I have a typical "Account Unknown" on many files from old/other Windows installations and there are a ton of typical answers everywhere.
However, I'm not looking for the typical takeown, subinacl, xcacls or GUI solutions.
I'd like to change those unknown SIDs to known local SID but maintain permission types and inheritance.
So far the only thing close to what I'm looking for is the PowerShell script at http://poshcode.org/2081, which allows deleting unknown SIDs in network shares. It contains basic logic for finding unknown SIDs, but I have yet to find a way to replace the SID in a FileSystemAccessRule object, and I'm not that fluent in PowerShell or .NET.
If I'm not wrong, this article on MS TechNet is suggesting constructing a FileSystemAccessRule, and that can be accomplished.
Does anyone know if there is a better solution to this?
Maybe there is an application, command line tool or cmdlet for this job?
Answer
In PowerShell, using Get-Acl and Set-Acl, you can modify the ACL by manipulating the SDDL string.
First get the ACL object.
$acl = Get-Acl -Path C:\YourFile.txt
Now get the SDDL string:
$sddl = $acl.sddl
Now you can replace the SID in the string with what you want. This uses a regular expression to update partial matches.
$sddl2 = $sddl -replace "S-1-5-21-[0-9-]+", "ExistingSIDHere"
Then update the ACL object:
$acl.SetSecurityDescriptorSddlForm($sddl2)
Then set the object's ACL:
Set-Acl -AclObject $acl -Path C:\YourFile.txt
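The SDDL approach above rewrites every S-1-5-21 SID in the descriptor, resolvable or not, because the regular expression cannot tell an unknown account from a known one. The script below is an added example, not code from the question or the answer: it walks the explicit ACEs from Get-Acl, asks Windows to resolve each identity, and rebuilds only the unresolvable ones with the replacement SID while copying the rights, allow/deny type and inheritance flags from the original entry, which is what the question asked for. The script name, the -Path and -NewSid parameters and the SID in the usage comment are assumptions made for this example.

```powershell
# Added example, not code from the original question or answer.
# Replaces only SIDs that no longer resolve to an account, keeping each ACE's
# rights, allow/deny type and inheritance flags. $Path and $NewSid are supplied
# by the caller; the script name and the SID below are placeholders.
#
# Usage: .\Replace-UnknownSid.ps1 -Path C:\YourFile.txt -NewSid S-1-5-21-XXX-1001 -WhatIf
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $Path,
    [Parameter(Mandatory)] [string] $NewSid
)

# Abort before Set-Acl on any failure so the ACL is rewritten all-or-nothing.
$ErrorActionPreference = 'Stop'

$target  = New-Object System.Security.Principal.SecurityIdentifier($NewSid)
$acl     = Get-Acl -Path $Path
$changed = $false

# $acl.Access is a snapshot collection; removing and adding rules on $acl
# while looping over it is safe.
foreach ($ace in $acl.Access) {
    # Inherited ACEs belong to the parent object; fix them there instead.
    if ($ace.IsInherited) { continue }

    # Get-Acl yields an NTAccount for resolvable identities and a raw
    # SecurityIdentifier (S-1-5-21-...) for "Account Unknown" entries.
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    $resolvable = $true
    try {
        $null = $sid.Translate([System.Security.Principal.NTAccount])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $resolvable = $false
    }
    if ($resolvable) { continue }   # known account: leave this ACE alone

    # Rebuild the rule with a new identity and every other property unchanged.
    $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $target,
        $ace.FileSystemRights,
        $ace.InheritanceFlags,
        $ace.PropagationFlags,
        $ace.AccessControlType)

    $what = "replace $($sid.Value) with $NewSid ($($ace.AccessControlType) $($ace.FileSystemRights))"
    if ($PSCmdlet.ShouldProcess($Path, $what)) {
        $null = $acl.RemoveAccessRule($ace)
        $acl.AddAccessRule($newRule)
        $changed = $true
    }
}

if ($changed) {
    Set-Acl -Path $Path -AclObject $acl
}
```

Run it with -WhatIf first to see which entries would change; SupportsShouldProcess gives the script -WhatIf and -Confirm for free. Only IdentityNotMappedException is treated as "unknown": a lookup that fails for another reason (for example a domain that is temporarily unreachable) stops the script rather than silently replacing a SID that may still be valid. Because $ErrorActionPreference is Stop, any error while rebuilding a rule, such as an ACE carrying generic-rights bits that the FileSystemAccessRule constructor rejects, aborts before Set-Acl is reached and leaves the file's ACL untouched. Run the script against the top of a directory tree and the rebuilt entries propagate to children through the inheritance flags that were preserved.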