Permissions in disarray after clean install

My security permissions appear to be screwed after re-installing Windows XP
Home. In connection with the clean install, I deleted two user accounts for
which I manually copied their files to a second hard drive. Now I notice
that the owner for many files is "Unknown" or has what I believe is an SID.
How do I best clean this up?

1) (a) Is it best to set the owner to "Administrators Group" at a high level
on the drive and ensure I select "Replace owner on subcontainers and object"
to let the change trickle down?
(b) Is this better than assigning the actual original owner which might
be a limited user?
(c) Is it safe to remove all the Unknown users (i.e. SID) showing in
the security permissions?

2) For allowing users access to the second hard drive (D: drive) where I
have "My Documents", is it better to provide full control to "Authenticated
Users" instead of "Users" Group? Or is there a group that is even more
secure? Of course, for each users' "My Documents" folder I will provide
access only to each individual user.

3) I notice my external hard drive has the root and the complete drive with
full control to "Everybody". Is this insecure or must it be this way on an
external drive since it can be hooked up to any computer?

Thanks for any help.

Replies inline
"Holmes" wrote in message
...
My security permissions appear to be screwed after re-installing Windows
XP
Home. In connection with the clean install, I deleted two user accounts
for
which I manually copied their files to a second hard drive. Now I notice
that the owner for many files is "Unknown" or has what I believe is an
SID.
How do I best clean this up?
A user name is an alias for an SID. Your reinstallation deleted all
accounts, but your copy of the files to another disk left them with the SID
of a now deleted account Since Windows never reuses an SID, these files
have an unknown user. So, what you do is to change the ownership. Refer
the the Help & Support discussion on "How to take ownership of files and
folders."

1) (a) Is it best to set the owner to "Administrators Group" at a high
level
on the drive and ensure I select "Replace owner on subcontainers and
object"
to let the change trickle down?
(b) Is this better than assigning the actual original owner which
might
be a limited user?
(c) Is it safe to remove all the Unknown users (i.e. SID) showing in
the security permissions?
"Adminstrators Group" is not a user name. I would not expect that changing
the owner to "Administrators Group" to be successful.
I would first add accounts for each of the original users.
I would then give ownership of the top level folder to the correct new
account.
I would give that new account full control.
I would give SYSTEM full control (this is Windows, and it needs full
control).
I would give members of the administrators group full control.

2) For allowing users access to the second hard drive (D: drive) where I
have "My Documents", is it better to provide full control to
"Authenticated
Users" instead of "Users" Group? Or is there a group that is even more
secure? Of course, for each users' "My Documents" folder I will provide
access only to each individual user.

The last choice is more secure. You should realize though that any member
of the administrators group can change permissions at any time for any
reason.
3) I notice my external hard drive has the root and the complete drive
with
full control to "Everybody". Is this insecure or must it be this way on
an
external drive since it can be hooked up to any computer?
"Everybody" means all accounts on the system. I would give "Everybody" read
access. If you connect the disk to another system, a member of the
administrators group can make whatever changes to permissions that are
needed.

Thanks for any help.

Jim

Holmes wrote:
My security permissions appear to be screwed after re-installing
Windows XP Home. In connection with the clean install, I deleted
two user accounts for which I manually copied their files to a
second hard drive. Now I notice that the owner for many files is
"Unknown" or has what I believe is an SID. How do I best clean this
up?

1) (a) Is it best to set the owner to "Administrators Group" at a
high level on the drive and ensure I select "Replace owner on
subcontainers and object" to let the change trickle down?
(b) Is this better than assigning the actual original owner
which might be a limited user?
(c) Is it safe to remove all the Unknown users (i.e. SID)
showing in the security permissions?

2) For allowing users access to the second hard drive (D: drive)
where I have "My Documents", is it better to provide full control
to "Authenticated Users" instead of "Users" Group? Or is there a
group that is even more secure? Of course, for each users' "My
Documents" folder I will provide access only to each individual
user.

3) I notice my external hard drive has the root and the complete
drive with full control to "Everybody". Is this insecure or must
it be this way on an external drive since it can be hooked up to
any computer?

Move/copy all the files that you put on the secondary drive to a FAT32
formatted system (assuming no files there are more than 4G in size by
themselves), format the secindary drive using your fresh install with NTFS
to ensure it is clean - move/copy all the files back. No more strange
permissions - it just inherits what was on the newly formatted drive.

(The FAT32 copy/move eiminates all security information - as FAT32 has no
place to store it)

As far as 1, 2, 3...

1) a) Depends on your intentions.
b) Depends on your intentions.
c) Yes.
2) Better? Depends on your intentions. Secure - maybe - although in order
to be a user of the computer, you'd have to be authenticated. ;-) As for
your 'of course' - that's nto a given - you'd have to set it that way.
3) Insecure - yeah - I suppose. However - your deduction is generally
correct - although nothing keeps someone with physical access to any drive
formatted with NTFS from taking ownership of all files on it and thus
gaining access.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

Shenan Stanley wrote:
Move/copy all the files that you put on the secondary drive to a
FAT32 formatted system (assuming no files there are more than 4G in
size by themselves), format the secindary drive using your fresh
install with NTFS to ensure it is clean - move/copy all the files
back. No more strange permissions - it just inherits what was on
the newly formatted drive.
(The FAT32 copy/move eiminates all security information - as FAT32
has no place to store it)

As far as 1, 2, 3...

1) a) Depends on your intentions.
b) Depends on your intentions.
c) Yes.
2) Better? Depends on your intentions. Secure - maybe - although
in order to be a user of the computer, you'd have to be
authenticated. ;-) As for your 'of course' - that's nto a given -
you'd have to set it that way. 3) Insecure - yeah - I suppose. However -
your deduction is generally correct - although nothing
keeps someone with physical access to any drive formatted with NTFS
from taking ownership of all files on it and thus gaining access.

"secondary"

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html