How to return the owner of a file on a local machine as computer name\user?

[Witis]

Hi

I would like to know how to return the full domain name (domain\user name) of the owner of a file such as a text file stored on a local machine which is not connected to a network.
In particular when a file is owned by a member of the administrators group I have to return domain\user name rather than just "Administrators" + "BuiltIn". Is it possible?

[Doogle]

Do you mean Computer Name as opposed to Domain name ?If the Computer is not connected to a Network it won't be connected to a Domain

[Witis]

Hi Doogle

Exactly, so yes how to return the owner of a file in the form of computer name\user rather than administrators + built in. (thread title now reflects Doogle's comments)

[Witis]

This is the problem, I am using this code to extract the owner from a file (I just change the file path coloured blue):

1. Set a reference in Projects / References to the Microsoft WMI Scripting Library.
2. Add this code without option explicit.

Code:

Private Sub Command1_Click()
strFolderName = "C:\program files"
Set objWMIService = GetObject("winmgmts:")
Set objFolderSecuritySettings = _
objWMIService.Get("Win32_LogicalFileSecuritySetting='" & strFolderName & "'")
intRetVal = objFolderSecuritySettings.GetSecurityDescriptor(objSD)
If intRetVal = 0 Then
   Debug.Print "Owner: " & objSD.Owner.Domain & "\" & objSD.Owner.Name
Else
   Debug.Print "Couldn't retrieve security descriptor."
End If
End Sub

source:http://gallery.technet.microsoft.com...-f4461d9b7e83/

When I run this code on XP to look up "C:\program files" it returns "Owner: BUILTIN\Administrators". I need it to return Computer Name\Administrators, how can I do this?

[dilettante]

Note the WMI is not considered a reliable tool for application use. It is an admin tool, which is why you see so much about it on TechNet.

Some systems may not even have it installed, while others have the service set to Stopped for security reasons (reducing attack surface Microsoft calls it) as well as to free up the overhead.

[petersen]

Would you like to try the following [note that the argument passed to Function GetLocalcompName() here is ComputerNameDnsFullyQualified; you might want to try others].

Original reference source: http://www.answers.com/topic/getcomputernameex-win-api

Code:

Private Enum COMPUTER_NAME_FORMAT
    ComputerNameNetBIOS
    ComputerNameDnsHostname
    ComputerNameDnsDomain
    ComputerNameDnsFullyQualified
    ComputerNamePhysicalNetBIOS
    ComputerNamePhysicalDnsHostname
    ComputerNamePhysicalDnsDomain
    ComputerNamePhysicalDnsFullyQualified
    ComputerNameMax
End Enum

Private Declare Function GetComputerNameEx Lib "kernel32.dll" Alias "GetComputerNameExA" _
   (ByVal NameType As COMPUTER_NAME_FORMAT, ByVal lpBuffer As String, ByRef nSize As Long) As Long
      

Private Function doGetComputerName() As String
    doGetComputerName = GetLocalCompName(ComputerNameDnsFullyQualified)
End Function


Private Function GetLocalCompName(inItem As COMPUTER_NAME_FORMAT) As String
    Dim sBuffer As String
    Dim Ret As Long
    sBuffer = Space(256)
    Ret = Len(sBuffer)
    If GetComputerNameEx(inItem, sBuffer, Ret) <> 0 And Ret > 0 Then
         GetLocalCompName = Left$(sBuffer, Ret)
    End If
End Function

[Witis]

dilettante, the example shows the problem, which also occurs if I call LookupAccountSid (via GetFileSecurity and GetSecurityDescriptorOwner), it seems the WMI merely implements/wraps these api calls.

petersen, that is almost a solution, although I am trying to get the owner of the file, even if it is from another pc, so it needs to be able to distinguish between files that are owned by administrators on one machine from administrators on other machines. At the moment WMI and LookupAccountSid return "Administrators" and "BuiltIn" in many situations even if the files are from different machines.

I was thinking that doing a dns lookup on the file owner's sid might work...

[petersen]

Will this one help? It is supposed to return "Adminstrators" in this case (Orig source MSDN, slightly modified)

Code:

Private Declare Function GetFileSecurity Lib "advapi32.dll" Alias "GetFileSecurityA" ( _
   ByVal lpFileName As String, ByVal RequestedInformation As Long, pSecurityDescriptor As Byte, _
   ByVal nLength As Long, lpnLengthNeeded As Long) As Long

Private Declare Function GetSecurityDescriptorOwner Lib "advapi32.dll" (pSecurityDescriptor As Any, _
   pOwner As Long, lpbOwnerDefaulted As Long) As Long

Private Declare Function LookupAccountSid Lib "advapi32.dll" Alias "LookupAccountSidA" ( _
   ByVal lpSystemName As String, ByVal Sid As Long, ByVal Name As String, cbName As Long, ByVal ReferencedDomainName As String, cbReferencedDomainName As Long, _
   peUse As Long) As Long

Private Const OWNER_SECURITY_INFORMATION = &H1
Private Const ERROR_INSUFFICIENT_BUFFER = 122&


