Help: Vista won't let me write to my external hard drive

This is becoming a very common question as people move to Windows Vista. You have an external or extra hard drive formatted under Windows XP. In Windows XP you were running as a member of the Built-in Administrators Group, and you could write to it just fine. In Vista, you are also a member of the Built-in Administrators group, but now you can't write to it.

The cause is permissions, but they only become a problem because of User Account Control (UAC). If you run whoami /all /FO list on Vista you get a printout of your token. It will have a few lines that look like this:

Group Name: BUILTIN\Administrators
Type:       Alias
SID:       
Attributes: Group used for deny only

You are a member of Administrators, but your security token does not actually have the Administrators group in it in the normal way. UAC marks that group as a "deny" which means it is never used to grant access, only to deny it. If you now look at the Access Control List (ACL, i.e. the permissions) for the drive:

C:\Users\foo>icacls d:\
d:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)


The parts causing you trouble are the last two lines. The second line grants Administrators full control. You are an administrator, but because you are running under a non-elevated token, you do not have Administrators in your token, so that membership doesn't help you. The third line grants Users read. You are also a member of Users. Thus, when running in admin approval mode under UAC, your total rights to this drive are read.

To fix this, you need to grant Users modify privileges to the drive. Really simple to do. Option one:

  1. Right-click the drive letter in Explorer and select properties
  2. Click the security tab
  3. Click "Edit." You will be asked to elevate. Remember, until you do you are still in admin approval mode and for all practical purposes you are not an admin
  4. Select "Users" and check the Modify box
  5. Click OK enough times to get back to where you were.

The other option is to do it from an elevated command line.

  1. Click the Windows circle
  2. Click All Programs: Accessories
  3. Right-click on Command Prompt and select "Run as administrator"
  4. Elevate
  5. Run this command: icacls d:\ /grant BUILTIN\Users:(OI)(CI)(M)

Substitute whatever drive letter your external drive is mapped to for d:\. OI means "let objects (files) inherit this ACE". CI means "let containers (directories) inherit this ACE". M means "modify". An ACE is an Access Control Entry, in other words, one of the entries in the ACL that grant or deny someone permission to the object.

Once you do this regular users will be able to read and write to the drive. As long as you have not broken inheritance somewhere along the directory hierarchy of the drive you will not need to modify any more ACLs on this whole drive.
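The access check described above can be modelled in a few lines. This is an added example, not code from the original post: a simplified model that evaluates the drive's ACL against a filtered and an elevated token, before and after the grant. It goes slightly beyond the post by also handling deny ACEs, which is where a "deny only" group still counts. The account names PC\foo and PC\bar are hypothetical, and the per-account ACE is a narrower variant of the same grant.

```python
# Simplified model of the Windows access check (an added illustration).
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS = 1, 2, 4, 8, 16
MASKS = {  # icacls rights letters, reduced to the five rights above
    "RX": READ | EXECUTE,
    "M": READ | WRITE | EXECUTE | DELETE,
    "F": READ | WRITE | EXECUTE | DELETE | CHANGE_PERMS,
}

def parse_ace(text, kind="allow"):
    """Turn 'BUILTIN\\Users:(OI)(CI)(RX)' into (kind, trustee, mask)."""
    trustee, _, flags = text.strip().rpartition(":")
    rights = flags.strip("()").split(")(")[-1]  # OI/CI only control inheritance
    return (kind, trustee, MASKS[rights])

def effective_rights(token, acl):
    """token maps group/account name -> 'enabled' or 'deny-only'; ACEs are read in order."""
    granted = denied = 0
    for kind, trustee, mask in acl:
        state = token.get(trustee)
        if kind == "deny" and state in ("enabled", "deny-only"):
            denied |= mask & ~granted   # deny-only groups still match deny ACEs
        elif kind == "allow" and state == "enabled":
            granted |= mask & ~denied   # deny-only groups never match allow ACEs
    return granted

def can_write(token, acl):
    return bool(effective_rights(token, acl) & WRITE)

# ACL copied from the icacls output in the post.
DRIVE_ACL = [parse_ace(a) for a in (
    r"NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    r"BUILTIN\Administrators:(OI)(CI)(F)",
    r"BUILTIN\Users:(OI)(CI)(RX)",
)]
# Constructed tokens; the account names PC\foo and PC\bar are hypothetical.
FILTERED = {r"PC\foo": "enabled", r"BUILTIN\Users": "enabled",
            r"BUILTIN\Administrators": "deny-only"}
ELEVATED = {**FILTERED, r"BUILTIN\Administrators": "enabled"}
OTHER_USER = {r"PC\bar": "enabled", r"BUILTIN\Users": "enabled"}

# The post's fix, and the narrower per-account grant.
FIX_USERS = DRIVE_ACL + [parse_ace(r"BUILTIN\Users:(OI)(CI)(M)")]
FIX_ONE_ACCOUNT = DRIVE_ACL + [parse_ace(r"PC\foo:(OI)(CI)(M)")]

if __name__ == "__main__":
    for label, acl in (("original", DRIVE_ACL), ("Users:M", FIX_USERS),
                       ("PC\\foo:M", FIX_ONE_ACCOUNT)):
        print(label, {name: can_write(tok, acl) for name, tok in
                      (("filtered", FILTERED), ("elevated", ELEVATED),
                       ("other user", OTHER_USER))})
```

With the original ACL only the elevated token can write; granting Modify to BUILTIN\Users opens the drive to every local user, while an ACE for a single account leaves other users at read and execute.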

If you want an ACL that mirrors the default ACL in Windows Vista, that turns out to be a bit more complicated. I'll address that another time.

BTW, I should mention that this is all going to be mentioned in the book.

Published 16 January 2007 09:22 AM by jesper

Comments

# tina said on 14 February, 2007 07:05 AM

That's just one of the many things that Vista won't let users do :) Don't throw your PC or curse Bill whenever Vista is giving you a migraine. Chances are that it's only a driver problem. Just try installing the appropriate driver. If you don't know where to look for them, try this site -- http://www.radarsync.com/vista.

# Keith Hill said on 21 February, 2007 08:37 PM

How about a third option? Add just *your* user account to the ACLs with modify permissions. Opening the drive up to all Users with modify perms is a big hammer kind of solution.

# Jimmy Alderson said on 03 March, 2007 04:09 PM

This still doesn't solve my issue with a similar item. I *AM* running as Administrator and do not need to elevate privileges at all. I am copying images across the network from my old XP to my new Vista install. However, image1.jpg might be allowed, whereas image2.jpg is not, and this is to my own Pictures folder. I just don't get it, why one and not the other?

jimmy.alderson@gmail.com

# vampyrus said on 06 March, 2007 04:13 PM

I have the same problem by copying files across the network from XP computers.

blade_vampyrus@yahoo.com

# nathan said on 12 April, 2007 06:04 PM

I'm having a similar issue...I am running as an administrator & I have full access to the drive, but each folder/file is read & read/execute only...this all happened when I updated my laptop to Vista from XP...if I hook the external drive up to my desktop that is still running XP, everything is fine...I need to be able to update these files from the laptop though...HELP!

# jesper said on 12 April, 2007 06:40 PM

Nathan, more than likely the ACL on those files has Administrators as the only group with read/write permission. Go through the steps in the post and see if that doesn't solve your problem.

# Freaksken said on 04 June, 2008 06:07 PM

When I go through the steps in the post and come to the point I press OK (Click OK enough times to get back to where you were) I get an error that I can't change the permissions because I can't write to the drive.

# reluctant windows user said on 25 July, 2008 10:31 PM

I would just like to say that windows stinks.

# Dog said on 26 August, 2008 08:45 PM

Cannot perform either of your 2 methods. I have Vista Home Premium - therefore no security tab under folder properties (or file properties). No "elevate" option (don't know what or where that would be). Tried option #2 minus "elevate" and it crashed the command function.

I had complete access to my external drive for about 2 days, tonight I lost it without warning. I can read and copy. I cannot delete or rename (the function is now missing from the right click menu). I can create a new folder, but not name it. Nowhere have I found an answer - just echoes of the useless (to me) information I see here. The drive was used on an XP machine before this one and is using the format that was on it when I purchased it (FAT 32). I am considering copying the contents (about 350GB) onto my new drive and formatting the external with NTFS then sending it back. (boy will I be frustrated if this happens again after that) CAN WE DO BETTER THAN THAT?
