[hewybo]

Now my wonderful Vista will not let me write to my "D" hard drive. Have changed all permissions to "allow." No sucess!!! Ideas?? Thanks..............

[Dave Hybrid]

If the drive was used in a different machine prior to using it with Vista it is possibly password locked.

You will need some 3rd party software to unlock it I think.

[serverguy]

I have seen this question come up before. I assume that you have taken the drive from a system that previously used Windows XP and now can't write to it.

In Windows XP you were running as a member of the Built-in Administrators Group, and you could write to it just fine. In Vista, you are also a member of the Built-in Administrators group, but now you can't write to it.

Explaination

The reason is permissions, but the reason they become a problem is because of User Account Control (UAC). If you run "whoami /all /fo list" on Vista you get a printout of your permissions token. It will have a few lines that look like this:

Group Name: BUILTIN\Administrators
Type: Alias
SID:
Attributes: Group used for deny only

You are a member of Administrators, but your security token does not actually have the Administrators group in it in the normal way. UAC marks that group as a "deny" which means it is never used to grant permissions, only to allow them. If you now look at the Access Control List (ACL i.e. the permissions) for the drive:
C:\Users\foo>icacls d:\
d:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)


The parts causing you trouble are the last two lines. The second line grants Administrators full control. You are an Administrator, but because you are running under a non-elevated token, you do not have Administrators in your token, so that membership doesn't help you. The second line grants users read. You are also a member of users. Thus, when running in admin approval mode under UAC, your total rights to this drive is read.

Fix

To fix this, you need to grant Users modify privileges to the drive. Really simple to do.

Option 1:

Right-click the drive letter in Explorer and select properties
Click the security tab
Click "Edit." You will be asked to elevate. Remember, until you do you are still in admin approval mode and for all practical purposes you are not an admin
Select "Users" and check the Modify box
Click OK enough times to get back to where you were.

Option 2: (A bit more complicated but easy if you like syntax)

From an elevated command line.

Click the Window circle
Click All Programs: Accessories
Right-click on Command Prompt and select "Run as administrator"
Elevate
Run this command: icacls d:\ /grant BUILTIN\Users:(oi,cl,m)
Substitute whatever drive letter your external drive is mapped to for d:\. oi means "let objects (files) inherit this ACE". cl means "let containers (directories) inherit this ACE". m means "modify". An ACE is an Access Control List Entry, in other words, the entries in the ACL that grants or denies someone permission to the object.

Once you do this regular users will be able to read and write to the drive. As long as you have not broken inheritance somewhere along the directory hierarchy of the drive you will not need to modify any more ACLs on this whole drive.

[serverguy]

The syntax for the second method should have been

Click the Window circle
Click All Programs: Accessories
Right-click on Command Prompt and select "Run as administrator"
Elevate
Run this command: icacls d:\ /grant BUILTIN\Users:(OI)(CL)(M)
Substitute whatever drive letter your external drive is mapped to for d:\. (OI) means "let objects (files) inherit this ACE". (CL) means "let containers (directories) inherit this ACE". (M) means "modify". An ACE is an Access Control List Entry, in other words, the entries in the ACL that grants or denies someone permission to the object.

[hewybo]

Ran both versions in command line - both say the "BUILTIN..............etc. is invalid prompt. Tho other method has had no effect. ??

[serverguy]

Forget the command prompt. I can't seem to get that to work either.

I don't understand why the first way doesn't work...

Have you tried taking ownership?

Right Click the D:\ Drive icon from My Computer --> Properties --> Security --> Advanced --> Take Ownership

[hewybo]

Have tried numerous times to take ownwership - -have not tried to write since the last..... been busy with a blown PSU and a black screen POST. I appreciate your efforts, and will apprise you of the outcome. Thanks...............