Private Function getOwnerName(ByVal inFileSpec As String) As String
    Dim szfilename As String
    Dim bSuccess As Long
    Dim sizeSD As Long             ' Buffer size to store Owner's SID
    Dim pOwner As Long            ' Pointer to the Owner's SID
    Dim mOwner As String          ' Name of file owner
    Dim domain_name As String   ' Name of the first domain for the owner
    Dim name_len As Long          ' Required length for the owner name
    Dim domain_len As Long        ' Required length for the domain name
    Dim sdBuf() As Byte             ' Buffer for Security Descriptor
    Dim deUse As Long              ' Pointer to a SID_NAME_USEenumerated type of a/c
  
    bSuccess = 0
    mOwner = ""
    domain_name = ""
    name_len = 0
    domain_len = 0
    pOwner = 0
  
    If Dir(inFileSpec) = "" Then
         Exit Function
    End If

    szfilename = inFileSpec
  
      ' Call GetFileSecurity the first time to obtain the size of the
      ' buffer required for the Security Descriptor.
    bSuccess = GetFileSecurity(szfilename, OWNER_SECURITY_INFORMATION, 0, 0&, sizeSD)
  
    If (bSuccess = 0) And _
         (Err.LastDllError <> ERROR_INSUFFICIENT_BUFFER) Then
         'Err.Raise Err.LastDllError, , APIErrorDescription(Err.LastDllError)
         Exit Function
    End If
  
      'Create a buffer of the required size and call GetFileSecurity again.
    ReDim sdBuf(0 To sizeSD - 1) As Byte

      'Fill the buffer with the security descriptor of the object specified by the
      'szfilename parameter. The calling process mus have the right to view the
      'specified aspects of the object's security status.
    bSuccess = GetFileSecurity(szfilename, OWNER_SECURITY_INFORMATION, sdBuf(0), sizeSD, sizeSD)
  
    If (bSuccess <> 0) Then
          ' Obtain the owner's SID from the Security Descriptor.
        bSuccess = GetSecurityDescriptorOwner(sdBuf(0), pOwner, 0&)
        If (bSuccess = 0) Then
             'Err.Raise Err.LastDllError, , APIErrorDescription(Err.LastDllError)
             Exit Function
        End If
     
         ' Retrieve the name of the account and the name of the first
         ' domain on which this SID is found.  Passes in the Owner's SID
         ' obtained previously.  Call LookupAccountSid twice, the first
         ' time to obtain the required size of the owner and domain names.
        bSuccess = LookupAccountSid(vbNullString, pOwner, mOwner, name_len, domain_name, domain_len, deUse)
        If (bSuccess = 0) And (Err.LastDllError <> ERROR_INSUFFICIENT_BUFFER) Then
             'Err.Raise Err.LastDllError, , APIErrorDescription(Err.LastDllError)
             Exit Function
        End If
     
          'Allocate the required space in the name and domain_name string variables.
          'Allocate 1 byte less to avoid the appended NULL character.

        mOwner = Space(name_len - 1)
        domain_name = Space(domain_len - 1)
     
          'Call LookupAccountSid again to actually fill in the names of the owner and
          'the first domain.
        bSuccess = LookupAccountSid(vbNullString, pOwner, mOwner, name_len, domain_name, domain_len, deUse)
        If bSuccess = 0 Then
             'Err.Raise Err.LastDllError, , APIErrorDescription(Err.LastDllError)
             Exit Function
        End If
     
        getOwnerName = mOwner
    End If
End Function

[Witis]

petersen, that code is good and should return the owner of the file , and you can also modify it further to also return the owner's domain name via the line in the code you posted:

Code:

domain_name = Space(domain_len - 1)

Once you can get both the owner and their domain for any file the problem I am having is this:

1. Format a usb drive with NTFS on machine A while you are logged in with admin rights.
2. Transfer the usb to another machine which is not on the same domain (i.e two separate machine that are unrelated to each other in any way).
3. While you are logged in with admin rights on the second machine, create a new textfile "New Text Document.txt" on the usb.
4. In windows file explorer right click the column that has "Name" above it (directly on the Name label) then add owner to the columns in order to have windows display the owner of this new file.
5. Note that the owner is displayed as "Administrators".
6. Run the code you have to determine the owner and domain and you will see that it says "Administrators" and "BuiltIn".

This is somewhat confusing at first, how did I just write a file to a usb drive that was formatted by another admin on another machine without providing a user name and password? Further is this file owned by the second machine's administrator group or the first machine's administrators group?

To answer this try and edit the "New Text Document.txt" on the usb drive, and you will be unable to edit and save the changes. Transfer the usb back to the first machine and try and edit the file, and you will see that you can.

Counter intuitively it seems that this new text file, although it was created by a member of the administrators group on the second machine and is reported as being owned by "administrators" "built in" in windows explorer, making one think the admins on machine 2 own the text file, in fact it is actually owned by the administrators of the first machine.

One way to remove this confusion is to write a function that returns the machine name or domain name\user instead of just "administrators" + "builtin".

[dilettante]

I'm not sure why you want these or what you want to do with them.

Can't you just replace BUILTIN by the machine name when it occurs?

[dilettante]

Ahh, NTFS on a removable drive. Tsk, tsk. You face this issue even if you move an IDE hard drive to another machine.

I believe you can only get back domain name for domain admins, and even then only when the domain controller is available on the network. Only the SID gets stored on the hard drive as far as I know.

[Witis]

dilettante, that is acceptable, the owner's sid could be used in place of Built in when the domain is unknown.

[petersen]

Just a long shot. Will passing a different argument to GetLocalCompName() - re COMPUTER_NAME_FORMAT per an earlier posting - be of any use?