey m voeth

Posted 2010-05-14T05:08:25.413

Reputation: 1

0

Of course this was asked a long time ago, but people still may see this if they put in the right search (like I did). There are a couple of newer methods of dealing with this that have since been developed.
The first is to use the convert command. I believe it's available with Windows 7 & above. Open a command prompt (I'd advise opening it as administrator if possible). Then enter:

convert X: /FS:NTFS /NoSecurity

where X: is the letter of your external drive. This will keep the NTFS format but convert security on all files & folders to allow access by all users. The other option is to reformat your drive to exFAT. You'll want to backup any existing files elsewhere as this will wipe the disk. You can do this from the Windows drive format GUI. IF you have Win7 or greater it should be there.

Right click your drive in the explorer view , click "Format", pick "exFAT" in the File System drop-down and click Start.

The advantages of the exFAT system is there are no file size or partition size limitations, and it's fully supported (Read AND Write) by both Windows and newer Mac OS's (and Linux distro's too).

Mark

Posted 2010-05-14T05:08:25.413

Reputation: 1

(1) You say “I'd advise opening it as administrator if possible”.   Is there any possibility that this command could succeed if run by a non-privileged user?  (2) You say “This will keep the NTFS format but convert security on all files & folders to allow access by all users.”   Does that apply to files that are created in the future? – Scott – 2017-11-16T01:47:11.783

How long does it take? Is it quicker than resursive takeown? – laggingreflex – 2017-12-14T15:25:09.767

convert /NoSecurity will need to be run again on each use, and administrator permissions may be required as it locks the disk. For exFAT: The convert command description says: "Volumes converted to the NTFS file system cannot be converted back to FAT or FAT32", so because exFAT is just FAT64, it might not be possible to convert NTFS to exFAT. – harrymc – 2017-12-14T20:03:05.407

0

User @laggingreflex asked in his posted bounty about file formats that will not cause problems regarding permissions when moved between computers.

I would suggest in this case to format the disk as FAT32, which lacks totally the notions of security and permissions. Its disadvantage is that it is limited to files of size up to 4GB in size. Its advantage is that it's universally supported on all versions of Windows, Mac, Linux, game consoles, and practically anything with a USB port.

If the 4GB limitation is unacceptable, the exFAT format is basically FAT64. Its disadvantage is that it's proprietary and requires licensing from Microsoft. It works with all versions of Windows from XP Service Pack 3 and above (and/or separate installation of Windows XP Update KB955704), and on modern versions of Mac OS X, but requires additional software on Linux.

harrymc

Posted 2010-05-14T05:08:25.413

Reputation: 306 093