NTFS ACL/control question

I should really know this for sure, but…

Say you have NT/Win2k/XP installed on your system. You’re running an NTFS drive, and the access lists on the whole drive is administrator - full control - and that’s it. nothing for anyone else.

Now say you buy a new computer and stick that drive in the new system, without the OS (just a data drive). Will the administrator of a the new install/machine have full control access to that drive?

I’m questioning this because I believe the ACLs (access control lists) on the drive would have the GUID of the account that has control over them, and compare that to the new administrator. They might have the same account name, but different GUIDs, and therefore maybe not grant access.

Then I think, also, that the administrator of any OS instance/machine will have any access to any file, whether it recognizes his GUID or not. Is that correct? Can the admin of another install go into an NTFS partition and change the ACLs to give him access?

What about a non-admin case? This doesn’t personally matter to my situation, but I’m curious - if an account ‘user1’ exists on the first install, and the NTFS partition gives ‘user1’ full control over a few files, will ‘user1’ on the new install of the OS also have full control of those files? I’m guessing no, because the GUIDs won’t match, but I’m curious.

Anyway, to sum up my question: Will the administrator account of my new computer/OS install have any problems accessing the NTFS drive on a data drive I’ll be moving to the new system?

Thanks.

Good question. I can’t say for certain, but my guess would be that when you first attempt to access the moved drive you will be denied access. There would be nothing stopping you from taking ownership and reapplying permissions though.

If the above is the case, the ‘user1’ account would be in trouble, because they don’t normally have the ability to take ownership.

Members of the Administrators group can be denied access to a file or folder, but it’s a moot point since they will have the ability to grant the rights back to themselves.

When moving drives between NT/2k boxes I’ve observed the following:
On access the system seems to allow access to the Everyone group, but in the ACL editor you can still see SIDs present that don’t map to any users on the new box and appear as GUIDs.

If the general security context of the drive has completely changed (i.e. from one standalone server to another or from one domain to another) then none of the SIDs in the ACLs will map to any users, a situation that the OS sees as an error and ignores. I have a feeling in the back of my mind that the local Administrators group has the same SID on every system though (anyone have any confirmation of this?), so these local rights would map from system to system.

In the end though, you can’t keep the administrator out of a folder. Well, unless you do what I did and lock down the IP security policy and accidentally deny everyone the right to log in at the console, thus leaving the box entirely sealed from all access.