Focus on Microsoft
Re: S-1-5-21... Jul 23 2008 01:18AM
Anthony Petito (anthonypetito gmail com)
This link might be of some assistance and maybe help explain why
you're seeing the group:
http://www.cygwin.com/cygwin-ug-net/ntsec.html

Hope that helps.

--
Anthony Petito

On Mon, Jul 21, 2008 at 11:26 PM, Red Cat <redcat9876 (at) gmail (dot) com> wrote:
>
> Hey,
>
> Thanks a lot for the comments so far. I'm starting to grasp the basic
> idea of SIDs and AD. But now my question is, why does that user,
> "None" or that SID S-1-5-21... appear only for this specific folder?
> I'm almost 100% positive it has nothing to do with past accounts
> because I've never deleted any to my knowledge. Why does it show up
> now and only for this specific folder? The only thing different I can
> think of is that this folder was created from a tarball using Cygwin.
> (The tarball was downloaded from John the Ripper)... Does that have
> anything to do with it? Is Cygwin or John the Ripper burrowing into my
> system? Is that why it's coming up? Should I delete it? (I thought
> John the Ripper was safe enough...) Once again, thanks for all the
> great comments and thanks in advance.
>
> On Mon, Jul 21, 2008 at 2:50 PM, Randhir Vayalambrone
> <vayalambrones (at) yahoo (dot) com> wrote:
> > computername\none is a special group (hidden in the local users/groups mmc; try creating a user or a group named None on Windows, it will fail with an error group exists). None equates to the domain users in AD.
> > Read Keith Brown's "Programming Windows Security" (if it is still available) to understand the internals of Windows security.
> >
> > Regards,
> > Randhir Vayalambrone
> >
> >
> >
> > ----- Original Message ----
> > From: Charles Hardin <fonestorm (at) gmail (dot) com>
> > To: Erik Boles <eboles (at) mxlogic (dot) com>
> > Cc: Dennis Li <dennis.li.sh (at) gmail (dot) com>; Red Cat <redcat9876 (at) gmail (dot) com>; "focus-ms (at) securityfocus (dot) com" <focus-ms (at) securityfocus (dot) com>
> > Sent: Monday, 21 July, 2008 7:50:52 PM
> > Subject: Re: S-1-5-21...
> >
> > You guys are missing the part that he said it's COMPUTERNAME\none. This
> > means it's a local account, nothing to do with AD. I'm not that familiar
> > with Vista users but I would not be surprised if this was some sort of
> > system generated account.
> >
> > Charles Hardin
> >
> >
> > On Mon, Jul 21, 2008 at 2:37 PM, Erik Boles <eboles (at) mxlogic (dot) com> wrote:
> >> Also -- if the user is deleted from A-D that had access to that folder it will show the SID rather than the name of the user as that container for the user still exists, it just doesn't have a name any longer.
> >> Erik
> >>
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Dennis Li
> >> Sent: Monday, July 21, 2008 11:30 AM
> >> To: Red Cat
> >> Cc: focus-ms (at) securityfocus (dot) com
> >> Subject: Re: S-1-5-21...
> >>
> >> Hi,
> >>
> >> Normally, a user like 'S-1-5....' is a domain account. After your
> >> computer is added into a domain (AD), the administrator account of the
> >> domain is added to your local administrators group automatically. And
> >> when you browse the security property of the folder, the OS will query the
> >> real name of that domain user. Before the query is done, you'll see
> >> the name is 'S-x-x-xxx'.
> >>
> >> Dennis
> >>
> >> On Tue, Jul 22, 2008 at 12:56 AM, Red Cat <redcat9876 (at) gmail (dot) com> wrote:
> >>>
> >>> Hey,
> >>>
> >>> I have a question on something I saw on my computer today. I'm on a
> >>> Windows Vista. I was looking at some of the "properties" of some
> >>> folders in my "Public" folder and clicked on the "Security" tab. Then
> >>> I noticed my usual login user, "Everyone", and one other user, whose
> >>> id seemed to be S-1-5-21...and some numbers. Then after a couple
> >>> moments it turned into the user, "None" with (My computer name\None)
> >>> right next to it. I looked at the permissions it was given and
> >>> apparently it was given "Special Permissions." I was pretty sure I
> >>> didn't and never had created a user named "None". But I still checked
> >>> the Users folder to see if there was indeed a user named "None". There
> >>> wasn't. I even checked to see if there were any hidden users using the
> >>> "view hidden folder option", but there was no user by the name of
> >>> "None". I looked on google for some time but all I managed to find was
> >>> that it could possibly be a remnant from a past OS or something. But
> >>> this computer had Vista installed on it when I got it. Also, it might
> >>> be some sort of guest that was made for my computer or something. My
> >>> own speculation is that it has something to do with the fact that I
> >>> used Cygwin to open up a tarball and create this folder. Anyway, what
> >>> does this user mean? Why does it have special permissions? Is it some
> >>> sort of sign that I have a back door somewhere on my computer or that
> >>> I'm being keylogged or something? Thanks in advance.
> >>
> >
> >

--
Anthony Petito
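
Added illustration, not part of the original thread: the Security tab first shows the raw S-1-5-21... value stored in the ACL entry and only then resolves it to a name such as COMPUTERNAME\None. The Python sketch below decodes a binary SID into that string form and reads its last component (the RID) to tell a well-known principal from an ordinary one; the function names and the sample SID values are constructed for this example.

```python
import struct

# RIDs that mean the same thing under every machine or domain SID.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator account",
    501: "built-in Guest account",
    513: "Domain Users in a domain; the local 'None' group on a machine",
}

def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID, as stored in an ACL entry, to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def classify(sid: str, machine_sid: str):
    """Return (issuer, rid, meaning) for an S-1-5-21-x-y-z-RID SID, else None."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None                               # e.g. Everyone, S-1-1-0
    issuer_sid, rid = "-".join(parts[:7]), int(parts[7])
    issuer = "this machine" if issuer_sid == machine_sid else "a domain or another machine"
    if rid in WELL_KNOWN_RIDS:
        meaning = WELL_KNOWN_RIDS[rid]
    elif rid >= 1000:
        meaning = "ordinary account or group (RIDs from 1000 go to new principals)"
    else:
        meaning = "other predefined RID (below 1000)"
    return issuer, rid, meaning

# Constructed sample values, not taken from the thread.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ACE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 513)

if __name__ == "__main__":
    sid = sid_from_bytes(SAMPLE_ACE_SID)
    print(sid, classify(sid, MACHINE_SID))
```

A SID whose first seven components match the machine's own SID was issued locally; one that does not match belongs to a domain or to another machine, which is also how an entry left behind by a deleted or foreign account appears.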
