Taking ownership of files on remote computer

Hello everyone!

I am running a network on two computers using Windows XP and basically
everything works fine. In order to be able to access my backup data on
computer B from computer A, I created a limited user account with identical
user names and passwords on both machines.

I set the permissions in such a way that I can theoretically take ownership
of files on computer B from computer A, but when I try to do so, I get the
following error message:

"This security ID may not be assigned as the owner of this object."

What can I do about it? I can take ownership on the remote computer when I
am logged in as administrator, but from my limited user account, it only
works if I log in locally on computer B. Does it have to do with the SID of
my limited user account not being identical on both machines?

I understand that SIDs may vary from one machine to the other, even if the
user name ist the same. For example, on my primary computer, the SID for my
account is

S-1-5-21-1547161642-2111687655-725345543-1003

while on my secondary computer, the SID is

S-1-5-21-1202660629-117609710-682003330-1005

As you can see, the SIDs differ greatly, so having identical SIDs on both
machines for my account is next to impossible. If taking over file ownership
requires identical SIDs, then it cannot be done. But I doubt that this is
the case, because taking over file ownership works when I am logged in as
administrator. And the administrator's SID on my primary computer is

S-1-5-21-1547161642-2111687655-725345543-500

while on my secondary computer it is

S-1-5-21-1202660629-117609710-682003330-500

If taking over file ownership required identical SIDs on both machines, then
it wouldn't work for the administrator either. But it does work for the
administrator, so it cannot have to do with the SIDs not being identical.

It must be some access rights problem, or maybe it has to do with some
strange policy setting. Otherwise, why should I not be able to take over
file ownership on a remote computer, while it does work locally?

--
Matthias Hofmann
Anvil-Soft, CEO
http://www.anvil-soft.com - The Creators of Toilet Tycoon
http://www.anvil-soft.de - Die Macher des Klomanagers

Matthias Hofmann <(E-Mail Removed)> wrote:
> Hello everyone!
>
> I am running a network on two computers using Windows XP and basically
> everything works fine. In order to be able to access my backup data on
> computer B from computer A, I created a limited user account with
> identical user names and passwords on both machines.
>
> I set the permissions in such a way that I can theoretically take
> ownership of files on computer B from computer A, but when I try to
> do so, I get the following error message:
>
> "This security ID may not be assigned as the owner of this object."
>
> What can I do about it? I can take ownership on the remote computer
> when I am logged in as administrator, but from my limited user
> account, it only works if I log in locally on computer B. Does it
> have to do with the SID of my limited user account not being
> identical on both machines?
> I understand that SIDs may vary from one machine to the other, even
> if the user name ist the same. For example, on my primary computer,
> the SID for my account is
>
> S-1-5-21-1547161642-2111687655-725345543-1003
>
> while on my secondary computer, the SID is
>
> S-1-5-21-1202660629-117609710-682003330-1005
>
> As you can see, the SIDs differ greatly, so having identical SIDs on
> both machines for my account is next to impossible. If taking over
> file ownership requires identical SIDs, then it cannot be done. But I
> doubt that this is the case, because taking over file ownership works
> when I am logged in as administrator. And the administrator's SID on
> my primary computer is
> S-1-5-21-1547161642-2111687655-725345543-500
>
> while on my secondary computer it is
>
> S-1-5-21-1202660629-117609710-682003330-500
>
> If taking over file ownership required identical SIDs on both
> machines, then it wouldn't work for the administrator either. But it
> does work for the administrator, so it cannot have to do with the
> SIDs not being identical.
> It must be some access rights problem, or maybe it has to do with some
> strange policy setting. Otherwise, why should I not be able to take
> over file ownership on a remote computer, while it does work locally?

Think about it - just because the user accounts and passwords match doesn't
mean they're the same account. You csn't take ownership of files on a remote
computer in a workgroup. Only in AD.

"Lanwench [MVP - Exchange]"
<(E-Mail Removed) hoo.com> schrieb im
Newsbeitrag news:(E-Mail Removed)...

> Think about it - just because the user accounts and passwords match
> doesn't mean they're the same account. You csn't take ownership of files
> on a remote computer in a workgroup. Only in AD.

So how come I can create files on the remote computer, with the owner being
set according to the account that you say cannot take ownership? And why
does it work for the administrator, who too only has a matching password,
but no identical accounts?

