This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 95%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAZ%3C/text%3E%3C/svg%3E)
There are some explicit file system ACEs referring to a certain user. I was trying to find them using ICACLS specifiying the SID:
icacls * /findsid *S-1-5-21-...... /t
The problem: Nothing is found even though it should. I was trying a different user's SID and also it's name instead of the SID. Both of them worked. With the actual user to be found, I can't use the name because the user has already been deleted, so I have to use his SID.
So what am I doing wrong? Am I missing something?
(Strange new forums BTW. I was entering Windows 10 -> Security, but when posting, I don't see into which forum I'm posting. MSFT special again or am I missing something?)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Armin Zingler ,
Thank you for posting here.
Based on the description, I did a test in my lab.
Environement:
user: u1
SID:S-1-5-21-3544329616-3252733086-2160935199-1114
user: u4
SID: S-1-5-21-3544329616-3252733086-2160935199-1140
There are NTFS permissions on Newfolder,111.txt and 222.txt for u1. there are NTFS permissions on 222.txt for u4.
If i delete u4, I can not get any result for u4, either.
Here are detailed information:
icacls "C:\newfolder" /findsid *S-1-5-21-3544329616-3252733086-2160935199-1114 /t
icacls "C:\newfolder" /findsid fabrikam\u1 /t
icacls * /findsid *S-1-5-21-3544329616-3252733086-2160935199-1114 /t
icacls * /findsid fabrikam\u1 /t
If i delete u4, I can not get any result for u4, either.
icacls "C:\newfolder" /findsid *S-1-5-21-3544329616-3252733086-2160935199-1140 /t
icacls "C:\newfolder" /findsid fabrikam\u4 /t
icacls * /findsid *S-1-5-21-3544329616-3252733086-2160935199-1140 /t
icacls * /findsid fabrikam\u4 /t
Best Regards,
Daisy Zhou
Daisy Zhou.
thanks for taking the time to reproduce the issue and the demonstration here.
I wrote a small tool for this specific purpose to get the files and folders I was looking for.
Thanks
Hello @Armin Zingler ,
Thank you for your update. I am so glad that we resolved the problem.
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!
Best Regards,
Daisy Zhou