Getting blocked by the “a required privilege is not held by the client” error when managing your C: drive in Windows 11? You’re not alone. This frustrating message often appears when a broken “Account Unknown” permission block your access.
Broken permissions are often left behind after deleting user accounts, domain changes, or system updates. Without fixing it, you can’t adjust security settings, install critical software, or enforce policies. In this guide, you’ll learn how to safely remove these orphaned entries and regain full control.
Methods for fixing the error message “a required privilege is not held by the client”
Before proceeding to the different approaches to fixing this error, make sure to do both of these requirements:
- Backup your system:
- For all users: Create a restore point.
- Press Win + S, then search and open Create restore point.
- Click Configure, then enable Turn on system protection.
- Click Create, then name it (e.g., Pre_Permission_Fix).
- For advanced users: For full disk backups, use wbadmin start backup in PowerShell.
- For all users: Create a restore point.
- Verify “Account Unknown” exists:
- Open File Explorer, then right-click the C: drive.
- Go to Properties > Security tab.
- Click Advanced, then check the Owner field or permission entries for Account Unknown.
- If you see this, it confirms there are orphaned SIDs blocking access.
Method 1: Take ownership and remove Account Unknown (GUI)
For most users, utilizing the graphical user interface (GUI) is the simplest fix for the “a required privilege is not held by the client” error in Windows 11.
- Open advanced security settings:
- Open File Explorer, then right-click your C: drive.
- Go to Properties > Security > Advanced.
- Take ownership:
- Click Change permissions, select Administrator accounts from Principal, then choose Edit.
- Check the box next to Full control.
- Click Ok.
- Select Administrators again, then check the box Replace all existing inheritable permissions on all descendants with inheritable permissions from this object.
- Click OK > Apply.
- Remove the orphaned entry:
- Back in Advanced Security Settings, check the permission entries list.
- Select any Account Unknown entry, then click Remove.
- Click Apply > OK to save changes.
Method 2: Fix via Command Prompt (ownership reset)
If the GUI method doesn’t work, this command-line solution can do the trick.
- Launch Elevated Command Prompt:
- Press Win + S, then type cmd.
- Right-click Command Prompt in the results, then select Run as administrator.
- Take ownership recursively:
- Run this command: takeown /f C:\ /r /d y
- /r: Applies to all subfolders/files.
- /d y: Auto-confirms Yes to prompts.
- Wait until the scan of your entire C: drive finishes (may take 10+ minutes).
- Grant full administrative control:
- After the scan finishes, run this command next: icacls C:\ /grant administrators:F /t
- administrators:F: Gives Full control to admin accounts.
- /t: Processes all subdirectories.
- The line Successfully processed (X number) files will appear to confirm success.
Method 3: PowerShell permission reset (advanced)
For stubborn Account Unknown errors, this PowerShell method forcibly resets permissions to the default.
- Launch PowerShell as administrator:
- Press Win + X, then select Windows Terminal (Admin).
- If PowerShell is not the default command-line tool, select the dropdown arrow next to the tabs above, then select PowerShell.
- Run reset commands:
- Run the commands below to remove residual SIDs and reassign ACLs:
$targetPath = “C:\Your\Target\Directory” # Recursively get all files and folders
Get-ChildItem -Path $targetPath -Recurse -Force | ForEach-Object {
$acl = Get-Acl -Path $_.FullName
$modified = $false
foreach ($access in $acl.Access) {
if ($access.IdentityReference.Value -match “^S-1-5-“) {
$acl.RemoveAccessRule($access)
$modified = $true
}
}
if ($modified) {
Set-Acl -Path $_.FullName -AclObject $acl
Write-Host “Removed orphaned SIDs from $($_.FullName)”
}
}
- Replace “C:\Your\Target\Directory” with the path to the directory you wish to clean.
- The script processes all files and subdirectories within the specified path.
- It identifies orphaned SIDs by matching the pattern “^S-1-5-“, which corresponds to standard SID formats.
- Run the commands below to remove residual SIDs and reassign ACLs:
Symptoms of “a required privilege is not held by the client” error
Now that you’ve learned the methods for fixing this error, recognize these symptoms to give you a better understanding that you’re facing the ‘required privilege’ error:
Blocked permission changes
The error appears when you’re editing C: drive permissions (right-click > Properties > Security > Advanced). For instance, trying to add or remove users triggers “a required privilege is not held by the client” failures.
Visible “Account Unknown” entries
In Security > Advanced, you’ll see entries like Account Unknown (S-1-5-21-…). This means that the orphaned SIDs lack valid user/group mappings.
Broken inheritance
This happens when the Disable inheritance or Replace all child permissions buttons fail, and an error occurs while applying security information. It will also show that subfolders or files have retained corrupted permissions despite parent changes.
Command-line failures
Running takeown or icacls commands in Command Prompt returns this message:
ACCESS DENIED
This error (a required privilege is not held by the client) often blocks fixes.
Pro tips and key considerations related to “a required privilege is not held by the client” error
Keep these expert insights in mind when resolving the “required privilege” error in Windows 11.
Account Unknown SIDs are usually safe to remove
These SIDs appear when user accounts are deleted, PCs are removed from a domain, or the system clones “retain old permissions.” You can delete them only if the original account is permanently gone.
Protect your system volume
Never reset permissions on C:\Windows, Program Files, or system folders unless absolutely necessary. Incorrect changes may crash your OS or trigger activation errors.
High-risk scenarios
This error frequently appears after a domain detachment, when a work device is converted to personal use or removed from an enterprise environment. It also happens after a system cloning without SID cleanup and during bulk profile deletion scripts.
For domain-joined PCs, always clean computer accounts in Active Directory before reimaging to prevent this Windows error. You can do the next tip on how to verify your permissions after these scenarios.
Verify your permissions
Run these checks in an Elevated Command Prompt:
whoami /groups > Check current group membership
gpresult /h permissions_report.html > Review applied policies
Look for a missing Administrators group or conflicting domain policies.
Resolving the “a required privilege is not held by the client” error
Orphaned “Account Unknown” entries can suddenly lock you out of your system. As we’ve seen, this “a required privilege is not held by the client” error strikes when deleted accounts leave broken permissions on your C: drive.
Fortunately, reclaiming access is straightforward: use the Security tab’s Advanced settings to take ownership and remove invalid entries, or automate the fix with command-line tools like takeown and icacls.
Always create a restore point first. It takes two minutes but prevents big problems. After fixing permissions, check the Security tab to confirm everything works right. With these steps, you’ll stay in control of your Windows 11 PC.
