# File permissions, an S-1-5-21 account, and inherited permissions



## cats74 (Sep 26, 2009)

I recently looked at my D drive, to find out that every file and folder in the D drive has an S-1-5-21.... account under the security tab. However the D drive itself does not. When I go to delete it, it tells me I cannot because it is inheriting permissions from its parent. But the D drive itself (the parent) doesn't have that user. So first, can you explain this.
So, I go and stop it from inheriting permission, and then delete it. The issue is that this is quite time consuming. I basically want to remove this user on every file and folder on the drive at once. Now how do I do that?
I would be perfectly happy removing all the file permissions for all the files (Yes, I know that leaves them inaccessible) and then just adding them, as adding them to the D drive itself will cause all the child objects to inherit them, yes?


----------



## centauricw (Jun 26, 2010)

The S-1-5-21... are all well-known security identifiers for builtin accounts. You can't delete them because they all represent critical Windows accounts without which you will not be able to use your computer. This Microsoft Knowledge Base article describes which system account belongs with which security identifier.


----------



## cats74 (Sep 26, 2009)

These are identified in the article as accounts for a domain. I have never been a part of a domain. In addition, these files are not Windows or program files, they are simply storage, things like pictures, movies, etc. Making even Windows unable to access these files will not prevent me from using my computer. Finally, I indicated that I have deleted some, and have had no issues. The information you have provided seems to be a quick guess at something without doing any research before posting a reply. For these files, I have already learned there are no consequences for deleting these security accounts. On the plus side you have however bumped the post.
I am just looking for the command line syntax to delete this account off of all files, folders, etc. in the current directory, and all below it.


----------



## centauricw (Jun 26, 2010)

There is no command line utility that will delete an account from a folder and iterate through the subfolder. But from the GUI, you can replace the ACLs on files and subfolders using the ACLs on the current folder from the advanced tab.


----------



## Couriant (Mar 26, 2002)

centauricw said:


> The S-1-5-21... are all well-known security identifiers for builtin accounts. You can't delete them because they all represent critical Windows accounts without which you will not be able to use your computer. This Microsoft Knowledge Base article describes which system account belongs with which security identifier.


I have seen them for Computer/Domain Users too.

The fact that you have it on all files and folders (unless I read that wrong) would indicate a change to one of the accounts, whether it's built in or not. Did you or do you know anyone that has made any changes to the user accounts?


----------



## centauricw (Jun 26, 2010)

> I have seen them for Computer/Domain Users too.
> 
> The fact that you have it on all files and folders (unless I read that wrong) would indicate a change to one of the accounts, whether it's built in or not.


I will add that the only time it is safe to remove accounts from the file or folder security properties is when it's an orphaned account, which will be listed as _Unknown Account S...._, where S... is the SID of the orphaned account. Non-orphaned accounts will never display the SID and you should only remove BUILTIN accounts with great care.

All files and folders should have Full Control for BUILTIN\Administrators and BUILTIN\System. Removing either of these leads to trouble.


----------
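
The orphaned-account check described in the last post (a SID that is shown raw because it no longer maps to an account name), together with the inheritance question from the first post, as an added PowerShell example that is not from any poster in this thread. The function name `Find-OrphanedAce` and its `-Root` and `-Remove` parameters are hypothetical; it only reports unless `-Remove` is given, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the thread. Function and parameter names are hypothetical.
# Reports ACEs whose S-1-5-21-... SID no longer maps to an account name and,
# with -Remove, purges the explicit (non-inherited) ones. Run elevated.
function Find-OrphanedAce {
    param(
        [Parameter(Mandatory)][string]$Root,
        [switch]$Remove
    )
    $isMapped = @{}   # cache: SID string -> $true when it resolves to a name
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $toPurge = @{}

        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            # Accounts that resolve are listed by name; only raw SIDs are candidates.
            if ($id -notmatch '^S-1-5-21-') { continue }

            if (-not $isMapped.ContainsKey($id)) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($id)
                try {
                    [void]$sid.Translate([System.Security.Principal.NTAccount])
                    $isMapped[$id] = $true
                } catch [System.Security.Principal.IdentityNotMappedException] {
                    $isMapped[$id] = $false
                }
            }
            if ($isMapped[$id]) { continue }

            # Emit one report row per orphaned entry.
            [pscustomobject]@{
                Path = $item.FullName; Sid = $id
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
            # An inherited entry has to be removed on the object that defines it.
            if (-not $ace.IsInherited) { $toPurge[$id] = $true }
        }

        if ($Remove -and $toPurge.Count -gt 0) {
            foreach ($id in $toPurge.Keys) {
                $acl.PurgeAccessRules((New-Object System.Security.Principal.SecurityIdentifier($id)))
            }
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}
```

Run `Find-OrphanedAce -Root 'D:\'` first and review the `Inherited` column before repeating with `-Remove`; rows marked inherited point to an entry defined higher up the tree, which is where it has to be removed.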

