Solved

Taking ownership of a user folder?

Posted on 2014-04-01
7
415 Views
Last Modified: 2014-04-08
Normally if I pull a c: drive out of one computer and dock or connect it to another Windows 7 computer I will need to take ownership of the user folder before I can read or move files from the attached drive to the system drive I booted from.

Oddly I have a Windows 7 work-station in my shop that I can attach a system drive pulled from another computer and I can immediately open the User folder and see and open files and folders without having to ever take ownership of the folder on the attached D: drive.

Does anyone know how my magic Windows 7 computer is configured to allow me to see and move folders from another users hard drive without having to take ownership of files and folders?

Thanks -
Scott
0
Comment
Question by:scottjnorris
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 18

Expert Comment

by:web_tracker
ID: 39971040
Have you ever looked at that drive before, if you docked that particular drive in the past it is possible that you already gave the system rights to access the drive.
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39971049
Perhaps the drive is FAT instead of NTFS.  

If NTFS, perhaps there isn't a DACL.  If there is, then duplicate ACE SIDs exists.

If a Windows object does not have a discretionary access control list (DACL), the system allows everyone full access to it. If an object has a DACL, the system allows only the access that is explicitly allowed by the access control entries (ACEs) in the DACL. If there are no ACEs in the DACL, the system does not allow access to anyone. Similarly, if a DACL has ACEs that allow access to a limited set of users or groups, the system implicitly denies access to all trustees not included in the ACEs.

Ref: http://msdn.microsoft.com/en-us/library/windows/desktop/aa446597%28v=vs.85%29.aspx

If the discretionary access control list (DACL) that belongs to an object's security descriptor is set to NULL, a null DACL is created. A null DACL grants full access to any user that requests it; normal security checking is not performed with respect to the object. A null DACL should not be confused with an empty DACL. An empty DACL is a properly allocated and initialized DACL that contains no access control entries (ACEs). An empty DACL grants no access to the object it is assigned to.

The following are well-known SIDs:

SID: S-1-0
Name: Null Authority
Description: An identifier authority.

SID: S-1-1-0
Name: Everyone
Description: A group that includes all users, even anonymous users and guests.

Ref: http://support.microsoft.com/kb/243330

Verify by running cacls x:\path\
0
 

Author Comment

by:scottjnorris
ID: 39971237
"Have you ever looked at that drive before, if you docked that particular drive in the past it is possible that you already gave the system rights to access the drive."

No ... the funny thing is I can and have pulled drives from dozens of customers computers and docked them to this one Windows 7 machine and have always been able to have access to user files and folders without ever first taking ownership?

Scott
0
SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39973068
Run cacls x:\ on the drive letter of the mounted drive, any entries that resolve translate to well-known SIDs which exist between systems.
0
 

Author Comment

by:scottjnorris
ID: 39973190
" Run cacls x:\ on the drive letter of the mounted drive, any entries that resolve translate to well-known SIDs which exist between systems. "

I cacls x:\ on a docked drive that I can read without taking ownership.
Do these results mean anything?

C:\Users>cacls g:\
g:\ BUILTIN\Administrators:F
    BUILTIN\Administrators:(OI)(CI)(IO)F
    NT AUTHORITY\SYSTEM:F
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
    BUILTIN\Users:(OI)(CI)R
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C
    NT AUTHORITY\Authenticated Users:(special access:)
                                     FILE_APPEND_DATA

Scott
0
 
LVL 15

Accepted Solution

by:
Giovanni Heward earned 500 total points
ID: 39973654
Yes, since the user/group names resolve (meaning you're not seeing any orphaned security identifiers (e.g. Account Unknown (S-1-5-21-1796170229-294937551-3999959926-1026))), this means you have matching security identifiers on your own system.

In other words, Windows 7 views the group Users (S-1-5-32-545) as being present on your existing system, and therefore permits Read access.  This is because S-1-5-32-545 exists on both the customers system and your system.  It also resolves the Administrators group (S-1-5-32-544) and recognizes that identifier on your system, so you receive Full Control (if an Administrator.)  No need to have ownership of the objects, as you've already been granted permissions based on these well-known built-in SIDs.

SID: S-1-5-32-545
Name: Users
Description: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.

SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account.
0
 

Author Comment

by:scottjnorris
ID: 39976900
Giovanni -

I appreciate your expertise and thorough response to my question.  Unfortunately I probably do not have the necessary background to fully appreciate how this works.

What I really want to know practically speaking is ... How do I configure my other Windows 7 workstations to be able to see a docked system drive (pulled from any-other workstation) and have permission to open and read the documents folder or the pictures folder etc (without having to take ownership)?

Is there a set of step by step instructions that can guide me thru this task?

Scott
0

Featured Post

Ready to get started with anonymous questions?

It's easy! Check out this step-by-step guide for asking an anonymous question on Experts Exchange.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no back…
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question