Cannot delete files owned by "Administrators" group

Page 1 of 2 12 LastLast

  1. Posts : 3
    Windows 10 Enterprise Preview
       #1

    Cannot delete files owned by "Administrators" group


    Hi,
    I have a non-Windows 10 specific problem. I want to delete a Windows.old folder and it is owned by the Administrators group to which I belong. I actually use the built-in-Administrator-account with UAC completely turned off via registry hack. When I open the command prompt it runs as administrator and Windows apps won't run complaining about the fact that UAC is off. I think that Windows apps lack functionality so this is fine with me.

    To forestall this: I KNOW HOW TO DELETE the file. It's actually as simple as changing the ownership to the user I want to use to delete it. I have been doing this trick for years.

    The big drawback and the reason I am asking this question is that it won't work with Administrators. So I basically have to decide which administrator account I want to use for file operations. I usually have at least two administrator account but usually more. I prefer to have some extra accounts for big projects (like a programming project) to be able to spread out. Some involve changing system files. Having full access isn't enough and taking ownership can take some time and is annoying, so I m forced to switch to the Administrator account, do the change, switch back to the other ADMINISTRATOR-account and may have to repeat this.

    So is there a way to grand every single administrator account full access? As I am the only one using this PC, I wouldn't mind if non-Administrator accounts would also get this access. Is there a way to reclaim full control (not limited to file system) over the PC without running Windows XP 64-bit or Windows Server 2003? I have no problem with registry hacks and third party software. By the way, I am running the Enterprise preview version.

    I want to add that I rather risk to delete a system file or catching a virus than being told by my own computer what I can and cannot do with it. In my eyes, a security measure which is the de facto administrator, is like a virus stripping me of the control of my computer. One virus I got in 15 years and the risk of making a mistake aren't worse the trouble and time this problem is causing me. I'd rather perform a clean install every 3 month.
    Last edited by Willi; 12 Apr 2015 at 06:08.
      My Computer


  2. Posts : 220
    Windows 10
       #2

    Hi

    If you don't already have CCleaner install it and run it.
    Make sure the box for "Old Window Installation" is checked.

    CCleaner - Download

    If you are not familiar with CCleaner, I've used it for ever (so has everyone else I know) and it has never caused me any problems. I run it every day to clean out the junk that gets left behind when ever you do anything.

    I've been using it to remove the old files, every time I upgrade Windows 10TP.

    Mike
      My Computer


  3. Posts : 3,257
    Windows 10 Pro
       #3

    Mike, I suggest you re-read his message. I know it's difficult, given that he appears to have broken his enter key, and cannot figure out how to create paragraphs.

    He's not asking how to delete Windows.old. He's asking how to completely destroy all of Windows 10's security so he never has to be bothered with it.
      My Computer


  4. Posts : 220
    Windows 10
       #4

    Ah, sorry I didn't get that far.

    I read the first line saw he said that he wanted to get rid of the Windows Old folder and when I saw that there were no paragraphs, thought, I know how to do that, and quit reading.

    Mike
    Last edited by MikeHawthorne; 13 Apr 2015 at 10:23.
      My Computer


  5. Posts : 1,811
    W7 Ultimate SP1 (64 bit), LM 19.2 MATE (64 bit), W10 Home 1703 (64 bit), W10 Pro 1703 (64 bit) VM
       #5

    You can delete "Windows.old" using "Disk Cleanup".

    As for permissions, I had to modify ownership/permissions & reboot a couple of times, before W10 accepted/realised that they had been changed.
      My Computer


  6. Posts : 3
    Windows 10 Enterprise Preview
    Thread Starter
       #6

    Sorry, my old keyboard had been broken and I had tried to finish the post before looking for my new one. Apart from that I was away for a couple of days.

