Need help in migrating XP security accounts and settings.

[reachrishikh]

I have protected quite a few files and folders on my computer using the security provided by the NTFS file system and Win XP.
i.e. After you disable simple file sharing, whenever you right click a file or folder, you get an additional 'security' tab, wherin you can set permissions for accessing that file or folder based on the user account or user group on that computer.

Now I have locked quite a few files and folders this way, and restricted their access to one user account which also has admin priviledges on the machine.

I need to reinstall my Windows XP, and I know I will lose my files forever if I don't take certain steps to backup and transfer certain files/registry entries/ settings to the target windows installation. I don't know what these are, so could someone please help me out?

Also, I am in a bit of a hurry here, I just have 2 days after which my current win installation will be rendered useless, and I won't be able to extract those files/settings without a lot of additional hassles.


I recall reading about a similar query in one Digit QnA section a few months ago, but that guy had encrypted his files, he wasn't using file and folder permissions, so the instructions that apply to him are a bit different from mine. If they are the same, I don't know.


I have already tried searching the net, and I only get the ' Win XP file and settings transfer wizard' bullshit, and I went through the first 5 pages on this board, and couldn't find a similar thread. So please don't flame me for asking this question.

 

[techtronic]

Are you storing your Data on a separate partition or on the same partition where XP is installed (C:/) ?

 

[reachrishikh]

On a separate hard drive altogether. But that is not the issue. It doesn't matter where the data is stored, the permissions can be set on any data anywhere, but the security accounts are managed from a central place by windows. The security accounts are not stored in windows by the name you select for them - for example, if I create two accounts by the exact names -

John Smith
Jack Smith

in my original windows installation, internally, they won't be stored by that name. They have some cryptic identifying number. Also, John is set up as a user, and Jack is set up as a power user.

Secondly, assuming I set some deny permissions for John Smith on folder D:\XYZABC in my first installation, and permit Jack Smith to access the same folder.

Now, assuming I need to reinstall my windows completely, but my data is safe on another hard drive (the d:\). After the reinstallation, I recreate the exact 2 same user accounts

John Smith
Jack Smith

with the same user groups that they belonged to earlier, i.e. John is an ordinary user, and Jack is a power user.

It still won't make any difference, as the permissions are set for the John Smith and Jack Smith of the first installation, attached to the accounts with the cryptic names mentioned before, and not to tthe names John Smith and Jack Smith.

So if someone wants to retain the permissions set for the original security accounts, there is some procedure to save them/take a backup, and then import them into the new windows installation. But I just don't know what that is.
Someone please help me out.

I hope this clears things up.

 

[ImAClown]

Press F1 and you will get Microsoft Help thing. There type key words of your problem and you will get the solution. Sometimes, microsoft will fox it automatically....

 

[reachrishikh]

I'm afraid it isn't as simple as that my friend, and I was expecting a bit more technical and intelligent replies on this forum.

It appears this is one of those areas where microsoft itself doesn't want to be clear, and the support provided by it on this topic is hazy. I've already searched their kb articles before coming here, as mentioned above, and you would agree their kb articles are more detailed and have more comprehensive information on every thing relating to their products, so if it wasn't found there, I doubt I'll find it in the joke of a microsoft inbuilt help feature.

 

[reachrishikh]

Anyone???

 

[reachrishikh]

Come on guys, I thought the people over at Digit were smart, that they would know the answer to this.
Someone, please help me!

 

[narangz]

I guess this might help you:
1. Backup your EFS certificates in case you have encrypted the files. Here's how:
*www.practicalpc.co.uk/computing/windows/xpencrypt1.htm

Check out all the parts of the article.

2. Take ownership of files with NTFS permissions:
You must take ownership of the folder to gain access to the ACL(Account Control List). To take ownership of the folder follow these steps:

-Right click the folder->click Properties->Security tab
Click OK when you receive the following message:
You only have permission to view the current security information on username.
-Click Advanced, then ->Owner tab
-Select a new owner, select Replace owner on subcontainers and objects, and then click OK.
You'll receive this message:
You do not have permission to read the contents of directory path and directory name. Do you want to replace the directory permissions with permissions granting you Full Control?
Click YES.
-Close the boxes.
-Reopen the properties.

Now this folder inherits the permissions of the parent folder. If you want to change the permissions you'll have to block inheritance from the parent by uncheking the checkbox to 'Allow inheritable permissions from parent to propagate to this object'
Hope it helps!

