NTFS Permissions – Copies, and Moves…

2013-07-24T22:37:13+00:00 July 24th, 2013|Uncategorized|

Did you know …

Per Microsoft:  “By default, an object inherits permissions from its parent object, either at the time of creation or when it is copied or moved to its parent folder. The only exception to this rule occurs when you move an object to a different folder on the same volume. In this case, the original permissions are retained.

Okay, so you knew that… but did you know this …?

Per Microsoft: “You can modify how Windows Explorer handles permissions when objects are moved in the same NTFS volume. However, if you want to modify this behavior so that the object inherits the permissions from the parent folder, modify the registry as follows: “


Value name: MoveSecurityAttributes
Data type: DWORD
Value data: 0

And maybe even you knew that….  but did you know it doesn’t always work …?

Actually, this registry value used to work natively with Windows XP (after a reboot).  But for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, you must install a Microsoft-supplied HOTFIX to make it work, found here: (http://support.microsoft.com/kb/2617058).

Install the hotfix and reboot.

Also, make sure that the user account that is used to move the object has the Change Permissions permission set.

For the entire knowledge base article, please see: http://support.microsoft.com/kb/310316



XP EOS M-9… And Counting…

2017-07-27T00:01:03+00:00 July 17th, 2013|Uncategorized|

The Windows XP “End of Service” date is now only 9 months away!  Well, we’re actually just beyond 9-month mark now, but you get the point.

Before reading on, it might be a good idea to reference my post from last month, “XP Elimination — The looming crush…

If you think it’s ridiculous or hilarious that anyone should be concerned about migrating off of XP at this point, then you probably work in a small-to-medium sized company.  You might even be able to consider upgrading all the workstations by yourself (or with a buddy), or maybe you’ve just replaced all the computers with modern devices with updated OS’s.  Easy-peasy.

But many *large* enterprise company/organizations are watching the clock (or should be) for that looming April 8th deadline, for a variety of reasons.  And this is what I really wanted to touch on today — the fact that steering the massive enterprise can be like steering the largest ship in an ocean, but there are other factors to consider in the metaphorical ocean as well.  Like icebergs…  Like other, older ships that require rescuing… 

Okay, I’ve worn out the metaphor, so let’s start discussing some specifics.  Let’s look at the examples of three, ahem, *fictitious* example large organizations that have arrived at three different XP situations.

Organization “A” – What, me worry?

For our fictitious Organization “A”, things are smooth sailing.  Or so they think.  They’ve got only 20,000 XP machines, and they’ve set up a test pilot bed of about 50 Windows 7 machines, and it’s going well.  Well, *that* part’s going well.  What they will soon realize is that their back-end infrastructure isn’t prepared (in design nor scale) for the type of load that their Win7 deployment strategy calls for — and they have only just begun to prepare their applications for re-packaging.  But they aren’t worried.  Well, not as much as they should be, anyway.

Organization “B” –  Nope.  We don’t wanna.

Organization “B” doesn’t have a plan.  It’s not that they don’t have a clue, it’s just that they mostly don’t care.  They have 40,000 workstations, a bunch of old servers, and so on, in a complicated, aging infrastructure.  You see, things don’t really look good for the business end of the company in this age of consolidation, and most folks think they’ll be acquired anyway.  So XP is fine for now.  I guess.  Whatever.

Organization “C” – The best-laid plans…

For Organization “C”, they really have been doing it right.  They jumped in front of the project, and designed/prepared/deployed a sturdy, modern back-end infrastructure.  They rallied the troops and started the application re-packaging very early-on and devised a “just-in-time” strategy to manage application-to-user/workstation tracking and roll out the workstations right behind the infrastructure and apps.  The working schedule seems to indicate that all of their 50,000 workstations should be upgraded/re-deployed right around the the April 8th deadline.  Whew!  It looks like they’re going to make it!  Until…  Uh-oh…  Did we mention that Organization “C” just acquired Organization “B”? 

