john john:
If you have several valid owners on files on the drive and
if you only want to replace the owner on the specific SID
use the SubInAcl tool, available from the Microsoft site.
My daughter owns lots of music and anime files on her network share. I'll
check out subinacl but not do anything drastic until I've read about it some
and made a new C: image (all the data drives get nightly backups, so they're
OK. The SIDs in the owner column are ugly but they aren't really hurting any
functionality and I'm wary of making things worse with an ill-understood fix.
But I've heard of subinacl and ought to know how to use it (I have an MCSE
but my job is PACS administrator in a hospital and I haven't ever worked as a
domain admin, so there's lots of stuff I don't know.) Thanks for the tip. I'm
counting that as question 2 down.
Take a look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList and see if the user is showing
there
Well, that's another third of the mystery. The SID belongs to said daughter,
who used to log in as kelly on her own PC and had accounts with matching IDs
and passwords on the other two PCs we have here to make workgroup-style
network sharing a little smoother. She recently made herself a new account
with a different username, and then started getting "You don't have
permission to access this network resource. Go yell at your administrator"
messages. The administrator would be dad, so I made her new accounts all
'round with the new ID. And deleted user kelly on my PC which, though I
didn't see it happen, is bound to be the moment all these files stopped
belonging to kelly and started belonging to our friend
S-1-5-21-839522115-838170752-682003330-1022.
these phantom SIDs are usually present if the drive was mounted
and used on another Windows installation.
John, I think you've gone three for three. Not exactly a different Win
installation (in fact I made great efforts to keep the win installation the
same, as I'll describe,) but the drive was once the boot drive of a
completely different PC. I got lots of new hardware including a new
motherboard and processor but the drive was only about 18 months old then and
the windows install was pretty elaborate and I'm lazy so (not really
expecting it to work but having nothing to lose, also just for the L of it)
before taking the old machine down for the last time I went to device
manager, displayed hidden devices, and deleted everything in sight. And then
tried moving the drive to the new PC and booting from it to see how much of
the new hardware it could recognize and install drivers for. It complained
bitterly and blue-screened multiple times but eventually it at least gave me
safe mode. From there after several passes with the registry cleaner in
CCleaner.exe--which seems to me to really hit the sweet spot between not
doing much of anything and cutting too deep--and some google-aided manual
registry fixes it gave me a boot to XP standard mode which lasted a good
twenty minutes before croaking. After a bit more cleanup and a couple of sfc
/scannow passes and a few drivers that had to be downloaded from vendor sites
(but not many, basically just for the new chipset, new graphics card and new
soundcard) it seemed almost, y'know, useable. That was xmas of 2006 and I'm
still using it and it's now (especially since installing SP3) as clean and
stable as it was before its harrowing experience.
I like telling this tale to folks who diss on windows. But I still encounter
the occasional oddness left over from the abuse I gave it then and I feel
sure something I did resulted in kelly owning lots of my files. Strongest
evidence is that all the files and folders now owned by
S-1-5-21-839522115-838170752-682003330-1022 show a creation date from before
the great switchover.
Andrew:
If all the DCs are offline, or there is a network problem,
you can see raw SIDs instead of friendly names. I have
certainly seen this in the past! However, once the workstation
can access Active Directory on the DC again, the SIDs will
go back to appearing as friendly names; and life is good again.
Yeah, I've seen that much also. At work. Where I work for radiology, not
I.T., and I consider it part of my job to give my radiologists what they say
they need for best patient care, rather than enforcing I.T. policies that
were basically made for secretaries. Among these is a workaround for making
all the MDs local admins of their own reading stations (example of the need:
their report dictation software, from a Very Big Name I'll call D*ctaPh*ne,
insists on writing to the registry and often throws session-ending tantrums
if it can't.) Well, it was a near-panic moment after the I first time I tried
slipping their domain IDs into the local admin group and then rebooted off
the domain to do other stuff, and saw all the doctors' login names change to
SIDs on all their profile files. But, as you say, just reconnect to the
domain and all those SIDs turn back to normal friendly usernames. (If you
call DR1479 friendly, anuway. At least it's friendlier than
S-1-5-21-839522115-838170752-682003330-1022!)
Thanks very much to both of you!