Ownership of all files on hard drive suddenly changed


Big Al Mintaka

Hello Everyone,
I noticed when I explored an external USB drive that I couldn't see
folders I had been able to see earlier this evening. I checked the ownership
and found that the owner had been set to

S-1-5-21-2311030268-158868070-3690016334-1008

I looked through the Registry for this and found nothing. So, I reset the
ownership of all files on that drive to my account (I am the "real"
administrator).

Just out of curiosity I checked the ownership of some files on my C: drive.
All of my personal folders were now owned by that long ID string above. Now
I am setting the owner back to my account.

Folders like "Program Files" and "Windows" are owned by TrustedInstaller,
which is what they had been set to earlier today. It looks like all of my
personal folders on all hard drives have been hit.

What the.....????? Does anyone know what this means?

Thanks for your time,
Big Al Mintaka
 
S-1-5-21-2311030268-158868070-3690016334-1008 is a security identifier, a
SID. It is the internal identifier for a user account. The part before 1008
is the computer's or domain's SID. 1008 is called the Relative Identifier and
identifies the unique user account in that computer or domain. Even if you
change the name of the user account the SID always stays the same.

There are two typical scenarios when you see the SID instead of the user
account. Both of them stem from the fact that the computer is unable to
resolve the SID to a username.

The first is when you have used this drive on a different computer and an
account from that computer has been given permissions to, or ownership of,
data. You can tell whether this is the case by retrieving the computer SID
for the computer where you have the problem. There are a few ways to do that.
Without installing additional software, and assuming your account is not a
domain account, you can open a command prompt and type "whoami /user". It
will show your own SID. If everything before the last number (1008 in this
case) matches between your account and the mystery one then the mystery SID
is for a local account. That means you have case 2.

Case 2 is where an account has been deleted. Ownership and permissions are
not reassigned when accounts are deleted. However, since the account no
longer exists, the computer is unable to find the username for it and shows
you the SID instead.

In your case, since it is an external drive, I would be willing to bet that
you used this drive in a different computer and changed ownership on
everything on the drive. If you log on to that computer with whatever account
you used and run whoami /user you should find that SID.

If you care to explore SIDs a bit more, psgetsid is a nice little tool that
can resolve them back and forth:
http://www.microsoft.com/technet/sysinternals/miscellaneous/psgetsid.mspx. If
you want to learn more about them, there is quite technical documentation at
http://technet2.microsoft.com/windo...7404-41a6-9be7-171d40c398db1033.mspx?mfr=true,
and in the forthcoming Windows Server 2008 Security Resource Kit.
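
The comparison described in the reply above, as an added PowerShell example that is not part of the original thread: it checks whether a SID still resolves to a name and whether its issuer part (everything before the RID) matches the current account's. The function name `Get-SidOrigin` and the drive path `E:\` are placeholders chosen for illustration, and the reference account is assumed to be a local account, as in the reply.

```powershell
# Added example. Requires Windows PowerShell 5 or later.
function Get-SidOrigin {
    param(
        [Parameter(Mandatory)] [string] $Sid,
        # Reference SID: defaults to the current user's, the value "whoami /user" prints.
        # Assumption (as in the reply): this is a local account, not a domain account.
        [string] $ReferenceSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    )
    $target    = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $reference = [System.Security.Principal.SecurityIdentifier]::new($ReferenceSid)

    # Can this computer still map the SID to an account name?
    $name = $null
    try { $name = $target.Translate([System.Security.Principal.NTAccount]).Value }
    catch [System.Security.Principal.IdentityNotMappedException] { }

    # AccountDomainSid is the part before the RID; it is $null for
    # well-known SIDs such as S-1-5-18 that have no issuing computer or domain.
    $issuer     = $target.AccountDomainSid
    $refIssuer  = $reference.AccountDomainSid
    $sameIssuer = ($null -ne $issuer) -and ($null -ne $refIssuer) -and
                  ($issuer.Value -eq $refIssuer.Value)

    $verdict = if ($name) { 'Resolves to an existing account' }
    elseif ($sameIssuer)  { 'Case 2: issued by this computer, account no longer exists' }
    else                  { 'Case 1: issued by another computer or domain' }

    [pscustomobject]@{
        Sid     = $target.Value
        Issuer  = if ($issuer) { $issuer.Value } else { $null }
        Rid     = ($target.Value -split '-')[-1]
        Account = $name
        Verdict = $verdict
    }
}

# The SID quoted in the question:
Get-SidOrigin -Sid 'S-1-5-21-2311030268-158868070-3690016334-1008'

# Inventory every distinct owner SID under a drive (E:\ is a placeholder) and classify each.
Get-ChildItem -LiteralPath 'E:\' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if ($acl) { $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }
    } |
    Sort-Object -Unique |
    ForEach-Object { Get-SidOrigin -Sid $_ }
```

Running the inventory before resetting ownership records which SIDs owned the files, which is useful if the change later needs to be explained or reversed.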
 