    First of all, I want to make some clarifications:
    - I am aware of software that can remove Windows.old and clean other stuff, and I have used a couple of them;
    - I know how to directly delete Windows.old by taking ownership of it (current user, not a user group);

    The problem I ran into is that it does only work with the owner being the current user and not the user group the current user belongs to. So if the owner of Windows.old is Administrator, Administrator can delete it without any trouble. So good so fine, but the problem arises when the owner is a user group. So if the owner is Administrators and Administrator is naturally a member of that group, I cannot delete Windows.old. I also tried this with a custom user group with the same effect.
      My Computer


  7. Posts : 1,811
    W7 Ultimate SP1 (64 bit), LM 19.2 MATE (64 bit), W10 Home 1703 (64 bit), W10 Pro 1703 (64 bit) VM
       #7

    As far as I'm concerned, MS should never have called that group the "Administrators Group", since you don't really have Admin powers.

    It probably should have been called "Power Users" like in the "good old days".
      My Computer


  8. Posts : 3,257
    Windows 10 Pro
       #8

    lehnerus2000 said:
    As far as I'm concerned, MS should never have called that group the "Administrators Group", since you don't really have Admin powers.

    It probably should have been called "Power Users" like in the "good old days".
    Windows was always designed so that Administrators never had "supreme" power by default. There was a need, for instance, to prevent administrators from gaining access to sensitive information they managed (think the salary of the CEO, etc..). Of course an administrator can always take ownership if they want, but that leaves an audit trail, which in companies that care about such things must be explained.

    Administrators need the power to do their tasks, but they also should not have access to things they shouldn't need access to in certain environments. So, the Administrator account isn't like the "root" account in Unix/Linux.

    They're Administrators because they can ultimately do whatever they want, but they just can't do it without first taking the rights to do it. A Power User doesn't have that ability.
      My Computer


  9. Posts : 1,811
    W7 Ultimate SP1 (64 bit), LM 19.2 MATE (64 bit), W10 Home 1703 (64 bit), W10 Pro 1703 (64 bit) VM
       #9

    Mystere said:
    Windows was always designed so that Administrators never had "supreme" power by default.
    Prior to Vista, Administrators did have supreme power.

    In XP, I could copy/delete any file I liked, even critical system files.
    When deleting, I only had to confirm that I did indeed want to delete a system file.

    This ability was removed because users and malware were deleting/changing system files (this change was a major source of complaints by XP users).
    During the past couple of weeks, I saw a comment by someone complaining that every Windows OS after XP was junk for this reason.

    Mystere said:
    There was a need, for instance, to prevent administrators from gaining access to sensitive information they managed (think the salary of the CEO, etc..). Of course an administrator can always take ownership if they want, but that leaves an audit trail, which in companies that care about such things must be explained.
    Domain Administrators need "full power" over all user folders or they can't set user restrictions.
    Obviously a business network should only have a very limited number of Domain Administrators.

    Mystere said:
    They're Administrators because they can ultimately do whatever they want, but they just can't do it without first taking the rights to do it. A Power User doesn't have that ability.
    The hidden built-in Administrator might have that power.

    The Administrator group doesn't have that ability, which is why I said they should be called "Power Users" group.
    There are files/folders you can't take control of ,even when Windows brings up a dialogue box offering to let you.

    For example, go to any folder owned by "Trusted Installer" and change the Ownership.
    You cannot restore "Trusted Installer" as the owner.
    I'm not sure that the hidden built-in Administrator account can restore "Trusted Installer".
    You need to use a backup HDD image or you have to reinstall Windows (like I had to do during the W7 Betas).

    Another example is when you receive the "Contact your Administrator" message on a standalone PC.
    If you are already Administrator, or part of the Administrators group, who do you call?

    With files/folders the "brute force" solution is to fire up a Live Linux Distro and copy/delete/paste the file/folder.
      My Computer


  10. Posts : 3,257
    Windows 10 Pro
       #10

    lehnerus2000 said:
    Prior to Vista, Administrators did have supreme power.

    In XP, I could copy/delete any file I liked, even critical system files.
    When deleting, I only had to confirm that I did indeed want to delete a system file.
    That's not correct. There is no difference between XP and Vista in this respect (we're not talking about UAC here, which just requires that you elevate yourself to actual Administrator level).