While these are hypothetical scenarios, I will be re-visiting these imaginary companies over the next few months as we approach the XP EOS date, discussing some of the finer points of their challenges along the way…  Let’s wish them all luck, shall we? 





Removing Stuck System Files on Windows 8…

2017-07-27T00:01:03+00:00 July 10th, 2013|Uncategorized|

First off, I want to apologize for the lack of clarity in the title of this post; I honestly couldn’t fit the whole real subject in there.  And even if I could have, it would have been a bit silly anyway.  Here’s what it might have been called:

“Removing system files from a domain-based computer on a hard drive that was previously installed in another computer and your domain is currently un-available…”  Or something like that.  I know it sounds kinda’ crazy, but stick with me here…


Now, let me explain.  I’m a consultant that rarely goes into our corporate office, and therefore am usually authenticating with a cached domain credential to my laptop.  And as you may know, there are limits to permissions management when a domain is not available.  So when I added a second hard drive from another computer to my Windows 8 laptop, the NTFS permissions put up a pretty good fight in not letting me delete the old SYSTEM files on the now-secondary disk.  in the end, I had to do a handful of steps to sieze the permissions on those files and folders before I could delete them, made extra tricky by me being remote to the domain. 

How I Got Here:

Here are the steps that got me into the jam in the first place:

– Installed Windows 8 on original LAPTOP1 with a big hard drive as a local user, LAPTOP1Jeremy.Local
– Drove to office, joined to domain as user DOMAINJeremy.Pavlov, went on with life for a while
– Got a new LAPTOP2, and wanted to use big hard drive from LAPTOP1 as secondary disk in LAPTOP2
– Removed big hard disk from LAPTOP1 and installed into LAPTOP2, to what would become E: drive.
– Installed fresh Windows 8 on LAPTOP2 smaller C: drive as a local user, LAPTOP2Jeremy.Local
– Drove to office, joined to domain as user DOMAINJeremy.Pavlov, added DOMAINJeremy.Pavlov as member of local administrators group on LAPTOP2, went on with life
– Wanted to delete system folders (Windows, Program Files, etc.) from big E: drive (forgot to remove them originally), while preserving other folders (Virtual Machines, etc.)

…But, the folder(s) won’t let me delete them so easily.  My user (and Administrator credential) don’t have rights to the tiles, and since I’m not near the office to re-assign domain permission, I need different strategy.  Mind you, I would have just formatted the disk, but I have hundreds of Gigabytes of Virtual Machines on it.  And while I thought about removing the drive, or mounting in Linux, etc., I wanted to find an easier, repeatable way.

Stepping Through It

So, since NTFS won’t let deletion happen as-is, the permissions clearly need to be re-set.  So let’s walk through what we need to do to make this work…

– First, open a command prompt “As Administrator”, and run this command to “Take Ownership” of the unwanted folder on the E: drive:
takeown /f E:Unwanted Folder /R /A
…in this case, the /R means recursive, and the /A means set it to the Administrators group.

– Now that the local Administrators group has control, use the GUI Security tab in Windows Explorer (or PowerShell, or icacls) to grant it FULL CONTROL to This folder, subfolders, and files

– Fix inheritance by checking the box to “Replace all child object permission entries…” on “E:Unwanted Folder”

– Now, remove the unwanted folder with the good ol’ RD command (in the same command window you opened above, or the GUI):
RD /S /Q E:Unwanted Folder
…By the way, I just couldn’t bring myself to put “Windows” above, so I put “Unwanted Folder”.  You get the idea…

Of Course, A Script

Now if you just want to to do the whole thing in a script, here’s how you might do it:

#Set this to the folder to be removed:
SET DELETEME="E:Unwanted Folder"
#Next line sets ownership of hierarchy to Administrators Group
#Next line resets permissions for hierarchy to default
#Next line grants Administrators group "Full Control" to hierarchy 
ICACLS %DELETEME% /grant Administrators:(OI)(CI)F
#Next line removes hierarchy 

 …Of course, this is just one way (or two ways) to do it, in one weird situation.  But I thought it could help someone some day…  Maybe even myself…