# Taking ownership of files on remote computer



## Eisenbart (Nov 13, 2004)

Hello everyone!

I am running a network on two computers using Windows XP and basically everything works fine. In order to be able to access my backup data on computer B from computer A, I created a limited user account with identical user names and passwords on both machines.

I set the permissions in such a way that I can theoretically take ownership of files on computer B from computer A, but when I try to do so, I get the following error message:

"This security ID may not be assigned as the owner of this object."

What can I do about it? I can take ownership on the remote computer when I am logged in as administrator, but from my limited user account, it only works if I log in locally on computer B. Does it have to do with the SID of my limited user account not being identical on both machines?

Best regards,

Matthias


----------



## johnwill (Sep 26, 2002)

You can't change file permissions with a limited account.


----------



## grue155 (May 29, 2008)

On an XP Pro box, a limited account can change permissions of a file that is owned by that limited account user. Just tried that on a file, and it took that change.

However, SIDs are another matter entirely. The SID is the numeric equivalent of the user name (the S-1-stuff-morestuff-yetmorestuff). SIDs are generated by the operating system and are intended to be universally unique. Deleting a user, and then recreating the account with the same user name will produce a different SID, and the recreated account is not able to access the old account. Only in a domain login can you guarantee the same SID across machines, as there is only one SID in the domain and the login authenticates the SID.

In short, in a workgroup environment, you can't get there from here.


----------



## Eisenbart (Nov 13, 2004)

I understand that SIDs may vary from one machine to the other, even if the user name is the same. For example, on my primary computer, the SID for my account is

*S-1-5-21-1547161642-2111687655-725345543-1003*

while on my secondary computer, the SID is

*S-1-5-21-1202660629-117609710-682003330-1005*

As you can see, the SIDs differ greatly, so having identical SIDs on both machines for my account is next to impossible. If taking over file ownership requires identical SIDs, then it cannot be done. But I doubt that this is the case, because taking over file ownership works when I am logged in as administrator. And the administrator's SID on my primary computer is

*S-1-5-21-1547161642-2111687655-725345543-500*

while on my secondary computer it is

*S-1-5-21-1202660629-117609710-682003330-500*

If taking over file ownership required identical SIDs on both machines, then it wouldn't work for the administrator either. But it does work for the administrator, so it cannot have to do with the SIDs not being identical.

It must be some access rights problem, or maybe it has to do with some strange policy setting. Otherwise, why should I not be able to take over file ownership on a remote computer, while it does work locally?


----------
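
The SID comparison from the post above, as an added example that is not part of the original thread: it splits the four quoted SIDs into the issuing machine's identifier and the relative ID (RID). It goes one step beyond the post by also decoding the well-known alias `S-1-5-32-544` (BUILTIN\Administrators), whose SID is identical on every Windows machine. The class and function names are hypothetical.

```python
import struct
from dataclasses import dataclass

# Well-known values documented by Microsoft; other sub-authorities are issuer-specific.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
BUILTIN_ALIASES = {544: "BUILTIN\\Administrators", 545: "BUILTIN\\Users"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauths: tuple

    @classmethod
    def parse(cls, text):
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID: {text!r}")
        revision, authority, *subs = (int(p) for p in parts[1:])
        if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
            raise ValueError(f"malformed SID header: {text!r}")
        if any(not 0 <= s < 2**32 for s in subs):
            raise ValueError(f"sub-authority out of range: {text!r}")
        return cls(revision, authority, tuple(subs))

    @property
    def issuer(self):
        """Machine/domain identifier of an S-1-5-21-x-y-z-RID account SID, else None."""
        if self.authority == 5 and len(self.subauths) == 5 and self.subauths[0] == 21:
            return self.subauths[1:4]
        return None

    @property
    def rid(self):
        return self.subauths[-1] if self.subauths else None

    def to_bytes(self):
        """Binary form stored in security descriptors: revision, count,
        6-byte big-endian authority, little-endian 32-bit sub-authorities."""
        head = struct.pack("<BB", self.revision, len(self.subauths))
        body = b"".join(struct.pack("<I", s) for s in self.subauths)
        return head + self.authority.to_bytes(6, "big") + body

    def describe(self):
        if self.authority == 5 and len(self.subauths) == 2 and self.subauths[0] == 32:
            name = BUILTIN_ALIASES.get(self.rid, "BUILTIN alias")
            return f"{name} (same SID on every machine)"
        if self.issuer:
            role = WELL_KNOWN_RIDS.get(self.rid, "ordinary account")
            issuer = "-".join(map(str, self.issuer))
            return f"{role}, RID {self.rid}, issued by {issuer}"
        return "other SID"


def compare(a, b):
    """Two SIDs name the same principal only if every component matches."""
    a, b = Sid.parse(a), Sid.parse(b)
    return {
        "same_issuer": a.issuer is not None and a.issuer == b.issuer,
        "same_rid": a.rid == b.rid,
        "equal": a == b,
    }


# SIDs quoted in the post above.
PRIMARY_USER = "S-1-5-21-1547161642-2111687655-725345543-1003"
SECONDARY_USER = "S-1-5-21-1202660629-117609710-682003330-1005"
PRIMARY_ADMIN = "S-1-5-21-1547161642-2111687655-725345543-500"
SECONDARY_ADMIN = "S-1-5-21-1202660629-117609710-682003330-500"

if __name__ == "__main__":
    for sid in (PRIMARY_USER, SECONDARY_USER, PRIMARY_ADMIN, SECONDARY_ADMIN, "S-1-5-32-544"):
        print(sid, "->", Sid.parse(sid).describe())
    print("users :", compare(PRIMARY_USER, SECONDARY_USER))
    print("admins:", compare(PRIMARY_ADMIN, SECONDARY_ADMIN))
```
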



## grue155 (May 29, 2008)

Someone who knows more than me had to walk me thru this. I'm translating my understanding back into this posting, so I may not quite have it right. :wink:

What you're describing is an authenticated logon. In the general case, it goes like this:

A user on machine A (userA), logs into machine B as userB. UserB owns and can manipulate files. UserA is impersonating userB thru the login, but userA does not own the files. They're owned by userB.

In this instance, that userA is an administrator provides a different level of authentication for impersonating userB, who also happens to be an administrator. But it is still an impersonation. The files are still owned by userB, and not by userA.

As it was explained to me.


----------



## Eisenbart (Nov 13, 2004)

I see, thank you for that information! :smile: So the files on machine B are owned by userB, and if he and userA happen to be administrators, userA can transfer file ownership to userB, who he is impersonating.

But what is the difference between an authenticated logon through a limited user account and an authenticated logon through an administrator's account? How can I make the taking over of file ownership work not only for administrators, but also for limited user accounts? After all, userA is impersonating userB, and userB does have the rights to take over file ownership!


----------



## grue155 (May 29, 2008)

> How can I make the taking over of file ownership work not only for administrators, but also for limited user accounts?


This is in the settings that I know as permissions, and I think Microsoft calls "access rights". Right-click on a file or folder, select properties, the security tab, then the Advanced button. You'll get a list of user accounts and groups. Click on one to highlight it, and edit, and you'll get a list of things that can be allowed. As seen in the attached, "take ownership" is one of the settings. If you want a user to take ownership, then the permissions settings need to allow that user to take ownership.


----------



## Eisenbart (Nov 13, 2004)

Thank you, but I already know these permissions, and I have already set them accordingly. That's just the problem, everything is set the way it should, but it still does not work!


----------



## grue155 (May 29, 2008)

Hmm... Should be a two step process. First the admin grants the chosen user (userB, in the posting so far) or a group the permission to take ownership. Then, second, that user or group member has to go and explicitly take ownership.

And your second step isn't working. The thing to check next is the effective permissions. To check a file or folder, get down to the permissions list, then click the effective permissions tab, and put in userB and see what comes back. If the "take ownership" isn't checked, it won't work. Alternatively, click the Owner tab, and see if userB is listed as one of the alternatives, while logged in as userB.

If the "take ownership" isn't checked in the effective permissions, then it's something that either needs to be set explicitly for that file or folder, or it's something that is inherited from a parent folder and needs to be overridden with an explicit setting.

At worst, just to check how things are working, create a test file as an admin, and then set the permissions for userB to have "full control". If that doesn't work, then something is off somewhere, and it's going to be time to walk thru some screenshots of the test file permissions, or xcacls output.


----------



## Eisenbart (Nov 13, 2004)

That effective permissions thing is an interesting idea... I just logged into my secondary computer locally and checked the effective permissions for my limited user account. The result was just as expected, my limited user account does have the "Take Ownership" access right.

Then I remotely logged into my secondary computer to do the same check. I clicked the effective permissions tab, clicked on "Choose" to select a user or group, followed by "Extended" and finally "Search now". Then I was prompted to enter the user name and password of an account on the remote computer, and when I did so, Windows kept searching and searching without ever coming to an end. (I closed the dialog after a while).

Now what does this tell us?


----------



## grue155 (May 29, 2008)

In a workgroup environment, remote logins have to authenticate against local users and passwords. Which should happen in an eyeblink. What you've described sounds like it's trying to do a network authentication, which is a domain logon. Without a domain, that will have to go thru a very long timeout (something like 20+ minutes, I think).

One way to check that is to run a network monitor like Wireshark (wireshark.org) on the machine that you are trying to log into, to see if it is trying to do a network authentication.


----------



## Eisenbart (Nov 13, 2004)

Ok, I just installed and ran Wireshark, but as my understanding about networking is rather limited, I can only post an extract of the log file it created:



> No. Time Source Destination Protocol Info
> 61 14.021737 192.168.0.2 192.168.0.1 TCP activesync > icslap [ACK] Seq=11101 Ack=17611 Win=64361 Len=0
> 62 15.046133 192.168.0.2 192.168.0.1 TCP activesync > icslap [PSH, ACK] Seq=11101 Ack=17611 Win=64361 Len=740
> 63 15.047267 192.168.0.1 192.168.0.2 TCP icslap > activesync [PSH, ACK] Seq=17611 Ack=11841 Win=65535 Len=204
> ...


Does this information tell us whether it's trying to do a network authentication, and if so, what to do next?


----------



## grue155 (May 29, 2008)

Thank you. Taking that extract, and putting it into a wide screen so the lines are more readable, fairly early on there is this sequence:


```
220 46.034241 192.168.0.1 192.168.0.2 SMB Tree Connect AndX Request, Path: \\HAMMER\IPC$
223 46.036847 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x8001, Path: \srvsvc
224 46.036896 192.168.0.1 192.168.0.2 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
227 46.039109 192.168.0.2 192.168.0.1 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
228 46.040155 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
229 46.040221 192.168.0.1 192.168.0.2 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: \
237 46.042167 192.168.0.1 192.168.0.2 SMB Tree Connect AndX Request, Path: \\HAMMER\IPC
```
The NTLM negotiate and challenge are, as I recall, the authentication sequence. What shows up as the user, a couple of lines further down, is a question. "User: \"?? The details could be hidden in the packet contents, or, it could be a Guest userid login. A Guest login has very very limited abilities.

The remainder of the extract looks to be some kind of tree walk or file enumeration thru a backup directory.

In Wireshark, you would need to View -> Packet Details to get a look at the NTLM packets and what the contents are to see what kind of authentication is taking place, and for what user.


----------
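
One way to automate the check described in the post above, as an added example that is not part of the original thread: it reads Wireshark summary lines, reconstructs the NTLM handshake per client/server pair, and flags `NTLMSSP_AUTH` frames whose user field is empty. Frames 220 to 237 are the lines quoted in the post; frame 300 (client 192.168.0.3, user `HAMMER\backupuser`) is constructed for contrast, and the function names are hypothetical.

```python
import re

# Frames 220-237 are copied from the post; frame 300 is a constructed sample.
CAPTURE = r"""
220 46.034241 192.168.0.1 192.168.0.2 SMB Tree Connect AndX Request, Path: \\HAMMER\IPC$
223 46.036847 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x8001, Path: \srvsvc
224 46.036896 192.168.0.1 192.168.0.2 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
227 46.039109 192.168.0.2 192.168.0.1 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
228 46.040155 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
229 46.040221 192.168.0.1 192.168.0.2 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: \
237 46.042167 192.168.0.1 192.168.0.2 SMB Tree Connect AndX Request, Path: \\HAMMER\IPC
300 52.000000 192.168.0.3 192.168.0.2 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: HAMMER\backupuser
"""

# Columns: frame number, time, source, destination, protocol, info.
LINE = re.compile(r"^\s*(\d+)\s+[\d.]+\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_summary(text):
    """Turn Wireshark summary lines into (frame, src, dst, protocol, info) tuples."""
    frames = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            no, src, dst, proto, info = m.groups()
            frames.append((int(no), src, dst, proto, info.strip()))
    return frames


def audit_sessions(frames):
    """Group SMB frames by (client, server) and record NTLM steps, logons and paths.

    Frames are aggregated per address pair in capture order; individual SMB
    session IDs are not visible in the summary view, so they are not tracked.
    """
    sessions = {}
    for no, src, dst, proto, info in frames:
        if proto != "SMB":
            continue
        # Responses travel server -> client, so swap to keep the key stable.
        client, server = (dst, src) if "Response" in info else (src, dst)
        s = sessions.setdefault((client, server), {"ntlm": [], "logons": [], "paths": []})
        step = re.search(r"NTLMSSP_(NEGOTIATE|CHALLENGE|AUTH)", info)
        if step:
            s["ntlm"].append(step.group(1))
        if step and step.group(1) == "AUTH":
            cred = re.search(r"User:\s*(\S*)", info)
            if cred:  # "DOMAIN\user"; both halves are empty for "User: \"
                domain, _, user = cred.group(1).rpartition("\\")
                s["logons"].append(
                    {"frame": no, "domain": domain, "user": user, "anonymous": user == ""}
                )
        path = re.search(r"Request,.*Path:\s*(\S+)", info)
        if path:
            s["paths"].append(path.group(1))
    return sessions


def anonymous_logons(sessions):
    """Return (client, server, frame) for every logon carrying no user name."""
    return [
        (client, server, logon["frame"])
        for (client, server), s in sessions.items()
        for logon in s["logons"]
        if logon["anonymous"]
    ]


if __name__ == "__main__":
    result = audit_sessions(parse_summary(CAPTURE))
    for pair, s in result.items():
        print(pair, s)
    print("anonymous:", anonymous_logons(result))
```
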



## Eisenbart (Nov 13, 2004)

Ok, I did the whole thing again, but this time I got a somewhat different sequence:










The packet details are as follows:


```
No.     Time        Source                Destination           Protocol Info
    135 23.097274   192.168.0.2           192.168.0.1           TCP      mxxrlogin > icslap [ACK] Seq=17761 Ack=28105 Win=64364 Len=0

Frame 135 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: mxxrlogin (1035), Dst Port: icslap (2869), Seq: 17761, Ack: 28105, Len: 0

No.     Time        Source                Destination           Protocol Info
    136 23.411193   192.168.0.1           192.168.0.2           SMB      Tree Connect AndX Request, Path: \\HAMMER\IPC$

Frame 136 (136 bytes on wire, 136 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 40, Ack: 40, Len: 82
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    137 23.411395   192.168.0.2           192.168.0.1           SMB      Tree Connect AndX Response

Frame 137 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 40, Ack: 122, Len: 60
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    138 23.411533   192.168.0.1           192.168.0.2           SMB      NT Create AndX Request, FID: 0x8000, Path: \wkssvc

Frame 138 (158 bytes on wire, 158 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 122, Ack: 100, Len: 104
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    139 23.411818   192.168.0.2           192.168.0.1           SMB      NT Create AndX Response, FID: 0x8000

Frame 139 (193 bytes on wire, 193 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 100, Ack: 226, Len: 139
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    140 23.413062   192.168.0.1           192.168.0.2           DCERPC   Bind: call_id: 1 WKSSVC V1.0

Frame 140 (194 bytes on wire, 194 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 226, Ack: 239, Len: 140
NetBIOS Session Service
SMB (Server Message Block Protocol)
DCE RPC Bind, Fragment: Single, FragLen: 72, Call: 1

No.     Time        Source                Destination           Protocol Info
    141 23.413149   192.168.0.2           192.168.0.1           SMB      Write AndX Response, FID: 0x8000, 72 bytes

Frame 141 (105 bytes on wire, 105 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 239, Ack: 366, Len: 51
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    142 23.413287   192.168.0.1           192.168.0.2           SMB      Read AndX Request, FID: 0x8000, 1024 bytes at offset 0

Frame 142 (117 bytes on wire, 117 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 366, Ack: 290, Len: 63
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    143 23.413358   192.168.0.2           192.168.0.1           DCERPC   Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280

Frame 143 (186 bytes on wire, 186 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 290, Ack: 429, Len: 132
NetBIOS Session Service
SMB (Server Message Block Protocol)
DCE RPC Bind_ack, Fragment: Single, FragLen: 68, Call: 1

No.     Time        Source                Destination           Protocol Info
    144 23.414611   192.168.0.1           192.168.0.2           WKSSVC   NetWkstaGetInfo request Level:100

Frame 144 (202 bytes on wire, 202 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 429, Ack: 422, Len: 148
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Pipe Protocol
DCE RPC Request, Fragment: Single, FragLen: 60, Call: 1 Ctx: 0, [Resp: #145]
Workstation Service, NetWkstaGetInfo

No.     Time        Source                Destination           Protocol Info
    145 23.414894   192.168.0.2           192.168.0.1           WKSSVC   NetWkstaGetInfo response

Frame 145 (242 bytes on wire, 242 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 422, Ack: 577, Len: 188
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Pipe Protocol
DCE RPC Response, Fragment: Single, FragLen: 128, Call: 1 Ctx: 0, [Req: #144]
Workstation Service, NetWkstaGetInfo

No.     Time        Source                Destination           Protocol Info
    146 23.415071   192.168.0.1           192.168.0.2           SMB      Close Request, FID: 0x8000

Frame 146 (99 bytes on wire, 99 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 577, Ack: 610, Len: 45
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    147 23.415164   192.168.0.2           192.168.0.1           SMB      Close Response, FID: 0x8000

Frame 147 (93 bytes on wire, 93 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 610, Ack: 622, Len: 39
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    148 23.434293   192.168.0.1           192.168.0.2           SMB      Tree Disconnect Request

Frame 148 (93 bytes on wire, 93 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 622, Ack: 649, Len: 39
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    149 23.434396   192.168.0.2           192.168.0.1           SMB      Tree Disconnect Response

Frame 149 (93 bytes on wire, 93 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 649, Ack: 661, Len: 39
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    150 23.435431   192.168.0.1           192.168.0.2           TCP      clvm-cfg > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 150 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: clvm-cfg (1476), Dst Port: http (80), Seq: 0, Len: 0

No.     Time        Source                Destination           Protocol Info
    151 23.722121   192.168.0.1           192.168.0.2           TCP      uaiact > microsoft-ds [ACK] Seq=661 Ack=688 Win=65086 Len=0

Frame 151 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 661, Ack: 688, Len: 0

No.     Time        Source                Destination           Protocol Info
    152 23.999944   192.168.0.2           192.168.0.1           TCP      mxxrlogin > icslap [PSH, ACK] Seq=17761 Ack=28105 Win=64364 Len=740
```


----------



## grue155 (May 29, 2008)

That is something different, but it seems incomplete. Details of what is in the SMB portion of the packet can be seen by clicking on the boxed-plus icon in the packet details window. You'd need to look at the NTLM challenge and auth packets to see what kind of login is being attempted.

It's possible to save the packet capture as a file. In Wireshark, on the toolbar at the top, click File -> SaveAs, give it some file name, and save in the default .pcap format. This saves all the packet data in the capture, so it can be examined later. The forum here won't allow pcap file attachment, but you can zip the capture file, and post a zip file. Then I can go thru the capture to see if I can make sense of what's going on.


----------



## Eisenbart (Nov 13, 2004)

Great, thank you so much for your help! :smile: I did another capture with Wireshark, and it contains that NTLM challenge and authentication stuff. Please have a look at the attached log file!


----------



## grue155 (May 29, 2008)

Got it. Thank you. Dayjob is a bit hectic today, so it may be a little while before I get the chance to go thru the capture in detail.


----------



## Eisenbart (Nov 13, 2004)

Take your time, and thanks for your help so far! :smile:


----------



## Eisenbart (Nov 13, 2004)

Have you had a chance to look at the log file? :shy:


----------



## grue155 (May 29, 2008)

A little bit. There is a null login at frame 196 which I'm trying to make sense of. Null login usually translates into the Guest account, or some other minimum privilege account. I'm having to research things a bit as I go, which is proving a bit more time consuming than I had expected. It's educational :grin:


----------



## Eisenbart (Nov 13, 2004)

Great, thanks for your help! :smile: I am really curious why I cannot even find out what my effective permissions are on the remote machine, not to mention why taking file ownership does not work.


----------



## grue155 (May 29, 2008)

Research led me to these pages:

http://support.microsoft.com/kb/103390
http://technet.microsoft.com/en-us/library/cc749912.aspx
http://www.microsoft.com/windowsserver2003/techinfo/overview/security.mspx

which all seem to be written for the use in a domain environment, rather than a workgroup. I would expect the same design philosophy to be used, with different fallbacks (workgroup would presume automatic fails in contacting a domain, for example). I haven't been thru the W2k3 document yet, as the details in the KB pages are a bit dense for my background. It is educational :grin: A lot of things seem to be coming back to KB103390, so that seems to be something central to understanding what's going on.


----------



## Eisenbart (Nov 13, 2004)

I almost thought I had found a solution... :sigh:

I found out that while it is possible to take ownership of a file on a remote computer for the administrator, the file's owner will then be set to the administrator's SID on the _local_ rather than on the _remote_ computer. In other words, the owner will be set to a user not known on the machine where the file is located, which is not a good thing of course. I guess that for this reason, trying the same thing with a limited user account fails.

I also learned that while it is not possible to set the owner of a file on a remote computer to the administrator's remote SID, it is quite possible to set the file's owner to the remote computer's administrator _group_. This brought me to the idea of creating a group for myself on the remote computer and setting the owner of the files in the backup data to my group rather than to myself as a limited user.

Unfortunately, this did not work and I don't know why. I created the group and made myself a member of it, but when I went to the dialog for changing the owner of a file on the remote computer, my group did not show up in the list of candidates for new ownership. I also tried creating the same group on the local computer, but this did not help either.

So how come I can change the owner of a file on a remote computer to a group that the administrator belongs to, but not to a group that a limited user belongs to?


----------



## grue155 (May 29, 2008)

> So how come I can change the owner of a file on a remote computer to a group that the administrator belongs to, but not to a group that a limited user belongs to?


Sorry for the delay in getting back to the topic. Dayjob has gotten rather busy, as sometimes happens this time of year.

In a domain environment, all of that would be working because all user identification would be done against the domain auth server. But in a workgroup environment, there is no auth server, and each machine checks only against its local data. So, if it can work in the local environment, it should be possible to have the same operation when a remote user logs into the local machine as a local user. I think of it as telepathic projection, and whose fingerprints and DNA are left at the scene that got past the ID checks.

To my knowledge, the only difference between a limited user and an admin user is the permission settings. It could also be that there is some magic bit that gets turned off with a limited user, and so some things just won't work without that magic bit being enabled. Like in *ix systems, root admin has the permissions, and the uid=0 as the magic bit. User without that uid=0, can't do anything that needs root authority regardless of what the permissions say. That could very well be what you're running into. I don't know if Windows has that equivalent uid=0, so some more research seems to be in order.


----------



## Eisenbart (Nov 13, 2004)

The way things look at the moment, there seems to be no way around installing a second hard drive into my primary computer and storing my backup data there instead of moving it to my secondary computer... :sigh: But thanks anyway for investing so much time to help me with my problem!


----------



## grue155 (May 29, 2008)

Glad to have been of some kind of help. I must say, it's been very educational for me. For that, I get to say Thank You! :grin:


----------