--
Matthias Hofmann
Anvil-Soft, CEO
http://www.anvil-soft.com - The Creators of Toilet Tycoon
http://www.anvil-soft.de - Die Macher des Klomanagers

"Matthias Hofmann" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "Lanwench [MVP - Exchange]"
> <(E-Mail Removed) hoo.com> schrieb im
> Newsbeitrag news:(E-Mail Removed)...
>
>> Think about it - just because the user accounts and passwords match
>> doesn't mean they're the same account. You csn't take ownership of files
>> on a remote computer in a workgroup. Only in AD.
>
> So how come I can create files on the remote computer, with the owner
> being set according to the account that you say cannot take ownership? And
> why does it work for the administrator, who too only has a matching
> password, but no identical accounts?
>

A limited admin account is just that, limited. The admin account, which
since it may match, may be assuming that it is the local account of the
remote machine. But I can't verify that because I don't exactly know how you
logged on, was it a mapped drive that you supplied alternate credentials, or
if it prompted you for credentials, the NTLM settings, etc. However one
thing I can see is that it may have assumed it is the local admin account of
the remote machine, but in most cases, it should have prompted you.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(E-Mail Removed)

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay

Matthias Hofmann <(E-Mail Removed)> wrote:
> "Lanwench [MVP - Exchange]"
> <(E-Mail Removed) hoo.com> schrieb im
> Newsbeitrag news:(E-Mail Removed)...
>
>> Think about it - just because the user accounts and passwords match
>> doesn't mean they're the same account. You csn't take ownership of
>> files on a remote computer in a workgroup. Only in AD.
>
> So how come I can create files on the remote computer, with the owner
> being set according to the account that you say cannot take
> ownership? And why does it work for the administrator, who too only
> has a matching password, but no identical accounts?

Can't help you out with that one. Passthrough is taking care of it somehow.
All I know is that a *local* account has *no* ability to do anything on
another computer.

"Ace Fekay [Microsoft Certified Trainer]" <(E-Mail Removed)>
schrieb im Newsbeitrag news:%(E-Mail Removed)...

> A limited admin account is just that, limited. The admin account, which
> since it may match, may be assuming that it is the local account of the
> remote machine. But I can't verify that because I don't exactly know how
> you logged on, was it a mapped drive that you supplied alternate
> credentials, or if it prompted you for credentials, the NTLM settings,
> etc. However one thing I can see is that it may have assumed it is the
> local admin account of the remote machine, but in most cases, it should
> have prompted you.

Well first of all, thanks to all of you for your help. I am not a networking
expert, so I am describing everything as precisely as I can:

I am running a home network with two computers with Windows XP Professional.
Both computers belong to the same workgroup, and except for the problem
described, the network runs just fine.

I am calling my primary computer, the one I am working at, "computer A". The
remote computer, where I am logging in and trying to take ownership of
files, is "computer B".

On computer A, I have one account for the administrator, and one limited
user account. I rarely use the admin account, and the limited account is my
personal account, so to speak.

On computer B, I got the same accounts as on computer A, which means that
user names and passwords are identical. The SIDs are different on both
machines, of course.

On computer B, I have two physical hard drives, master and slave. Windows
and all the program and user data is installed on the master drive, while
the slave is exclusively used for backups. The slave drive with the backup
data is shared, so I can access it from computer A. The access permissions
for the shared backup drive are set as follows:

Authenticated Users: Full Control (yes), Change (yes), Read (yes)
Guests: Full Control (no), Change (no), Read (yes)

On the file system level, the access rights for the backup data on computer
B are set in such a way that I can read, but not change them with my limited
user account. I achieved this by adding the limited user account to the
permissions for the backup data on computer B and giving myself the
following access rights:

Full Controll: no
Traverse Folder / Execute File: yes
List Folder / Read Data: yes
Read Attributes: yes
Read Extended Attributes: yes
Create Files / Write Data: no
Create Folders / Append Data: no
Write Attributes: no
Write Extended Attributes: no
Dekete Subfolders and Files: no
Delete: no
Read Permissions: yes
Change Permissions: no
Take Ownership: yes

Please note that beside my limited user account, the only other users or
groups that have access rights for the backup data on computer B are
"Administrators" and "SYSTEM". So when I log into computer B from computer A
with my limited user account, the fact that I can read the backup data
proves that the authentication worked and that I am practically logged in
more or less the same way as I would if I logged in locally.

