18
10
Each time we reinstalled Windows, it will create a new SID for user even the username is as same as before.
// example (not real SID format, just show the problem)
user SID
--------------------
liuyan S-old-501 // old SID before reinstall
liuyan S-new-501 // new SID after reinstall
The annoying problem after reinstall is NTFS file owership and permissions on hard drive disk are still associated with old user's SID.
I want to keep the ownership and permission setting of NTFS files, then want to let the new user take the old user's SID, so that I can access files as before without permission problem.
The cacls
command line tool can't be used in such situation, because the file does belongs to new user, so it will failed with Access is denied error. and it can't change ownership.
Even if I can change the owership via SubInACL
tool, cacls
can't remove the old user's permission because the old user does not exist on new installation, and can't copy the old user's permission to new user.
So, can we simply bind old user's SID to new user on the freshly installed Windows ?
Sample test batch
@echo off
REM Additional tools used in this script
REM PsGetSid http://technet.microsoft.com/en-us/sysinternals/bb897417
REM SubInACL http://www.microsoft.com/en-us/download/details.aspx?id=23510
REM
REM make sure these tools are added into PATH
set account=MyUserAccount
set password=long-password
set dir=test
set file=test.txt
echo Creating user [%account%] with password [%password%]...
pause
net user %account% %password% /add
psgetsid %account%
echo Done !
echo Making directory [%dir%] ...
pause
mkdir %dir%
dir %dir%* /q
echo Done !
echo Changing permissions of directory [%dir%]: only [%account%] and [%UserDomain%\%UserName%] has full access permission...
pause
cacls %dir% /G %account%:F
cacls %dir% /E /G %UserDomain%\%UserName%:F
dir %dir%* /q
cacls %dir%
echo Done !
echo Changing ownership of directory [%dir%] to [%account%]...
pause
subinacl /file %dir% /setowner=%account%
dir %dir%* /q
echo Done !
echo RunAs [%account%] user to write a file [%file%] in directory [%dir%]...
pause
runas /noprofile /env /user:%account% "cmd /k echo some text %DATE% %TIME% > %dir%\%file%"
dir %dir% /q
echo Done !
echo Deleting and Recreating user [%account%] (reinstall simulation) ...
pause
net user %account% /delete
net user %account% %password% /add
psgetsid %account%
echo Done ! %account% is recreated, it has a new SID now
echo Now, use this "same" account [%account%] to access [%dir%], it will failed with "Access is denied"
pause
runas /noprofile /env /user:%account% "cmd /k cacls %dir%"
REM runas /noprofile /env /user:%account% "cmd /k type %dir%\%file%"
echo Done !
echo Changing ownership of directory [%dir%] to NEW [%account%]...
pause
subinacl /file %dir% /setowner=%account%
dir %dir%* /q
cacls %dir%
echo Done ! As you can see, "Account Domain not found" is actually the OLD [%account%] user
echo Deleting user [%account%] ...
pause
net user %account% /delete
echo Done !
echo Deleting directory [%dir%]...
pause
rmdir %dir% /s /q
echo Done !
Why are you against just taking ownership of the file? – Ramhound – 2012-06-21T12:31:41.017
If only ownership is taken, some files are sill not accessable because the permission is still set to old user's SID. – LiuYan 刘研 – 2012-06-21T14:14:27.327
@LiuYan刘研 But after you take ownership, you should be able to edit all permissions. – Iszi – 2012-06-21T16:19:31.547
1@IsziRoryorIsznti, true if there're few files and all permissions are inherited from parents. but when there're lot files, and almost each file has individual permission setting (such as files under Cygwin), then I can't simply replace them with same permission. – LiuYan 刘研 – 2012-06-21T17:23:38.953