[BUG] Windows 10 OneDrive @ Default Settings Causing Major Issues With Security Permissions *Use Windows Feedback App to Upvote*
This is a OneDrive specific bug that has system-wide implications, the security permissions affect sharing, and potentially any files or programs that save to, are stored in, or dependent on the users personal files or folders. This includes all games, all Office programs, email programs, photos, browsers, personal settings and of course ANYTHING one would try to store in the affected folders.
Three Easy (Extremely Oversimplified) Steps aka Three Easy Concepts:
- Disable OneDrive. Unsync, unlink (as necessary), uncheck all of the sync options in the menu, uncheck the option to run at startup, delete the resulting empty OneDrive folders and sync file. After rebooting click "NO" when it offers to re-create the OneDrive folders for you.
- "Stop Sharing" the affected OneDrive ("Shares") folders and the affected matching personal ("Shares") folders any way you can. For those with Pro or above, the ONLY sufficient (and best) way to do this is through the Computer Management Console| Shared Folders| Shares menu. See the first post for picture. If you have Windows 10 Home, you will be limited to using the File Explorer ribbon menu option to "Stop Sharing" after navigating to and highlighting your affected folders.
- Recreate your previously affected personal "Shares" folders and apply the correct sharing and advanced security permissions. Preferably through the "Shares" menu as listed above, otherwise use the ribbon.
*Remember to reboot after each step in the process*
I recommend using CCleaner or your favorite utility to clean out any junk files before recreating your "Shares."
After veritably tearing my hair out for two days since doing a fresh install of Windows 10 Pro, I finally discovered the source of my inability to access, save to or modify my Documents and Pictures folders. The security permissions had been reverting at each log on, denying me access to my personal folders which I had moved (as per my own standard protocol) to a separate D: drive.
The following are suggested additions from contributor Try*3:
See this MS KB article
I am not convinced that this is a complete solution but it should be tried as a first step.
I have a suggestion. Before your second paragraph "I was perusing the Computer Management console ..." insert a paragraph with a link to Fix read-only access to Office files and an explanation:-
[Underlines are comments edited in later in the light of JustDaveP's response] Before attempting the following Roady procedure, go to Task manager, Startup then right-click on OneDrive and Disable it. Roady, an MVP, Fix read-only access to Office files provides a systematic procedure for resetting folder permissions that has worked for at least one user [but not all] who had been experiencing this read-only nightmare. Whilst the procedure was written with Outlook in mind, it applies to write permissions for all the documents etc folders. One essential component of the procedure is in its para 6 - Replace all child object permissions entries with inheritable permission entries from this object because omission of that step fatally undermines the fix being attempted. If the problem goes away but then returns after a system restart or after re-enabling OneDrive then please read on to address the additional complications caused by OneDrive that are proving to be more difficult to fix.
I was perusing the Computer Management console when I noticed that OneDrive had created a share listed as my user\Documents folder, shared as "Documents" my D:\Documents was listed as user\Documents2, I believe, and it's share was named "Documents2". The same applied to my Pictures folder as well. I then opened up my OneDrive settings, and noticed a setting (checked by default) to allow OneDrive users to access all the files on this computer, or something to that effect. I unchecked the box, then renamed my OneDrive folders to OneDrive Documents and One Drive Pictures. This appeared to have a limited effect, so I deleted the folders and restarted my computer, then I accessed the sharing settings again...I may have had to manually delete the OneDrive shares as well...
Corrected "Shares" location image:
I found I couldn't rename the shares with the "2" affixed, so I went to my Homegroup settings and stopped sharing only the Documents and Pictures folders, restarted, stopped sharing both folders through the management console, restarted, then created new shares with custom permissions for the correct Documents and Pictures folders. I restarted yet again, and manually set up sharing with the Homegroup for both folders...Restarted again and checked all relevant settings to make sure they "stuck"...Windows 10 seems to be working as it should now...
Important!!! Do not allow OneDrive to create new files after restarting during this process!
Attn: This workaround is for ADVANCED USERS ONLY!!!
