
How do I reset file ownership at the command line when the files are owned by users from a dead domain?

I feel like telling a story, so if you want to get to the meat of the question, skip down to the horizontal line.

Original title: Zombies from a dead domain won’t give me my files!

I ran into a problem restoring some old archive tapes, where file and folders were owned by users that no longer existed from a domain that no longer existed.

The tapes contained files backed up in Windows 2000, 2003, 2008, 2012 R2 (there may even be some NT4) from local NTFS volumes and CIFS NAS storage arrays, and I’m restoring them in Windows Server 2022.

It was useful in the past to preserve file ownership as that was the only record of authorship for many types of files.

But there appears to have been a period in the early 2000s where people who left the company had their Active Directory accounts deleted rather than disabled. Of course, they owned files and folders on these tapes.

Much later, there was a domain rename, and since the users had been deleted, there was no way to add their SIDs to a SID history, the scope of which was unknown anyway.


Anyway, come today and I’m restoring files from these old tapes, and Windows is restoring the old DACLs and owners from yesteryear. Big mistake: not only can I not access these files and folders as an admin, I can’t force permission inheritance on these files and folders, or even reset the owner using icacls from an elevated command prompt.

icacls <folder> /setowner Administrators /t /c
icacls <folder> /reset /t /c

I also have a script using xcacls.vbs that lets me reset the owner of just folders.

This worked for the files not owned by zombies, but Windows refused access to many, many files.

However, I was able to reset the owners in the File Explorer GUI and push the new owner out to everything underneath. “Replace all child object permissions etc.” then replaced the permissions. I could then delete the whole thing.

Now, I can start over without restoring DACLs or owners — but then, the original non-zombie authors will just have to be forgotten. (The backup software is all-or-nothing about this.)

icacls and xcacls won’t clean up the owners and DACLs, even with elevation. But I can do it en masse in File Explorer! Is there a way to do this more selectively using a command prompt?
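One way to do this selectively from an elevated PowerShell prompt, as an added example that is not part of the original post: walk the tree top-down, leave items whose owner SID still resolves untouched, and only on items whose owner cannot be translated (dead domain or deleted account), or whose restored DACL blocks even reading the security descriptor, take ownership and reset the DACL. Microsoft's icacls documentation notes that /setowner does not force a change of ownership and points to takeown.exe for that, which is why takeown is used here before icacls /reset. The $Root path and the -Apply switch are assumptions of this script.

```powershell
# Added example (not from the original post): reset ownership and DACLs only on
# items whose owner SID no longer resolves, or whose DACL denies READ_CONTROL.
# Assumes an elevated PowerShell session with takeown.exe and icacls.exe on PATH.
param(
    [Parameter(Mandatory)][string]$Root,   # assumption: top of the restored tree
    [switch]$Apply                         # without -Apply, only report
)

function Test-OrphanOwner {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path
        $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        # Translate throws IdentityNotMappedException when the domain/account is gone
        [void]$sid.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    } catch [System.UnauthorizedAccessException] {
        # The restored DACL denies even READ_CONTROL; treat as orphaned
        return $true
    }
}

function Repair-OrphanTree {
    param([string]$Path)
    if (Test-OrphanOwner $Path) {
        Write-Host "orphaned owner: $Path"
        if ($Apply) {
            # takeown uses SeTakeOwnershipPrivilege; /A assigns the Administrators group
            & takeown.exe /F $Path /A | Out-Null
            # Once Administrators own the item, WRITE_DAC is implicit and /reset works
            & icacls.exe $Path /reset /C | Out-Null
        }
    }
    # Recurse only after fixing the directory itself, so listing now succeeds
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $children = Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue
        foreach ($child in $children) { Repair-OrphanTree $child.FullName }
    }
}

Repair-OrphanTree $Root
```

In report-only mode (no -Apply), directories whose DACL denies listing are reported but their contents cannot be enumerated, so the full set of affected items is only visible on an -Apply run.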