Taking ownership of files on remote computer

I am running a network on two computers using Windows XP and basically everything works fine. In order to be able to access my backup data on computer B from computer A, I created a limited user account with identical user names and passwords on both machines.

I set the permissions in such a way that I can theoretically take ownership of files on computer B from computer A, but when I try to do so, I get the following error message:

"This security ID may not be assigned as the owner of this object."

What can I do about it? I can take ownership on the remote computer when I am logged in as administrator, but from my limited user account, it only works if I log in locally on computer B. Does it have to do with the SID of my limited user account not being identical on both machines?

I understand that SIDs may vary from one machine to the other, even if the user name is the same. For example, on my primary computer, the SID for my account is

S-1-5-21-1547161642-2111687655-725345543-1003

while on my secondary computer, the SID is

S-1-5-21-1202660629-117609710-682003330-1005

As you can see, the SIDs differ greatly, so having identical SIDs on both machines for my account is next to impossible. If taking over file ownership requires identical SIDs, then it cannot be done. But I doubt that this is the case, because taking over file ownership works when I am logged in as administrator. And the administrator's SID on my primary computer is

S-1-5-21-1547161642-2111687655-725345543-500

while on my secondary computer it is

S-1-5-21-1202660629-117609710-682003330-500

If taking over file ownership required identical SIDs on both machines, then it wouldn't work for the administrator either. But it does work for the administrator, so it cannot have to do with the SIDs not being identical.

It must be some access rights problem, or maybe it has to do with some strange policy setting. Otherwise, why should I not be able to take over file ownership on a remote computer, while it does work locally?

--
Matthias Hofmann
Anvil-Soft, CEO
http://www.anvil-soft.com - The Creators of Toilet Tycoon
http://www.anvil-soft.de - The Makers of Klomanager

Matthias Hofmann <hofm***@anvil-soft.com> wrote:
> Hello everyone!
>
> I am running a network on two computers using Windows XP and basically
> everything works fine. In order to be able to access my backup data on
> computer B from computer A, I created a limited user account with
> identical user names and passwords on both machines.
>
> I set the permissions in such a way that I can theoretically take
> ownership of files on computer B from computer A, but when I try to
> do so, I get the following error message:
>
> "This security ID may not be assigned as the owner of this object."
>
> What can I do about it? I can take ownership on the remote computer
> when I am logged in as administrator, but from my limited user
> account, it only works if I log in locally on computer B. Does it
> have to do with the SID of my limited user account not being
> identical on both machines?
>
> I understand that SIDs may vary from one machine to the other, even
> if the user name is the same. For example, on my primary computer,
> the SID for my account is
>
> S-1-5-21-1547161642-2111687655-725345543-1003
>
> while on my secondary computer, the SID is
>
> S-1-5-21-1202660629-117609710-682003330-1005
>
> As you can see, the SIDs differ greatly, so having identical SIDs on
> both machines for my account is next to impossible. If taking over
> file ownership requires identical SIDs, then it cannot be done. But I
> doubt that this is the case, because taking over file ownership works
> when I am logged in as administrator. And the administrator's SID on
> my primary computer is
>
> S-1-5-21-1547161642-2111687655-725345543-500
>
> while on my secondary computer it is
>
> S-1-5-21-1202660629-117609710-682003330-500
>
> If taking over file ownership required identical SIDs on both
> machines, then it wouldn't work for the administrator either. But it
> does work for the administrator, so it cannot have to do with the
> SIDs not being identical.
>
> It must be some access rights problem, or maybe it has to do with some
> strange policy setting. Otherwise, why should I not be able to take
> over file ownership on a remote computer, while it does work locally?

Think about it - just because the user accounts and passwords match doesn't mean they're the same account. You can't take ownership of files on a remote computer in a workgroup. Only in AD.

"Lanwench [MVP - Exchange]" <lanwe***@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message news:OJBIHLe5JHA.1196@TK2MSFTNGP03.phx.gbl...
> Think about it - just because the user accounts and passwords match
> doesn't mean they're the same account. You can't take ownership of files
> on a remote computer in a workgroup. Only in AD.

So how come I can create files on the remote computer, with the owner being set according to the account that you say cannot take ownership? And why does it work for the administrator, who too only has a matching password, but no identical accounts?

--
Matthias Hofmann
Anvil-Soft, CEO
http://www.anvil-soft.com - The Creators of Toilet Tycoon
http://www.anvil-soft.de - The Makers of Klomanager
"Matthias Hofmann" <hofm***@anvil-soft.com> wrote in message news:795751F1oe99oU1@mid.individual.net...
> "Lanwench [MVP - Exchange]"
> <lanwe***@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
> message news:OJBIHLe5JHA.1196@TK2MSFTNGP03.phx.gbl...
>
>> Think about it - just because the user accounts and passwords match
>> doesn't mean they're the same account. You can't take ownership of files
>> on a remote computer in a workgroup. Only in AD.
>
> So how come I can create files on the remote computer, with the owner
> being set according to the account that you say cannot take ownership? And
> why does it work for the administrator, who too only has a matching
> password, but no identical accounts?

A limited admin account is just that, limited. The admin account, which since it may match, may be assuming that it is the local account of the remote machine. But I can't verify that because I don't exactly know how you logged on, was it a mapped drive that you supplied alternate credentials, or if it prompted you for credentials, the NTLM settings, etc. However one thing I can see is that it may have assumed it is the local admin account of the remote machine, but in most cases, it should have prompted you.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay

"Ace Fekay [Microsoft Certified Trainer]" <ace***@mvps.RemoveThisPart.org> wrote in message news:%23WhbSBH6JHA.1424@TK2MSFTNGP02.phx.gbl...
> A limited admin account is just that, limited. The admin account, which
> since it may match, may be assuming that it is the local account of the
> remote machine. But I can't verify that because I don't exactly know how
> you logged on, was it a mapped drive that you supplied alternate
> credentials, or if it prompted you for credentials, the NTLM settings,
> etc. However one thing I can see is that it may have assumed it is the
> local admin account of the remote machine, but in most cases, it should
> have prompted you.

Well first of all, thanks to all of you for your help. I am not a networking expert, so I am describing everything as precisely as I can:

I am running a home network with two computers with Windows XP Professional. Both computers belong to the same workgroup, and except for the problem described, the network runs just fine.

I am calling my primary computer, the one I am working at, "computer A". The remote computer, where I am logging in and trying to take ownership of files, is "computer B".

On computer A, I have one account for the administrator, and one limited user account. I rarely use the admin account, and the limited account is my personal account, so to speak.

On computer B, I got the same accounts as on computer A, which means that user names and passwords are identical. The SIDs are different on both machines, of course.

On computer B, I have two physical hard drives, master and slave. Windows and all the program and user data is installed on the master drive, while the slave is exclusively used for backups. The slave drive with the backup data is shared, so I can access it from computer A. The access permissions for the shared backup drive are set as follows:

Authenticated Users: Full Control (yes), Change (yes), Read (yes)
Guests: Full Control (no), Change (no), Read (yes)

On the file system level, the access rights for the backup data on computer B are set in such a way that I can read, but not change them with my limited user account. I achieved this by adding the limited user account to the permissions for the backup data on computer B and giving myself the following access rights:

Full Control: no
Traverse Folder / Execute File: yes
List Folder / Read Data: yes
Read Attributes: yes
Read Extended Attributes: yes
Create Files / Write Data: no
Create Folders / Append Data: no
Write Attributes: no
Write Extended Attributes: no
Delete Subfolders and Files: no
Delete: no
Read Permissions: yes
Change Permissions: no
Take Ownership: yes

Please note that beside my limited user account, the only other users or groups that have access rights for the backup data on computer B are "Administrators" and "SYSTEM". So when I log into computer B from computer A with my limited user account, the fact that I can read the backup data proves that the authentication worked and that I am practically logged in more or less the same way as I would if I logged in locally.

The only difference seems to be that when I try to take ownership of a file within the backup data, my user name is displayed as "COMPUTER_A\Username" rather than "COMPUTER_B\Username" in the corresponding dialog. But when I remotely log into computer B with my administrator account and create a file within the backup data, the owner is set to "COMPUTER_B\Administrator", although it was created by "COMPUTER_A\Administrator"!

And as I mentioned before, taking file ownership remotely also works fine with my administrator account. So how come it does not work with my limited user account?

--
Matthias Hofmann
Anvil-Soft, CEO
http://www.anvil-soft.com - The Creators of Toilet Tycoon
http://www.anvil-soft.de - The Makers of Klomanager
"Matthias Hofmann" <hofm***@anvil-soft.com> wrote in message news:7977hjF1pqji7U1@mid.individual.net...
> "Ace Fekay [Microsoft Certified Trainer]" <ace***@mvps.RemoveThisPart.org>
> wrote in message news:%23WhbSBH6JHA.1424@TK2MSFTNGP02.phx.gbl...
>
>> A limited admin account is just that, limited. The admin account, which
>> since it may match, may be assuming that it is the local account of the
>> remote machine. But I can't verify that because I don't exactly know how
>> you logged on, was it a mapped drive that you supplied alternate
>> credentials, or if it prompted you for credentials, the NTLM settings,
>> etc. However one thing I can see is that it may have assumed it is the
>> local admin account of the remote machine, but in most cases, it should
>> have prompted you.
>
> Well first of all, thanks to all of you for your help. I am not a
> networking expert, so I am describing everything as precisely as I can:
>
> I am running a home network with two computers with Windows XP
> Professional. Both computers belong to the same workgroup, and except for
> the problem described, the network runs just fine.
>
> I am calling my primary computer, the one I am working at, "computer A".
> The remote computer, where I am logging in and trying to take ownership of
> files, is "computer B".
>
> On computer A, I have one account for the administrator, and one limited
> user account. I rarely use the admin account, and the limited account is
> my personal account, so to speak.
>
> On computer B, I got the same accounts as on computer A, which means that
> user names and passwords are identical. The SIDs are different on both
> machines, of course.
>
> On computer B, I have two physical hard drives, master and slave. Windows
> and all the program and user data is installed on the master drive, while
> the slave is exclusively used for backups. The slave drive with the backup
> data is shared, so I can access it from computer A. The access permissions
> for the shared backup drive are set as follows:
>
> Authenticated Users: Full Control (yes), Change (yes), Read (yes)
> Guests: Full Control (no), Change (no), Read (yes)
>
> On the file system level, the access rights for the backup data on
> computer B are set in such a way that I can read, but not change them with
> my limited user account. I achieved this by adding the limited user
> account to the permissions for the backup data on computer B and giving
> myself the following access rights:
>
> Full Control: no
> Traverse Folder / Execute File: yes
> List Folder / Read Data: yes
> Read Attributes: yes
> Read Extended Attributes: yes
> Create Files / Write Data: no
> Create Folders / Append Data: no
> Write Attributes: no
> Write Extended Attributes: no
> Delete Subfolders and Files: no
> Delete: no
> Read Permissions: yes
> Change Permissions: no
> Take Ownership: yes
>
> Please note that beside my limited user account, the only other users or
> groups that have access rights for the backup data on computer B are
> "Administrators" and "SYSTEM". So when I log into computer B from computer
> A with my limited user account, the fact that I can read the backup data
> proves that the authentication worked and that I am practically logged in
> more or less the same way as I would if I logged in locally.
>
> The only difference seems to be that when I try to take ownership of a
> file within the backup data, my user name is displayed as
> "COMPUTER_A\Username" rather than "COMPUTER_B\Username" in the
> corresponding dialog. But when I remotely log into computer B with my
> administrator account and create a file within the backup data, the owner
> is set to "COMPUTER_B\Administrator", although it was created by
> "COMPUTER_A\Administrator"!
>
> And as I mentioned before, taking file ownership remotely also works fine
> with my administrator account. So how come it does not work with my
> limited user account?
>
> --
> Matthias Hofmann
> Anvil-Soft, CEO
> http://www.anvil-soft.com - The Creators of Toilet Tycoon
> http://www.anvil-soft.de - The Makers of Klomanager

I'm not sure why it is acting differently, but what I can say and know from experience is that the administrator account will work that way but not non-admin accounts. I used to know of an article explaining the way accounts are enumerated when connecting over a network and explains the difference in regards to how the local SAM accounts are enumerated (it's a Rights setting in Local Policy) that works when the machine is set to Simple Sharing mode instead of the default Guest mode. If I find it, I'll post it, unless someone else does before me.

Ace

Matthias Hofmann <hofm***@anvil-soft.com> wrote:
> "Lanwench [MVP - Exchange]"
> <lanwe***@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
> message news:OJBIHLe5JHA.1196@TK2MSFTNGP03.phx.gbl...
>
>> Think about it - just because the user accounts and passwords match
>> doesn't mean they're the same account. You can't take ownership of
>> files on a remote computer in a workgroup. Only in AD.
>
> So how come I can create files on the remote computer, with the owner
> being set according to the account that you say cannot take
> ownership? And why does it work for the administrator, who too only
> has a matching password, but no identical accounts?

Can't help you out with that one. Passthrough is taking care of it somehow. All I know is that a *local* account has *no* ability to do anything on another computer.
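
The error message quoted in the thread corresponds to a documented Windows rule about which SIDs a caller may set as owner, and the sketch below models that rule using the SIDs from the thread; it is an added example, not code from any poster. The `Token` class, the contents of the two tokens on computer B, and the mapping of a matching-credential network logon to B's local account are assumptions made for illustration.

```python
from dataclasses import dataclass, field

def split_sid(sid):
    """Split an account SID string into (issuing machine/domain SID, RID)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4 or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID string: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])

@dataclass
class Token:
    """Constructed stand-in for the access token computer B builds at logon."""
    user: str
    owner_groups: set = field(default_factory=set)  # groups flagged SE_GROUP_OWNER
    restore_privilege: bool = False                  # SeRestorePrivilege enabled

def may_assign_owner(token, new_owner):
    """Owner rule: the new owner must be the token's user SID or an
    owner-capable group in the token, unless SeRestorePrivilege is enabled.
    WRITE_OWNER ("Take Ownership") on the file is assumed to be granted."""
    return (token.restore_privilege
            or new_owner == token.user
            or new_owner in token.owner_groups)

# SIDs quoted in the thread
A_USER = "S-1-5-21-1547161642-2111687655-725345543-1003"
B_USER = "S-1-5-21-1202660629-117609710-682003330-1005"
A_ADMIN = "S-1-5-21-1547161642-2111687655-725345543-500"
B_ADMIN = "S-1-5-21-1202660629-117609710-682003330-500"
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # well-known SID, same on every machine

# Assumption: a network logon with matching name and password is mapped to
# computer B's own local account, so B's SIDs are what the token carries.
limited_on_b = Token(user=B_USER)
admin_on_b = Token(user=B_ADMIN, owner_groups={BUILTIN_ADMINISTRATORS})

def evaluate():
    """Return the model's verdict for each owner a user might pick."""
    return {
        "limited, owner=COMPUTER_A account": may_assign_owner(limited_on_b, A_USER),
        "limited, owner=COMPUTER_B account": may_assign_owner(limited_on_b, B_USER),
        "admin, owner=Administrators group": may_assign_owner(admin_on_b, BUILTIN_ADMINISTRATORS),
    }

if __name__ == "__main__":
    for sid in (A_ADMIN, B_ADMIN):
        print(split_sid(sid))  # same RID 500, different machine identifier
    for case, allowed in evaluate().items():
        print(case, "->", "allowed" if allowed else "rejected")
```

In this model the SID behind "COMPUTER_A\Username" is rejected because it is neither the user nor an owner-capable group in the token built on computer B, while the well-known Administrators group SID is identical on both machines and is accepted.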