- I first changed the settings for OneDrive by right-clicking on the taskbar icon, unchecked the box for "Fetch" (whatever the H*ll that is!). I unchecked the remaining boxes for sync options, and then the box "run at startup" before I could proceed. Some users may have to unlink their PC from OneDrive as well. (Restart)
- I then deleted my OneDrive folders (Including the sync file which may normally be hidden (use "Show Hidden Files" in your file options as needed). You may need to edit your security settings for the top-level folder, subfolders, and files before performing these actions. (Restart)
- I navigated to the Computer Management console by right-clicking on “This PC” and choosing “Manage.” I clicked on “Shared Folders” then “Shares.” In the middle Shares window I right-clicked on each of the OneDrive created folders. In my case, these were both the Documents and Pictures folders, and selected “Stop Sharing.” (Restart)
- To prevent any conflicts, I navigated to my Homegroup settings and chose to stop sharing my Documents and Pictures folders. (Restart)
- I then navigated back to Computer Management as above and selected “Shared Folders” then “Shares” and chose to “Stop Sharing” my personal Documents and Pictures folders. (Restart)
- I navigated back to the “Shared Folders” console in Computer Management then right-clicked on “Shares” this time and chose “New Share.” Using Sharing Wizard, I browsed to the physical location of my Documents folder and clicked “Okay” to create the share. I clicked through to the “Shared Folder Permissions” window and selected “Customize permissions” then clicked on the “custom” button below.
- In the “Share Permissions” window, I checked the box for “Full Control” for everyone (optional). I then chose “Add”->”Advanced”->”Find Now”->”Administrators” (Plural, NOT the Administrator) and then assigned full permissions as before. Next, I navigated to the “Security” tab to ensure that my username was listed there with full permissions as well as Administrators and System. I repeated the same procedure for my Pictures folder. (Restart)
- Using File Explorer, I navigated to the location of my shared folders, clicked on my Documents folder and selected the “Share” tab and chose my Homegroup options in the little box on the menu bar. I did the same for my Pictures folder. (Restart)
- After reboot, I went to the Network and Sharing advanced sharing settings page to ensure that “File and Folder Sharing” was still selected, then Homegroup options to ensure that my folders were shared. You may need to check you advanced security permissions as necessary.
A Warning Against Using Task Manager to Disable OneDrive:
My advice to a poster who was using only Task Manager to disable OneDrive (with minor editing):
...just a word of caution, it may be best...to go into OneDrive's settings menu, and uncheck all the boxes to disable fetch, and sync for all drives and folders. Another tab has a box to uncheck the option to run at startup. After reboot, this should empty your OneDrive folders making them safe to delete. Delete the sync file too. In my experience, using task manager alone to disable any program at startup has not been very effective. Perhaps the OneDrive service can be set to "disabled" in the System Services module...
On another thread [in which I had steered a user here to see your advice], another user suggested that you add this warning somewhere within the procedure
Disabling OneDrive through Task Manager > Startup only prevents OneDrive from starting during initial boot or a restart. If you open a document in an Office application from a OneDrive folder -- which Office tries very hard to make it easy to do -- then OneDrive will start up, and your permissions to the Documents folder will disappear again.
It seems sensible to warn people as they might otherwise not realise.
A note regarding modification of the security permissions:
I may have been using the wrong terminology or guidelines for setting up the security permissions in some of my posts. Do not enable inheritance!!! This will reset your permissions with those from the root of your drive (which can and will present additional problems). What you need to do is correctly set your permissions at your top level affected user file and do check "Replace all child object permission entries with inheritable permission entries from this object."
See pic below:
I'm not saying this is your issue, and if it is, I wish I could help you with it:
*This is also a word of caution for anyone reading this*
Last night/this morning I almost bricked my laptop with my experimenting. I inadvertently applied inherited permissions and descendent permissions to my c:\user root directly (my personal folders and files are mainly on d:, as previously mentioned) and downward. It only threw one error message related to power shell, but when I rebooted, I was barely able to access my desktop as described here, i.e. no start menu, settings menu, and it froze up when I tried to right click on anything. It was basically unusable.
I have a task manager icon on my taskbar and was able to access that to open the "run" menu and pull up an admin command prompt. The only way I could fix this was to enable the special Hidden "Account-Which-Shall-Not-Be-Named", then wait for it to load it's fresh config. Fortunately I had my working desktop system as a basis for comparison, so I was able to go back and manually reset the advanced security permissions on a folder by folder basis. Tedious. I then disabled the said account, restarted, and it works again!!! :))))
If you find this discussion helpful and/or relevant, please "recommend" this discussion by clicking the recommend button on the first post. Maybe it will help get this issue noticed! Thank you to all who have contributed so far.
Windows 10 Pro 64-bit