Disk clones and user permissions when mounted on a different computer?


Disk clones and user permissions when mounted on a different computer?...
Author
Message
vze26m98
vze26m98
New Member
New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)
Group: Forum Members
Posts: 6, Visits: 331
Greetings-

I have two PCs--a desktop and laptop--with User accounts that reference the same person (me) at Microsoft.com, and both with admin privileges on the respective machines.

I make clones of the boot drives of both machines, and often have cause to copy files from my User directory on one machine to the other via the clone. In doing so, I often run into user permission issues trying to access my user directory from the other machine, and have resorted to changing permissions on the clone, which is very slow--and to me--a sloppy way to work.

I'm more used to an Apple convention, where it's possible on OSX to "ignore permissions on an externally mounted drive" that for the most part overcomes my troubles. Is there anything comparable for Windows 10? If not, what would be the recommended procedure for accessing these categories of files from mounted disk clones?

Also, is there a thorough discussion of Windows file permissions somewhere that I could benefit from?

Thanks in advance! Charles
jphughan
jphughan
Macrium Evangelist
Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)
Group: Forum Members
Posts: 8.4K, Visits: 57K
Quick answer first: Grab the free and excellent Explorer++, launch it elevated (i.e. run as administrator) and you'll be able to browse into your clone's Users folders without having to mess with permissions.

As for a thorough write-up, I'll give you the background on this particular issue.

When Windows sets up a user profile folder, by default access is only granted to Administrators (keep reading), SYSTEM, and the user for whom the profile folder was created.  Every user account has a unique identifier called a SID, and even when you link an account to a Microsoft account, that is still mapped to a local user account with its own SID.  And even if you use the same Microsoft account on different systems, the corresponding local accounts on each PC will have different SIDs -- which is why even when logged into the same Microsoft account on another PC, you don't have immediate access to the profile folder stored on your clone disk that came from another PC. The user permissions entry on that folder pertains to a different SID.

Now, as for that Administrators permissions entry.  When Windows UAC (User Account Control) is enabled, which it has been by default since it was introduced in Vista, even admin accounts do not run with elevated privileges full-time.  Instead, they have to elevate in order to use those special admin privileges each time they want to do so, in order to prevent malicious background applications from having admin-level access to the system.  This applies to that permissions entry for the Administrators group.  Even if the account you're using is a member of Administrators, you can't actually LEVERAGE the permissions granted to that group in a non-elevated context.  Regular Windows Explorer does not run with elevated privileges, nor is there a way to make it do so (short of disabling UAC entirely, which is not recommended).  So if you attempt to access a folder that you would only have access to by virtue of the permissions assigned to the Administrators group, you'll see a popup saying that you don't currently have access, but you'll see a Continue button with the UAC icon on it.  If you click that, Windows will ADD a brand new permissions entry to that folder granting your own user account access to the folder -- at which point you'll have a permissions entry that allows you to access that folder in NON-elevated fashion.  The problem is that updating permissions on a folder can be quite time-consuming if it contains a lot of files, and you might not want to permanently change your folder's permissions just to access to that folder.  And that's why Explorer++ is useful.  If you launch Explorer++ itself with elevated privileges, then you CAN leverage the permissions granted to the Administrators group on that folder while browsing it within that application, and therefore you can access the data without having to alter the permissions first.

Edited 11 July 2020 2:57 PM by jphughan
vze26m98
vze26m98
New Member
New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)New Member (9 reputation)
Group: Forum Members
Posts: 6, Visits: 331
Thanks so much jphughan; a really definitive explanation that I've clipped and archived.

I presume that Explorer++ is roughly equivalent to Directory Opus as far as administrative use is concerned? What I found with Dopus was that it enabled me to proceed via UAC at the level of my user directory, but the clone disk was grinding away forever, which seemed like not a great thing, prodding me to cancel the process. I then pursued the idea of changing permissions on the user directory only, and then my Documents directory and its subdirectories, which was tolerably quicker.

I think in retrospect that my having a WSL Ubuntu install in my AppData directory might have been the cause of all the grinding via the UAC path, but that would mean that Windows/UAC is doing something WRT every single file in my user directory, and not simply the top level folder. Hopefully, some experimentation along with your explanation above can result in some further clarity.

