Here's what worked for me in the end, over several days (I had several hundred thousand files to fix):
These could be parameterised much better, but I leave that as an exercise to the user...

These both use subinacl, as getting /substitute ... /restore to work with icacls was beyond me.

fixPerms.sh (to fix a single directory or file):

    #!/bin/bash
    # Target file or directory; defaults to the current directory
    d=${1:-.}
    #echo "fp: |$d|"
    # Download subinacl
    #  from https://www.microsoft.com/en-gb/download/details.aspx?id=23510
    # Map each stale user SID (-1001) and group SID (-513) to the current account
    /c/Program\ Files\ \(x86\)/Windows\ Resource\ Kits/Tools/subinacl /file "$d" /replace=S-1-5-21-xxx-1001=luther\\[me]
    /c/Program\ Files\ \(x86\)/Windows\ Resource\ Kits/Tools/subinacl /file "$d" /replace=S-1-5-21-xxx-513=luther\\None
    /c/Program\ Files\ \(x86\)/Windows\ Resource\ Kits/Tools/subinacl /file "$d" /replace=S-1-5-21-yyy-1001=luther\\[me]
    /c/Program\ Files\ \(x86\)/Windows\ Resource\ Kits/Tools/subinacl /file "$d" /replace=S-1-5-21-yyy-513=luther\\None
    icacls "$d" /remove "NULL SID"
    chown [me] "$d"

You'll have to replace [me] with your username, and xxx with the meat of whatever SIDs your new install has given you and "Domain Users". The second pair of subinacl calls are there because I had done more than one reinstall, so had more than one stale persona to replace -- if you only have one stale persona, you obviously don't need them.

walkPerms.sh (to fix a whole tree):

    #!/bin/bash
    fixPerms.sh . > /dev/null
    n=0
    # NUL-delimited read keeps paths with odd whitespace or backslashes intact
    find "$@" \( \( -uid 98765 \) -o \( -uid 98766 \) \) -print0 | \
     while IFS= read -r -d '' d
     do
      # echo "|$d|"
      wd=$(cygpath -w "$d")
      # Progress indicator: print every 50th path
      n=$((n + 1))
      if [ "$n" = "50" ]
      then
       echo "$wd"
       n=0
      fi
      if [ -h "$d" ]
      then
       # Symlink: change the link itself, not its target
       chown -h [me] "$d"
       chgrp -h None "$d"
      else
       # 'ht' below stands where fixPerms.sh has [me]
       /c/Program\ Files\ \(x86\)/Windows\ Resource\ Kits/Tools/subinacl /file "$wd" /replace=S-1-5-21-xxx-1001=luther\\ht >/dev/null
       /c/Program\ Files\ \(x86\)/Windows\ Resource\ Kits/Tools/subinacl /file "$wd" /replace=S-1-5-21-xxx-513=luther\\None >/dev/null
       /c/Program\ Files\ \(x86\)/Windows\ Resource\ Kits/Tools/subinacl /file "$wd" /replace=S-1-5-21-yyy-1001=luther\\ht >/dev/null
       /c/Program\ Files\ \(x86\)/Windows\ Resource\ Kits/Tools/subinacl /file "$wd" /replace=S-1-5-21-yyy-513=luther\\None >/dev/null
       icacls "$wd" /remove "NULL SID" >/dev/null
       chown [me] "$d"
      fi
     done

Same replacements required for [me] and xxx (and maybe yyy) as above. I copied fixPerms.sh into the loop instead of invoking it by name in order to avoid 100,000s of (slow) forks -- I'm sure there are other optimisations which could be done.

Finally, note that the uids used in the 'find' at the beginning of walkPerms.sh above are whatever you've added in your /etc/passwd per Corinna's earlier message [1], e.g.

    me0:*:98765:197121:U-LUTHER\me0,S-1-5-21-xxx-1001:/:/sbin/nologin
    me1:*:98766:197121:U-LUTHER\me1,S-1-5-21-yyy-1001:/:/sbin/nologin

If the 'find' doesn't produce anything when you think it should, read the documentation about /etc/nsswitch.conf [2] and make sure it's either absent or getting /etc/passwd read.

Hope this helps someone down the line,

ht

[1] https://cygwin.com/ml/cygwin/2016-06/msg00393.html
[2] https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch
-- 
Henry S. Thompson, School of Informatics, University of Edinburgh
10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
Fax: (44) 131 650-4587, e-mail: h...@inf.ed.ac.uk
URL: http://www.ltg.ed.ac.uk/~ht/
[mail from me _always_ has a .sig like this -- mail without it is forged spam]
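
The uids in the 'find' and the SIDs in the /replace options above can be derived from the stale /etc/passwd entries rather than typed in by hand. The script below is an added example, not part of the original message: it is a dry run that only prints the find predicate and subinacl options, and its function names, the luther\me account and the third passwd line are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: derive walkPerms.sh's hard-coded uids and SIDs from passwd lines.
# Dry run only: it prints the find predicate and subinacl options, changes nothing.

# Constructed sample: the two stale entries quoted above plus a made-up live account.
SAMPLE_PASSWD='me0:*:98765:197121:U-LUTHER\me0,S-1-5-21-xxx-1001:/:/sbin/nologin
me1:*:98766:197121:U-LUTHER\me1,S-1-5-21-yyy-1001:/:/sbin/nologin
me:*:197609:197121:U-LUTHER\me,S-1-5-21-zzz-1001:/home/me:/bin/bash'

# stdin: passwd lines; args: stale login names; stdout: "uid SID" per stale entry.
# Names are matched whole, so the live account "me" is not caught by "me0".
stale_sids() {
  awk -F: -v names=" $* " '
    index(names, " " $1 " ") {
      n = split($5, gecos, ",")
      for (i = 1; i <= n; i++)
        if (gecos[i] ~ /^S-1-5-21-/) print $3, gecos[i]
    }'
}

# stdin: "uid SID" lines; stdout: the -uid predicate for find, empty if no input.
find_uid_args() {
  awk '{ s = s sep " -uid " $1; sep = " -o" } END { if (NR) print "\\(" s " \\)" }'
}

# stdin: "uid SID" lines; args: new user, new group; stdout: subinacl options.
# As in the scripts above, the group SID is the user SID with its last part set to 513.
replace_args() {
  local user=$1 group=$2 uid sid
  while read -r uid sid; do
    printf '/replace=%s=%s\n' "$sid" "$user"
    printf '/replace=%s-513=%s\n' "${sid%-*}" "$group"
  done
}

# stdin: passwd lines; args: new user, new group, stale names...; prints the plan.
plan() {
  local user=$1 group=$2 map
  shift 2
  map=$(stale_sids "$@")
  [ -n "$map" ] || { printf 'no stale passwd entries matched: %s\n' "$*" >&2; return 1; }
  printf 'find . %s -print0\n' "$(printf '%s\n' "$map" | find_uid_args)"
  printf '%s\n' "$map" | replace_args "$user" "$group"
}

printf '%s\n' "$SAMPLE_PASSWD" | plan 'luther\me' 'luther\None' me0 me1
```

On a real system, feed plan from /etc/passwd instead of the sample and check the printed options against the stale SIDs reported for a few affected files before running walkPerms.sh.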