 

[reachrishikh]

No, I haven't encrypted anything on my system. I had seen that backing up of the EFS certificates thing in the QnA section of Digit a few months ago. Thanks anyway.

So, if anyone with admin priviledges on any installation of Windows XP/Vista/2000/2003/2008/future versions on any computer, can take ownership of protected folders on the hard drive of a computer, and override all the security settings attached to that file or folder, then this mode of protecting access to files and folders on a Windows machine is very flawed, and can hardly be called 'security', don't you think?

So if taking ownership of the protected folders is the only option (an option that I was aware of previously), then does that mean I cannot migrate the security logon accounts from one installation of Windows to another? (Same version, e.g. XP Pro to XP Pro.)
Because if I go through the steps outlined above, I will have to manually take control of all folders where I had set security permissions, take ownership of all of them, and set all allow and deny permissions for each account all over again.

 

[iMav]

what exactly do u wanna do? u want to copy these restricted files to another location

 

[reachrishikh]

Would you please read the entire thread above? It would make everything a lot clearer, as I have explained everything quite clearly, with examples.

 

[reachrishikh]

Will someone from the Digit team please help me out? I know you guys check messages here frequently, if only to moderate the boards.
I don't want to go the flawed and time-consuming 'take ownership' mode, and I know there is some Security Accounts Manager (SAM) file or something that stores information about Windows workgroup and domain login accounts. If I am able to just transfer that file to the new windows installation, it will solve all my problems, but I don't know what exactly the file is, where it is located, and how exactly to transfer/backup-restore it.

 

[reachrishikh]

Okay, I have gone ahead and tried using the oft-suggested 'Windows File and Settings Transfer Wizard', and it was absolutely no help at all, just like I've been telling everyone all along!
It offers me to transfer all sorts of useless windows configuration settings that I can manually set on the new computer faster, and much better, but does not offer to transfer the most important of them all - the Security Accounts Manager files and user accounts.

 

[dheeraj_kumar]

You'd been doing this for four months? you coulda copied the folders to another drive, reinstalled windows, copy them back, and set permissions. Takes 30 mins extra, but it works.

 

[reachrishikh]

No, I've been procrastinating for four months.
I just reinstalled my windows finally 2 days ago, and did exactly that what you mentioned.
Although my folders and data already reside on another hard drive altogether, and if you'd gone through the above, you would have found that out.

If that is the only option out I have, then it is a highly tedious, time-consuming, not to mention highly insecure method of storing and managing security permissions for files and folders on NTFS partitions. I mean, what's the sense in setting security access/deny permissions if you can't migrate them should you need to do the inevitable re-install of the operating system, and if any damn fool with admin level priviledges can simply reset the permissions by taking ownership of the 'secured' files or folders?
Besides, it is possible to completely lock and also transfer encryption settins applied to files and folders on NTFS partitions, so why should the same not be applicable to security permissions?

 

[iMav]

This could have helped: *www.microsoft.com/windowsxp/using/setup/expert/crawford_november12.mspx

 

[reachrishikh]

^^ Dude, do you even bother to read what's written in a thread or do you just skim over stuff and post whatever comes into your head? This has happenned twice with you now, in this very thread. It seems you just want to post as much as you can to up your post count, just quantity, but no quality in your posts!



Just to make this clear - My requirements are highly technical. I'm not a silly noob asking around how to transfer those itty-bitty windows desktop settings, files from My Documents and the like, to a new computer. That's kiddy stuff, and I have my own far more efficient ways to take care of that stuff.
So if you don't have a reasonable technical knowledge about the MS Security Accounts Manager and its implementation, then please don't bother posting any more replies about the File and Settings Transfer Wizard.

 

[iMav]

Highly technical stuff? All you want to do is transfer files keeping their permissions & user privileges intact! All I said it culd have helped.

 

[reachrishikh]

I do NOT want to transfer any file at all! I want to transfer the 'Security Accounts Manager user accounts'.
And I mention just a few posts above that I have already tried the File and Settings Transfer Wizard, and it did NOT help, yet I have a post below me that implores me to do the same again.

The problem with a majority of you people is that you cannot be bothered to 'READ'!

I'm done with this place, I know I'm not getting any intelligent replies for this issue.

 

[iMav]

Sorry for missing the last line. My apologies. However, if it is the SAM settings that you want copy to the new installation, you can try by backing up the SAM file and then replace the one in your new installation. Not sure whether it will work.

file is stored in %systemroot%\system32\config\sam.