Issue with permissions on previous versions folder

chrissmith · 2013-10-07T08:16:57.000Z

I am trying to restore a folder from a shadow copy but I am getting access denied errors. I have tried right clicking the folder within the previous folders view panel and changing the permissions this why but get access denied error.

I have tried to copy the shadow copy folder but get the same error again. I have taken ownership of the live folder and tried the above again and still get the same error.

I am a domain admin and have added in both the admin, domain admin and my own user account until the ACL but not getting anywhere at all!

I have logged on and off and tried again but with no luck…

The folder I am trying to restore was a folder that I did not have access to beforehand so I am thinking maybe the snapshot took a copy of this ACL hence the access denied error but surely there is a way around this as domain admin?

Cheers, Chris

lukemaslany · 2013-10-07T08:48:03.000Z

I am not 100% sure it’ll work but you could try using Microsoft’s psexec and access the files under the SYSTEM context. You can then robocopy the files/folders to the active file system and then as administrator you can take ownership and grant yourself the necessary NTFS permissions.

chrissmith · 2013-10-07T09:00:24.000Z

Cheers for your reply, I am confused as to why I would use psexec to access the files to then use robocopy? I am a domain admin and have access to all servers including the file server which is where these files are stored…

lukemaslany · 2013-10-07T09:07:00.000Z

Christowfurs:

I am a domain admin and have access to all servers including the file server which is where these files are stored…

Clearly that is not the case or you wouldn’t be having this issue.

Normally you’d just be able to take ownership which would grant you full access. The problem is that a shadow copy is read-only so you cannot overwrite the owner or permissions on the folder/files.

By using psexec you can get a command line session to run as the SYSTEM account. This may have access even though your administrative account does not.

Do you know who ‘owns’ the files in question? Could you get them to access the shadow copy? This will at least allow you to view the NTFS permissions that were set up on the folder/files.

chrissmith · 2013-10-07T09:33:47.000Z

I have taken ownership of the ‘live’ files with no problems, its just accessing the shadow copy that is the issue. Are all shadow copies read only or does the snapshot take an up to date copy of the ACL at that point in time?

I’ve not used psexec before! Could you give me a brief master class on what I need to be doing?

I do know who owns the files and folders but I don’t have access to there account and resetting the password is out of the question as it is the CEO…

lukemaslany · 2013-10-07T09:46:07.000Z

The snapshot takes a copy of the ACL at that point in time.

Download and extract psexec
Open an administrative command prompt
Browse to the folder containing psexec.exe
Run psexec.exe \localhost /s cmd.exe

Once you have your new command prompt you can mount the shadow copy as normal and try robo-copying the folder to the active file system. Once you have an active (writeable) copy you should be able to seize ownership.

You don’t have to log on as the CEO - just get him/her to open the shadow copy using the Previous Versions tab from their own machine. You may then also want to advise said CEO of the dangers of removing administrative access to files and folders…

EDIT: Usually I’d use the FQDN of the server rather than \localhost - I doubt it’ll matter but if \localhost doesn’t work you may want to try the FQDN.

chrissmith · 2013-10-07T10:02:36.000Z

Mount the shadow copy? I am not familiar with doing this…

lukemaslany · 2013-10-07T10:48:40.000Z

At the command line:

:> vssadmin list shadows > shadows.log
:> notepad shadows.log

Find the shadow copy you want to mount in shadows.log. You are looking for the Shadow Copy Volume guid. You’ll need to look at the Original Volume and the creation time. Once you have the guid you need to run the following where ZZZ is an integer value.

:> mklink /d C:\shadowcopy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopyZZZ

Now use robocopy to grab the folder you want from C:\shadowcopy and copy it to a suitable location on the active system such as C:\active

Once you have finished copying the files you need to remove the symbolic link:

:> rmdir C:\shadowcopy

Of course you won’t be able to copy the files if SYSTEM was denied access to the files/folders either.

chrissmith · 2013-10-10T10:08:34.000Z

Sorry for my late response! This seemed to do the trick, thanks for the help on this. To prevent this occurrence in the future how can I make sure that any new folders or files created by users automatically have domain admins group as full control?

adishjain2 · 2013-12-21T04:28:58.000Z

Hi Christowfurs,

Did you find an answer to your question regarding preventing such occurences?

Thanks.

chrissmith · 2013-12-23T12:45:43.000Z

I didn’t really find a solution to preventing this problem sorry but the fix to get into the files once the damage has been done did work!

jondehen · 2014-04-22T14:57:43.000Z

I know this is old but I think I have found a better solution. You must be the “built-in administrator” for that machine, not simply in the administrators group. That can either be THE local “Administrator” account or THE domain “Administrator” account. Hope that helps someone!

lukemaslany · 2014-04-22T17:01:36.000Z

Can’t see how that would work. If the built-in administrator account did not have rights they’d have to take ownership to replace the ACL - which they cannot do as a shadow copy is read-only.

I shall have to give it a try when I get in to work tomorrow.

jondehen · 2014-04-22T17:14:31.000Z

Please give it a shot because I don’t want to send anyone in the wrong direction! At least for me, I could not access the shadow copy with my domain admin account but could once I used the domain admin account “Administrator”. There are specific group policy options that address the behavior of the built-in administrator accounts vs other administrator accounts so our setups might be slightly different.

thomastessier · 2014-12-15T13:56:33.000Z

Logon with builtin administrator account worked for me also. Thanks

kuster · 2015-02-16T09:52:52.000Z

same here… does not work with Domain admin, but does work with builtin admin. thx!

jerroddevers3877 · 2015-06-03T17:39:10.000Z

Quick question about this for you gurus…

I’ve tried pulling data from ‘previous versions’ that have the date I’m looking for, but when I copy data from the shadowcopy, all I’m seeing is the data that is current? Am I missing something here?

ahmerzaidi · 2016-02-07T18:37:32.000Z

old thread, but if someone land here, if you cannot even take ownership of shadow copy folder, try this , it worked for me Unable to access or take ownership of file users shadow copy files « Memorise

richardwatt7485 · 2016-04-26T17:48:36.000Z

I know this is a really old thread, but the instructions from lmaslany on Oct 7, 2013 at 7:48 AM has a slight error. The command is missing a trailing slash, otherwise you will get a permission/parameter error when trying to access the directory link.

mklink /d C:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyZZZ

Needs to be:

mklink /d C:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyZZZ\

I found this thread very useful for solving a similar issue for me, so I wanted to save future visitors the trouble of it not working for them.

michaelcallaway2096 · 2016-08-08T11:27:35.000Z

From what I found, it comes from trying to use an admin account that did not create the shadow copy. I have an older main one I used back in the day and my newer admin account encountered this problem, but the old admin account worked fine.