Windows 7 Access Denied For Administrator


The Problem

You receive a Windows 7 access denied error when accessing a folder through Windows Explorer even though you have set the permissions correctly. You are an administrator and the Administrators group has full control over the folder, but you can’t access it without Windows re-writing the permissions.

The cause is a new feature in Windows 7 called User Account Control (UAC). It is the combination of UAC and a bug in Windows Explorer that causes the access denied error.

The easiest solution is to simply disable UAC. If this is not possible (for security reasons) then read on for alternatives.

What is UAC?

In a nutshell, UAC is an extra layer of security on top of Windows 7. When you log in as an administrator, normally you would have full unrestricted access to everything. UAC aims to prevent this by running all tasks that don’t require administrator access in a more restrictive manner. When UAC is enabled, an administrator has two access tokens: a standard user token (restricted) and an administrator token (unrestricted). All tasks first run under the restricted user token. Only when a specific program or task requires full administrative rights does it then prompt you to run it in an elevated mode. It then launches this task using the administrator token. For the scope of this article this is all you need to know. To see the full benefit of UAC on Windows 7 follow the link listed above.

How Windows 7 Uses UAC

In Windows 7 some programs will automatically prompt you to run them in an administrative context when you start them. These are typically programs that serve only one purpose, and that purpose requires administrator rights; examples are any of the administrative tools that ship with Windows 7. Other programs, like the command prompt, don’t always need to be run in the administrative context. Simply using the DIR command and browsing folder structures can be done as a normal user; it does not require you to be an administrator. So, although you are logged in as an administrator, it will run under your standard user context. If, however, you type something like IPconfig /renew it will fail with an access denied error. At this point you need to close the CMD prompt and find it again in the start menu, but this time right click and choose “Run as administrator”. This will now launch the program using the administrator token, where IPconfig /renew will work.

Why You Get Windows 7 Access Denied On Folders

Something I found that isn’t well documented regarding UAC is how it treats folder permissions. If you try to access a folder where the built-in Administrators GROUP has access to it, UAC expects you to access it using your administrative token. Say you are a member of a group called Managers and this has access to a specific folder. When accessing this folder it works as expected; you gain access. If, however, you are not a member of this group but a member of the built-in Administrators group, which also has access to the folder, you still get an access denied. This is not as expected; you should still gain access. With UAC enabled, to access this folder you need to run Windows Explorer under your administrator context by manually launching Windows Explorer from the start menu, right clicking it and choosing “Run as Administrator”. This SHOULD WORK but unfortunately doesn’t, due to the bug mentioned at the beginning of this article, resulting in an access denied message.

It is important to note that this ONLY affects the Administrators group. As already mentioned for example if I create a new group called “staff” and added this group to the NTFS permissions of the folder I would be able to access this fine without having to elevate the program as long as I am a member of this group. This is ONE of the workarounds to this problem; for all folders you need access to create a new group and use this to assign permissions instead of the administrators group. This will allow you to access the folders without running Windows Explorer in the administrative context.
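To find the folders this behaviour applies to, the following added example (not code from the original article) walks a directory tree from an elevated Windows PowerShell prompt and lists every folder that can be listed only through an Allow entry for the built-in Administrators group. The function names and the sample path are assumptions, the access check is simplified to the "list folder" right, and only BUILTIN\Administrators is treated as filtered, as the article describes.

```powershell
# Added example, not from the original article. Windows PowerShell, run elevated.
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$SidType   = [System.Security.Principal.SecurityIdentifier]

function Get-TokenSid {
    # User SID plus every group enabled in the current token. WindowsIdentity.Groups
    # leaves out deny-only groups, so Administrators appears only when elevated.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Test-CanList {
    # Simplified check for "list folder": some Allow ACE must match $AllowSids and
    # no Deny ACE may match $DenySids. Inherit-only ACEs do not apply to the folder itself.
    param([string]$Path, [string[]]$AllowSids, [string[]]$DenySids)
    $list        = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $rules = @((Get-Acl -Path $Path).GetAccessRules($true, $true, $SidType) | Where-Object {
        (([int]$_.FileSystemRights -band $list) -ne 0) -and
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0)
    })
    $denied  = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $DenySids -contains $_.IdentityReference.Value })
    $allowed = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $AllowSids -contains $_.IdentityReference.Value })
    ($allowed.Count -gt 0) -and ($denied.Count -eq 0)
}

function Get-AdminOnlyFolder {
    # Folders the elevated token can list but the filtered (standard) token cannot.
    param([Parameter(Mandatory = $true)][string]$Root)
    $elevated = Get-TokenSid
    if ($elevated -notcontains $AdminsSid) { throw 'Run this from an elevated prompt.' }
    # In the filtered token Administrators is deny-only: it still matches Deny ACEs
    # but no longer matches Allow ACEs.
    $standard = @($elevated | Where-Object { $_ -ne $AdminsSid })
    $folders  = @(Get-Item -Path $Root) +
                @(Get-ChildItem -Path $Root -Recurse | Where-Object { $_.PSIsContainer })
    foreach ($f in $folders) {
        if ((Test-CanList $f.FullName $elevated $elevated) -and
            -not (Test-CanList $f.FullName $standard $elevated)) {
            $f.FullName
        }
    }
}

# Example call with a constructed path:
# Get-AdminOnlyFolder -Root 'D:\Shares'
```

Each path returned is a folder where a non-elevated process owned by this administrator has no usable Allow entry, which makes it a candidate for the dedicated-group workaround.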

Windows Explorer Doesn’t Work With UAC

Yes you heard that right. I had to do a lot of research to find this out. This affects Vista, 2008 and Windows 7. Of course MS haven’t officially acknowledged this but you can prove this yourself by doing the following:

  • Log in as an administrator and set permissions on a folder so that ONLY the Administrators group has access to it.
  • Open two command prompts; one as normal and the other under the administrative context.
  • Now try to DIR to this folder in both command prompts and read the contents. You will find that the CMD window running under the administrator context is the only one that can access the folder. This is behaving correctly as explained above.
  • Now open MS Word, Excel, whatever in the administrative context. Save a file in this folder. This proves Word is running in elevated mode – The point of this step is to illustrate that ANY program (not just CMD) can access a folder where only Administrators have access to if you run it under your administrator context. Close Word.
  • Now open Word in standard context (no admin) and try to open the file. You get an access denied. Again behaving exactly as it should.
  • Now open two Windows Explorers; one as normal and the other under the administrator context.
  • Try accessing the folder and BOTH OF THEM will fail. This proves Windows Explorer (reasons beyond me) does not run under the administrator context.

A bug?? I think so! So how do we access the folder under Windows Explorer? You can’t, well at least in this context. MS seriously screwed up here in my opinion. A lot of folders only allow the Administrators group access, but you will also get an access denied error without tweaks if UAC is enabled!

How Do We Prevent Access Denied On the Folder?

In Windows 7, access denied errors on folders can be eliminated using a few methods. The easiest one, as mentioned at the start of this article, is to turn UAC off. Folder access will then behave exactly like XP. If this is not possible, what I found works is to create a new group in Active Directory and call it something like “All-Folders-Access”. Add your administrator account to this group and then give this group full control permissions to the same folders the Administrators group has access to. This will allow you access to the folder with Windows Explorer. This is time consuming but the only solution if you want to keep UAC in use.
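One way to apply the dedicated-group workaround to a folder is sketched below as an added example (not code from the original article). It copies each explicit Allow entry that the built-in Administrators group holds to the group named in the text. The function name is an assumption, the group must already exist, and the code assumes Windows PowerShell on the .NET Framework, run elevated.

```powershell
# Added example, not from the original article. Windows PowerShell, elevated prompt.
function Copy-AdministratorsAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Group = 'All-Folders-Access'      # group name suggested in the article
    )
    $adminsSid = 'S-1-5-32-544'                    # BUILTIN\Administrators
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $fullMask  = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    # Fails here if the group does not exist yet.
    $groupSid  = (New-Object System.Security.Principal.NTAccount($Group)).Translate($sidType)

    # Read and write only the DACL section so owner and audit entries are left alone.
    $dir = Get-Item -Path $Path
    $acl = $dir.GetAccessControl('Access')
    $added = 0
    # Explicit ACEs only ($true, $false): inherited ones are handled on the parent folder.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if ($ace.IdentityReference.Value -ne $adminsSid) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band (-bnot $fullMask)) -ne 0) {
            Write-Warning "Skipping ACE with generic rights on $Path"
            continue
        }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $groupSid, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($rule)   # merges with an existing matching ACE for the group
        $added++
    }
    if ($added -gt 0 -and $PSCmdlet.ShouldProcess($Path, "Add $added ACE(s) for $Group")) {
        $dir.SetAccessControl($acl)
    }
    $added   # number of Administrators ACEs mirrored
}

# Preview first with a constructed path, then run without -WhatIf:
# Copy-AdministratorsAce -Path 'D:\Shares\Finance' -WhatIf
```

Group membership is read when the logon token is built, so an account added to the group must log off and on again before the new entries take effect.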

Your third option is to re-write the permissions on the folder and let Windows 7 do this for you. This is fine to do on normal folders but I would not recommend it on special folders like Windows, System32, user profiles etc. These folders have special permissions assigned to them. Overwriting these can cause serious problems and possibly a re-installation.

The 4th and final work around is probably your best option as it allows you to keep UAC enabled with no downsides to it. With the introduction of UAC came additional group policies in Windows 7 to manage it. These are located in Computer Configuration\ Windows Settings \ Security Settings \ Local Policies \ Security Options:

[Screenshot: Windows 7 UAC group policy settings]

This last solution is probably your only option for special folders like profile folders. By default only the user has access to their own profile. There is another group policy that will add the Administrators group to each user profile when it is created, thus allowing administrators access, but of course this won’t work with UAC on.

From the printscreen above, if you enable the first option it will basically disable UAC for the built-in administrator account. This prevents the Windows 7 access denied error on these special folders as you no longer need to elevate Windows Explorer, therefore bypassing the bug. This keeps UAC on for all other accounts and is the most secure workaround of the 4 provided. If you have other administrator accounts which require access to these folders you will need to enable the 3rd option (highlighted above). This will affect anyone who is a member of the Administrators GROUP rather than just the built-in administrator account. This kind of defeats the point though… You have effectively turned off UAC for all administrators so you might as well disable it outright. I would suggest enabling it for the built-in account only and using other administrator accounts for your administrative duties. Only when you come across this problem would you log in as the built-in administrator and then amend permissions accordingly.

19 Responses to Windows 7 Access Denied For Administrator

  1. Keith says:

    Thanks for the post… I was scratching my head trying to save a file on a server in which I am a member of the Domain Admins group. By explicitly adding the non “administrator” group, it worked fine. My OS is Windows 2008 R2 Datacenter edition so it looks to still be an issue in R2 DC.

  2. ElleyGirl says:

    Thanks for the article – I recently revisited this issue on behalf of a colleague. I have long struggled with this madness, often being forced to turn off UAC on my servers though I would have preferred to keep UAC in place.
    I just wonder why people aren’t kicking up more of a stink? This problem has existed since Windows Vista/Server 2008 and is a pretty big bug. It forces us to go against years of Best Practice, puts unnecessary entries in our acls and just causes a load of pain.
    I mean the idea of the OS ‘automagically’ adding single users to the file acls is insane in concept. Hello? Anyone home? Cheap programmers are obviously doing wonders for Microsoft’s code base. Keeping track of that mess is impossible and WTH happens when that admin is demoted or re-tasked?
    MS has long pushed this concept of “elevating permissions” or separate accounts but putting it into practice is near impossible and they make it no easier.

    Probably no-one comments because they just learnt to turn off UAC about 2 years ago or found this article amidst their despair of trying to fix this cr*p and don’t have time to comment!

  3. zoza0503 says:

    Thanks for this excellent article.
    I have maybe different problem, and if it is possible, please answer to it.
    Namely, on remote XP machine resides folder which I had access while I was using XP machine. Now, my XP machine is too old, so I replaced it with Vista one (same user name & pass, same permissions set, same workgroup) and there is a problem. I can’t access no more remote XP machine from my Vista – error code “0x80070005 – Access denied”
    Thanks in advance

    • D.A.R.Y.L. says:

      Is it in a domain or workgroup first?

      • zoza0503 says:

        workgroup machines

      • D.A.R.Y.L. says:

        What makes you think it is UAC? I don’t think it affects remote shares in a workgroup. Have you tried browsing to it by typing \\computername\sharename in explorer?
        When you say you can’t access it, is it by the method above or are you trying to browse the workgroup and that is where you get the error?

  4. zoza0503 says:

    First of all, thanks for the quick prompt to my headache problem.
    Browsing through entire workgroup, or typing the name \server_name\shared_name through windows explorer gave same result.
    I really do not know what is the reason for that strange behavior. That is why I asked here, I thought maybe, it is some Vista problem (maybe, with UAC), because if I try again with XP machine it does work (I can access to share folder).

    • D.A.R.Y.L. says:

      It doesn’t sound like a UAC problem to me. For the username and password you log into Vista as, does this exist on the XP machines? This is most likely the cause. The username and password must match exactly on all machines you want to access.

  5. zoza0503 says:

    Also checked, and rechecked. For all of those reasons above – I have no idea what is causing the problem. Honestly, UAC is not logical to me either, to be the reason for error – simply because XP does not have it – but I just asked this as a last chance – again have no idea what is causing this problem
    But, thank you very much for your time

    • D.A.R.Y.L. says:

      The only other thing I can think is that Vista is connecting as the guest account (basically it doesn’t authenticate). You can test this by editing the NTFS permissions on a share and manually add the guest account. By default it IS NOT part of the everyone group so technically it won’t have access at this time. If Vista tries to connect this way it will. Try that and let me know how you get on.

  6. zoza0503 says:

    Thanks. That was the issue. I completely forgot about Guest account – it was disabled.
    Thanks again for help

  7. Deb says:

    Hi, I found this site through a link on another site about this Access Denied issue. I’m ready to start the hair ripping, and hope you can help me! I recently got a brand new computer which came preinstalled with Windows 7, have been working on an XP machine for years with no issues. I am the sole owner/user of this machine, and it really busts my buttons when I am not allowed to even open the Programs folder!

    I still don’t know my way around this new OS and despite my best efforts, I cannot find the path you listed above to make the changes that would grant me access to my own files again. My problem is that I do most of my navigation and file management from the Windows Explorer window. I am not concerned about lowering the Nanny cr*p as I am a careful and responsible person who takes all precautions and constantly (obsessively?) monitors my system and programs to ensure all is up-to-date. I couldn’t even find a clear way to turn the UAC off! I have my system set to startup direct to my user account (no “logging in”) so there are no multiple logins configured (nor can I even find the area where that should be done!) nor do I wish to set them up, unless there is a need to share this computer with anyone down the line.

    Can you direct me to where I can find the above “Computer Configuration\ Windows Settings \ Security Settings \ Local Policies \ Security Options” or at least where I can go to disable the ever-annoying UAC? I NEED to be able to access my folders, and I suspect this may also be behind the problems I’ve been having with backups (can’t create restore points) lately too.

    Thanks! Deb

    • D.A.R.Y.L. says:

      Hi Deb,
      No problem. In Windows 7 the group policy settings are hidden by default. To access them take a look at this MS article http://support.microsoft.com/kb/307882. Read the section titled “How to Start the Group Policy Editor” and follow the instructions. You will then have access to the Group Policy settings where you can find the values I mention above. Let me know how you get on. Once you have done all the changes (including the article ones) you will need to restart your computer.

      • Deb says:

        Hi D.A.R.Y.L., thank you for your incredibly fast response! While I was waiting, I continued browsing search results and found elsewhere a statement to the effect that setting the UAC meter to “Never notify” effectively deactivated it, so I gave that a try – and it worked! Too bad it didn’t just say so on the settings page, would have saved me a lot of grief, not to mention time. I do wish MS wouldn’t make it so hard to find stuff such as the group policy settings, and I’ve found the program’s “Help & Support” to be singularly UNhelpful the vast majority of the time. It seems the “fancier” Windows becomes, the harder they make it for a regular self-taught geek to figure things out. I do appreciate having folks like you providing help so freely with these frustrating little problems! That said (again as just a “regular” computer user), despite all the negative things said about this operating system, I find it to be an amazing piece of work. I have a (minimal) understanding of coding and can only imagine the size of the code for this program. I took a class in Pascal in the pre-Windows days and was assigned to write a “small” script to do some simple math calculations. It took a couple of pages of “if/then” “and/or” command lines just to execute a simple 2 plus 2 type operation!

        Then again, I suppose I am easily amazed.

  8. Anonymous says:

    Excellent work, writer.

  9. Anonymous says:

    1) start Task Manager and terminate explorer.exe
    2) enable: Show processes from all users
    3) in the Applications tab, choose: New Task…, write explorer.exe and choose Create this task with administrative privileges

    Seems to work.

    • D.A.R.Y.L. says:

      Thanks, yes I read something like this before myself. It is because when you logon explorer is launched obviously for you to navigate and use the OS etc. This runs under normal user rights and every instance of explorer launched afterwards has the same effect. By killing all instances then launching it from task manager using the method you suggested forces it to run in admin mode. Does it run new instances afterwards in admin mode automatically though? I haven’t tested this and it could be a security issue.
      Thanks for the tip.

  10. nARESH jANGRA says:

    ACCESS IS DENIED IN WINDOW 7 WHEN COPY OR SAVE A FILE IN ANY DRIVE IN THE ADMINISTRATOR USER

  11. Jon says:

    This isn’t a bug. Only one master explorer.exe process can run at a time.

    If you launch explorer.exe logged in as non BI Administrator (and this will happen automatically on startup), then you can’t just start up another explorer.exe instance by right-clicking on the explorer executable and selecting “run as administrator”. It just opens a new explorer window under the main explorer.exe instance, which is still just running as your regular user.

    Don’t believe me? Just check task manager. After you launch the “admin” explorer, there is still only one explorer.exe listed in the process list — and it will be running under the regular user, not under the Administrator user. So it serves no purpose to try and “run” explorer as an administrator if explorer is already running! The UAC prompt fulfills its task, but explorer.exe has logic built into it to prevent another instance of itself from running. It just processes all such requests by simply opening up another window under the main instance.

    Well, why couldn’t explorer say something like “only one explorer.exe instance may run at a time, you cannot start a new explorer.exe instance.” ? Imagine trying to deal with all the logic around that and programs which routinely start up new windows. They simply call explorer.exe to bring up their new window, regardless of the arguments passed to explorer. And whatever type of user the request is coming from is irrelevant. You would then have behavior where users would be getting all kinds of messages about explorer running only one instance at a time when they have no idea why.

    So, if you really wanted to run explorer.exe under the administrator account, you have two options:

    1) Open up taskmanager, kill explorer.exe, click “Show all processes from all users”, click file->New Task (Run…), make sure the “Create this task with administrative privileges” checkbox is checked (this won’t be a checkbox if you’re already logged in as a BI administrator or you have UAC turned off — it’ll just be a statement that the process WILL be created with administrative privileges), then type explorer.exe and hit enter.
    2) Modify the explorer.exe executable to always run as an Administrator. Then the next time you log in it should start up that way.
