How to bind an old user's SID to a new user to retain NTFS file ownership and permissions after a fresh reinstall of Windows?

Each time we reinstall Windows, it creates a new SID for the user even if the username is the same as before.

// example (not real SID format, just show the problem)
user   SID
--------------------
liuyan S-old-501    // old SID before reinstall
liuyan S-new-501    // new SID after  reinstall

The annoying problem after a reinstall is that NTFS file ownership and permissions on the hard disk are still associated with the old user's SID.

I want to keep the ownership and permission settings of the NTFS files, and let the new user take over the old user's SID, so that I can access the files as before without permission problems.

The cacls command line tool can't be used in this situation, because the file doesn't belong to the new user, so it fails with an "Access is denied" error, and it can't change ownership.

Even if I can change the ownership via the SubInACL tool, cacls can't remove the old user's permissions because the old user does not exist on the new installation, and it can't copy the old user's permissions to the new user.

So, can we simply bind the old user's SID to the new user on the freshly installed Windows?

Sample test batch

@echo off
REM Additional tools used in this script:
REM   PsGetSid  http://technet.microsoft.com/en-us/sysinternals/bb897417  (prints the SID of an account)
REM   SubInACL  http://www.microsoft.com/en-us/download/details.aspx?id=23510  (changes the owner of a file/directory)
REM
REM Make sure both tools are in PATH and run this from an elevated command prompt.

set account=MyUserAccount
set password=long-password
set dir=test
set file=test.txt

echo Creating user [%account%] with password [%password%]...
pause
net user %account% %password% /add
psgetsid %account%
echo Done !

echo Making directory [%dir%] ...
pause
mkdir %dir%
dir %dir%* /q
echo Done !

echo Changing permissions of directory [%dir%]: only [%account%] and [%UserDomain%\%UserName%] has full access permission...
pause
cacls %dir% /G %account%:F
cacls %dir% /E /G %UserDomain%\%UserName%:F
dir %dir%* /q
cacls %dir%
echo Done !

echo Changing ownership of directory [%dir%] to [%account%]...
pause
subinacl /file %dir% /setowner=%account%
dir %dir%* /q
echo Done !

echo RunAs [%account%] user to write a file [%file%] in directory [%dir%]...
pause
runas /noprofile /env /user:%account% "cmd /k echo some text %DATE% %TIME% > %dir%\%file%"
dir %dir% /q
echo Done !

echo Deleting and Recreating user [%account%] (reinstall simulation) ...
pause
net user %account% /delete
net user %account% %password% /add
psgetsid %account%
echo Done ! %account% is recreated, it has a new SID now

echo Now, use this "same" account [%account%] to access [%dir%]; it will fail with "Access is denied"
pause
runas /noprofile /env /user:%account% "cmd /k cacls %dir%"
REM runas /noprofile /env /user:%account% "cmd /k type %dir%\%file%"
echo Done !

echo Changing ownership of directory [%dir%] to NEW [%account%]...
pause
subinacl /file %dir% /setowner=%account%
dir %dir%* /q
cacls %dir%
echo Done ! As you can see, the entry shown as "Account Domain not found" is actually the OLD [%account%] user

echo Deleting user [%account%] ...
pause
net user %account% /delete
echo Done !

echo Deleting directory [%dir%]...
pause
rmdir %dir% /s /q
echo Done !

You could use setacl to replace the orphaned SIDs with a new one. For example, use the following to replace your old SID with the new one:

REM cont_obj recurses into both directories and files; cont alone would only touch directories
setacl.exe -on C:\ ^
           -ot file ^
           -actn trustee -trst "n1:S-old-501;n2:S-new-501;ta:repltrst" ^
           -rec cont_obj
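The same replacement can be done without a third-party tool. The following PowerShell script is an added example, not code from the question or either answer: it walks a tree and rewrites every explicit DACL entry and every owner that still carries the orphaned SID, so the recreated account gets exactly the rights the old one had. The two SID strings are placeholders (an assumption); read the real ones with `psgetsid <account>` or `whoami /user`, and run from an elevated prompt so that owners can be rewritten.

```powershell
# Added example (not from the question or the answers): rewrite the orphaned SID
# into the new one on every item under $Root, covering explicit DACL entries and
# the owner. SID values are placeholders (assumption); get the real ones with
# "psgetsid <account>" or "whoami /user". Run elevated so owners can be rewritten.
param(
    [string]$Root   = 'C:\test',
    [string]$OldSid = 'S-1-5-21-PLACEHOLDER-OLD-1001',
    [string]$NewSid = 'S-1-5-21-PLACEHOLDER-NEW-1001',
    [switch]$WhatIf   # preview: report what would change, do not call Set-Acl for real
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$old = New-Object System.Security.Principal.SecurityIdentifier($OldSid)
$new = New-Object System.Security.Principal.SecurityIdentifier($NewSid)

function Update-OrphanedSid {
    param([string]$Path)
    $acl     = Get-Acl -LiteralPath $Path
    $changed = $false

    # Compare owners as raw SIDs: an orphaned owner cannot be translated to a name.
    if ($acl.GetOwner($sidType).Value -eq $old.Value) {
        $acl.SetOwner($new)
        $changed = $true
    }

    # Only explicit ACEs are replaced; inherited ones get fixed through their parent.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if ($ace.IdentityReference.Value -ne $old.Value) { continue }
        $acl.RemoveAccessRuleSpecific($ace)
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $new, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)))
        $changed = $true
    }
    if ($changed) { Set-Acl -LiteralPath $Path -AclObject $acl -WhatIf:$WhatIf }
    return $changed
}

# Process the root itself plus everything below it, hidden/system items included.
$items = @(Get-Item -LiteralPath $Root -Force) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$fixed = 0
foreach ($item in $items) {
    try {
        if (Update-OrphanedSid -Path $item.FullName) { $fixed++; Write-Host "updated: $($item.FullName)" }
    } catch {
        Write-Warning "skipped $($item.FullName): $($_.Exception.Message)"
    }
}
Write-Host "$fixed item(s) referenced $OldSid"
```

Run it once with `-WhatIf` to see which items still reference the old SID before changing anything; entries that are only inherited are not touched directly, because rewriting the parent's explicit entry propagates to them.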

  1. There is no supported way to change the computer's SID or to change the SID of a local account so that it does not match that of the computer.

  2. The wording of your question implies that you are reinstalling the operating system frequently, which you shouldn't need to do. If you are having repeated issues which require a reinstallation, it may be worth figuring out what is causing them rather than just reinstalling each time.

  3. Certain groups use well-known SIDs which means they do not change when the computer is reinstalled. So you may make your problem simpler by choosing permissions ahead of time so that they use these groups. Some of these groups that might be useful include Administrators, Power Users, Users, Authenticated Users and INTERACTIVE.

  4. One slow but easy way of resetting permissions for an entire folder tree is to copy it:

    robocopy /e /b c:\original-folder c:\new-copy
    

    This must be run from an elevated command prompt. Using the /b option makes robocopy use restore privilege to bypass security on the files. Create c:\new-copy before you start and set the permissions as desired.

    You can use this command to delete the original folder after you've copied it:

    robocopy /e /b c:\empty-folder c:\original-folder