Allow access to NTFS formatted external storage


Having your external usb hard drive or usb pen drive formatted with the NTFS file system will certainly put you into trouble. If not problems like being unable to listen to songs on your mp3 auto radio or mp3 hi-fi stereo (normally only able to read FAT32 formatted drives), you might not be able to create or change existing files on different computers (or under different users).

This problem has two solutions:

  1. Backup the data, format the drive to FAT32 and restore the data back into the drive – the only solution if you want auto-radios and hi-fi equipment to read your drive contents.
  2. Make NTFS permissions less restrictive.

The first one is the easier one if you have enough space to backup your data.

The second one is a bit more tricky to implement but I’ve found a web page that has very clean instructions on how to do it. So follow the link if you want this solution:

To ensure that I have these instructions all the time, I copy/pasted here:

What I suspect is happening is this:

1. Your external drive is formatted with the NTFS file system, which supports access restrictions.

2. The permissions on the files in question have become set to “Read and Excecute” for Users or Everyone (probably Everyone), and to Full Control for one specific user. These settings are typical for files created inside the My Documents folder of Computer Administrator users who haven’t elected to make their files private.

3. The folders you’re working with have Create Files and Create Folders permissions for Everyone on themselves and their subfolders, and Full Control permissions for the dummy user CREATOR OWNER on subfolders and files. Which means that anybody can create files or folders, but only the user who created them can change or delete them. This is a fairly typical setting for the root folder of newly formatted drives.

You can check the permissions on any file by right-clicking the file, selecting Properties, then clicking on the Security tab. If you don’t have a Security tab on file or folder property sheets, you need to do one of two things depending on whether you’re running XP Home or Professional.

For XP Professional: open a Windows Explorer window, then select Tools->Folder Options->View; scroll down to the bottom and turn off Simple File Sharing.

For XP Home: run the “Security for folders and files” patch from this website.

Things you should know about NTFS permissions to make sense of what’s going on:

1. When you copy a file into a folder on an NTFS volume (using copy/paste or right-click-drag/drop/Copy File(s) Here), the file will inherit permissions from the folder you copy it into.

2. When you move a file from one folder to another (using cut/paste or drag/drop), the file will keep its existing permissions.

3. As well as a bunch of permissions, every NTFS file and folder has an owner, which can be a user or a security group. The owner has full control over the file or folder regardless of any permissions that are set on it.

4. There are some users and security groups built in to Windows (Everyone, Administrator, Administrators etc) that have predefined Security ID’s which are the same on all machines. Other users and groups have SID’s derived from that of the machine they’re defined on. So if you give user Joe permission to access a file on machine A, that doesn’t necessarily mean you can plug the drive into machine B, log on as Joe and get access to the same file.

5. Members of the Administrators security group have the right to take ownership of any file or folder, either for themselves or for the Administrators group as a whole.

For an external drive that is going to be used on several different computers, I recommend you set the NTFS permissions very loose, and rely on your physical possession of the drive for the security of its files:

1. Connect the drive to any Windows XP machine on which you have a Computer Administrator logon.

2. Log on as an administrator.

3. Double-click My Computer.

4. Right-click the drive and select Properties. If the property sheet doesn’t have a Security tab, enable them as described above and then come back to this step.

5. Click the Security tab.

6. Click the Advanced button. This should bring up the Advanced Security Settings dialog for the drive, which will have some more tabs on it.

7. Click the Owner tab.

8. Click the line for the Administrators group, check “Replace owner on subcontainers and objects”, and click OK. If you’re asked about replacing existing permissions with ones giving you Full Control, click Yes.

9. The Advanced Security Properties box should eventually disappear, leaving you looking at Security tab on the original Properties sheet again. For each entry in the “Group or user names” list in turn, click on that entry and click Remove.

10. Click Add. This will bring up the “Select Users, Computer or Groups” dialog.

11. Under “Enter the object names to select”, type Everyone and click OK. You should see that Everyone has been added to the list of users and groups.

11. Click Everyone, and check Full Control.

12. Click Apply.

13. Click Advanced again to get the Advanced Security Settings dialog box back.

14. Check “Replace permission entries on all child objects with entries shown here that apply to child objects” and click OK.

15. Click OK.

You should now be able to read and write all the files in that folder and all its subfolders regardless of which computer you’re using or who you’re logged on as.
posted by flabdablet at 9:09 PM on May 15, 2006 [1 favorite]

If you want to make the permissions a little more conventional, you can repeat steps 10 and both elevens (oops) to add Full Control permissions for Administrators and SYSTEM. But since Everyone is, well, everyone, this isn’t strictly necessary.
posted by flabdablet at 9:13 PM on May 15, 2006

4 Comments (+add yours?)

  1. flabdablet
    May 03, 2009 @ 14:39:27

    Sure, you can republish my Metafilter comments. Would have been polite to ask first, though.

    There’s one careless inaccuracy in there: the inbuilt Administrator user does *not* have the same security ID across multiple Windows installations. The user ID part at the end of Administrator’s SID is the same (500) across installations, but the rest of the SID depends on the machine or domain SID. Gory details are here:

  2. smachado
    May 03, 2009 @ 23:29:38

    Thank you and please accept my apologies for not asking in the first place.

  3. access entry systems
    Jan 19, 2011 @ 22:16:41

    Informative and easy to read copy really do help! Nice job!

Leave a Reply