NinjaOne Backup — Error 13: Access Denied (NTFS Permissions)
Audience: T1 / T2
Use when: Backup fails with "Error 13: Missing or insufficient permissions. Access Denied."
What This Error Means
The SYSTEM account on the device running Lockhart was denied access to one or more files or folders that are included in the backup plan. Lockhart runs as SYSTEM — if SYSTEM can't read a file, it can't back it up.
This is an NTFS permissions issue, not a NAS issue.
Most Common Causes at Dental Sites
| Cause | Explanation |
|---|---|
| Folder with explicitly denied SYSTEM permissions | A folder was locked down with a Deny ACE for SYSTEM |
| Inherited permissions broken after a migration | A server migration or domain join removed SYSTEM from folder ACLs |
| Specific dental app folder with restrictive ACLs | Some apps install with overly restrictive permissions |
| User home folder or profile with no SYSTEM access | Redirected folders or user-specific paths |
Step 1 — Identify Which Path Is Failing
The NinjaOne activity log or Lockhart log will usually name the specific file or folder that triggered the denial:
```powershell
# Check Lockhart log for access denied entries
$logPath = "C:\ProgramData\NinjaRMM\NinjaOneBackup\logs\lockhart.log"
Get-Content $logPath | Where-Object {$_ -match "access denied|Error 13|permission"} | Select-Object -Last 20
```
Note the full path — that's what you need to fix.
Step 2 — Check SYSTEM Permissions on the Affected Path
```powershell
# Check the current ACL on the problematic folder
$path = "C:\Path\To\ProblemFolder"
Get-Acl $path | Format-List
# Or in a more readable format:
(Get-Acl $path).Access | Where-Object {$_.IdentityReference -like "*SYSTEM*"} | Format-Table
```
Look for:
- SYSTEM missing from the ACL entirely
- A Deny entry for SYSTEM (Deny overrides Allow)
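The two conditions above can also be checked across a whole folder tree, since a subfolder or file can carry a different ACL from the folder named in the log. The following is an added example, not NinjaOne's own tooling; `Get-SystemAclGap` is a hypothetical helper name and the path is the same placeholder used in these steps. It only reads ACLs and changes nothing.

```powershell
# Added example: read-only audit, changes nothing on disk.
# Get-SystemAclGap is a hypothetical helper name, not a NinjaOne or Windows cmdlet.
function Get-SystemAclGap {
    param([Parameter(Mandatory)][string]$Root)

    $systemSid = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    # The root itself plus everything below it, including hidden/system items
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force `
                   -ErrorAction SilentlyContinue -ErrorVariable walkErrors)

    # Folders the current account could not even enumerate
    foreach ($e in $walkErrors) {
        [pscustomobject]@{ Path = [string]$e.TargetObject; Finding = 'Cannot enumerate'; Inherited = $null }
    }

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Path = $item.FullName; Finding = 'ACL unreadable'; Inherited = $null }
            continue
        }
        # Explicit + inherited ACEs, with identities translated to SIDs
        $sys   = @($acl.GetAccessRules($true, $true, $sidType) |
                   Where-Object { $_.IdentityReference.Value -eq $systemSid })
        $deny  = @($sys | Where-Object { $_.AccessControlType -eq 'Deny' })
        $allow = @($sys | Where-Object { $_.AccessControlType -eq 'Allow' })

        if ($deny.Count -gt 0) {
            [pscustomobject]@{ Path = $item.FullName; Finding = 'Deny ACE for SYSTEM'
                               Inherited = [bool]$deny[0].IsInherited }
        } elseif ($allow.Count -eq 0) {
            [pscustomobject]@{ Path = $item.FullName; Finding = 'SYSTEM missing from ACL'; Inherited = $null }
        }
    }
}

$path = "C:\Path\To\ProblemFolder"   # placeholder, as in the steps above
Get-SystemAclGap -Root $path | Format-Table -AutoSize
```

A finding with `Inherited = True` comes from a parent folder's ACL, so the fix belongs on that parent rather than on the item listed.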
Step 3 — Restore SYSTEM Access
```powershell
# Grant SYSTEM full control on the affected folder (and subfolders/files)
$path = "C:\Path\To\ProblemFolder"
$acl = Get-Acl $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "NT AUTHORITY\SYSTEM",
    "FullControl",
    "ContainerInherit,ObjectInherit",
    "None",
    "Allow"
)
$acl.SetAccessRule($rule)
Set-Acl -Path $path -AclObject $acl
Write-Host "SYSTEM access granted to: $path"
```
⚠ If there's a Deny ACE for SYSTEM, remove it first:
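```powershell
$acl = Get-Acl $path
# Collect every explicit Deny ACE for SYSTEM. Inherited ACEs cannot be removed
# here; they have to be fixed on the parent folder they come from.
$denyRules = @($acl.Access | Where-Object {
    $_.IdentityReference -like "*SYSTEM*" -and
    $_.AccessControlType -eq "Deny" -and
    -not $_.IsInherited
})
if ($denyRules.Count -gt 0) {
    # RemoveAccessRule takes one rule at a time, so loop over the matches
    foreach ($deny in $denyRules) {
        [void]$acl.RemoveAccessRule($deny)
    }
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Deny rule removed"
}
```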
Step 4 — Consider Excluding the Path (If Appropriate)
If the folder genuinely shouldn't be backed up (e.g., a system-locked path that can be regenerated):
- NinjaOne → device → Backup → Edit plan → Exclusions → add the path
- Save and trigger a manual backup run
Do not exclude paths containing dental data or database files without T2/T3 review.
After Fixing
Trigger a manual backup run and confirm it completes without Error 13. Check the Lockhart log to confirm the previously denied path is now being processed.