After reinstalling Windows, how can I bind the old user's SID to the new user to keep NTFS file ownership and permissions?

Liu*_* 刘研 20 windows ntfs permissions

Every time we reinstall Windows, it creates a new SID for the user, even when the user name is the same.

// example (not real SID format, just show the problem)
user   SID
--------------------
liuyan S-old-501    // old SID before reinstall
liuyan S-new-501    // new SID after  reinstall

The annoying problem after a reinstall is that the ownership and permissions of the NTFS files on the hard disk are still associated with the old user's SID.

I want to keep the NTFS file ownership and permission settings, and then have the new user use the old user's SID, so that I can access the files as before without permission problems.

The cacls command-line tool cannot be used in this situation, because the files do not belong to the new user, so it fails with an "Access is denied" error. It cannot change ownership.

Even though I can change the ownership with the SubInACL tool, cacls cannot remove the old user's permissions, because the old user does not exist on the new installation, and it cannot copy the old user's permissions to the new user.

So, can we simply bind the old user's SID to the new user on a freshly installed Windows?

Sample test batch file

@echo off
REM Additional tools used in this script
REM PsGetSid http://technet.microsoft.com/en-us/sysinternals/bb897417
REM SubInACL http://www.microsoft.com/en-us/download/details.aspx?id=23510
REM
REM make sure these tools are added into PATH

set account=MyUserAccount
set password=long-password
set dir=test
set file=test.txt

echo Creating user [%account%] with password [%password%]...
pause
net user %account% %password% /add
psgetsid %account%
echo Done !

echo Making directory [%dir%] ...
pause
mkdir %dir%
dir %dir%* /q
echo Done !

echo Changing permissions of directory [%dir%]: only [%account%] and [%UserDomain%\%UserName%] has full access permission...
pause
cacls %dir% /G %account%:F
cacls %dir% /E /G %UserDomain%\%UserName%:F
dir %dir%* /q
cacls %dir%
echo Done !

echo Changing ownership of directory [%dir%] to [%account%]...
pause
subinacl /file %dir% /setowner=%account%
dir %dir%* /q
echo Done !

echo RunAs [%account%] user to write a file [%file%] in directory [%dir%]...
pause
runas /noprofile /env /user:%account% "cmd /k echo some text %DATE% %TIME% > %dir%\%file%"
dir %dir% /q
echo Done !

echo Deleting and Recreating user [%account%] (reinstall simulation) ...
pause
net user %account% /delete
net user %account% %password% /add
psgetsid %account%
echo Done ! %account% is recreated, it has a new SID now

echo Now, use this "same" account [%account%] to access [%dir%], it will fail with "Access is denied"
pause
runas /noprofile /env /user:%account% "cmd /k cacls %dir%"
REM runas /noprofile /env /user:%account% "cmd /k type %dir%\%file%"
echo Done !

echo Changing ownership of directory [%dir%] to NEW [%account%]...
pause
subinacl /file %dir% /setowner=%account%
dir %dir%* /q
cacls %dir%
echo Done ! As you can see, "Account Domain not found" is actually the OLD [%account%] user

echo Deleting user [%account%] ...
pause
net user %account% /delete
echo Done !

echo Deleting directory [%dir%]...
pause
rmdir %dir% /s /q
echo Done !

Dan*_*ger 13

You can use setacl to replace the orphaned SID with the new SID. For example, use the following command to replace the old SID with the new one:

setacl.exe -on C:\ -ot file ^
           -actn trustee -trst "n1:S-old-501;n2:S-new-501;ta:repltrst" ^
           -rec cont
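The same trustee replacement done with built-in PowerShell cmdlets instead of SetACL, as an added example that is not part of the original answer. It assumes an elevated session, a placeholder orphaned SID read from an ACE that Get-Acl shows as a raw SID, and the script's own parameter names.

```powershell
# Added example (not from the question or the answer): replace an orphaned SID in
# NTFS ACLs, and as owner, with a new account's SID using Get-Acl / Set-Acl.
# Run elevated. $OldSid is a placeholder; read it from an ACE that Get-Acl
# shows as a raw "S-1-5-21-..." string (an orphaned SID cannot be resolved).
param(
    [Parameter(Mandatory)] [string] $Path,        # root to fix, e.g. D:\Data
    [Parameter(Mandatory)] [string] $OldSid,      # orphaned SID (placeholder)
    [Parameter(Mandatory)] [string] $NewAccount,  # e.g. "$env:USERDOMAIN\$env:USERNAME"
    [switch] $DryRun                              # report what would change only
)

$old = [System.Security.Principal.SecurityIdentifier]::new($OldSid)
$new = ([System.Security.Principal.NTAccount]$NewAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Walk the root itself plus everything below it (hidden/system items included).
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $changed = $false

    # Owner: compare in raw SID form, since the orphaned SID has no name.
    if ($acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value -eq $old.Value) {
        $acl.SetOwner($new)
        $changed = $true
    }

    # Only explicit ACEs can be rewritten on this object; inherited copies of
    # the orphaned ACE are corrected when their parent container is processed.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        if ($ace.IdentityReference.Value -ne $old.Value) { continue }
        # Rebuild the ACE with identical rights/flags but the new trustee.
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $new, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        [void]$acl.RemoveAccessRuleSpecific($ace)
        $acl.AddAccessRule($rule)
        $changed = $true
    }

    if ($changed) {
        Write-Host "Fixing $($item.FullName)"
        # If this fails with "Access is denied", take ownership first (as the
        # question does with subinacl /setowner) and rerun.
        if (-not $DryRun) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
    }
}
```

Run it once with -DryRun to list the objects that still reference the orphaned SID before rewriting anything.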