Windows Owner

License: PRO+ (Professional Edition or higher)
Plugin Type: Index Plugin
Author: Diskover Data, Inc.

Overview

The Windows Owner plugin extracts Windows file ownership information during Diskover indexing. It retrieves the owner and primary group of each file and directory using the Windows security API, providing visibility into Windows file ownership across your storage systems.

This plugin is a lightweight alternative to the full Windows Attrib plugin. While Windows Attrib extracts complete DACL (Discretionary Access Control List) information including all permissions and access control entries, the Windows Owner plugin focuses specifically on ownership data—making it ideal when you only need to know who owns files without the overhead of full ACL analysis.

What This Plugin Does

• Retrieves the Windows file owner for each file and directory

• Retrieves the Windows primary group information

• Updates the standard owner and group fields in Elasticsearch with Windows-specific values

• Optionally includes domain prefixes (e.g., ACME\jsmith) for multi-domain environments

• Falls back to storing SID strings when account names cannot be resolved

Use Cases

For Storage Administrators:

• Analyze data ownership patterns across file shares and storage systems

• Identify files owned by service accounts versus user accounts

• Track ownership distribution for capacity planning and chargeback

For Compliance Officers:

• Document data ownership for regulatory requirements (SOX, HIPAA, PCI-DSS, GDPR)

• Generate ownership reports for audit purposes

• Verify that sensitive data has appropriate owners assigned

For IT Operations:

• Identify orphaned files from deleted user accounts

• Plan cross-platform migrations by understanding current ownership structures

• Detect shadow IT by finding files owned by unexpected accounts

Understanding Windows Ownership

Windows Security Model Overview

Windows uses a comprehensive security model based on Security Identifiers (SIDs) and security descriptors. Every file and directory on NTFS file systems has a security descriptor that contains:

The Windows Owner plugin focuses on extracting the owner and primary group information, which are essential for understanding data ownership patterns, identifying orphaned files, and supporting compliance initiatives.

Understanding Security Identifiers (SIDs)

SIDs are unique, immutable identifiers that represent security principals (users, groups, computers) in Windows environments. Unlike Unix UIDs/GIDs which are simple numbers, SIDs provide globally unique identification across domains and forests.

Key SID Characteristics:

SID Format Example:

S-1-5-21-3623811015-3361044348-30300820-1013

Well-Known SIDs Reference

Windows defines well-known SIDs for built-in accounts and groups. These SIDs are consistent across all Windows installations:

Owner vs Primary Group

File Owner:

The owner of a file or directory in Windows has special significance:

• The owner always has the ability to modify the object's permissions, even if explicitly denied

• Ownership determines who can take responsibility for the object

• The owner is typically the user who created the file

Primary Group:

The primary group in Windows is primarily a legacy feature for POSIX compatibility:

• Originally used for POSIX subsystem applications

• Required for Services for UNIX (SFU) compatibility

• Not used for access control decisions in pure Windows environments

• Typically set to "Domain Users" or "None" for most accounts

When SIDs Appear Instead of Names

SIDs may appear in owner or group fields instead of friendly account names in several scenarios:

Files showing SIDs instead of account names often indicate orphaned data from deleted users. Use the search query owner:S-1-5-* to find these files for review and potential cleanup.

Common Trustees Reference

Requirements

Python Dependencies

Platform Requirements

• Windows operating system (Windows Server 2016+, Windows 10+)

• Python 3.9 or higher

• Diskover indexer with plugin support

• Read access to file security descriptors

Installation

Step 1: Install pywin32

Windows:

python -m pip install pywin32

Step 2: Run Post-Install Script

The pywin32 package requires a post-installation step to register COM libraries:

python -m pywin32_postinstall -install

If you encounter permission errors, run PowerShell as Administrator.

Step 3: Enable Long Path Support (Optional)

For paths exceeding 260 characters, enable Windows long path support:

Option A: Group Policy

1. Open gpedit.msc

2. Navigate to: Computer Configuration > Administrative Templates > System > Filesystem

3. Enable "Enable Win32 long paths"

Option B: Registry

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name "LongPathsEnabled" -Value 1 -PropertyType DWORD -Force

A restart is required after enabling long path support.

Reference: Microsoft Documentation - Maximum Path Length Limitation

Step 4: Enable the Plugin

1. Navigate to Diskover Admin > Plugins > Index Plugins > Windows Owner

2. Enable the plugin and configure parameters as needed

3. Save the configuration

Step 5: Connect the Plugin to an Index Task Configuration

1. Navigate to Diskover > Configurations > [Configuration Name]

2. At the bottom within Index Plugins Enablement, enable the Windows Owner plugin

3. The plugin will now run automatically during scans using this configuration

Configuration

Configure the plugin through the Diskover Admin interface at Diskover Admin > Plugins > Index Plugins > Windows Owner.

Configuration Parameters

Configuration Examples

Standard Configuration (Default)

Short account names without domain prefix. SIDs stored for unresolvable accounts.

Result:

• Owner displays as: jsmith

• Group displays as: Domain Users

• Orphaned files display as: S-1-5-21-3623811015-3361044348-30300820-1013

Multi-Domain Environment

Include domain names for environments with multiple domains or domain trusts.

Result:

• Owner displays as: ACME\jsmith

• Group displays as: ACME\Domain Users

• Orphaned files display as: S-1-5-21-3623811015-3361044348-30300820-1013

Minimal Index Size

Do not store SIDs when accounts cannot be resolved (produces smaller index).

Result:

• Owner displays as: jsmith

• Group displays as: Domain Users

• Orphaned files display as: 0

Note: With use_sid set to false, you lose the ability to identify specific orphaned accounts, but gain smaller index sizes.

Indexed Fields

The Windows Owner plugin overwrites the default owner and group Elasticsearch fields with Windows-specific values. It does not add any new fields to the index.

Field Mappings

Example Field Values

Searching in Diskover

Use these queries in the Diskover search bar to find files based on Windows ownership.

Basic Owner and Group Searches

Domain-Aware Searches

When inc_domain is enabled:

Combined Searches

Troubleshooting

Common Issues

Verifying File Ownership

Use these PowerShell commands to verify file ownership outside of Diskover:

View file owner:

(Get-Acl "D:\path\to\file.txt").Owner

View file group:

(Get-Acl "D:\path\to\file.txt").Group

View full security descriptor:

Get-Acl "D:\path\to\file.txt" | Format-List *

Testing SID Resolution

To test if a SID can be resolved:

$sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-xxx-xxx-xxx-1234")
try {
    $sid.Translate([System.Security.Principal.NTAccount])
} catch {
    Write-Host "SID cannot be resolved: $_"
}

Domain Controller Connectivity

If experiencing SID resolution issues, verify domain controller connectivity:

nltest /dsgetdc:YOURDOMAIN
Test-NetConnection -ComputerName dc.yourdomain.com -Port 389

Support

• Diskover Documentation

• Diskover Support

• Microsoft - Maximum Path Length Limitation

Last Updated: January 2026
Diskover Data, Inc.