    The difference is in the default permissions of files and folders between XP and Vista, not the privileges of the user account.

    In XP, Program Files, Windows, etc.. had default permissions that allowed Administrators to do whatever they wanted. In Vista, this was tightened up. Program Files, for instance, became owned by "TrustedInstaller" instead of Administrators.

    It's basically like saying "I have keys to everything" when none of the doors were locked. You think you have full control, but don't. You only think you do. Only to find out that, once the doors were locked none of your keys work.

    If you're talking about UAC, then that's something different. UAC is widely misunderstood. UAC doesn't limit people or prevent anything. UAC actually *ALLOW* you to do things you otherwise couldn't do.

    When you enable UAC, you are really doing three things. First, you're enabling "low-rights" mode. This gives all users, regardless of their actual user groups (with the exception of a few internal accounts) the minimum rights needed tor un applications. In other words, it treats them like a "standard user" even if they are in the Administrators group. This is not UAC itself, but rather a side-effect of enabling UAC.

    The second thing it does is provide tools to elevate you to your REAL assigned privilege level upon request. This is the ACTUAL UAC.

    The third thing it does is provide compatibility tools like folder and registry virtualization, to allow poorly written apps to work as a standard user.

    Regardless, once you are elevated, you have the standard administrator privileges you had under XP. It's just that the default permissions for everything are now very different. (ie, all the locks were changed).

    lehnerus2000 said:
    Domain Administrators need "full power" over all user folders or they can't set user restrictions.
    Obviously a business network should only have a very limited number of Domain Administrators.
    That's also incorrect. Domain Administrators are no different from Local Administrators, except they also have rights to network resources. The same restrictions apply to them as local administrators. They are, likewise. restricted from accessing anything they are explicitly denied access to. Again, they can take ownership if need be to change those settings, but again that creates an audit trail that can be tracked, so if a domain admin is accessing files he shouldn't, then other domain admins will know.

    This "take ownership" model allows admins to be restricted, but to also allow them full control if they legitimately need it, with accountability.

    The only account in the entire system that has "supreme control" is SYSTEM. And this is the way it's been since the first release of NT (3.1) back in 1993.

    lehnerus2000 said:
    The hidden built-in Administrator might have that power.

    The Administrator group doesn't have that ability, which is why I said they should be called "Power Users" group.
    Once again, that's incorrect. The Administrator group, does in fact have this ability. The built-in administrator has this right also, because they are also in the Administrators group.

    You do have to elevate your rights to use it (you see the shield next to the Take Ownership button), but you can do it just fine.

    Cannot delete files owned by "Administrators" group-ownership.png

    lehnerus2000 said:
    For example, go to any folder owned by "Trusted Installer" and change the Ownership.
    You cannot restore "Trusted Installer" as the owner.
    Yes, you can set the owner to TrustedInstaller. However, you have to use a slightly different syntax for the user. "NT SERVICE\TrustedInstaller" rather than "TrustedInstaller", which is because TrustedInstaller is not a "real" user, it's what's known as a Managed Service Account. Windows has a number of these.

    lehnerus2000 said:
    Another example is when you receive the "Contact your Administrator" message on a standalone PC.
    If you are already Administrator, or part of the Administrators group, who do you call?

    With files/folders the "brute force" solution is to fire up a Live Linux Distro and copy/delete/paste the file/folder.
    What that message is really saying is "Contact someone who knows what they're doing".

    Adding "Administrators" to your user account does not grant you the knowledge to be an Administrator. You must still know how to do the functions you need to do, and many of those functions will be esoteric or not known by most people.

    As for Linux, it's because Linux ignores all permissions. You can accomplish the same by running a command prompt as SYSTEM. I won't say how, but there are ways to do it.
    Last edited by Mystere; 25 Apr 2015 at 14:09.
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 11:00.
Find Us




Windows 10 Forums