The only difference seems to be that when I try to take owenership of a file
within the backup data, my user name is displayed as "COMPUTER_A\Username"
rather than "COMPUTER_B\Username" in the corresponding dialog. But when I
remotely log into computer B with my administrator account and create a file
within the backup data, the owner is set to "COMPUTER_B\Administrator",
although it was created by "COMPUTER_A\Administrator"!

And as I mentioned before, taking file ownership remotely also works fine
with my administrator account. So how come it does not work with my limited
user account?

--
Matthias Hofmann
Anvil-Soft, CEO
http://www.anvil-soft.com - The Creators of Toilet Tycoon
http://www.anvil-soft.de - Die Macher des Klomanagers

"Matthias Hofmann" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "Ace Fekay [Microsoft Certified Trainer]" <(E-Mail Removed)>
> schrieb im Newsbeitrag news:%(E-Mail Removed)...
>
>> A limited admin account is just that, limited. The admin account, which
>> since it may match, may be assuming that it is the local account of the
>> remote machine. But I can't verify that because I don't exactly know how
>> you logged on, was it a mapped drive that you supplied alternate
>> credentials, or if it prompted you for credentials, the NTLM settings,
>> etc. However one thing I can see is that it may have assumed it is the
>> local admin account of the remote machine, but in most cases, it should
>> have prompted you.
>
> Well first of all, thanks to all of you for your help. I am not a
> networking expert, so I am describing everything as precisely as I can:
>
> I am running a home network with two computers with Windows XP
> Professional. Both computers belong to the same workgroup, and except for
> the problem described, the network runs just fine.
>
> I am calling my primary computer, the one I am working at, "computer A".
> The remote computer, where I am logging in and trying to take ownership of
> files, is "computer B".
>
> On computer A, I have one account for the administrator, and one limited
> user account. I rarely use the admin account, and the limited account is
> my personal account, so to speak.
>
> On computer B, I got the same accounts as on computer A, which means that
> user names and passwords are identical. The SIDs are different on both
> machines, of course.
>
> On computer B, I have two physical hard drives, master and slave. Windows
> and all the program and user data is installed on the master drive, while
> the slave is exclusively used for backups. The slave drive with the backup
> data is shared, so I can access it from computer A. The access permissions
> for the shared backup drive are set as follows:
>
> Authenticated Users: Full Control (yes), Change (yes), Read (yes)
> Guests: Full Control (no), Change (no), Read (yes)
>
> On the file system level, the access rights for the backup data on
> computer B are set in such a way that I can read, but not change them with
> my limited user account. I achieved this by adding the limited user
> account to the permissions for the backup data on computer B and giving
> myself the following access rights:
>
> Full Controll: no
> Traverse Folder / Execute File: yes
> List Folder / Read Data: yes
> Read Attributes: yes
> Read Extended Attributes: yes
> Create Files / Write Data: no
> Create Folders / Append Data: no
> Write Attributes: no
> Write Extended Attributes: no
> Dekete Subfolders and Files: no
> Delete: no
> Read Permissions: yes
> Change Permissions: no
> Take Ownership: yes
>
> Please note that beside my limited user account, the only other users or
> groups that have access rights for the backup data on computer B are
> "Administrators" and "SYSTEM". So when I log into computer B from computer
> A with my limited user account, the fact that I can read the backup data
> proves that the authentication worked and that I am practically logged in
> more or less the same way as I would if I logged in locally.
>
> The only difference seems to be that when I try to take owenership of a
> file within the backup data, my user name is displayed as
> "COMPUTER_A\Username" rather than "COMPUTER_B\Username" in the
> corresponding dialog. But when I remotely log into computer B with my
> administrator account and create a file within the backup data, the owner
> is set to "COMPUTER_B\Administrator", although it was created by
> "COMPUTER_A\Administrator"!
>
> And as I mentioned before, taking file ownership remotely also works fine
> with my administrator account. So how come it does not work with my
> limited user account?
>
> --
> Matthias Hofmann
> Anvil-Soft, CEO
> http://www.anvil-soft.com - The Creators of Toilet Tycoon
> http://www.anvil-soft.de - Die Macher des Klomanagers
>
>

I'm nost sure why it is acting differently, but what I can say and know from
experience that the administrator account will work that way but not
non-admin accounts. I used to know of an article explaining the way accounts
are enumerated when connecting over a network and explains the difference in
regards to how the local SAM accounts are enumerated (it's a Rights setting
in Local Policy) that works when the machine is set to Simple Sharing mode
instead of the default Guest mode. If I find it, I'll post it, unless
someone else does before me.

Ace