Vista won't let me write to my external hard drive
Administrator
The reason is permissions, but the reason they become a problem is because of User Account Control (UAC). If you run `whoami /all /FO list` on Vista you get a printout of your token. It will have a few lines that look like this:

```
Group Name: BUILTIN\Administrators
Type:       Alias
SID:
Attributes: Group used for deny only
```

You are a member of Administrators, but your security token does not actually have the Administrators group in it in the normal way. UAC marks that group as a "deny" which means it is never used to grant permissions, only to allow them.

If you now look at the Access Control List (ACL, i.e. the permissions) for the drive:

```
C:\Users\foo>icacls d:\
d:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)
```

The parts causing you trouble are the last two lines. The second line grants Administrators full control. You are an administrator, but because you are running under a non-elevated token, you do not have Administrators in your token, so that membership doesn't help you. The second line grants users read. You are also a member of users. Thus, when running in admin approval mode under UAC, your total rights to this drive are read.

To fix this, you need to grant Users modify privileges to the drive. Really simple to do.

Option one:

1. Right-click the drive letter in Explorer and select Properties.
2. Click the Security tab.
3. Click "Edit." You will be asked to elevate. Remember, until you do you are still in admin approval mode and for all practical purposes you are not an admin.
4. Select "Users" and check the Modify box.
5. Click OK enough times to get back to where you were.

The other option is to do it from an elevated command line:

1. Click the Window circle.
2. Click All Programs: Accessories.
3. Right-click on Command Prompt and select "Run as administrator".
4. Elevate.
5. Run this command:

```
icacls d:\ /grant BUILTIN\Users:(OI)(CI)(M)
```

Substitute whatever drive letter your external drive is mapped to for `d:\`.

- OI means "let objects (files) inherit this ACE".
- CI means "let containers (directories) inherit this ACE".
- M means "modify".

An ACE is an Access Control List Entry, in other words, the entries in the ACL that grant or deny someone permission to the object.

Once you do this, regular users will be able to read and write to the drive. As long as you have not broken inheritance somewhere along the directory hierarchy of the drive, you will not need to modify any more ACLs on this whole drive.

If you want an ACL that mirrors the default ACL in Windows Vista, that turns out to be a bit more complicated. I'll address that another time.
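
The token and ACL interaction described in the post, as an added example that is not part of the original post: a simplified Python model of the access check in which a group marked deny-only is skipped when matching allow ACEs. The rights table, token dictionaries and function names are assumptions made for illustration, and the sample ACL text is constructed from the output quoted above.

```python
import re

# Simplified rights model (assumption): what each icacls code permits.
RX = {"read", "execute"}
RIGHTS = {"RX": RX,
          "M": RX | {"write", "delete"},
          "F": RX | {"write", "delete", "change_permissions", "take_ownership"}}

# Constructed sample: the ACL shown in the post, and the ACL after the /grant.
ACL_BEFORE = r"""d:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(RX)"""
ACL_AFTER = ACL_BEFORE.replace(r"Users:(OI)(CI)(RX)", r"Users:(OI)(CI)(M)")

# Constructed tokens: group name -> how the group appears in the token.
FILTERED = {"BUILTIN\\Administrators": "deny_only", "BUILTIN\\Users": "enabled"}
ELEVATED = {"BUILTIN\\Administrators": "enabled", "BUILTIN\\Users": "enabled"}

def parse_icacls(output, path):
    """Return (trustee, right) pairs from icacls output for one path."""
    aces = []
    for line in output.splitlines():
        entry = line.strip()
        if entry.startswith(path):            # first line is prefixed with the path
            entry = entry[len(path):].strip()
        trustee, sep, flags = entry.partition(":")
        codes = re.findall(r"\((\w+)\)", flags)
        if sep and codes:
            aces.append((trustee, codes[-1]))  # last code is the right; OI/CI are inheritance
    return aces

def effective_rights(token, aces):
    """Union of rights from allow ACEs whose trustee is an enabled group in the token."""
    granted = set()
    for trustee, right in aces:
        if token.get(trustee) == "enabled":   # deny-only groups never match an allow ACE
            granted |= RIGHTS[right]
    return granted

if __name__ == "__main__":
    for name, token in (("filtered", FILTERED), ("elevated", ELEVATED)):
        for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
            rights = effective_rights(token, parse_icacls(acl, "d:\\"))
            print(f"{name:8} {label:6} write={'write' in rights} {sorted(rights)}")
```

Run directly, it prints the effective rights for the filtered and elevated tokens before and after the Users grant; only the filtered token against the original ACL lacks write.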