How to bind an old user's SID to a new user to retain NTFS file ownership and permissions after a fresh reinstall of Windows?


Each time we reinstall Windows, it creates a new SID for the user, even if the username is the same as before.

// example (not real SID format, just show the problem)
user   SID
--------------------
liuyan S-old-501    // old SID before reinstall
liuyan S-new-501    // new SID after  reinstall

The annoying problem after a reinstall is that NTFS file ownership and permissions on the hard disk are still associated with the old user's SID.

I want to keep the ownership and permission settings of the NTFS files, and want to let the new user take the old user's SID, so that I can access files as before without permission problems.

The cacls command line tool can't be used in this situation, because the file does not belong to the new user, so it fails with an "Access is denied" error, and it can't change ownership.

Even if I can change the ownership via the SubInACL tool, cacls can't remove the old user's permission because the old user does not exist on the new installation, and it can't copy the old user's permission to the new user.

So, can we simply bind the old user's SID to the new user on the freshly installed Windows?

Sample test batch

@echo off
REM Additional tools used in this script
REM PsGetSid http://technet.microsoft.com/en-us/sysinternals/bb897417
REM SubInACL http://www.microsoft.com/en-us/download/details.aspx?id=23510
REM
REM make sure these tools are added into PATH

set account=MyUserAccount
set password=long-password
set dir=test
set file=test.txt

echo Creating user [%account%] with password [%password%]...
pause
net user %account% %password% /add
psgetsid %account%
echo Done !

echo Making directory [%dir%] ...
pause
mkdir %dir%
dir %dir%* /q
echo Done !

echo Changing permissions of directory [%dir%]: only [%account%] and [%UserDomain%\%UserName%] has full access permission...
pause
cacls %dir% /G %account%:F
cacls %dir% /E /G %UserDomain%\%UserName%:F
dir %dir%* /q
cacls %dir%
echo Done !

echo Changing ownership of directory [%dir%] to [%account%]...
pause
subinacl /file %dir% /setowner=%account%
dir %dir%* /q
echo Done !

echo RunAs [%account%] user to write a file [%file%] in directory [%dir%]...
pause
runas /noprofile /env /user:%account% "cmd /k echo some text %DATE% %TIME% > %dir%\%file%"
dir %dir% /q
echo Done !

echo Deleting and Recreating user [%account%] (reinstall simulation) ...
pause
net user %account% /delete
net user %account% %password% /add
psgetsid %account%
echo Done ! %account% is recreated, it has a new SID now

echo Now, use this "same" account [%account%] to access [%dir%], it will failed with "Access is denied"
pause
runas /noprofile /env /user:%account% "cmd /k cacls %dir%"
REM runas /noprofile /env /user:%account% "cmd /k type %dir%\%file%"
echo Done !

echo Changing ownership of directory [%dir%] to NEW [%account%]...
pause
subinacl /file %dir% /setowner=%account%
dir %dir%* /q
cacls %dir%
echo Done ! As you can see, "Account Domain not found" is actually the OLD [%account%] user

echo Deleting user [%account%] ...
pause
net user %account% /delete
echo Done !

echo Deleting directory [%dir%]...
pause
rmdir %dir% /s /q
echo Done !

LiuYan 刘研

Posted 2012-06-21T10:22:08.897

Reputation: 1 929

Why are you against just taking ownership of the file? – Ramhound – 2012-06-21T12:31:41.017

If only ownership is taken, some files are still not accessible because the permission is still set to the old user's SID. – LiuYan 刘研 – 2012-06-21T14:14:27.327

@LiuYan刘研 But after you take ownership, you should be able to edit all permissions. – Iszi – 2012-06-21T16:19:31.547

@IsziRoryorIsznti, true if there are few files and all permissions are inherited from parents. But when there are lots of files, and almost each file has an individual permission setting (such as files under Cygwin), then I can't simply replace them with the same permission. – LiuYan 刘研 – 2012-06-21T17:23:38.953

Answers


You could use setacl to replace the orphaned SIDs with a new one. For example, use the following to replace your old SID with the new one:

REM one command, split with cmd line continuations (^)
setacl.exe -on C:\ ^
           -ot file ^
           -actn trustee -trst "n1:S-old-501;n2:S-new-501;ta:repltrst" ^
           -rec cont

Daniel Gehriger

Posted 2012-06-21T10:22:08.897

Reputation: 340


As of 2016-01-08, it is necessary to specify a "what" (w:) for the trustee action, or the owner is not set. The -actn trustee line needs to be -actn trustee -trst "n1:S-old-501;n2:S-new-501;ta:repltrst;w:d,s,o,g". Even then, it does not correctly set whatever cygwin picks up for the group (it still displays as "unknown" in /bin/ls -l).

– Makyen – 2016-01-08T16:34:31.713

Is there an easy way to display the SID on an existing Windows, without searching manually in the registry? – Radon8472 – 2017-07-07T08:44:33.227

@Makyen: I had the same problem with cygwin and fixed it with -rec cont_obj because it also applies changes on files. – Denis Bakharev – 2018-02-21T19:18:47.503

Nice tool! That's what I wanted (although it doesn't change the user SID)! It's in my must-have list now! However, there's an unexpected behaviour: when I tried this after my test batch (without deleting the directory and file), the directory inherits permissions from its parent, which is something unwanted. Note: The ACL of the directory is changed via the cacls command, but its inheritance flag isn't changed. – LiuYan 刘研 – 2013-02-26T11:12:33.873

I think that needs to be C:\ according to the SetACL docs. – cdmckay – 2013-02-26T22:34:07.283

@cdmckay: not sure. It says: "If the object name ends with a backslash and you enclose it in quotes, make sure to escape the last backslash with another backslash". But I'm not enclosing it in quotes. – Daniel Gehriger – 2013-02-27T21:56:44.523
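The "Account Domain not found" entries from the question's test batch and the SID replacement this answer does with setacl can both be reproduced natively. This is an added PowerShell script, not code from the question, the answer or the SetACL project: it walks a folder tree, reports every owner and explicit ACE whose SID no longer resolves to an account (an orphaned SID), and with -Fix swaps one known old SID for the new one while keeping each ACE's rights and inheritance flags. $Root, $OldSid and $NewSid are placeholder values; replacing the owner needs an elevated prompt (SeRestorePrivilege).

```powershell
# Added example: audit a tree for orphaned SIDs and optionally replace OldSid with NewSid.
# Placeholders below are constructed, not real SIDs; run elevated so Set-Acl can set owners.
param(
    [string]$Root   = 'C:\test',
    [string]$OldSid = 'S-1-5-21-0000000000-0000000000-0000000000-1001',  # placeholder old SID
    [string]$NewSid = 'S-1-5-21-1111111111-1111111111-1111111111-1001',  # placeholder new SID
    [switch]$Fix
)

function Test-OrphanedSid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # A SID that cannot be translated to an account name is orphaned; cacls shows these as
    # "Account Domain not found". Well-known SIDs (Administrators, Users, ...) always resolve.
    try { [void]$Sid.Translate([System.Security.Principal.NTAccount]); return $false }
    catch { return $true }
}

$old = [System.Security.Principal.SecurityIdentifier]$OldSid
$new = [System.Security.Principal.SecurityIdentifier]$NewSid
$sidType = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
    $path = $_.FullName
    try { $acl = Get-Acl -LiteralPath $path } catch { "{0}: cannot read ACL ({1})" -f $path, $_; return }
    $changed = $false

    # Compare owners as SIDs, not names, because an orphaned SID has no name to compare.
    $owner = $acl.GetOwner($sidType)
    if (Test-OrphanedSid $owner) {
        "{0}: owner {1} is orphaned" -f $path, $owner
        if ($Fix -and $owner -eq $old) { $acl.SetOwner($new); $changed = $true }
    }

    # Only explicit (non-inherited) ACEs are stored on this object; inherited ones come from the parent.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if (-not (Test-OrphanedSid $ace.IdentityReference)) { continue }
        "{0}: ACE for {1} ({2}) is orphaned" -f $path, $ace.IdentityReference, $ace.FileSystemRights
        if ($Fix -and $ace.IdentityReference -eq $old) {
            # Rebuild the ACE with the new SID and the same rights, inheritance and propagation flags,
            # so the object's own inheritance settings are left exactly as they were.
            $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $new, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
            $acl.RemoveAccessRuleSpecific($ace)
            $acl.AddAccessRule($newAce)
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -LiteralPath $path -AclObject $acl }
}
```

Run it without -Fix first to get the report only; the SIDs to pass as -OldSid and -NewSid can be read with psgetsid as in the question's batch (the old one appears in the report itself).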


  1. There is no supported way to change the computer's SID or to change the SID of a local account so that it does not match that of the computer.

  2. The wording of your question implies that you are reinstalling the operating system frequently, which you shouldn't need to do. If you are having repeated issues which require a reinstallation, it may be worth figuring out what is causing them rather than just reinstalling each time.

  3. Certain groups use well-known SIDs which means they do not change when the computer is reinstalled. So you may make your problem simpler by choosing permissions ahead of time so that they use these groups. Some of these groups that might be useful include Administrators, Power Users, Users, Authenticated Users and INTERACTIVE.

  4. One slow but easy way of resetting permissions for an entire folder tree is to copy it:

    robocopy /e /b c:\original-folder c:\new-copy
    

    This must be run from an elevated command prompt. Using the /b option makes robocopy use restore privilege to bypass security on the files. Create c:\new-copy before you start and set the permissions as desired.

    You can use this command to delete the original folder after you've copied it:

    robocopy /e /b c:\empty-folder c:\original-folder
    

Harry Johnston

Posted 2012-06-21T10:22:08.897

Reputation: 5 054

So if I do this as admin and copy files from an old user location to the new user location, does it set the SID of each file to the new user? – trusktr – 2014-06-21T19:30:27.377

@trusktr: depends what you mean; the ownership of the files is assigned to the admin user who is doing the copy, but the permissions are inherited from the parent folder. Typically, only the permissions matter. – Harry Johnston – 2014-06-21T22:29:02.830

Well basically what I want to do is copy all the files from an old Windows C:\Users\username location to a new Windows C:\Users\username location so those files all belong to the new user (just migrating to a fresh Windows install basically, and wanting to keep my previous user's files). It's the same username in both the old and new. Will a simple copy of the files from one place to the other as admin do the trick? I'm curious to know if the SIDs of the files will change to the new user's SID because I'm using NTFS-3G to map the file SIDs to my Linux user. – trusktr – 2014-06-21T23:02:02.000

@trusktr: the ownership won't be a problem in that case, but the user profile contains stuff (most notably the user's registry hive) that can't be migrated that way. Robocopy will be fine as far as permissions go, but I recommend copying each individual folder (e.g., Documents, Desktop, etc.) rather than the entire <username> folder. Leave out the hidden folders like AppData - make sure you keep a copy, but don't copy them over top of the new account. – Harry Johnston – 2014-06-21T23:09:19.793

Ideally I'd just like to keep my <username> folder on a separate partition (the old Windows partition) and make that <username> folder the home folder for my user <username> of my new Windows. – trusktr – 2014-06-25T02:52:49.287