Thanks again, and best wishes, Charles


jphughan
jphughan
Macrium Evangelist
Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)
Group: Forum Members
Posts: 8.4K, Visits: 57K
I’m not familiar with Directory Opus, but if you had to wait around for your disk to grind before you could browse, then permissions were likely being changed, which means you weren’t browsing elevated. “Proceed via UAC” implies that you weren’t already elevated, and the meaning of that phrase is ambiguous. If they used your elevated privileges to modify permissions, as Windows does when you click Continue with the UAC shield on it, then that’s permissions alteration. With Explorer++ when launched with elevated permissions, you should be able to browse right into that folder just like any other typical folder, with no delays or permissions alterations.

The permissions alterations do indeed typically affect every file and folder below the folder you chose to alter, so the greater the number of files, the more work to be done. I’ve never quite understood WHY it’s that way given that typically all subfolders and just have their permissions set to “Inherit from parent”, in which case I’d have thought that just updating one parent entry would be sufficient, but maybe the file system caches the inherited permissions with each child object for performance reasons or something rather than “querying” the parent object each time, and therefore even with inheritance each object needs its own permissions record? I’m not sure.

Incidentally, if you ever use Reflect IMAGES, when you mount those for browsing, there’s an option you can select that says “Enable access to restricted folders”. That causes NTFS permissions to be ignored, very much like the OS X option you mentioned, so browsing is even easier there.
GoneToPlaid
GoneToPlaid
New Member
New Member (11 reputation)New Member (11 reputation)New Member (11 reputation)New Member (11 reputation)New Member (11 reputation)New Member (11 reputation)New Member (11 reputation)New Member (11 reputation)New Member (11 reputation)New Member (11 reputation)
Group: Forum Members
Posts: 7, Visits: 20
vze26m98 - 10 July 2020 3:05 PM
Greetings-

I have two PCs--a desktop and laptop--with User accounts that reference the same person (me) at Microsoft.com, and both with admin privileges on the respective machines.

I make clones of the boot drives of both machines, and often have cause to copy files from my User directory on one machine to the other via the clone. In doing so, I often run into user permission issues trying to access my user directory from the other machine, and have resorted to changing permissions on the clone, which is very slow--and to me--a sloppy way to work.

I'm more used to an Apple convention, where it's possible on OSX to "ignore permissions on an externally mounted drive" that for the most part overcomes my troubles. Is there anything comparable for Windows 10? If not, what would be the recommended procedure for accessing these categories of files from mounted disk clones?

Also, is there a thorough discussion of Windows file permissions somewhere that I could benefit from?

Thanks in advance! Charles

I use Vice Versa Pro for situations like this. In Vice Versa Pro under Advanced Settings, I unchecked the checkbox for copying permissions, attributes and streams. That way, the files which are copied to the target will inherit the permissions of the target's parent folders. Try the free version of Vice Versa to see if this works for you

jphughan
jphughan
Macrium Evangelist
Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)Macrium Evangelist (12K reputation)
Group: Forum Members
Posts: 8.4K, Visits: 57K
GoneToPlaid - 12 July 2020 6:30 PM
I use Vice Versa Pro for situations like this. In Vice Versa Pro under Advanced Settings, I unchecked the checkbox for copying permissions, attributes and streams. That way, the files which are copied to the target will inherit the permissions of the target's parent folders. Try the free version of Vice Versa to see if this works for you

I don't see how this would help the situation described here.  The data that the OP is trying to access got there as a result of having been cloned from a different disk, and the issue is trying to access that data.  If the data had gotten there as a result of a file copy, then sure doing what you suggested instead might have been useful.  But from my reading, the OP wants to be able to periodically clone some other disk onto this disk AND read the data from the "clone target" disk from another PC.

And Windows itself defaults to NOT copying explicit permissions and instead will have the copied files inherit the permissions of their parent object.  I believe attributes and streams are preserved by default, but sometimes those are important, especially streams.  You shouldn't have to disable copying those just to get the copied files to inherit the permissions of the target.  That happens in Windows automatically on ALL file copies performed within Windows Explorer and even using command-line tools built into Windows unless you specifically use a tool that is capable of copying permissions and specify tell it to do that

Edited 12 July 2020 6:41 PM by jphughan
GO

Merge Selected

Merge into selected topic...



Merge into merge target...



Merge into a specific topic ID...




Reading This Topic

Login

Explore
Messages
Mentions
Search