[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!]
Recently, one of my users' accounts was accidentally deleted. After I recreated the account, the user couldn't access her home directory (her drives are mapped through logon scripts). When I re-added her to the appropriate groups, she could access folders to which each group had access, but she still couldn't access her home directory. When she tried to log on to the network, her logon script attempted to map to her home directory. However, when she tried to access that directory, she received the Access denied error message. She could access all other departmental folders as before. When I checked her home directory's ACL, her user account wasn't listed. After I added her user account to the ACL, she could access her home directory. Does Windows 2000 delete every access control entry (ACE) for a user when that user is deleted?
No, Win2K doesn't delete ACEs when you delete an account, but the effect is the same. When you recreated your user's account, she received a new security identifier (SID), the unique value Win2K assigns to every user and group for the life of that user or group. Win2K and Windows NT never reuse a SID, even when you recreate an account with exactly the same name. ACLs, user-rights assignments, and group memberships reference the account by SID, not by username. So when you originally granted your user access, you granted access to a specific account rather than to a specific person. When you deleted that account and created a new one, Win2K issued her a new SID, and every ACE, right, and group membership that applied to the old SID stopped applying to her. The only way to get the old SID back is to restore the deleted object from a backup of Active Directory (an authoritative restore); recreating the account by hand always produces a new SID.
If you delete a user account and view the ACL of a folder to which that user had access, you'll see the old ACE still present, but with the raw SID listed in place of a name and a question mark icon, as Figure 1 shows, because Win2K can no longer resolve that SID to an account. Your user regained access to the departmental folders because they're presumably secured through groups, and when you put her new account into the appropriate groups, her new SID inherited the groups' access. Her home directory was secured with an ACE for her individual account, so nothing pointed at the new SID until you added it. Orphaned ACEs like the one in Figure 1 are harmless, but they clutter ACLs and hide who really has access, so remove them once you've confirmed the replacement account has the access it needs.
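The following script is an added example, not code from the column: it walks a home-directory share, reports every non-inherited ACE whose SID no longer resolves to an account (the question-mark entries described above), and, with -Fix, removes each orphan and optionally grants the same rights to the recreated account. It assumes a modern Windows file server with PowerShell 3.0 or later; the root path and the DOMAIN\user value are placeholders.

```powershell
# Added example (not the column's own code): find and repair orphaned ACEs.
# Assumptions: run as an administrator on the file server; $Root is the
# home-directory share root and $NewAccount is the recreated user (both
# placeholders to replace for your environment).
param(
    [string]$Root = 'D:\Home',   # assumed root of the home-directory share
    [string]$NewAccount,         # optional DOMAIN\user to grant in place of each orphan
    [switch]$Fix                 # without -Fix nothing is written back
)

function Test-OrphanIdentity {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Get-Acl returns an unresolvable trustee as a raw SecurityIdentifier.
    # Translating it to an NTAccount succeeds only if some account owns that
    # SID; a deleted account's SID throws IdentityNotMappedException.
    try {
        [void]$Identity.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch {
        return $true
    }
}

function Get-AccountSid {
    param([string]$Account)   # e.g. 'CORP\jdoe' (placeholder name)
    # Demonstrates the point in the column: an account recreated with the
    # same name resolves to a different SID than the deleted one did.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

if ($NewAccount) {
    Write-Host ("Replacement account {0} has SID {1}" -f $NewAccount, (Get-AccountSid $NewAccount))
}

# Check the root itself plus every subfolder beneath it.
$folders = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Directory)

foreach ($folder in $folders) {
    $dir = $folder.FullName
    $acl = Get-Acl -Path $dir

    # Only explicit ACEs: inherited orphans disappear once the parent is fixed.
    $orphans = @($acl.Access | Where-Object {
        -not $_.IsInherited -and (Test-OrphanIdentity $_.IdentityReference)
    })
    if ($orphans.Count -eq 0) { continue }

    foreach ($ace in $orphans) {
        # IdentityReference.Value is the S-1-5-21-... string the GUI shows
        # next to the question mark icon.
        "{0}: orphaned {1} ACE for {2} ({3})" -f $dir, $ace.AccessControlType,
            $ace.IdentityReference.Value, $ace.FileSystemRights

        if ($Fix) {
            [void]$acl.RemoveAccessRule($ace)
            if ($NewAccount) {
                # Re-grant the identical rights and inheritance settings to the
                # new SID so the recreated user ends up where the old one was.
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $NewAccount, $ace.FileSystemRights, $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType)
                [void]$acl.AddAccessRule($rule)
            }
        }
    }
    if ($Fix) { Set-Acl -Path $dir -AclObject $acl }
}
```

Run it first without -Fix to get a report; the generic catch in Test-OrphanIdentity also treats a transient lookup failure (for example, no domain controller reachable) as an orphan, so don't pass -Fix until the report matches what you see in the folder's Security tab. Re-granting rights to $NewAccount only on the folders that carried an orphan is deliberate: it restores the user's own home directory without widening her access anywhere else.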