How to bind old user's SID to new user to remain NTFS file ownership and permissions after freshly reinstall of Windows?
Each time we reinstalled Windows, it will create a new SID for user even the username is as same as before.
// example (not real SID format, just show the problem)
user SID
--------------------
liuyan S-old-501 // old SID before reinstall
liuyan S-new-501 // new SID after reinstall
The annoying problem after reinstall is NTFS file owership and permissions on hard drive disk are still associated with old user's SID.
I want to keep the ownership and permission setting of NTFS files, then want to let the new user take the old user's SID, so that I can access files as before without permission problem.
The cacls
command line tool can't be used in such situation, because the file does belongs to new user, so it will failed with Access is denied error. and it can't change ownership.
Even if I can change the owership via SubInACL
tool, cacls
can't remove the old user's permission because the old user does not exist on new installation, and can't copy the old user's permission to new user.
So, can we simply bind old user's SID to new user on the freshly installed Windows ?
Sample test batch
@echo off
REM Additional tools used in this script
REM PsGetSid http://technet.microsoft.com/en-us/sysinternals/bb897417
REM SubInACL http://www.microsoft.com/en-us/download/details.aspx?id=23510
REM
REM make sure these tools are added into PATH
set account=MyUserAccount
set password=long-password
set dir=test
set file=test.txt
echo Creating user [%account%] with password [%password%]...
pause
net user %account% %password% /add
psgetsid %account%
echo Done !
echo Making directory [%dir%] ...
pause
mkdir %dir%
dir %dir%* /q
echo Done !
echo Changing permissions of directory [%dir%]: only [%account%] and [%UserDomain%\%UserName%] has full access permission...
pause
cacls %dir% /G %account%:F
cacls %dir% /E /G %UserDomain%\%UserName%:F
dir %dir%* /q
cacls %dir%
echo Done !
echo Changing ownership of directory [%dir%] to [%account%]...
pause
subinacl /file %dir% /setowner=%account%
dir %dir%* /q
echo Done !
echo RunAs [%account%] user to write a file [%file%] in directory [%dir%]...
pause
runas /noprofile /env /user:%account% "cmd /k echo some text %DATE% %TIME% > %dir%\%file%"
dir %dir% /q
echo Done !
echo Deleting and Recreating user [%account%] (reinstall simulation) ...
pause
net user %account% /delete
net user %account% %password% /add
psgetsid %account%
echo Done ! %account% is recreated, it has a new SID now
echo Now, use this "same" account [%account%] to access [%dir%], it will failed with "Access is denied"
pause
runas /noprofile /env /user:%account% "cmd /k cacls %dir%"
REM runas /noprofile /env /user:%account% "cmd /k type %dir%\%file%"
echo Done !
echo Changing ownership of directory [%dir%] to NEW [%account%]...
pause
subinacl /file %dir% /setowner=%account%
dir %dir%* /q
cacls %dir%
echo Done ! As you can see, "Account Domain not found" is actually the OLD [%account%] user
echo Deleting user [%account%] ...
pause
net user %account% /delete
echo Done !
echo Deleting directory [%dir%]...
pause
rmdir %dir% /s /q
echo Done !
You could use setacl to replace the orphaned SIDs with a new one. For example, use the following to replace your old SID with the new one:
setacl.exe -on C:\
-ot file
-actn trustee -trst "n1:S-old-501;n2:S-new-501;ta:repltrst"
-rec cont
There is no supported way to change the computer's SID or to change the SID of a local account so that it does not match that of the computer.
The wording of your question implies that you are reinstalling the operating system frequently, which you shouldn't need to do. If you are having repeated issues which require a reinstallation, it may be worth figuring out what is causing them rather than just reinstalling each time.
Certain groups use well-known SIDs which means they do not change when the computer is reinstalled. So you may make your problem simpler by choosing permissions ahead of time so that they use these groups. Some of these groups that might be useful include Administrators, Power Users, Users, Authenticated Users and INTERACTIVE.
-
One slow but easy way of resetting permissions for an entire folder tree is to copy it:
robocopy /e /b c:\original-folder c:\new-copy
This must be run from an elevated command prompt. Using the /b option makes robocopy use restore privilege to bypass security on the files. Create
c:\new-copy
before you start and set the permissions as desired.You can use this command to delete the original folder after you've copied it:
robocopy /e /b c:\empty-folder c:\original-folder